Regulation Systems Compliance and Integrity, 18083-18186 [2013-05888]

Vol. 78, No. 57
Monday, March 25, 2013
Part III
Securities and Exchange Commission
17 CFR Parts 242 and 249
Regulation Systems Compliance and Integrity; Proposed Rule

Federal Register / Vol. 78, No. 57 / Monday, March 25, 2013 / Proposed Rules

SECURITIES AND EXCHANGE COMMISSION
17 CFR Parts 242 and 249
[Release No. 34–69077; File No. S7–01–13]
RIN 3235–AL43
Regulation Systems Compliance and Integrity

AGENCY: Securities and Exchange Commission.

ACTION: Proposed rule and form; proposed rule amendment.

SUMMARY: The Securities and Exchange Commission (“Commission”) is proposing Regulation Systems Compliance and Integrity (“Regulation SCI”) under the Securities Exchange Act of 1934 (“Exchange Act”) and conforming amendments to Regulation ATS under the Exchange Act. Proposed Regulation SCI would apply to certain self-regulatory organizations (including registered clearing agencies), alternative trading systems (“ATSs”), plan processors, and exempt clearing agencies subject to the Commission’s Automation Review Policy (collectively, “SCI entities”), and would require these SCI entities to comply with requirements with respect to their automated systems that support the performance of their regulated activities.

DATES: Comments should be submitted on or before May 24, 2013.

ADDRESSES: Interested persons should submit comments by any of the following methods:

Electronic Comments
- Use the Commission’s Internet comment form (https://www.sec.gov/rules/proposed.shtml); or
- Send an email to rule-comments@sec.gov. Please include File Number S7–01–13 on the subject line; or
- Use the Federal eRulemaking Portal (https://www.regulations.gov). Follow the instructions for submitting comments.

Paper Comments
- Send paper comments in triplicate to Elizabeth M. Murphy, Secretary, Securities and Exchange Commission, 100 F Street NE., Washington, DC 20549–1090.

All comment letters should refer to File No. S7–01–13. This file number should be included on the subject line if email is used. To help us process and review your comments more efficiently, please use only one method. The Commission will post all comments on the Commission’s Internet Web site (https://www.sec.gov/rules/proposed.shtml). Comments are also available for public inspection and copying in the Commission’s Public Reference Room, 100 F Street NE., Washington, DC 20549 on official business days between the hours of 10 a.m. and 3 p.m. All comments received will be posted without change; we do not edit personal information from submissions. You should submit only information that you wish to make publicly available.

FOR FURTHER INFORMATION CONTACT: Heidi Pilpel, Special Counsel, Office of Market Supervision, at (202) 551–5666, Sara Hawkins, Special Counsel, Office of Market Supervision, at (202) 551–5523, Jonathan Balcom, Special Counsel, Office of Market Supervision, at (202) 551–5737, Yue Ding, Attorney, Office of Market Supervision, at (202) 551–5842, Dhawal Sharma, Attorney, Office of Market Supervision, at (202) 551–5779, Elizabeth C. Badawy, Senior Accountant, Office of Market Supervision, at (202) 551–5612, and Gordon Fuller, Senior Special Counsel, Office of Market Operations, at (202) 551–5686, Division of Trading and Markets, Securities and Exchange Commission, 100 F Street NE., Washington, DC 20549–7010.
SUPPLEMENTARY INFORMATION: Proposed Regulation SCI would supersede and replace the Commission’s current Automation Review Policy (“ARP”), established by the Commission’s two policy statements, each titled “Automated Systems of Self-Regulatory Organizations,” issued in 1989 and 1991.1 Regulation SCI also would supersede and replace aspects of those policy statements codified in Rule 301(b)(6) under the Exchange Act,2 applicable to significant-volume ATSs.3

1 See Securities Exchange Act Release Nos. 27445 (November 16, 1989), 54 FR 48703 (November 24, 1989) (“ARP I Release” or “ARP I”) and 29185 (May 9, 1991), 56 FR 22490 (May 15, 1991) (“ARP II Release” or “ARP II” and, together with ARP I, the “ARP policy statements”).
2 See 17 CFR 242.301(b)(6). See also Securities Exchange Act Release No. 40760 (December 8, 1998), 63 FR 70844 (December 22, 1998) (“ATS Release”).
3 See infra note 26.

Proposed Regulation SCI would require SCI entities to establish written policies and procedures reasonably designed to ensure that their systems have levels of capacity, integrity, resiliency, availability, and security adequate to maintain their operational capability and promote the maintenance of fair and orderly markets, and that they operate in the manner intended. It would also require SCI entities to mandate participation by designated members or participants in scheduled testing of the operation of their business continuity and disaster recovery plans, including backup systems, and to coordinate such testing on an industry- or sector-wide basis with other SCI entities. In addition, proposed Regulation SCI would require notices and reports to be provided to the Commission on a new proposed Form SCI regarding, among other things, SCI events and material systems changes, and would require SCI entities to take corrective action upon any responsible SCI personnel becoming aware of SCI events.
SCI events would be defined to include systems disruptions, systems compliance issues, and systems intrusions. The proposed regulation would further require that information regarding certain types of SCI events be disseminated to members or participants of SCI entities. In addition, proposed Regulation SCI would require SCI entities to conduct a review of their systems by objective personnel at least annually, and would require SCI entities to maintain certain books and records. The Commission also is proposing to modify the volume thresholds in Regulation ATS 4 for significant-volume ATSs, apply them to SCI ATSs (as defined below), and move this standard from Regulation ATS to proposed Regulation SCI.

4 17 CFR 242.300–303 (“Regulation ATS”).

Table of Contents

I. Background
  A. History and Evolution of the Automation Review Policy Inspection Program
  B. Evolution of the Markets Since the Inception of the ARP Inspection Program
  C. Successes and Limitations of the Current ARP Inspection Program
  D. Recent Events
II. Proposed Codification and Enhancement of ARP Inspection Program
III. Proposed Regulation SCI
  A. Overview
  B. Proposed Rule 1000(a): Definitions Establishing the Scope of Regulation SCI
    1. SCI Entities
    2. Definition of SCI Systems and SCI Security Systems
    3. SCI Events
      a. Systems Disruption
      b. Systems Compliance Issue
      c. Systems Intrusion
      d. Dissemination SCI events
    4. Material Systems Changes
  C. Proposed Rule 1000(b): Obligations of SCI Entities
    1. Policies and Procedures to Safeguard Capacity, Integrity, Resiliency, Availability, and Security
      a. Proposed Rule 1000(b)(1)(i)
      b. Proposed Rule 1000(b)(1)(ii)
    2. Systems Compliance
    3. SCI Events—Action required; Notification
      a. Corrective Action
      b. Commission Notification
      c. Dissemination of Information to Members or Participants
    4. Notification of Material Systems Changes
    5. Review of Systems
    6. Periodic Reports
    7. Proposed Rule 1000(b)(9): SCI Entity Business Continuity and Disaster Recovery Plans Testing Requirements for Members or Participants
  D. Proposed Rule 1000(c)–(f): Recordkeeping, Electronic Filing on Form SCI, and Access
    1. Recordkeeping Requirements
    2. Electronic Submission of Reports, Notifications, and Other Communications on Form SCI
    3. Access to the Systems of an SCI Entity
  E. New Proposed Form SCI
    1. Notice of SCI Events Pursuant to Proposed Rule 1000(b)(4)
    2. Notices of Material Changes Pursuant to Proposed Rule 1000(b)(6)
    3. Reports Submitted Pursuant to Rule 1000(b)(8)
    4. Notifications of Member or Participant Designation Standards and List of Designees Pursuant to Proposed Rule 1000(b)(9)
    5. Other Information and Electronic Signature
  F. Request for Comment on Applying Proposed Regulation SCI to Security-Based Swap Data Repositories and Security-Based Swap Execution Facilities
  G. Solicitation of Comment Regarding Potential Inclusion of Broker-Dealers, Other than SCI ATSs, and Other Types of Entities
IV. Paperwork Reduction Act
V. Economic Analysis
  A. Background
  B. Economic Baseline
  C. Consideration of Costs and Benefits, and the Effect on Efficiency, Competition, and Capital Formation
  D. Request for Comment on Economic Analysis
VI. Consideration of Impact on the Economy
VII. Regulatory Flexibility Act Certification
VIII. Statutory Authority and Text of Proposed Amendments

I. Background

A. History and Evolution of the Automation Review Policy Inspection Program

Section 11A(a)(2) of the Exchange Act,5 enacted as part of the Securities Acts Amendments of 1975 (“1975 Amendments”),6 directs the Commission, having due regard for the public interest, the protection of investors, and the maintenance of fair and orderly markets, to use its authority under the Exchange Act to facilitate the establishment of a national market system for securities in accordance with the Congressional findings and objectives set forth in Section 11A(a)(1) of the Exchange Act.7 Among the findings and objectives in Section 11A(a)(1) is that “[n]ew data processing and communications techniques create the opportunity for more efficient and effective market operations” 8 and “[i]t is in the public interest and appropriate for the protection of investors and the maintenance of fair and orderly markets to assure * * * the economically efficient execution of securities transactions.” 9 In addition, Sections 6(b), 15A, and 17A(b)(3) of the Exchange Act impose obligations on national securities exchanges, national securities associations, and clearing agencies, respectively, to be “so organized” and “[have] the capacity to * * * carry out the purposes of [the Exchange Act].” 10

5 15 U.S.C. 78k–1(a)(2).
6 Public Law 94–29, 89 Stat. 97 (1975).
7 15 U.S.C. 78k–1(a)(1).
8 Section 11A(a)(1)(B) of the Exchange Act, 15 U.S.C. 78k–1(a)(1)(B).
9 Section 11A(a)(1)(C)(i) of the Exchange Act, 15 U.S.C. 78k–1(a)(1)(C)(i). Further, the Senate Committee Report accompanying the 1975 Amendments states further that a paramount objective of a national market system is “the maintenance of stable and orderly markets with maximum capacity for absorbing trading imbalances without undue price movements.” Senate Comm. On Banking, Housing and Urban Affairs, Report to accompany S. 249, Sen. Rep. 94–75, 94th Cong., 1st Sess. at 7 (1975).
10 See Sections 6(b)(1), 15A(b)(2), and 17A(b)(3) of the Exchange Act, 15 U.S.C. 78f(b)(1), 78o–3(b)(2), 78q–1(b)(3), respectively. See also Section 2 of the Exchange Act, 15 U.S.C. 78b, and Section 19 of the Exchange Act, 15 U.S.C. 78s.

For over two decades, Commission staff has worked with SROs to assess their automated systems under the Commission’s ARP inspection program (“ARP Inspection Program”), a voluntary information technology review program created in response to the October 1987 market break.11 In 1989, the Commission published ARP I, its first formal policy statement regarding steps that SROs should take in connection with their automated systems.12 In ARP I, the Commission discussed the development by SROs of automated execution, market information, and trade comparison systems to accommodate increased trading activity from the 1960s through the 1980s.13 The Commission acknowledged improvements in efficiency during that time period, but noted that the October 1987 market break had exposed that automated systems remained vulnerable to operational problems during extreme high volume periods. The Commission also expressed concern about the potential for systems failures to negatively impact public investors, broker-dealer risk exposure, and market efficiency.14 The Commission further stated in ARP I that market movements should be “the result of market participants’ changing expectations about the direction of the market for a particular security, or group of securities, and not the result of investor confusion or panic resulting from operational failures or delays in SRO automated trading or market information systems.” 15

11 See ARP I, supra note 1, 54 FR 48706.
12 See ARP I, supra note 1, 54 FR 48705–48706, stating that SROs should “take certain steps to ensure that their automated systems have the capacity to accommodate current and reasonably anticipated future trading volume levels and respond to localized emergency conditions.” In ARP I, the Commission also defined the terms “automated systems” and “automated trading systems” to refer “collectively to computer systems for listed and OTC equities, as well as options, that electronically route orders to applicable market makers and systems that electronically route and execute orders, including the data networks that feed the systems * * * [and encompass] systems that disseminate transaction and quotation information and conduct trade comparisons prior to settlement, including the associated communication networks.” See id. at n. 21. See also id. at n. 26 (stating that the Commission may suggest expansion of the ARP I policy statement to cover “other SRO computer-driven support systems for, among other things, clearance and settlement, and market surveillance, if the Commission finds it necessary to ensure the maintenance of fair and orderly markets”).
13 See id. at 48705.
14 See id. at 48705. The Commission noted that problems encountered by trading systems during the October 1987 market break included: (i) Inadequate computer capacity causing queues of unprocessed orders to develop that, in turn, resulted in significant delays in order execution; (ii) inadequate contingency plans to accommodate increased order traffic; (iii) delays in the transmission of transaction reports to both member firms and markets; and (iv) delays in order processing.
15 See id. at 48705.

The Commission issued ARP I as a result of these concerns, and stated that SROs should “establish comprehensive planning and assessment programs to test systems capacity and vulnerability.” 16 In particular, the Commission recommended that each SRO should: (1) Establish current and future capacity estimates for its automated order routing and execution, market information, and trade comparison systems; (2) periodically conduct capacity stress tests to determine the behavior of automated systems under a variety of simulated conditions; and (3) contract with independent reviewers to assess annually whether these systems could perform adequately at their estimated current and future capacity levels and have adequate protection against physical threat.17 In addition, ARP I called for each SRO to have its automated systems reviewed annually by an “independent reviewer.” 18

16 See id. at 48705–48706.
17 See id. at 48706–48707. With respect to capacity estimates and testing, the Commission urged SROs to institute procedures for stress testing using “standards generally set by the computer industry,” and report the results of stress testing to Commission staff. The Commission also requested comment on whether it should mandate specific standards for the SROs to follow, and if so, what those standards should be. See id. With respect to vulnerability of systems to external and internal threat, the Commission requested in ARP I that SROs assess the susceptibility of automated systems to computer viruses, unauthorized use, computer vandalism, and failures as result of catastrophic events (such as fire, power outages, and earthquakes), and promptly notify Commission staff of any instances in which unauthorized persons gained or attempted to gain access to SRO systems, and follow up with a written report of the problem, its cause, and the steps taken to prevent a recurrence.
18 See id.

In 1991, the Commission published ARP II.19 In ARP II, the Commission further articulated its views on how SROs should conduct independent reviews.20 ARP II stated that such reviews and analysis should: “(1) Cover significant elements of the operations of the automation process, including the capacity planning and testing process, contingency planning, systems development methodology and vulnerability assessment; (2) be performed on a cyclical basis by competent and independent audit personnel following established audit procedures and standards; and (3) result in the presentation of a report to senior SRO management on the recommendations and conclusions of the independent reviewer, which report should be made available to Commission staff for its review and comment.” 21 In addition, ARP II addressed how SROs should notify the Commission of material systems changes and significant systems problems. Specifically, ARP II stated that SROs should notify Commission staff of significant additions, deletions, or other changes to their automated systems on an annual and an as-needed basis, as well as provide real-time notification of unusual events, such as significant outages involving automated systems.22 Further, in ARP II, the Commission again suggested development of standards to meet the ARP policy statements, stating that “the SROs, and other interested parties should begin the process of exploring the establishment of (1) standards for determining capacity levels for the SROs’ automated trading systems; (2) generally accepted computer security standards that would be effective for SRO automated systems; and (3) additional standards regarding audits of computer systems.” 23

19 See ARP II Release, 56 FR 22490, supra note 1.
20 See id.
21 See id. at 22491. In ARP II the Commission also explained that, in its view, “a critical element to the success of the capacity planning and testing, security assessment and contingency planning processes for [automated] systems is obtaining an objective review of those planning processes by persons independent of the planning process to ensure that adequate controls and procedures have been developed and implemented.” Id.
22 See id. at 22491.
23 See id.

The current ARP Inspection Program was developed by Commission staff to implement the ARP policy statements,24 and has garnered participation by all active registered clearing agencies, all registered national securities exchanges, the Financial Industry Regulatory Authority (“FINRA”), the only registered national securities association, one exempt clearing agency, and one ATS.25 In 1998, the Commission adopted Regulation ATS which, among other things, imposed by rule certain aspects of ARP I and ARP II on significant-volume ATSs.26 Thereafter, administration of these aspects of Regulation ATS was incorporated into the ARP Inspection Program.

24 While participation in the ARP Inspection Program is voluntary, the underpinnings of ARP I and ARP II are rooted in Exchange Act requirements. See supra notes 5–10 and accompanying text.
25 See infra note 91 and accompanying text. One ATS currently complies voluntarily with the ARP Inspection Program. However, ARP staff has conducted ARP inspections of other ATSs over the course of the history of the ARP Inspection Program. See also infra notes 134–135 and accompanying text.
26 See Rule 301(b)(6) of Regulation ATS, 17 CFR 242.301(b)(6). With regard to systems that support order entry, order routing, order execution, transaction reporting, and trade comparison, Regulation ATS requires significant-volume ATSs to: establish reasonable current and future capacity estimates; conduct periodic capacity stress tests of critical systems to determine their ability to accurately, timely and efficiently process transactions; develop and implement reasonable procedures to review and keep current system development and testing methodology; review system and data center vulnerability to threats; establish adequate contingency and disaster recovery plans; perform annual independent reviews of systems to ensure compliance with the above listed requirements and perform review by senior management of reports containing the recommendations and conclusions of the independent review; and promptly notify the Commission of material systems outages and significant systems changes. See Rule 301(b)(6)(ii) of Regulation ATS, 17 CFR 242.301(b)(6)(ii). Regulation ATS defines significant-volume ATSs as ATSs that, during at least 4 of the preceding 6 calendar months, had: (i) with respect to any NMS stock, 20 percent or more of the average daily volume reported by an effective transaction reporting plan; (ii) with respect to equity securities that are not NMS stocks and for which transactions are reported to a self-regulatory organization, 20 percent or more of the average daily volume as calculated by the self-regulatory organization to which such transactions are reported; (iii) with respect to municipal securities, 20 percent or more of the average daily volume traded in the United States; or (iv) with respect to corporate debt securities, 20 percent or more of the average daily volume traded in the United States. See Rule 301(b)(6)(i) of Regulation ATS, 17 CFR 242.301(b)(6)(i).

Under the ARP Inspection Program, staff in the Commission’s Division of Trading and Markets (“ARP staff”) conduct inspections of ARP entity systems, attend periodic technology briefings presented by ARP entity staff, monitor the progress of planned significant system changes, and respond to reports of system failures, disruptions, and other systems problems of ARP entities. An ARP inspection typically includes ARP staff review of information technology documentation, testing of selected controls, and interviews with information technology staff and management of the ARP entity.27 Just as markets have become increasingly automated and information technology programs and practices at ARP entities have changed, ARP inspections also have evolved considerably over the past 20 years. Today, the ARP Inspection Program covers nine general inspection areas, or information technology “domains:” application controls; capacity planning; computer operations and production environment controls; contingency planning; information security and networking; audit; outsourcing; physical security; and systems development methodology.28 The goal of an ARP inspection is to evaluate whether an ARP entity’s controls over its information technology resources in each domain are consistent with ARP and industry guidelines,29 as identified by ARP staff from a variety of information technology publications that ARP staff believes reflect industry standards for securities market participants.
Most recently, these publications have included, among others, publications issued by the Federal Financial Institutions Examination Council (‘‘FFIEC’’) and the National Institute of 27 ARP inspections are typically conducted independently from the inspections and examinations of SROs, ATSs, and broker-dealers conducted by staff in the Commission’s Office of Compliance Inspections and Examinations (‘‘OCIE’’) for compliance with the federal securities laws and rules thereunder. 28 Each domain itself contains subcategories. For example, ‘‘contingency planning’’ includes business continuity, disaster recovery, and pandemic planning, among other things. 29 The domains covered during an ARP inspection depend in part upon whether the inspection is a regular inspection or a ‘‘for-cause’’ inspection. Typically, however, to make the most efficient use of resources, a single ARP inspection will cover fewer than nine domains. E:\FR\FM\25MRP3.SGM 25MRP3 Federal Register / Vol. 78, No. 57 / Monday, March 25, 2013 / Proposed Rules Standards and Technology (‘‘NIST’’).30 ARP staff has also relied on the 2003 Interagency White Paper on Sound Practices to Strengthen the Resiliency of the U.S. Financial System 31 and the 2003 Policy Statement on Business Continuity Planning for Trading Markets.32 Since 2003, however, the Commission has not issued formal guidance on which publications establish the most appropriate guidelines for ARP entities. At the conclusion of an ARP inspection, ARP staff typically issues a report to the ARP entity with an assessment of its information technology program with respect to its critical systems, including any recommendations for improvement. Another significant aspect of the ARP Inspection Program relates to the monitoring of planned significant systems changes and reports of systems problems at ARP entities. 
As noted above, ARP II stated that SROs should notify Commission staff of significant additions, deletions, or other changes to their automated systems on an annual and an as-needed basis, as well as provide real-time notification of unusual events, such as significant outages involving automated systems.33 Likewise, Regulation ATS requires significant-volume ATSs to promptly notify the Commission of material systems outages and significant systems changes.34 In addition to the Commission’s ARP policy statements and Rule 301(b)(6) of Regulation ATS, Commission staff has provided guidance to ARP entities on how the staff believes they should report planned systems changes and systems issues to the Commission. For example, in 2001, Commission staff sent srobinson on DSK4SPTVN1PROD with PROPOSALS3 30 Other examples of publications that ARP staff has referred to include those issued by the Center for Internet Security (https:// benchmarks.cisecurity.org/en-us/ ?route=downloads.benchmarks); Information Systems Audit and Control Association (Control Objections for Information Technology Framework, available at: https://www.isaca.org/KnowledgeCenter/cobit/Pages/COBIT-Online.aspx); Defense Information Systems Agency, Security Technical Implementation Guides (available at https:// iase.disa.mil/stigs/); and Government Accountability Office (Federal Information System Controls Audit Manual (February 2009), available at: https://www.gao.gov/assets/80/77142.pdf). 31 See Securities Exchange Act Release No. 47638 (April 7, 2003), 68 FR 17809 (April 11, 2003) (Interagency Paper on Sound Practices to Strengthen the Resilience of the U.S. Financial Systems) (‘‘2003 Interagency White Paper’’). 32 See Securities Exchange Act Release No. 48545 (September 25, 2003), 68 FR 56656 (October 1, 2003) (Policy Statement: Business Continuity Planning for Trading Markets) (‘‘2003 Policy Statement on Business Continuity Planning for Trading Markets’’). 33 See supra note 22 and accompanying text. 
34 See 17 CFR 242.301(b)(6)(ii)(G). See also supra note 26. VerDate Mar<15>2010 17:55 Mar 22, 2013 Jkt 229001 a letter to the SROs and other participants in the ARP Inspection Program to clarify what should be considered a ‘‘significant system change’’ and a ‘‘significant system outage’’ for purposes of reporting systems changes and problems to Commission staff.35 Further, in 2009, Commission staff sent a letter to the national securities exchanges and FINRA expressing the staff’s view that SROs are obligated to ensure that their systems’ operations comply with the federal securities laws and rules and the SRO’s rules, and that failure to satisfy this obligation could lead to sanctions under Section 19(h)(1) of the Exchange Act.36 Unlike ARP I, ARP II, and Rule 35 In June 2001, staff from the Division of Market Regulation sent a letter to the SROs and other participants in the ARP Inspection Program regarding Guidance for Systems Outage and System Change Notifications (‘‘2001 Staff ARP Interpretive Letter’’), advising them that the staff considers a significant system change to include: (i) Major systems architectural changes; (ii) reconfiguration of systems that cause a variance greater than five percent in throughput or storage; (iii) introduction of new business functions or services; (iv) material changes in systems; (v) changes to external interfaces; (vi) changes that could increase susceptibility to major outages; (vii) changes that could increase risks to data security; (viii) a change that was, or will be, reported or referred to the entity’s board of directors or senior management; or (ix) changes that may require allocation or use of significant resources. 
The 2001 Staff ARP Interpretive Letter also advised that Commission staff considers a ‘‘significant system outage’’ to include an outage that results in: (i) Failure to maintain service level agreements or constraints; (ii) disruption of normal operations, including switchover to back-up equipment with no possibility of near-term recovery of primary hardware; (iii) loss of use of any system; (iv) loss of transactions; (v) excessive back-ups or delays in processing; (vi) loss of ability to disseminate vital information; (vii) communication of an outage situation to other external entities; (viii) a report or referral of an event to the entity’s board of directors or senior management; (ix) a serious threat to systems operations even though systems operations are not disrupted; or (x) a queuing of data between system components or queuing of messages to or from customers of such duration that a customer’s normal service delivery is affected. The 2001 Staff ARP Interpretive Letter is available at https://www.sec.gov/divisions/marketreg/sroautomation.shtml.

36 In December 2009, staff from the Division of Trading and Markets and Office of Compliance Inspections and Examinations sent a letter (‘‘2009 Staff Systems Compliance Letter’’) to each national securities exchange and FINRA reminding each of its obligation to ensure that its systems’ operations are consistent with the federal securities laws and rules and the SRO’s rules, and clarifying the staff’s expectations regarding SRO systems compliance. The 2009 Staff Systems Compliance Letter also expressed the staff’s view that SROs and other participants in the ARP Inspection Program should have effective written policies and procedures for systems development and maintenance that provide for adequate regulatory oversight, including testing of system changes, controls over system changes, and independent audits. The 2009 Staff Systems Compliance Letter also expressed the staff’s expectation that, if an SRO becomes aware of a system function that could lead or has led to a failure to comply with the federal securities laws or rules, or the SRO’s rules, the SRO should immediately take appropriate corrective action including, at a minimum, devoting adequate resources to remedy the issue as soon as possible, and notifying Commission staff and (if appropriate) the public of the compliance issue and efforts to rectify it. The 2009 Staff Systems Compliance Letter was sent to BATS, BATS–Y, CBOE, C2, CHX, EDGA, EDGX, FINRA, ISE, Nasdaq, Nasdaq OMX BX, Nasdaq OMX Phlx, NSX, NYSE, NYSE MKT (f/k/a NYSE Amex), NYSE Arca. See infra notes 47 and 51.

37 See text accompanying notes 24–29.

301(b)(6) of Regulation ATS, the 2001 Staff ARP Interpretive Letter and 2009 Staff Systems Compliance Letter were not issued by the Commission and constitute only staff guidance. Proposed Regulation SCI, if adopted, would consolidate and supersede all such staff guidance, as well as the Commission’s ARP policy statements and Rule 301(b)(6) of Regulation ATS.

In addition, OCIE conducts inspections of SROs, as part of the Commission’s oversight of them. Unlike ARP inspections, however, which focus on information technology controls, OCIE primarily conducts risk-based examinations of securities exchanges, FINRA, and other SROs to evaluate whether they and their member firms are complying with the Exchange Act and the rules thereunder, as well as SRO rules. Examples of OCIE risk-based examination areas include: governance, regulatory funding, trading regulation, member firm examination programs, disciplinary programs for member firms, and exchange programs for listing compliance. In 2011, OCIE conducted baseline assessments of all of the national securities exchanges then operating. These assessments included these areas, among others, but did not include examinations of the exchanges’ systems, as systems inspections are conducted under the ARP Inspection Program.37 As part of the Commission’s oversight of the SROs, OCIE also reviews systems compliance issues reported to Commission staff. The information gained from OCIE’s review of reported systems compliance issues helps to inform its examination risk-assessments for SROs.

B. Evolution of the Markets Since the Inception of the ARP Inspection Program

Since the inception of the ARP Inspection Program more than two decades ago, the securities markets have experienced sweeping changes, evolving from a collection of relatively few, mostly manual markets, to a larger number and broader variety of trading centers that are almost completely automated, and dependent upon sophisticated technology and extremely fast and interconnected systems. Regulatory developments, such as Regulation NMS,38 decimalization,39 Regulation ATS,40 and the Order Handling Rules,41 also have impacted the structure of the markets by, among other things, mandating and providing incentives that encourage automation and speed. Although some markets today retain trading floors and accommodate some degree of manual interaction, these markets also have implemented electronic trading for their products.
In stock markets, for example, in almost all cases, the volume of electronic trading dominates any residual manual activity.42 In addition, in recent years, the new trading systems developed by existing or new exchanges and ATSs rely almost exclusively on fully-electronic, automated technology to execute trades.43 As a result, the overwhelming majority of securities transactions today are executed on such automated systems.44 A primary driver and catalyst of this transformation has been the continual evolution of technologies for generating, routing, and executing orders. These technologies have dramatically improved the speed, capacity, and sophistication of the trading functions that are available to market participants.45 The increased speed and capacity of automated systems in the current market structure has contributed to surging message traffic.46

In addition to these changes, there has been an increase in the number of trading venues, particularly for equities. No longer is trading in equities dominated by one or two trading venues. Today, 13 national securities exchanges trade equities, with no single stock exchange having an overall market share of greater than twenty percent of consolidated volume for all NMS stocks,47 but each with a protected quotation 48 that may not be traded through by other markets.49 ATSs, including electronic communications networks (‘‘ECNs’’) and dark pools, as well as broker-dealer internalizers, also execute substantial volumes of securities transactions.50 Each of these trading venues is connected with the others through a vast web of linkages, including those that provide connectivity, routing services, and market data. The number of venues trading options has likewise grown, with 11 national securities exchanges currently trading options, up from five as recently as 2004.51

The increased number of trading venues, dispersal of trading volume, and the resulting reliance on a variety of automated systems and intermarket linkages have increased competition and thus investor choice, but have also increased the complexity of the markets and the challenges for market participants seeking to manage their information technology programs and to ensure compliance with Commission rules.52 These changes have also substantially heightened the potential for systems problems originating from any number of sources to broadly affect the market. Given the increased interconnectedness of the markets, a trading venue may not always recognize the true impact and cost of a problem that originates with one of its systems.

38 17 CFR 242.600–612. See also Securities Exchange Act Release No. 51808 (June 9, 2005), 70 FR 37496 (June 29, 2005).

39 See Securities Exchange Act Release No. 42360 (January 28, 2000), 65 FR 5003 (February 2, 2000).

40 17 CFR 242.300–303. See also ATS Release, supra note 2.

41 Securities Exchange Act Release No. (September 6, 1996), 61 FR 48290 (September 12, 1996). See also Concept Release on Equity Market Structure, supra note 42, at 3594.

42 See, e.g., Securities Exchange Act Release No. 61358 (January 14, 2010), 75 FR 3594, 3594–95 (January 21, 2010) (Concept Release on Equity Market Structure). See also Securities Exchange Act Release No. 58845 (October 24, 2008), 73 FR 64379 (October 29, 2008) (SR–NYSE–2008–46) (order approving NYSE’s New Market Model, an electronic trading system with floor-based components).

43 See, e.g., Securities Exchange Act Release Nos. 62716 (August 13, 2010), 75 FR 51295 (August 19, 2010) (order approving the exchange registration application of BATS–Y Exchange, Inc.); 61698 (March 12, 2010), 75 FR 13151 (March 18, 2010) (order approving the exchange registration applications of EDGA Exchange Inc. and EDGX Exchange Inc.); 57478 (March 12, 2008), 73 FR 14521 (March 18, 2008) (order approving a proposed rule change, as amended, by the NASDAQ Stock Market LLC to establish rules governing the trading of options on the NASDAQ Options Market).

44 For example, less than 30 percent of stock trading takes place on listing exchanges as orders are dispersed to more than 50 competing venues, almost all of which are fully electronic. See, e.g., https://www.batstrading.com/market_summary. See also Concept Release on Equity Market Structure, supra note 42, for a more detailed discussion of equity market structure.

45 For example, the speed of trading has increased to the point that the fastest traders now measure their latencies in microseconds. See Concept Release on Equity Market Structure, supra note 42, at 3598.

46 See, e.g., ‘‘Climbing Mount Message: How Exchanges are Managing Peaks,’’ Markets Media (posted on June 29, 2012), available at: https://marketsmedia.com/climbing-mount-messageexchanges-managing-peaks/ (noting that message volumes across U.S. exchanges hit a daily peak of 4.47 million messages per second).

47 See, e.g., market volume statistics reported by BATS Exchange, Inc., available at: https://www.batstrading.com/market_summary (no single national securities exchange executed more than 20 percent of volume in NMS stocks during the 5-day period ending February 7, 2013). The following national securities exchanges have equities trading platforms: (1) BATS Exchange, Inc. (‘‘BATS’’); (2) BATS Y-Exchange, Inc. (‘‘BATS–Y’’); (3) Chicago Board Options Exchange, Incorporated (‘‘CBOE’’); (4) Chicago Stock Exchange, Inc. (‘‘CHX’’); (5) EDGA Exchange, Inc. (‘‘EDGA’’); (6) EDGX Exchange, Inc. (‘‘EDGX’’); (7) NASDAQ OMX BX, Inc. (‘‘Nasdaq OMX BX’’); (8) NASDAQ OMX PHLX LLC (‘‘Nasdaq OMX Phlx’’); (9) NASDAQ Stock Market LLC (‘‘Nasdaq’’); (10) National Stock Exchange, Inc. (‘‘NSX’’); (11) New York Stock Exchange LLC (‘‘NYSE’’); (12) NYSE MKT LLC (‘‘NYSE MKT’’); and (13) NYSE Arca, Inc. (‘‘NYSE Arca’’).

48 A ‘‘protected quotation’’ is defined by Regulation NMS as a quotation in an NMS stock that (i) is displayed by an automated trading center; (ii) is disseminated pursuant to an effective national market system plan; and (iii) is an automated quotation that is the best bid or best offer of a national securities exchange, the best bid or best offer of The Nasdaq Stock Market, Inc., or the best bid or best offer of a national securities association other than the best bid or best offer of The Nasdaq Stock Market, Inc. See Rule 600(b)(57)–(58) of Regulation NMS, 17 CFR 242.600(b)(57)–(58).

49 See Rule 611(a)(1) of Regulation NMS, 17 CFR 242.601(a)(1).

50 See Concept Release on Equity Market Structure, supra note 42.

C. Successes and Limitations of the Current ARP Inspection Program

While the Commission generally considers the ARP Inspection Program to have been successful in improving the automated systems of the SROs and other entities participating in the program over the past 20 years, the Commission is mindful of its limitations. For example, because the ARP Inspection Program is established pursuant to Commission policy statements, rather than Commission rules,53 the Commission’s ability to assure compliance with ARP standards with certainty or adequate thoroughness is limited. In particular, the Commission may not be able to fully address major or systemic market problems at all entities that would meet the proposed definition of SCI entity.
Further, the Government Accountability Office (‘‘GAO’’) has identified the voluntary nature of the ARP Inspection Program as a limitation of the program and recommended that the Commission make compliance with ARP guidelines mandatory.54

The Commission believes that the continuing evolution of the securities markets to the current state, where they have become almost entirely electronic and highly dependent on sophisticated trading and other technology (including complex regulatory and surveillance systems, as well as systems relating to the provision of market data, intermarket routing and connectivity, and a variety of other member and issuer services), has posed challenges for the ARP Inspection Program. Accordingly, the Commission believes that the guidance in the ARP policy statements should be updated and formalized, and that clarity with respect to a variety of important matters, including regarding appropriate industry practices, notice to the Commission of all SCI events and to members or participants of SCI entities of certain systems problems, Commission access to systems, and procedures designed to better ensure that SRO systems comply with the SRO’s own rules, would improve the Commission’s oversight capabilities. Furthermore, given the importance of ensuring that an SRO’s trading and other systems are operated in accordance with its rules, the Commission believes that improvements in SRO procedures could help to ensure that such systems are operating in compliance with relevant rules, and to promptly identify and address any instances of non-compliance.55

51 The following venues trade options today: (1) BATS Exchange Options Market; (2) Boston Options Exchange LLC (‘‘BOX’’); (3) C2 Options Exchange, Incorporated (‘‘C2’’); (4) CBOE; (5) International Securities Exchange, LLC (‘‘ISE’’); (6) Miami International Securities Exchange, LLC (‘‘MIAX’’); (7) NASDAQ Options Market; (8) NASDAQ OMX BX Options; (9) Nasdaq OMX Phlx; (10) NYSE Amex Options; and (11) NYSE Arca.

52 For example, one important type of linkage in the current market structure was created to comply with legal obligations to protect against trade-throughs as required by Rule 611 of Regulation NMS under the Exchange Act, 17 CFR 242.611. A trade-through is the execution of a trade at a price inferior to a protected quotation for an NMS stock. Importantly, Rule 611 applies to all trading centers, not just those that display protected quotations. Trading center is defined broadly in Rule 600(b)(78) of Regulation NMS to include, among others, all exchanges, all ATSs (including ECNs and dark pools), all OTC market makers, and any other broker-dealer that executes orders internally, whether as agent or principal. See Concept Release on Equity Market Structure, supra note 42, at 3601.

53 As discussed in infra Section III.B.1, no ATS currently meets the volume thresholds in Rule 301(b)(6) of Regulation ATS.

54 See GAO, Financial Market Preparedness: Improvements Made, but More Action Needed to Prepare for Wide-Scale Disasters, Report No. GAO–04–984 (September 27, 2004). GAO cited instances in which the GAO believed that entities participating in the ARP Inspection Program failed to adequately address or implement ARP staff recommendations as the reasoning behind its recommendation to make compliance with ARP guidelines mandatory. As noted in supra Section I.A, the obligations underlying the policy statements are statutorily mandated.

55 Section 19(b)(1) of the Exchange Act requires each SRO to file with the Commission any proposed rule or any proposed change in, addition to, or deletion from the rules of such SRO (a ‘‘proposed rule change’’), accompanied by a concise general statement of the basis and purpose of such proposed rule change, and provides that no proposed rule change shall take effect unless approved by the Commission or otherwise permitted in accordance with the provisions of this section. See 15 U.S.C. 78s(b)(1). An SRO’s failure to file a proposed rule change when required would be a violation of Section 19(b)(1).

D. Recent Events

In the Commission’s view, recent events further highlight why rulemaking in this area may be warranted.
On May 6, 2010, according to a report by the staffs of the Commission and the Commodity Futures Trading Commission (‘‘CFTC’’), the prices of many U.S.-based equity products experienced an extraordinarily rapid decline and recovery, with major equity indices in both the futures and securities markets, each already down over four percent from their prior day close, suddenly plummeting a further five to six percent in a matter of minutes before rebounding almost as quickly.56 According to the May 6 Staff Report, many individual equity securities and exchange traded funds suffered similar price declines and reversals within a short period of time, falling 5, 10, or even 15 percent before recovering most, if not all, of their losses.57 The May 6 Staff Report stated that some equities experienced even more severe price moves, both up and down, with over 20,000 trades in more than 300 securities executed at prices more than 60 percent away from their values just moments before.58 Among the key findings in the May 6 Staff Report was that the interaction between automated execution programs and algorithmic trading strategies can quickly erode liquidity and result in disorderly markets, and that concerns about data integrity, especially those that involve the publication of trades and quotes to the consolidated tape, can contribute to pauses or halts in many automated trading systems and in turn lead to a reduction in general market liquidity.59 According to the May 6 Staff Report, the events of May 6, 2010 clearly demonstrate the importance of data in today’s world of fully automated trading strategies and systems, and that fair and orderly markets require the maintenance of high standards for robust, accessible, and timely market data.60

Both before and after the May 6, 2010 incident, individual markets have also experienced other systems-related issues. In February 2011, NASDAQ OMX Group, Inc. revealed that hackers had penetrated certain of its computer networks, though Nasdaq reported that at no point did this intrusion compromise Nasdaq’s trading systems.61 In October 2011, the Commission sanctioned EDGX and EDGA, two national securities exchanges, and their affiliated broker, Direct Edge ECN LLC, for violations of federal securities laws arising from systems incidents.62 In the Direct Edge Order, the Commission noted that the ‘‘violations occurred against the backdrop of weaknesses in Respondents’ systems, processes, and controls.’’ 63

More recently, in 2012, systems issues hampered the initial public offerings of BATS Global Markets, Inc. and Facebook, Inc.64 On March 23, 2012, BATS announced that a ‘‘software bug’’ caused BATS to shut down the IPO of its own stock, BATS Global Markets, Inc.65 On May 18, 2012, issues with Nasdaq’s trading systems delayed the start of trading in the high-profile IPO of Facebook, Inc. and some market participants experienced delays in notifications over whether orders had been filled.66 While these are illustrative high-profile examples, they are not the only instances of disruptions and other systems problems experienced by SROs and ATSs.67 Moreover, the risks associated with cybersecurity, and how to protect against systems intrusions, are increasingly of concern to all types of entities, including public companies.68

On October 2, 2012, the Commission conducted a roundtable entitled ‘‘Technology and Trading: Promoting Stability in Today’s Markets’’ (‘‘Roundtable’’).69 The Roundtable examined the relationship between the operational stability and integrity of the securities market and the ways in which market participants design, implement, and manage complex and interconnected trading technologies.70 Panelists offered their views on how market participants could prevent, or at least mitigate, technology errors as well as how error response could be improved. Although the discussion was wide-ranging, several themes emerged, with panelists generally agreeing that areas of focus across the industry should be on adherence to best practices, improved quality assurance, more robust testing, increased pre-trade and post-trade risk controls, real-time monitoring of systems, and improved communications when systems problems occur. The panelists also discussed whether there should be regulatory or other mandates for quality standards and industry testing, and whether specific mechanisms, such as ‘‘kill switches,’’ 71 would be useful to protect the markets from technology errors and to advance the goal of bolstering investor confidence in the markets.72 Several panelists also stated that, given the frequency of coding changes in the current market environment, testing of software changes should be far more robust.73

In addition to the Roundtable panels, the Commission solicited comment with respect to the Roundtable’s topics, and received statements from some of the Roundtable panelists, as well as comment letters from the public.74

56 See Findings Regarding The Market Events Of May 6, 2010, Report Of The Staffs Of The CFTC And SEC To The Joint Advisory Committee On Emerging Regulatory Issues, September 30, 2010 (‘‘May 6 Staff Report’’).

57 See id.

58 These trades subsequently were broken by the exchanges and FINRA. See id.

59 See id. at 78.

60 See id. at 8.

61 See announcement by Nasdaq OMX (February 5, 2011), available at: https://www.nasdaq.com/includes/announcement-2-5-11.aspx (accessed May 20, 2011). See also Devlin Barrett, ‘‘Hackers Penetrate NASDAQ Computers,’’ Wall St. J., February 5, 2011, at A1; Devlin Barrett et al., ‘‘NASDAQ Confirms Breach in Network,’’ Wall St. J., February 7, 2011, at C1.

62 See Securities Exchange Act Release No. 65556, In the Matter of EDGX Exchange, Inc., EDGA Exchange, Inc. and Direct Edge ECN LLC (settled action: October 13, 2011), available at: https://www.sec.gov/litigation/admin/2011/34-65556.pdf (‘‘Direct Edge Order’’); see also Commission News Release, 2011–208, ‘‘SEC Sanctions Direct Edge Electronic Exchanges and Orders Remedial Measures to Strengthen Systems and Controls’’ (October 13, 2011). EDGX, EDGA, and their affiliated routing broker, Direct Edge ECN LLC (dba DE Route), consented to an Order Instituting Administrative and Cease-and-Desist Proceedings Pursuant to Sections 19(h) and 21C of the Securities Exchange Act of 1934, Making Findings, and Imposing Remedial Sanctions and a Cease-and-Desist Order.

63 See Direct Edge Order, supra note 62, at 3.

64 See also infra note 334 and accompanying text.

65 See ‘‘BATS BZX Exchange Post-Mortem’’ by BATS, March 23, 2012, available at: www.batstrading.com/alerts (accessed July 2, 2012).

66 See ‘‘Post-Mortem for NASDAQ issues related to the Facebook Inc. (FB) IPO Cross on Friday, May 18, 2012’’ by NASDAQ, May 18, 2012, available at: https://www.nasdaqtrader.com/TraderNews.aspx?id=ETA2012-20 (accessed July 2, 2012).

67 The Commission notes that outages have occurred on foreign markets recently as well. See, e.g., Kana Inagaki and Kosaku Narioka, ‘‘Tokyo Tackles Trading Glitch,’’ Wall St. J., February 2, 2012; and Neil Shah and Carrick Mellenkamp, ‘‘London Exchange Paralyzed by Glitch,’’ Wall St. J., September 9, 2008, Europe Business News. See also discussion in infra Section III.C.1.b regarding business continuity planning during October 2012 due to Superstorm Sandy.

68 See, e.g., CF Disclosure Guidance: Topic No. 2, Cybersecurity (October 13, 2011), available at: https://www.sec.gov/divisions/corpfin/guidance/cfguidance-topic2.htm (providing the Division of Corporation Finance’s views regarding disclosure obligations relating to cybersecurity risks and cyber incidents).

69 See Securities Exchange Act Release No. 67802 (September 7, 2012), 77 FR 56697 (September 13, 2012) (File No. 4–652). A webcast of the Roundtable is available at: www.sec.gov/news/otherwebcasts/2012/ttr100212.shtml.

70 See Securities Exchange Act Release No. 67725 (August 24, 2012), 77 FR 52766 (August 30, 2012) (File No. 4–652). The Roundtable included panelists from academia, clearing agencies, national securities exchanges, broker-dealers, and other organizations. Panelists for the first panel were: Dr. Nancy Leveson, Professor of Aeronautics and Astronautics and Engineering Systems, MIT (‘‘MIT’’); Sudhanshu Arya, Managing Director, ITG (‘‘ITG’’); Chris Isaacson, Chief Operating Officer, BATS Exchange (‘‘BATS’’); Dave Lauer, Market Structure and HFT Consultant, Better Markets, Inc. (‘‘Better Markets’’); Jamil Nazarali, Head of Citadel Execution Services, Citadel (‘‘Citadel’’); Lou Pastina, Executive Vice President—NYSE Operations, NYSE (‘‘NYSE’’); Christopher Rigg, Partner—Financial Services Industry, IBM (‘‘IBM’’); and Jonathan Ross, Chief Technology Officer, GETCO LLC (‘‘Getco’’). Panelists for the second panel were: Dr. M. Lynne Markus, Professor of Information and Process Management, Bentley University (‘‘Bentley’’); David Bloom, Head of UBS Group Technology (‘‘UBS’’); Chad Cook, Chief Technology Officer, Lime Brokerage LLC (‘‘Lime’’); Anna Ewing, Executive Vice President and Chief Information Officer, Nasdaq; Albert Gambale, Managing Director and Chief Development Officer, Depository Trust and Clearing Corp. (‘‘DTCC’’); Saro Jahani, Chief Information Officer, Direct Edge (‘‘DE’’); and Lou Steinberg, Chief Technology Officer, TD Ameritrade (‘‘TDA’’). See Technology and Trading: Promoting Stability in Today’s Markets Roundtable — Participant Bios, available at: https://www.sec.gov/news/otherwebcasts/2012/ttr100212-bios.htm. The Roundtable was announced on August 3, 2012, following a report by Knight Capital Group, Inc. (‘‘Knight’’) that, on August 1, 2012, it ‘‘experienced a technology issue at the opening of trading at the NYSE * * * [which was] related to Knight’s installation of trading software and resulted in Knight sending numerous erroneous orders in NYSE-listed securities into the market * * * Knight * * * traded out of its entire erroneous trade position, which * * * resulted in a realized pre-tax loss of approximately $440 million.’’ See Knight Capital Group Provides Update Regarding August 1st Disruption To Routing In NYSE-listed Securities (August 2, 2012), available at: https://www.knight.com/investorRelations/pressReleases.asp?compid=105070&releaseID=1721599. Although the Knight incident highlights the importance of the integrity of broker-dealer systems, the focus of the Roundtable was not limited to broker-dealers. But see infra Section III.G, soliciting comment regarding the potential inclusion of broker-dealers, other than SCI ATSs, in the proposed definition of SCI entity.
Many comment letters specifically recommended improved testing as a way to aid error prevention.75 In addition, several commenters expressed support for a ‘‘kill-switch’’ mechanism that would permit exchanges or other market centers to terminate a firm’s trading activity if such activity was posing a threat to market integrity.76

71 The term ‘‘kill switch’’ is a shorthand expression used by market participants, including Roundtable participants and Roundtable commenters, to refer to mechanisms pursuant to which one or more limits on trading could be established by a trading venue for its participants that, if exceeded, would authorize the trading venue to stop accepting incoming orders from such participant. See also infra note 76 and accompanying text.

72 With regard to quality assurance in particular, Roundtable panelists differed on the role of third parties in providing quality assurance, with some panelists believing that, given the difficulty for an outside party to understand the complex systems of trading firms and other market participants, such a role should be performed by internal staff who are better able to understand such systems, with other panelists opining that it was critical that independent parties provide quality assurance.

73 Panelists urging greater testing in general and industry testing in particular included those from BATS, Better Markets, DE, ITG, Getco, Nasdaq, NYSE, and TDA.

74 See https://www.sec.gov/comments/4-652/4652.shtml, listing and publishing all comment letters received by the Commission with respect to the Roundtable. The letters received cover a broad array of topics, some of which are unrelated to proposed Regulation SCI. This proposing release discusses and references the following letters when relevant to the discussion of proposed Regulation SCI: Letter dated September 5, 2012, from James J. Angel, Ph.D., CFA, Georgetown University and the Wharton School, University of Pennsylvania (‘‘Angel’’); Letter dated September 27, 2012, from Eric Swanson, BATS Global Markets, Inc.; Letter dated October 2, 2012, from Dave Lauer, Market Structure and HFT Consultant, Better Markets (‘‘Better Markets’’); Letter dated October 1, 2012, from Jamil Nazarali, Citadel (‘‘Citadel’’); Letter dated October 23, 2012, from Scott Goebel, Senior Vice President and General Counsel, Fidelity Management & Research Company (‘‘Fidelity’’); Letter dated November 1, 2012, from Arsalan Shahid, Program Director, Financial Information Forum (‘‘FIF’’); Letter dated October 19, 2012, from Courtney Doyle McGuinn, Operations Director, FIX Protocol Ltd. (‘‘FIX’’); Letter dated October 1, 2012, from Elizabeth K. King, Head of Regulatory Affairs, GETCO LLC (‘‘Getco’’); Letter dated October 18, 2012, from Adam Nunes, President, Hudson River Trading LLC (‘‘Hudson’’); Letter dated September 23, 2012, from Patrick J. Healy, CEO, Issuer Advisory Group LLC (‘‘IAG’’); Letter dated October 23, 2012, from Karrie McMillan, General Counsel, Investment Company Institute (‘‘ICI’’); Letter dated October 22, 2012, from James P. Selway III, Managing Director, Head of Liquidity Management, and Sudhanshu Arya, Managing Director, Head of Technology for Liquidity Management, ITG Inc. (‘‘ITG’’); Letter dated September 28, 2012, from Joseph M. Mecane, NYSE Euronext; Richard G. Ketchum, FINRA; Eric Noll, Nasdaq OMX, Inc.; Christopher A. Isaacson, BATS Global Markets, Inc.; Bryan Harkins, DirectEdge; David Herron, Chicago Stock Exchange; Murray Pozmanter, The Depository Trust & Clearing Corporation; Bank of America Merrill Lynch; Citadel LLC; Citigroup Global Markets Inc.; Deutsche Bank Securities Inc.; GETCO; Goldman, Sachs & Co/Goldman Sachs Execution and Clearing; IMC Chicago LLC; ITG, Inc.; Jane Street; J.P. Morgan Securities LLC; RBC Capital Markets, LLC; RGM Advisors, LLC; Two Sigma Securities; UBS Securities LLC; Virtu Financial; Wells Fargo Securities (‘‘Industry Working Group’’); Letter dated September 25, 2012, from R. T. Leuchtkafer (‘‘Leuchtkafer’’); Letter dated August 14, 2012, from Stuart J. Kaswell, Executive Vice President, Managing Director & General Counsel, Managed Funds Association (‘‘MFA’’); Letter dated October 1, 2012, from Richard Gorelick, RGM Advisors, Cameron Smith, Quantlab, and Peter Nabicht, Allston Trading (‘‘RGM’’); Letter dated September 28, 2012, from Nasser A. Sharara, Managing Director, Product Management, Raptor Trading Systems (‘‘Raptor’’); Letter dated October 1, 2012, from Lou Steinberg, Managing Director, Chief Technology Officer, TDA (‘‘TDA’’); Letter dated October 24, 2012, from David Weisberger, Executive Principal, Two Sigma Securities, LLC (‘‘Two Sigma’’).

75 See, e.g., letters from Angel, BATS, Better Markets, Citadel, Fidelity, FIF, FIX, Getco, Hudson, IAG, ICI, ITG, Industry Working Group, Leuchtkafer, MFA, RGM, and Two Sigma, supra note 74. Some of these commenters specifically urged greater integration testing and stated that testing with exchanges and other market centers under simulated market conditions was necessary in today’s extremely fast and interconnected markets. One commenter (Angel) suggested that exchanges operate completely from their backup data centers one day each year to test such systems and market participants’ connectivity to them.
76 See, e.g., letters from Angel, BATS, Citadel, FIF, Getco, IAG, Industry Working Group, MFA, RGM, and Raptor, supra note 74. See also letters from Fidelity, FIX, Hudson and ITG, supra note 74, submitted after the Roundtable, suggesting possible approaches for establishing kill switch criteria. See also supra note 71, describing the use of the term ‘‘kill switch’’ in this release.

77 The Commission notes that Roundtable panelists and commenters offering their views and suggestions generally did so in the context of discussing the market as a whole, rather than focusing on the roles and regulatory status of different types of market participants. However, some commented on the utility of the ARP Inspection Program and suggested that it could be expanded. See, e.g., letter from Leuchtkafer, supra note 74. In addition, the panelists from Getco, Nasdaq, and NYSE also suggested that ARP could be expanded, with the panelist from NYSE in particular advocating that the applicability of any new ARP-related regulations not be limited to SROs. One commenter suggested that the Commission update and formalize the ARP Inspection Program before extending it to other market participants. See letter from Fidelity, supra note 74. This commenter added further that, if the ARP program is extended to other market participants, it should not include a requirement that broker-dealers submit certain information, such as algorithmic code changes, for independent review. See also infra Section III.G, soliciting comment on whether the requirements of proposed Regulation SCI should apply, in whole or in part, to broker-dealers or a subset thereof.

78 See ‘‘NYSE to Remain Open for Trading While Physical Trading Floor and New York Building Close in Accordance with Actions Taken by City and State Officials,’’ (October 28, 2012) (‘‘NYSE Floor Closure Statement’’), available at: https://www.nyse.com/press/1351243407197.html; and ‘‘NYSE Euronext Statement on Closure of U.S. Markets on Monday Oct. 29 and Pending Confirmation on Tuesday, Oct. 30, 2012,’’ (October 28, 2012) (‘‘NYSE Closure Statement’’), available at: https://www.nyse.com/press/1351243418010.html.

79 The NYSE had initially planned to act pursuant to NYSE Rule 49 (Emergency Powers), which permits a designated official of the NYSE, in the event of an emergency (as defined in Section 12(k)(7) of the Exchange Act), to designate NYSE Arca to receive and process bids and offers and to execute orders on behalf of the NYSE. See ‘‘NYSE Contingency Trading Plan in effect for Monday, October 29, 2012,’’ (October 28, 2012) (‘‘Market Operations Update’’), available at: https://markets.nyx.com/nyse/trader-updates/view/11503. The Commission approved NYSE Rule 49 on December 16, 2009. See Securities Exchange Act Release No. 61177 (December 16, 2009), 74 FR 68643 (December 28, 2009) (SR–NYSE–2009–105) (approving proposed rule change by the NYSE relating to the designation of NYSE Arca as the NYSE’s alternative trading facility in an emergency).

80 See, e.g., ‘‘A giant storm and the struggle over closing Wall Street,’’ October 31, 2012, available at: https://www.reuters.com/article/2012/10/31/usstorm-sandy-nyse-insightidUSBRE89T0F920121031. See also, e.g., NYSE Closure Statement, supra note 78.

81 See, e.g., ‘‘Storm Over Wall Street Going Dark,’’ November 12, 2012, available at: https://www.tradersmagazine.com/news/storm-over-wallstreet-going-dark-110526-1.html.

82 See id. See also https://www.sifma.org/services/bcp/industry-testing.

83 See id. and NYSE Floor Closure Statement, supra note 78.

The Commission believes that the information presented at the Roundtable and received from commenters, as broadly outlined above, highlights that quality standards, testing, and improved error response mechanisms are among the issues needing very thoughtful and focused attention in today’s securities markets.77 In formulating proposed Regulation SCI, the Commission has considered the information and views discussed at the Roundtable and received from commenters.

Most recently, the U.S. national securities exchanges closed for two business days in the wake of Superstorm Sandy, a major storm that hit the East Coast of the United States during October 2012, and which caused significant damage in lower Manhattan, among other places.78 Press reports stated that, while the markets planned to open on the first day of the storm (with the NYSE planning to operate under its contingency plan as an electronic-only venue),79 after consultation with market participants, including the Commission and its staff, and in light of concerns over the physical safety of personnel and the possibility of technical issues, the national securities exchanges jointly decided not to open for trading on October 29 and October 30, 2012.80 The market closures occurred even though the securities industry’s annual test of how trading firms, market operators and their utilities could operate through an emergency using backup sites, backup communications, and disaster recovery facilities occurred on October 27, 2012, just two days before the storm.81 According to press reports, the test did not uncover issues that would preclude markets from opening two days later with backup systems, if they so chose.82 In addition, NYSE’s contingency plan was tested seven months prior to the storm, though press reports indicate that a large number of NYSE members did not participate.83 The Commission also has considered the impact of Superstorm Sandy on the securities markets, particularly with respect to business continuity planning and testing, in formulating proposed Regulation SCI.

II. Proposed Codification and Enhancement of ARP Inspection Program

In the Commission’s view, the convergence of several developments—the evolution of the markets to become significantly more dependent upon sophisticated automated systems, the limitations of the existing ARP Inspection Program, and the lessons of recent events—highlight the need to consider an updated and formalized regulatory framework for ensuring that the U.S. securities trading markets develop and maintain systems with adequate capacity, integrity, resiliency, availability, and security, and reinforce the requirement that such systems operate in compliance with the Exchange Act. The Commission is proposing new Regulation SCI because the Commission preliminarily believes that it would further the goals of the national market system and reinforce Exchange Act obligations to require entities important to the functioning of the U.S. securities markets to carefully design, develop, test, maintain, and surveil systems integral to their operations.

Proposed Regulation SCI would replace the two ARP policy statements. Although proposed Regulation SCI would codify in a Commission rule many of the principles of the ARP policy statements with which SROs and other participants in the ARP Inspection Program are familiar, the proposed rule would apply to more entities than the current ARP Inspection Program and would place obligations not currently included in the ARP policy statements on entities subject to the rule.
Specifically, proposed Regulation SCI would apply to ‘‘SCI entities,’’ a term that would include ‘‘SCI SROs,’’ ‘‘SCI ATSs,’’ ‘‘plan processors,’’ and ‘‘exempt clearing agencies subject to ARP.’’84 Further, to help ensure that the proposed rule covers key systems of SCI entities, the proposed rule would define (for purposes of Regulation SCI) the term ‘‘SCI systems’’ to mean those systems of, or operated by or on behalf of, an SCI entity that directly support trading, clearance and settlement, order routing, market data, regulation, or surveillance. In addition, the term ‘‘SCI security systems’’ would include systems that share network resources with SCI systems that, if breached, would be reasonably likely to pose a security threat to such systems.85 The proposed rule also would define several other terms intended to specify what types of systems changes and problems (‘‘SCI events’’) the Commission considers to be most significant and, therefore, preliminarily believes should be covered by the proposed rule’s requirements.

In addition, proposed Regulation SCI would specify the obligations SCI entities would have with respect to covered systems and SCI events. Specifically, proposed Regulation SCI would require that each SCI entity: (1) Establish, maintain, and enforce written policies and procedures reasonably designed to ensure that its SCI systems and, for purposes of security standards, SCI security systems, have levels of capacity, integrity, resiliency, availability, and security, adequate to maintain the SCI entity’s operational capability and promote the maintenance of fair and orderly markets; (2) establish, maintain, and enforce written policies and procedures reasonably designed to ensure that its SCI systems operate in the manner intended; (3) respond to SCI events with appropriate corrective action; (4) report SCI events to the Commission and submit follow-up reports, as applicable; (5) disseminate information regarding certain SCI events to members or participants of the SCI entity; (6) report material systems changes to the Commission; (7) conduct an SCI review of its systems not less than once each calendar year; (8) submit certain periodic reports to the Commission, including a report of the SCI review, together with any response by senior management; (9) mandate participation by designated members or participants in scheduled testing of the operation of the SCI entity’s business continuity and disaster recovery plans, including backup systems, and coordinate such testing on an industry- or sector-wide basis 86 with other SCI entities; and (10) make, keep, and preserve records relating to the matters covered by Regulation SCI, and provide them to Commission representatives upon request. The proposal also would require that an SCI entity submit all required written notifications and reports to the Commission electronically using new proposed Form SCI.

III. Proposed Regulation SCI

A. Overview

The purpose of proposed Regulation SCI is to enhance the Commission’s regulatory supervision of SCI entities and thereby further the goals of the national market system by helping to ensure the capacity, integrity, resiliency, availability, and security, and enhance compliance with federal securities laws and regulations, of automated systems relating to the U.S. securities markets through the formalization of standards to which their automated systems would be held, and a regulatory framework for ensuring more effective Commission oversight of these systems. Proposed Rule 1000(a) sets forth several definitions designed to establish the scope of the new rule. Proposed Rule 1000(b) sets forth the obligations that would be imposed on SCI entities with respect to systems and systems issues. Proposed Rules 1000(c)-(f) set forth recordkeeping and electronic filing requirements and address certain other related matters.

B. Proposed Rule 1000(a): Definitions Establishing the Scope of Regulation SCI

A series of definitions set forth in proposed Rule 1000(a) relate to the scope of proposed Regulation SCI. These include the definitions for ‘‘SCI entity,’’ ‘‘SCI systems,’’ ‘‘SCI security systems,’’ ‘‘SCI event,’’ ‘‘systems disruption,’’ ‘‘systems compliance issue,’’ ‘‘systems intrusion,’’ ‘‘dissemination SCI event,’’ and ‘‘material systems change.’’

1. SCI Entities

Although the ARP policy statements are rooted in Exchange Act requirements, the ARP Inspection Program has developed without the promulgation of Commission rules applicable to SROs or plan processors. Under the ARP Inspection Program, Commission staff conducts inspections of SROs to assess the capacity, integrity, resiliency, availability, and security of their systems.

84 Each of these terms is discussed in detail in Section III.B.1 below.

85 See infra Section III.B.2 for a discussion of the proposed definitions of SCI systems and SCI security systems.

86 See infra Section III.C.7 for a discussion of the terms industry-wide and sector-wide.
These inspections also have historically included the systems of entities that process and disseminate quotation and transaction data on behalf of the Consolidated Tape Association System (‘‘CTA Plan’’), Consolidated Quotation System (‘‘CQS Plan’’), Joint Self-Regulatory Organization Plan Governing the Collection, Consolidation, and Dissemination of Quotation and Transaction Information for Nasdaq-Listed Securities Traded on Exchanges on an Unlisted Trading Privileges Basis (‘‘Nasdaq UTP Plan’’), and Options Price Reporting Authority (‘‘OPRA Plan’’).87 The ARP Inspection Program has also included one exempt clearing agency.88 Pursuant to Rule 301(b)(6) of Regulation ATS, certain aspects of the ARP policy statements apply mandatorily to significant-volume ATSs, as they are currently defined under Regulation ATS.89 However, because no ATSs currently meet the significant-volume thresholds specified in Rule 301(b)(6) of Regulation ATS,90 compliance with the ARP Inspection Program is not mandatory at this time for any ATS.91

Proposed Regulation SCI would provide mandatory uniform requirements for ‘‘SCI entities.’’ Proposed Rule 1000(a) would define ‘‘SCI entity’’ as an ‘‘SCI self-regulatory organization, SCI alternative trading system, plan processor, or exempt clearing agency subject to ARP.’’ The proposed rule also would define each of these terms for the purpose of designating specifically the entities that the Commission preliminarily believes should be subject to the rule.

Proposed Rule 1000(a) would define the term ‘‘SCI self-regulatory organization.’’ The definition of ‘‘SCI self-regulatory organization,’’ or ‘‘SCI SRO,’’ would be consistent with the definition of ‘‘self-regulatory organization’’ set forth in Section 3(a)(26) of the Exchange Act,92 and would cover all national securities exchanges registered under Section 6(b) of the Exchange Act,93 registered securities associations,94 registered clearing agencies,95 and the Municipal Securities Rulemaking Board (‘‘MSRB’’).96 The definition would, however, exclude an exchange that lists or trades security futures products that is notice-registered with the Commission as a national securities exchange pursuant to Section 6(g) of the Exchange Act, as well as any limited purpose national securities association registered with the Commission pursuant to Exchange Act Section 15A(k).97 Accordingly, the definition of SCI SRO in proposed Rule 1000(a) would mandate that all national securities exchanges registered under Section 6(b) of the Exchange Act, all registered securities associations, all registered clearing agencies, and the MSRB, comply with Regulation SCI.98

Proposed Rule 1000(a) would define the term ‘‘SCI alternative trading system,’’ or ‘‘SCI ATS,’’ as an alternative trading system, as defined in § 242.300(a), which during at least four of the preceding six calendar months, had: (1) With respect to NMS stocks—(i) five percent or more in any single NMS stock, and 0.25 percent or more in all NMS stocks, of the average daily dollar volume reported by an effective transaction reporting plan, or (ii) one percent or more, in all NMS stocks, of the average daily dollar volume reported by an effective transaction reporting plan; (2) with respect to equity securities that are not NMS stocks and for which transactions are reported to a self-regulatory organization, five percent or more of the average daily dollar volume as calculated by the self-regulatory organization to which such transactions are reported; or (3) with respect to municipal securities or corporate debt securities, five percent or more of either—(i) the average daily dollar volume traded in the United States, or (ii) the average daily transaction volume traded in the United States.99

As proposed, ATSs would be covered if they met the proposed thresholds for at least four of the preceding six months, which the Commission preliminarily believes is an appropriate time period over which to evaluate the trading volume of an ATS.100 The Commission preliminarily believes that this time period would help ensure that the standards are not so low as to capture ATSs whose volume would still be considered relatively low, but, for example, that may have had an anomalous increase in trading on a given day or small number of days.

The proposed definition would modify the thresholds currently appearing in Rule 301(b)(6) of Regulation ATS that apply to significant-volume ATSs.101 Specifically, the proposed definition would: Use average daily dollar volume thresholds, instead of an average daily share volume threshold, for ATSs that trade NMS stocks or equity securities that are not NMS stocks (‘‘non-NMS stocks’’); use alternative average daily dollar and transaction volume-based tests for ATSs that trade municipal securities or corporate debt securities; lower the volume thresholds applicable to ATSs for each category of asset class; and move the proposed thresholds to Rule 1000(a) of proposed Regulation SCI.

In particular, with respect to NMS stocks, the Commission proposes to change the volume threshold from 20 percent of average daily volume in any NMS stock such that an ATS that trades NMS stocks that meets either of the following two alternative threshold tests would be subject to the requirements of proposed Regulation SCI: (i) Five percent or more in any NMS stock, and 0.25 percent or more in all NMS stocks, of the average daily dollar volume reported by an effective transaction reporting plan; or (ii) one percent or more, in all NMS stocks, of the average daily dollar volume reported by an effective transaction reporting plan.

87 See ARP I Release, supra note 1, at n. 8 and n. 17. Each of the CTA Plan, CQS Plan, Nasdaq UTP Plan, and OPRA Plan, is a ‘‘national market system plan’’ (‘‘NMS Plan’’) as defined under Rule 600(a)(43) of Regulation NMS under the Exchange Act, 17 CFR 242.600(a)(43). Rule 600(a)(55) of Regulation NMS under the Exchange Act, 17 CFR 242.600(a)(55), defines a ‘‘plan processor’’ as ‘‘any self-regulatory organization or securities information processor acting as an exclusive processor in connection with the development, implementation and/or operation of any facility contemplated by an effective national market system plan.’’ Section 3(a)(22)(B) of the Exchange Act, 15 U.S.C. 78c(22)(B), defines ‘‘exclusive processor’’ to mean ‘‘any securities information processor or self-regulatory organization which, directly or indirectly, engages on an exclusive basis on behalf of any national securities exchange or registered securities association, or any national securities exchange or registered securities association which engages on an exclusive basis on its own behalf, in collecting, processing, or preparing for distribution or publication any information with respect to (i) transactions or quotations on or effected or made by means of any facility of such exchange or (ii) quotations distributed or published by means of any electronic system operated or controlled by such association.’’ As a processor involved in collecting, processing, and preparing for distribution transaction and quotation information, the processor of each of the CTA Plan, CQS Plan, Nasdaq UTP Plan, and OPRA Plan meets the definition of ‘‘exclusive processor;’’ and because each acts as an exclusive processor in connection with an NMS Plan, each also meets the definition of ‘‘plan processor’’ under Rule 600(a)(55) of Regulation NMS, as well as proposed Rule 1000(a) of Regulation SCI. For ease of reference, an NMS Plan having a current or future ‘‘plan processor’’ is referred to herein as an ‘‘SCI Plan.’’ The Commission notes that not every processor of an NMS Plan would be a ‘‘plan processor,’’ as proposed to be defined in Rule 1000(a), and therefore not every processor of an NMS Plan would be an SCI entity subject to the requirements of proposed Regulation SCI. For example, the processor of the Symbol Reservation System associated with the National Market System Plan for the Selection and Reservation of Securities Symbols (File No. 4–533) would not be a ‘‘plan processor’’ subject to Regulation SCI because it does not meet the ‘‘exclusive processor’’ statutory definition, as it is not involved in collecting, processing, and preparing for distribution transaction and quotation information.

88 See infra notes 133–135 and accompanying text.

89 See 17 CFR 242.301(b)(6). See also supra note 26.

90 17 CFR 242.301(b)(6).

91 One ATS currently participates voluntarily in the ARP Inspection Program, though, in the past, other ATSs have also participated in the ARP Inspection Program.

92 See 15 U.S.C. 78c(a)(26): ‘‘The term ‘self-regulatory organization’ means any national securities exchange, registered securities association, or registered clearing agency, or (solely for purposes of sections 19(b), 19(c), and 23(b) of this title) the Municipal Securities Rulemaking Board established by section 15B of this title.’’ See infra note 96.

93 Currently, these registered national securities exchanges are: (1) BATS; (2) BATS–Y; (3) BOX; (4) CBOE; (5) C2; (6) CHX; (7) EDGA; (8) EDGX; (9) ISE; (10) MIAX; (11) Nasdaq OMX BX; (12) Nasdaq OMX Phlx; (13) Nasdaq; (14) NSX; (15) NYSE; (16) NYSE MKT; and (17) NYSE Arca.

94 FINRA is the only registered national securities association.

95 Currently, there are seven clearing agencies (Depository Trust Company (‘‘DTC’’); Fixed Income Clearing Corporation (‘‘FICC’’); National Securities Clearing Corporation (‘‘NSCC’’); Options Clearing Corporation (‘‘OCC’’); ICE Clear Credit; ICE Clear Europe; and CME) with active operations that are registered with the Commission. See also infra notes 133–135 and accompanying text. The Commission notes that it recently adopted Rule 17Ad–22, which requires registered clearing agencies to have effective risk management policies and procedures in place. See Securities Exchange Act Release No. 68080 (October 22, 2012), 77 FR 66220 (November 2, 2012). Among other things, Rule 17Ad–22(d)(4) requires that registered clearing agencies ‘‘[i]dentify sources of operational risk and minimize them through the development of appropriate systems, controls, and procedures; implement systems that are reliable, resilient and secure, and have adequate, scalable capacity; and have business continuity plans that allow for timely recovery of operations and fulfillment of a clearing agency’s obligations.’’ In its adopting release, the Commission stated that Rule 17Ad–22(d)(4) ‘‘* * * complements the existing guidance provided by the Commission in its Automation Review Policy Statements and the Interagency White Paper on Sound Practices to Strengthen the Resilience of the U.S. Financial System.’’ Similarly, the Commission preliminarily believes that proposed Regulation SCI, to the extent it addresses areas of risk management similar to those addressed by Rule 17Ad–22(d)(4), complements Rule 17Ad–22(d)(4). See also infra note 203.

96 15 U.S.C. 78c(a)(26). See also supra note 92. Historically, the ARP Inspection Program has not included the MSRB, but instead has focused on entities having trading, quotation and transaction reporting, and clearance and settlement systems more closely connected to the equities and options markets. In considering the entities that should be subject to proposed Regulation SCI, the Commission preliminarily believes that it would be appropriate to apply proposed Regulation SCI to all SROs (subject to the exception noted in infra note 97), of which the MSRB is one, particularly given the fact that the MSRB is the only SRO relating to municipal securities and is the sole provider of consolidated market data for the municipal securities market. Specifically, in 2008, the Commission amended Rule 15c2–12 to designate the MSRB as the single centralized disclosure repository for continuing municipal securities disclosure. In 2009, the MSRB established the Electronic Municipal Market Access system (‘‘EMMA’’). EMMA now serves as the official repository of municipal securities disclosure, providing the public with free access to relevant municipal securities data, and is the central database for information about municipal securities offerings, issuers, and obligors. Additionally, the MSRB’s Real-Time Transaction Reporting System (‘‘RTRS’’), with limited exceptions, requires municipal bond dealers to submit transaction data to the MSRB within 15 minutes of trade execution, and such near real-time post-trade transaction data can be accessed through the MSRB’s EMMA Web site. While pre-trade price information is not as readily available in the municipal securities market, the Commission’s Report on the Municipal Securities Market also recommends that the Commission and MSRB explore the feasibility of enhancing EMMA to collect best bids and offers from material ATSs and make them publicly available on fair and reasonable terms. See Report on the Municipal Securities Market (July 31, 2012), available at: https://www.sec.gov/news/studies/2012/munireport073112.pdf.

97 See 15 U.S.C. 78f(g); 15 U.S.C. 78o–3(k). These entities are security futures exchanges and the National Futures Association, for which the CFTC serves as their primary regulator. The Commission preliminarily believes that it would be appropriate to defer to the CFTC regarding the systems integrity of these entities.

98 For any SCI SRO that is a national securities exchange, any facility of such national securities exchange, as defined in Section 3(a)(2) of the Exchange Act, 15 U.S.C. 78c(a)(2), also would be covered because such facilities are included within the definition of ‘‘exchange’’ in Section 3(a)(1) of the Exchange Act, 15 U.S.C. 78c(a)(1).

99 Proposed Regulation SCI includes specific quantitative requirements, such as proposed Rule 1000(a), which would include numerical thresholds in the definition of SCI ATS. The Commission recognizes that the specificity of each such quantitative threshold could be read by some to imply a definitive conclusion based on quantitative analysis of that threshold and its alternatives. The numerical thresholds in the definition of SCI ATS have not been derived from econometric or mathematical models. Instead, they reflect a preliminary assessment by the Commission, based on qualitative and some quantitative analysis, of the likely economic consequences of the specific quantitative thresholds proposed to be included in the definition. There are a number of challenges presented in conducting such a quantitative analysis in a robust fashion as discussed in this section. Accordingly, the selection of the particular quantitative thresholds for the definition of SCI ATS reflects a qualitative and preliminary quantitative assessment by the Commission regarding the appropriate thresholds. In making such assessments and, in turn, selecting the proposed quantitative thresholds, the Commission has reviewed data from OATS and other sources. The Commission emphasizes that it invites comment, including relevant data and analysis, regarding all aspects of the various quantitative standards reflected in the proposed rules.

100 The proposed measurement period would remain unchanged from the period currently in Rule 301(b)(6) of Regulation ATS.

101 17 CFR 242.301(b)(6). See also supra note 26.
This change is designed to ensure that proposed Regulation SCI is applied to an ATS that could have a significant impact on the NMS stock market as a whole, as well as an ATS that could have a significant impact on a single NMS stock and some impact on the NMS stock market as a whole at the same time.102 Specifically, by imposing both a single NMS stock threshold and an all NMS stocks threshold in (i) above, proposed Regulation SCI would not apply to an ATS that has a large volume in a small NMS stock and little volume in all other NMS stocks. Based on data collected from FINRA’s Order Audit Trail System (‘‘OATS data’’) for one week of trading in May 2012,103 the Commission preliminarily believes that approximately 10 ATSs trading NMS stocks would exceed the proposed thresholds and fall within the definition of SCI entity, accounting for approximately 87 percent of the dollar volume market share of all ATSs trading NMS stocks. The Commission notes that its analysis of the OATS data does not reveal an obvious threshold level above which a particular subset of ATSs may be considered to have a significant impact on individual NMS stocks or the overall market, as compared to another subset of ATSs. The Commission preliminarily believes that inclusion of the proposed dual dollar volume threshold is appropriate to help prevent an ATS from avoiding the requirements of proposed Regulation SCI by circumventing one of the two threshold tests. The Commission also preliminarily believes that a threshold that accounts for 87 percent of the dollar volume market share of all ATSs trading NMS stocks is a reasonable level that would not exclude new entrants to the ATS market.104 Moreover, the Commission preliminarily believes the proposed thresholds would appropriately include ATSs having NMS stock dollar volume comparable to the NMS stock dollar volume of the equity exchanges that are SCI SROs and therefore covered by proposed Regulation SCI.105

Since the time that the Commission originally adopted Regulation ATS, the equity markets have evolved significantly, resulting in an increase in the number of trading centers and a reduction in the concentration of trading activity.106 As such, even smaller trading centers, such as certain ATSs, now collectively represent a significant source of liquidity for NMS stocks and, by comparison, no single registered securities exchange executes more than 20 percent of volume in NMS stocks.107 Given these developments in market structure, the Commission preliminarily believes that setting the average daily dollar volume threshold for NMS stocks at five percent in any NMS stock and 0.25 percent in all NMS stocks, or one percent in all NMS stocks, is appropriate to help ensure that entities that have determined to participate (in more than a limited manner) in the national market system as markets that bring buyers and sellers together, are subject to the requirements of proposed Regulation SCI. In addition, the Commission preliminarily believes that it is appropriate to propose average daily dollar volume thresholds for NMS stocks, rather than average daily share volume thresholds, because, by using dollar volume, the price level of a stock will not skew an ATS’s inclusion or exclusion from the definition of SCI entity, as may be the case when using share volume, and the use of dollar thresholds may better reflect the economic impact of trading activity.108 In sum, the Commission preliminarily believes that the proposed dollar volume thresholds for NMS stocks would further the goals of the national market system by ensuring that ATSs that meet the thresholds are subject to the same baseline standards as other SCI entities for systems capacity, integrity, resiliency, availability, and security.

102 Under the proposed thresholds, inactive ATSs would not be included in the definition of SCI ATS. The Commission has considered barriers to entry and the promotion of competition in setting the threshold (see discussion at infra Section V.C.4.b) such that new ATSs trading NMS stocks would be able to commence operations without, at least initially, being required to comply with—and thereby not incurring the costs associated with—proposed Regulation SCI. If the proposed thresholds are adopted, a new ATS could engage in limited trading in any one NMS stock or all NMS stocks, until it reached an average daily dollar volume of five percent or more in any one NMS stock and 0.25 percent or more in all NMS stocks, or one percent in all NMS stocks, over four of the preceding six months. Because a new ATS could begin trading in NMS stocks for at least three months (i.e., less than four of the preceding six months), and conduct such trading at any dollar volume level without being subject to proposed Regulation SCI, and would have to exceed the specified volume levels for the requisite period to become so subject, the Commission preliminarily believes that these proposed thresholds should not prevent a new ATS entrant from having the opportunity to initiate and develop its business.

103 Commission staff analyzed OATS data for the week of May 7–11, 2012, a week with average market activity and no holidays or shortened trading days, and thus intended to be a representative trading week. However, because the OATS data analysis does not consider trading volume over a six-month period and does not base the threshold test on four out of the preceding six calendar months as prescribed in proposed Rule 1000(a), it may overestimate the number of ATSs that would meet the proposed thresholds. For example, a large block trade during a single week could skew an ATS’s numbers upward from what would be observed over the course of the four months with the highest volumes during a six-month period, particularly with respect to the proposed single-stock threshold. In addition, because the OATS data does not identify all ATSs and does not identify some ATSs uniquely, some ATSs may not be accounted for in the estimated number of ATSs that would meet the proposed threshold. Nevertheless, the Commission believes the analysis of OATS data offers useful insights.

104 The Commission preliminarily believes that the remaining 13 percent of the dollar volume of all ATSs trading NMS stocks is limited to trading conducted on small and new ATSs. See also supra note 102.

105 For example, based on trade and quotation data published by NYSE Euronext for the period July 1, 2012 through December 31, 2012, the national securities exchanges with the smallest market shares in NMS stocks (based on average daily dollar volume) had market shares slightly above and, in one case, below, the proposed 0.25 percent threshold in all NMS stocks (the market shares of CBOE, NSX, and NYSE MKT were approximately 0.44 percent, 0.27 percent, and 0.06 percent, respectively). Further, all national securities exchanges that trade NMS stocks had at least 5 percent or more of the average daily dollar volume in at least one NMS stock, with most exceeding such threshold for multiple NMS stocks.

106 See supra notes 47–51 and accompanying text.
With respect to non-NMS stocks, municipal securities, and corporate debt securities, the Commission is proposing to lower the current thresholds in Rule 301(b)(6) of Regulation ATS. Specifically, the Commission is proposing to reduce the standard from 20 percent to five percent for these types of securities,109 the same percentage threshold for such types of securities that triggers the fair access provisions of Rule 301(b)(5) of Regulation ATS.110 The Commission preliminarily believes that ATSs that trade non-NMS stocks, municipal securities, and corporate debt securities above the proposed 107 See supra note 47. example, if a threshold is based on the average daily share volume in all NMS stocks, an ATS that transacts in a stock that has recently been through a stock split could experience a significant increase in its share volume (or, for reverse stock splits, a decrease in its share volume), whereas the dollar value transacted would remain the same. 109 See proposed Rule 1000(a). As discussed in this Section III.B.1, the thresholds in proposed Rule 1000(a) would be based on average daily dollar or transaction volume. 110 See Rule 301(b)(5) of Regulation ATS under the Exchange Act. 17 CFR 242.301(b)(5). 108 For E:\FR\FM\25MRP3.SGM 25MRP3 Federal Register / Vol. 78, No. 57 / Monday, March 25, 2013 / Proposed Rules thresholds are those that play a significant role in the market for such securities and thus preliminarily believes that the proposed thresholds are appropriately designed. With respect to non-NMS stocks for which transactions are reported to a self-regulatory organization, the Commission proposes to lower the threshold to five percent or more of the average daily dollar volume as calculated by the self-regulatory organization to which such transactions are reported. 
Using data from the first six months of 2012, the Commission believes that an ATS executing transactions in non-NMS stocks at a level exceeding five percent of the average daily dollar volume traded in the United States would be executing trades at a level exceeding $31 million daily.111 Based on data collected from Form ATS–R for the second quarter of 2012, the Commission estimates that two ATSs would exceed this threshold and fall within the definition of SCI entity. The Commission requests comment on the accuracy of these estimates. With respect to municipal securities and corporate debt securities, the Commission proposes to lower the threshold to five percent or more of either: (i) The average daily dollar volume 112 traded in the United States; or (ii) the average daily transaction volume traded in the United States. The Commission preliminarily believes that this two-pronged threshold is appropriate for the debt market, as it should capture both ATSs that are focused on retail orders and facilitate a relatively greater number of trades with relatively lower dollar values, as well as those ATSs that are focused on institutional orders and facilitate a relatively lower number of trades with relatively greater dollar values. The Commission preliminarily believes that both of these thresholds are important in identifying ATSs that play a significant role in the debt markets for executing both retail- and institutional-sized trades.113

111 Source: Data provided by OTC Markets.

112 As with the proposed measures for ATSs that trade NMS stocks or non-NMS stocks, the Commission is proposing to use average daily dollar volume for debt securities, which the Commission preliminarily believes is the measure most commonly used when analyzing daily trading volume in the debt markets.

113 Most corporate and municipal bond trades are small (i.e., less than $100,000), but small trades do not account for most of the dollar volume in these markets.
See, e.g., Edwards, Amy K., Harris, Lawrence and Piwowar, Michael S., Corporate Bond Market Transaction Costs and Transparency, Journal of Finance, Vol. 62, No. 3 (June 2007) and Lawrence E. Harris and Michael S. Piwowar, Secondary Trading Costs in the Municipal Bond Market, J.FIN. (June 2006). An ATS that specializes in large trades may account for a small portion of the trades but a large portion of the dollar volume. Likewise, an ATS that specializes in small trades may account for a small portion of the dollar volume but a large portion of the trades.

Using data from the first six months of 2012, the Commission believes that an ATS executing transactions in municipal securities at a level exceeding five percent of the average daily dollar volume traded in the United States would be executing trades at a level of at least approximately $550 million daily,114 and that an ATS executing transactions in municipal securities at a level exceeding five percent of the average daily transaction volume traded in the United States would be executing an average of at least approximately 1,900 transactions daily.115 Based on data collected from Form ATS–R for the second quarter of 2012, the Commission preliminarily believes that currently no ATSs executing transactions in municipal securities would exceed the proposed average daily dollar volume threshold and fall within the definition of SCI entity pursuant to that proposed prong. ATSs are not required to report transaction volume data for municipal securities on Form ATS–R. However, based on discussions with industry sources, the Commission preliminarily believes that three ATSs executing transactions in municipal securities would likely exceed the proposed average daily transaction volume
threshold.116 The Commission requests comment on the accuracy of these estimates.

Therefore, a systems disruption, systems compliance issue, or systems intrusion in either of these ATS types could potentially disrupt a large portion of the market. As the Commission stated in the ATS Release, ‘‘many of the same concerns about the trading of equity securities on alternative trading systems apply equally to the trading of fixed income securities on alternative trading systems. Specifically, it is important that markets with significant portions of the volume in particular instruments have adequate systems capacity, integrity, and security, regardless of whether those instruments are equity securities or debt securities. Similarly, as electronic systems for debt grow, it will become increasingly important for the fair operation of our markets for market participants to have fair access to significant market centers in debt securities. One of the consequences of the growing role of alternative trading systems in the securities markets generally is that debt securities are increasingly being traded on these systems, similar to the way equity securities are traded.’’ See ATS Release, supra note 2, at 70862.

114 For the period of January 1, 2012 to June 30, 2012, the average daily dollar volume of trades was over $11 billion. See https://emma.msrb.org/marketactivity/ViewStatistics.aspx (accessed January 30, 2013). Five percent of this amount is approximately $550 million.

115 For the period of January 1, 2012 to June 30, 2012, the average daily transaction volume was approximately 39,000. See https://emma.msrb.org/marketactivity/ViewStatistics.aspx (accessed January 30, 2013). Five percent of this amount is approximately 1,900 trades.
116 See, e.g., the Commission’s Report on the Municipal Securities Market, supra note 96 at n.715. The Commission preliminarily believes that the three ATSs that would likely exceed the proposed average daily transaction volume threshold for municipal securities are the same three ATSs that would likely exceed the corresponding threshold for corporate debt securities. See infra note 119.

Using data from the first six months of 2012, the Commission believes that an ATS executing transactions in corporate debt at a level exceeding five percent of the average daily dollar volume traded in the United States would be executing trades at a level of at least approximately $900 million daily,117 and that an ATS executing transactions in corporate debt at a level exceeding five percent of the average daily transaction volume traded in the United States would be executing an average of at least approximately 2,100 transactions daily.118 Based on data collected from Form ATS–R for the second quarter of 2012, the Commission preliminarily believes that currently no ATSs executing transactions in corporate debt would exceed the proposed average daily dollar volume threshold and fall within the definition of SCI entity pursuant to that proposed prong. ATSs are not required to report transaction volume data for corporate debt on Form ATS–R. However, based on discussions with industry sources, the Commission preliminarily believes that three ATSs executing transactions in corporate debt would likely exceed the proposed average daily transaction volume threshold.119 The Commission requests comment on the accuracy of these estimates. The Commission is proposing these numerical thresholds as a preliminary best estimate of when a market is of sufficient significance to the trading of the relevant asset class (i.e., NMS stocks, non-NMS stocks, municipal securities, and corporate debt securities) as to warrant the protections and obligations of proposed Regulation SCI. As noted
above,120 the numerical thresholds in the definition of SCI ATS have not been derived from econometric or mathematical models. Instead, they reflect a preliminary assessment by the Commission, based on qualitative and some quantitative analysis, of the likely economic consequences of the specific quantitative thresholds proposed to be included in the definition. The Commission recognizes that there may reasonably be differing views as to what the threshold levels for inclusion should be and thus the Commission solicits comment on the appropriateness of the proposed threshold levels. The Commission recognizes that it is proposing numerically higher thresholds for non-NMS stocks, municipal securities, and corporate debt securities as compared to NMS stocks (five percent, as compared to one percent in all NMS stocks).

117 For the period of January to June 2012, the average daily dollar volume was approximately $18 billion. Five percent of this amount is approximately $900 million. See U.S. Bond Market Trading Volume, available at: https://www.sifma.org/research/statistics.aspx.

118 Source: Corporate bond transactions reported to TRACE from January through June 2012, excluding instruments subject to Rule 144A and April 6, 2012 (short trading day).

119 As noted above, the Commission preliminarily believes that the three ATSs that would likely exceed the proposed average daily transaction volume threshold for corporate debt securities are the same three ATSs that would likely exceed the corresponding threshold for municipal securities. See supra note 116.
120 See supra note 99.

121 See, e.g., Regulation NMS, 17 CFR 242.600–612; Securities Exchange Act Release No. 51808 (June 9, 2005), 70 FR 27496 (June 29, 2005).

While the Commission preliminarily believes that similar concerns about the trading of NMS stocks on ATSs apply to the trading of non-NMS stocks and debt securities on ATSs (namely, that markets with significant portions of the volume in particular instruments have adequate systems capacity, integrity, resiliency, availability, and security), the Commission notes that it has traditionally provided special safeguards with regard to NMS stocks in its rulemaking efforts relating to market structure.121 Further, in part due to the greater availability of, and reliance on, electronic trading for NMS stocks, the trading of such securities is generally more accessible to a wider range of investors and has resulted in increases in electronic trading volumes relative to 15 years ago, as compared to other markets, such as the debt markets, which still largely rely on manual trading. Because the degree of automation and electronic trading is generally lower in markets that trade non-NMS stocks and debt securities than in the markets that trade NMS stocks, the Commission preliminarily believes that a systems issue at an SCI entity that trades non-NMS stocks or debt securities would not have as significant an impact as readily as a systems issue at an SCI entity that trades NMS stocks. Therefore, the Commission preliminarily believes there is less need in the markets for those securities for more stringent thresholds that would trigger the requirements of proposed
Regulation SCI.122 For example, the most recent widely publicized issues involving systems problems and disruptions in the securities markets have generally all been related to NMS stocks.123 The Commission also believes that imposition of a threshold that is set too low in markets that lack automation could have the unintended effects of discouraging automation in these markets and discouraging new entrants into these markets. For these reasons, the Commission preliminarily believes that it is appropriate at this time to apply a different threshold to ATSs trading NMS stocks than those ATSs trading non-NMS stocks, municipal securities, and corporate debt securities.

122 See also discussion in infra Section V.C.3.c.

Under Proposed Rule 1000(a), the term ‘‘plan processor’’ would have the meaning set forth in Rule 600(b)(55) of Regulation NMS, which defines ‘‘plan processor’’ as ‘‘any self-regulatory organization or securities information processor acting as an exclusive processor in connection with the development, implementation and/or operation of any facility contemplated by an effective national market system plan.’’ 124 As noted above, the ARP Inspection Program has developed to include the systems of the plan processors of the four current SCI Plans.125 Any entity selected as the processor of an SCI Plan is responsible for operating and maintaining computer and communications facilities for the receipt, processing, validating, and dissemination of quotation and/or last sale price information generated by the members of such plan.126 Although an entity selected as the processor of an SCI Plan acts on behalf of a committee of SROs, such entity is not required to be an SRO, nor is it required to be owned or operated by an SRO.127 The Commission believes, however, that the systems of such entities, because they deal with key market data, form the ‘‘heart of the national market
system,’’ 128 and should be subject to the same systems standards as SCI SROs, and proposes to include ‘‘plan processors’’ in the definition of SCI entity.129 Pursuant to its terms, each SCI Plan is required to periodically review its selection of its processor, and may in the future select a different processor for the SCI Plan than its current processor.130 The proposed inclusion of ‘‘plan processors’’ in the definition of SCI entity is designed to ensure that the processor for an SCI Plan, regardless of its identity, is independently subject to the requirements of proposed Regulation SCI.

123 See, e.g., supra notes 61–66 and accompanying text.

124 See 17 CFR 242.600(b)(55).

125 See supra note 87, defining the term ‘‘SCI Plan’’ and discussing plan processors.

126 See, e.g., CTA Plan Section V(d) and CQS Plan Section V(d), available at: https://www.nyxdata.com/cta; see also OPRA Plan, Section V, available at: https://www.opradata.com/pdf/opra_plan.pdf; and Nasdaq UTP Plan Section IV, available at: https://www.utpplan.com.

127 Pursuant to Section 11A of the Exchange Act (15 U.S.C. 78k–1), and Rule 609 of Regulation NMS thereunder (17 CFR 242.609), such entities, as ‘‘exclusive processors,’’ are required to register with the Commission as securities information processors on Form SIP. See 17 CFR 249.1001 (Form SIP, application for registration as a securities information processor or to amend such an application or registration).
128 See Concept Release on Equity Market Structure, supra note 42, at 3600 (quoting H.R. Rep. No. 94–229, 94th Cong., 1st Sess. 93 (1975)).

129 See supra note 87.

130 See CTA Plan Section V(d) and CQS Plan Section V(d), available at: https://www.nyxdata.com/cta; OPRA Plan Section V, available at: https://www.opradata.com/pdf/opra_plan.pdf; and Nasdaq UTP Plan Section V, available at: https://www.utpplan.com.

131 Currently, the Securities Industry Automation Corporation (‘‘SIAC’’) is the processor for the CTA Plan, CQS Plan, and OPRA Plan and Nasdaq is the processor for the Nasdaq UTP Plan. SIAC is wholly owned by NYSE Euronext. Both SIAC and Nasdaq are registered with the Commission as securities information processors, as required by Section 11A(b)(1) of the Exchange Act, 15 U.S.C. 78k–1(b)(1), and in accordance with Rule 609 of Regulation NMS thereunder, 17 CFR 242.609.

Thus, the proposed definition would cover any entity selected as the processor for a current or future SCI Plan.131 The Commission preliminarily believes that it is important for such plan processors to be subject to the requirements of proposed Regulation SCI because of the important role they serve in the national market system: Operating and maintaining computer and communications facilities for the receipt, processing, validating, and dissemination of quotation and/or last sale price information generated by the members of the plan.132 Under proposed Rule 1000(a), the term ‘‘exempt clearing agency subject to ARP’’ would mean ‘‘an entity that has received from the Commission an exemption from registration as a clearing agency under Section 17A of the Act, and whose exemption contains conditions that relate to the Commission’s Automation Review Policies, or any Commission regulation that supersedes or replaces such policies.’’ This proposed definition of
‘‘exempt clearing agency subject to ARP’’ presently would apply to one entity, Global Joint Venture Matching Services—US, LLC (‘‘Omgeo’’).133 Among the operational conditions required by the Commission in the Omgeo Exemption Order were several that directly related to the ARP policy statements.134 For the same reasons that it required Omgeo to abide by the conditions relating to the ARP policy statements set forth in the Omgeo Exemption Order, the Commission preliminarily believes it would be appropriate that Omgeo (or any similarly situated exempt clearing agency) should be subject to the requirements of proposed Regulation SCI, and thus is proposing to include any ‘‘exempt clearing agency subject to ARP’’ as explained above, within the definition of SCI entity.135

Request for Comment

1. The Commission requests comment generally on the proposed definition of SCI entity and its constituent parts. Do commenters believe that entities of the type that would satisfy the proposed definition of SCI entity play significant roles in the U.S. securities markets such that they should be subject to proposed Regulation SCI? Why or why not?

2. Do commenters believe the scope of the proposed definition of SCI SRO is appropriate?

The Commission preliminarily believes that the proposed definition of plan processor also would include any entity selected and acting as exclusive processor of a future NMS plan, such as that contemplated by the Commission’s rules to create a consolidated audit trail. See Securities Exchange Act No. 67457 (July 18, 2012), 77 FR 45722 (August 1, 2012) (‘‘Consolidated Audit Trail Adopting Release’’).

132 See supra note 126 and accompanying text.
133 On April 17, 2001, the Commission issued an order granting Omgeo an exemption from registration as a clearing agency subject to certain conditions and limitations in order that Omgeo might offer electronic trade confirmation and central matching services. See Global Joint Venture Matching Services—US, LLC; Order Granting Exemption from Registration as a Clearing Agency, Securities Exchange Act Release No. 44188 (April 17, 2001), 66 FR 20494 (April 23, 2001) (File No. 600–32) (‘‘Omgeo Exemption Order’’). Because the Commission granted it an exemption from clearing agency registration, Omgeo is not a self-regulatory organization. See id. at 20498, n.41.

134 These conditions required Omgeo to, among other things: Provide the Commission with an audit report addressing all areas discussed in the Commission ARP policy statements; provide annual reports prepared by competent, independent audit personnel in accordance with the annual risk assessment of the areas set forth in the ARP policy statements; report all significant systems outages to the Commission; provide advance notice of any material changes made to its electronic trade confirmation and central matching services; and respond and require its service providers to respond to requests from the Commission for additional information relating to its electronic trade confirmation and central matching services, and provide access to the Commission to conduct inspections of its facilities, records and personnel related to such services. See id.

135 In the Omgeo Exemption Order, the Commission stated that, ‘‘[b]ecause these conditions are designed to promote interoperability, the Commission intends to require substantially the same conditions of other Central Matching Services that obtain an exemption from registration as a clearing agency.’’ See id.

Does the proposed
definition of SCI SRO include types of entities that should not be subject to the proposed requirements, or exclude types of entities that should be subject to the proposed requirements? If so, please identify such types of entities and explain why they should or should not be included in the definition of SCI entity or SCI SRO. Should the definition of ‘‘SCI self-regulatory organization’’ include exchanges notice-registered with the Commission pursuant to 15 U.S.C. 78f(g) or a limited purpose national securities association registered with the Commission pursuant to 15 U.S.C. 78o–3(k)? Do commenters believe that it is appropriate to defer to the CFTC regarding the systems compliance and integrity of such entities? Why or why not?

3. Do commenters believe that the proposed definition of ‘‘SCI alternative trading system’’ is appropriate? Why or why not? Do commenters believe that the proposed volume thresholds for the different asset classes under the proposed definition of SCI ATS are appropriate? Specifically, are the proposed average daily dollar volume thresholds of five percent or more in any NMS stock and 0.25 percent or more in all NMS stocks, or one percent or more in all NMS stocks, appropriate? Would higher or lower daily dollar volume thresholds for NMS stocks be more appropriate? 136 Please explain and provide data in support. Alternatively, would a different threshold measurement be more appropriate (e.g., transaction volume, share volume, etc.)? If so, which and at what threshold level? 137 Please explain and provide data in support.
4. The Commission notes that, unlike the threshold levels applicable to NMS stocks currently in Rule 301(b)(6) of Regulation ATS, the proposed thresholds for NMS stocks are based on average daily dollar volume in an individual NMS stock and/or all NMS stocks. Do commenters believe that these are appropriate standards? Why or why not? If not, what should be the appropriate standard, and why?

136 For example, based on data from FINRA’s Order Audit Trail System, if the threshold were instead to be set at five percent or more in any NMS stock and 0.5 percent or more in all NMS stocks, the Commission preliminarily estimates that approximately nine ATSs would satisfy the thresholds, accounting for approximately 84 percent of the dollar-volume market share of all ATSs trading NMS stocks (i.e., not including NMS stocks traded on SROs). If the threshold were instead to be set at five percent or more in any NMS stock and one percent or more in all NMS stocks, the Commission preliminarily estimates that approximately three ATSs would satisfy the thresholds, accounting for approximately 38 percent of the market share. Further, if the threshold were instead to be set at 0.25 percent in all NMS stocks, the Commission preliminarily estimates that approximately ten ATSs would satisfy the threshold. If the threshold were instead to be set at 0.5 percent in all NMS stocks, the Commission preliminarily estimates that approximately nine ATSs would satisfy the threshold.

137 For example, based on data collected from Form ATS–R for the second quarter of 2012 and consolidated NMS stock share volume from the first six months of 2012, if the threshold were instead to be set at 0.25 percent of average daily NMS stock consolidated share volume, the Commission
preliminarily estimates that approximately 15 ATSs would satisfy the threshold, accounting for approximately 14 percent of the total average daily consolidated share volume. If the threshold were instead to be set at 0.5 percent of average daily NMS stock consolidated share volume, the Commission preliminarily estimates that approximately 12 ATSs would satisfy the threshold, accounting for approximately 13 percent of the total average daily consolidated share volume.

Do commenters believe the proposed thresholds of five percent or more in any NMS stock and 0.25 percent or more in all NMS stocks would prevent a situation in which an ATS that has a large volume in one NMS stock and little volume in other NMS stocks would be covered by proposed Regulation SCI? How common is it for an ATS to trade illiquid NMS stocks without also trading more liquid NMS stocks? Please provide any data relevant to this question.

5. Should the SCI ATS thresholds be triggered only with respect to certain NMS stocks, for example, only with respect to the most liquid NMS stocks? If so, how should the Commission define the ‘‘most liquid’’ NMS stocks? For example, should the thresholds be triggered only for the 500 most liquid NMS stocks? The 100 most liquid NMS stocks? Another amount? Why or why not? Please describe your reasoning. Further, what would be the appropriate threshold measurement (e.g., average daily share volume, average daily dollar volume, or another measurement)? Please explain.

6. Is the proposed five percent threshold level appropriate for non-NMS stocks, municipal securities (approximately $550 million in daily dollar volume or 1,900 in daily transaction volume based on data from the first six months of 2012), and corporate debt securities (approximately $900 million in daily dollar volume or 2,100 in daily transaction volume based
on data from the first six months of 2012)? Why or why not? Please explain and provide data in support. If not, what should be the appropriate thresholds and why?

If the threshold were instead to be set at one percent of average daily NMS stock consolidated share volume, the Commission preliminarily estimates that approximately 6 ATSs would satisfy the threshold, accounting for approximately nine percent of the total average daily consolidated share volume. Based on consolidated NMS stock share volume from the first six months of 2012, the Commission estimates that the equity securities exchanges with the smallest volume each account for approximately 0.2 percent to 0.4 percent of the total average daily consolidated share volume.

7. As with NMS stocks, the proposed five percent thresholds for non-NMS stocks are to be calculated by reference to daily dollar volume, though the proposed threshold would only be with reference to all such stocks (as opposed to average daily dollar volume in individual NMS stocks and/or all NMS stocks). Do commenters believe that this is the appropriate standard for non-NMS stocks? Why or why not?

8. Do commenters agree with the Commission’s assessment that there is less automation among markets that trade non-NMS stocks, municipal securities, and corporate debt securities as compared to markets that trade NMS stocks? Why or why not? What is the current level of automation in these markets?

9. Do commenters believe that there should be different thresholds for NMS stocks than non-NMS stocks, municipal securities, and corporate debt securities? Why or why not? Do commenters believe that the proposed two-pronged thresholds are appropriate for municipal securities and corporate debt securities? Why or why not?
Would the proposed two-pronged approach be relevant or appropriate for securities other than municipal and corporate debt securities? Why or why not?

10. Do commenters believe that the Commission’s estimates of the current number of ATSs that would meet the proposed thresholds are accurate? Why or why not? If not, please provide any data or estimates that commenters believe would more accurately reflect the number of ATSs that would meet the proposed thresholds.

11. The Commission is also considering whether it should instead adopt a definition for SCI ATS that is based solely on a single type of threshold measurement (such as average daily dollar volume), which would be simpler and provide consistency across different asset classes, rather than the differing types of threshold tests for NMS stocks, non-NMS stocks, municipal securities, and corporate debt securities currently proposed. In particular, the Commission is considering whether it would be appropriate to solely use a threshold based on a percentage of average daily dollar volume for all asset classes. Would a threshold based on a percentage of average daily dollar volume be an appropriate single measure that the Commission should use for all asset classes (i.e., NMS stocks, non-NMS stocks, municipal securities, and corporate debt securities) within the definition of SCI ATS? Why or why not? If so, would it be appropriate for the Commission to adopt the same dollar volume threshold measurement that applies for all of the asset classes? Why or why not? Please explain. If so, what would be an appropriate threshold measurement? For example, would five percent of the asset class’s total average daily dollar volume be appropriate? Should the measurement be higher or lower? Please be specific and explain.
Or, rather than a threshold measurement that is based on a percentage of the asset class’s total average daily dollar volume, would a fixed average daily dollar volume threshold, such as $500 million, be appropriate? If so, should such a threshold be higher or lower than $500 million? Why or why not? Should such a fixed dollar threshold be different for different asset classes? Why or why not? If so, what should such thresholds be for each asset class? Please be specific. What are the advantages and disadvantages of a percentage-based threshold versus a fixed dollar threshold? Please explain.

12. Would it be appropriate for the Commission to adopt a single dollar volume threshold measurement that applies across all asset classes? For example, if an ATS trades both municipal securities and corporate debt securities, should its trading volume in both asset classes be aggregated to determine whether it exceeded the threshold measurement? Why or why not?

13. The proposed SCI ATS thresholds are to be calculated by reference to executions ‘‘during at least four of the preceding six calendar months,’’ the measurement period and method that is currently used in Regulation ATS. Do commenters believe this is the appropriate time frame and method to be included in Regulation SCI? Why or why not? If not, is there a more appropriate approach? If so, what should it be and why?

14. With respect to calculating the proposed thresholds for securities other than NMS stocks (i.e., non-NMS stocks, municipal securities, and corporate debt securities), would ATSs have available appropriate data with which to determine whether the proposed thresholds have been met? FINRA, through its OTC Reporting Facility and its Trade Reporting and Compliance Engine (‘‘TRACE’’) 138 facility, collects data on transactions in non-NMS stocks and corporate debt securities, and the MSRB collects data on transactions in municipal securities.
Do commenters believe that FINRA, the MSRB, or another appropriate entity should be required to disseminate data in a format and frequency sufficient to enable ATSs to determine if they have met the proposed thresholds? Is there another mechanism or structure that could provide data in a format and frequency sufficient to enable ATSs to determine whether the proposed thresholds have been met? Please explain.

15. Are there ATSs or types of ATSs that would satisfy the proposed definition of SCI ATS that commenters believe should not be subject to proposed Regulation SCI? If so, please explain. Are there ATSs or types of ATSs that would not satisfy the proposed definition of SCI ATS that commenters believe should be subject to proposed Regulation SCI? If so, please explain. For example, should ATSs that execute transactions in U.S. treasuries and/or repurchase agreements be subject to proposed Regulation SCI? Why or why not? If a parent company owns multiple ATSs for a given asset class (e.g., NMS stocks), should the trading volumes of these ATSs be aggregated for purposes of determining whether the ATSs exceed the proposed thresholds? Why or why not? If so, how should such aggregation work? What are the advantages or disadvantages of such an approach? Please explain.

16. Do commenters believe that, for purposes of Regulation SCI, the proposed definition of plan processor is appropriate? Why or why not? Is it appropriate to limit the definition of plan processor to entities within the meaning of plan processor in Rule 600(b)(55) of Regulation NMS? Why or why not? Do commenters believe the proposed definition is sufficiently clear? Are there any other entities similar to the plan processors of SCI Plans that commenters believe should be made subject to the requirements of proposed Regulation SCI? If so, please describe and explain why.

17. Do commenters believe that the proposed definition of ‘‘exempt clearing agency subject to ARP’’ is appropriate? Why or why not?
Are there other exempt clearing agencies that should be included in the proposed definition of SCI entity? Why or why not? Is it appropriate to limit the definition of SCI entity with respect to exempt clearing agencies to those with exemptions that contain conditions that relate to the Commission’s Automation Review Policies or any Commission regulation that supersedes or replaces such policies? Why or why not?
18. What are the current practices of the proposed SCI entities with respect to the subject matter covered by the ARP policy statements? How many of them have practices that are consistent with ARP? How do they differ? Please be specific.
138 TRACE is an automated system that, among other things, accommodates reporting and dissemination of transaction reports for over-the-counter secondary market transactions in eligible fixed income securities, in accordance with the FINRA Rule 6700 series.
2. Definition of SCI Systems and SCI Security Systems
The Commission is proposing that Regulation SCI cover the systems of SCI entities, which would include both SCI systems and, where applicable, SCI security systems.
Proposed Rule 1000(a) would define the term ‘‘SCI systems’’ to mean ‘‘all computer, network, electronic, technical, automated, or similar systems of, or operated by or on behalf of, an SCI entity, whether in production, development, or testing, that directly support trading, clearance and settlement, order routing, market data, regulation, or surveillance,’’ and the term ‘‘SCI security systems’’ to mean ‘‘any systems that share network resources with SCI systems that, if breached, would be reasonably likely to pose a security threat to SCI systems.’’ Thus, for purposes of all of the provisions of proposed Regulation SCI, the proposed definition of SCI systems would cover all systems of an SCI entity that directly support trading, clearance and settlement, order routing, market data, regulation, and surveillance. In addition, the proposed definition of SCI security systems is designed to cover other types of systems if they share network resources with SCI systems and, if breached, would be reasonably likely to pose a security threat to SCI systems. Unlike SCI systems, only certain provisions of proposed Regulation SCI would apply to SCI security systems.139
139 Specifically, under proposed Rule 1000(a), SCI security systems are included in the proposed definitions of ‘‘material systems change,’’ ‘‘responsible SCI personnel,’’ ‘‘SCI review,’’ and ‘‘systems intrusion.’’ For purposes of security standards, proposed Rule 1000(b)(1) would also apply to SCI security systems. In addition, with respect to systems intrusions, proposed Rules 1000(b)(3)–(5) would apply to SCI security systems. Further, because of the definitions of material systems change and SCI review, proposed Rules 1000(b)(6) and (7) would apply to SCI security systems. Finally, proposed Rules 1000(c) and (f), relating to recordkeeping and access, respectively, would apply to SCI security systems.
The Commission preliminarily believes that the proposed definition of SCI systems would reach those systems traditionally considered to be core to the functioning of the U.S. securities markets, namely trading, clearance and settlement, order routing, market data, regulation, and surveillance systems.140 The proposed definition would also apply to, for example, such systems of exchange-affiliated routing brokers that are facilities of national securities exchanges or such systems operated on behalf of national securities exchanges. It would also apply to regulatory systems,141 including systems for the regulation of the over-the-counter market, systems used to carry out regulatory services agreements, and similar future systems, including the Consolidated Audit Trail repository.142 In addition, if an SCI entity contracts with a third party to operate its systems (such as those that use execution algorithms) on behalf of the SCI entity, such systems would also be covered by the proposed definition of SCI systems if they directly support trading, clearance and settlement, order routing, market data, regulation, or surveillance. Therefore, systems covered by the proposed definition of SCI systems would not be limited only to those owned by the SCI entity, but also could include those operated by or on behalf of the SCI entity.
Based on Commission staff’s experience with the ARP Inspection Program, the Commission believes that some SCI systems of SCI entities may in some cases be highly interconnected with SCI security systems because the SCI systems and SCI security systems share network resources. As a result, the Commission is concerned that a security issue or systems intrusion with respect to SCI security systems would be reasonably likely to cause an SCI event with respect to SCI systems.
Because certain SCI security systems of an SCI entity may present likely vulnerable entry points to an SCI entity’s network, the Commission preliminarily believes that it is important that the provisions of proposed Regulation SCI relating to security standards and systems intrusions apply to SCI security systems.143 The proposed definition of SCI security systems does not identify the types of systems that would be covered, but rather describes them in terms of their connectivity and potential ability to undermine the integrity of SCI systems. However, examples of SCI security systems that could be highly interconnected with SCI systems and therefore be reasonably likely to pose a threat to SCI systems may include systems pertaining to corporate operations (e.g., systems that support web-based services, administrative services, electronic filing, email capability and intranet sites, as well as financial and accounting systems) that are typically accessed by an array of users (e.g., employees or executives of the SCI entity) authorized to view nonpublic information. In certain cases, such systems would likely offer insight into the vulnerabilities of an SCI entity if they were, for example, accessed by a hacker. The Commission is concerned that the breach of such systems would likely lead to disruption of an SCI entity’s general operations and, ultimately, its market-related activities.
140 See ARP I, supra note 1.
141 SCI entities that are obligated to comply with Section 31 of the Exchange Act (15 U.S.C. 78ee), and Rule 31 thereunder (17 CFR 240.31), employ various systems to generate, process, transmit, or store electronic messages related to securities transactions. Such systems may include matching engines, transaction data repositories, trade reporting systems, and clearing databases.
142 See Consolidated Audit Trail Adopting Release, supra note 131.
143 See supra note 139.
Similarly, systems by which an SCI entity provides a service to issuers, participants, or clients (e.g., transaction services, infrastructure services, and data services) may be accessed by employees or other representatives of the issuer, participant, or client organization, and may, in some instances, provide a point of access (and thus share network resources) to an SCI entity’s SCI systems. Accordingly, the Commission is proposing that the term SCI security systems include any systems that share network resources with SCI systems that, if breached, would be reasonably likely to pose a security threat to SCI systems, but only for the limited provisions of proposed Regulation SCI noted above.144
In light of the above concerns, the proposed definitions of SCI systems and SCI security systems together are intended to reach all of the systems that would be reasonably likely to impact an SCI entity’s operational capability and the maintenance of fair and orderly markets, rather than reaching solely SCI systems. Because of the dependence of today’s securities markets on highly sophisticated electronic trading and other technology, including complex regulatory and surveillance systems, as well as systems relating to clearance and settlement, the provision of market data, and order routing, the Commission preliminarily believes that the proposed definitions of SCI systems and SCI security systems are appropriate to help ensure the capacity, integrity, resiliency, availability, and security of an SCI entity’s systems.
144 See id.
Request for Comment
19. The Commission requests comment generally on the proposed definitions of SCI systems and SCI security systems.
20. Do commenters believe that the proposed definitions appropriately capture the scope of systems of SCI entities that would be reasonably likely to impact the protection of investors and the maintenance of fair and orderly markets? Specifically, do the proposed definitions of SCI systems and SCI security systems capture the components of the critical systems infrastructure of SCI entities in a comprehensive manner? Are the proposed definitions sufficiently clear?
21. Are there any systems of SCI entities that should be included but would not be captured by the proposed definitions? Please explain. Are there any systems of SCI entities that should be excluded from the proposed definitions? Please explain.
22. By including in the proposed definition of ‘‘SCI systems’’ those systems operated ‘‘on behalf of’’ an SCI entity, systems operated by a third party under contract from an SCI entity and systems operated by affiliates of an SCI entity that are utilized by such SCI entity would also be included in the proposed definition of SCI systems. Do commenters agree that such systems should be included? Please explain. Should the requirements under proposed Regulation SCI apply differently to systems that are operated on behalf of an SCI entity? Why or why not? Please explain.
23. Do commenters agree with the proposal to distinguish between SCI systems and SCI security systems for purposes of triggering the various provisions of proposed Regulation SCI? For example, are the requirements that would apply to SCI security systems appropriate? Why or why not? If not, which requirements of proposed Regulation SCI should apply to SCI security systems and why? Should the requirements under proposed Regulation SCI apply differently to different types of systems, as proposed? Or, should SCI security systems be subject to all of the requirements of proposed Regulation SCI? Why or why not?
24. Alternatively, should SCI security systems be excluded entirely from the application of proposed Regulation SCI? Why or why not? The Commission is proposing its approach to distinguish between SCI systems and SCI security systems because it preliminarily believes that the interconnected nature of technology infrastructure today creates the potential for systems other than SCI systems to expose vulnerable points of entry that could lead to a security breach or intrusion into SCI systems. In light of this potential, the Commission is proposing, as discussed further below, that the following provisions of proposed Regulation SCI apply to the SCI security systems of an SCI entity: (1) For purposes only of the policies and procedures relating to systems security, proposed Rule 1000(b)(1) would apply to its SCI security systems; (2) proposed Rules 1000(b)(3)–(5) (relating to SCI events and taking corrective action, Commission notification, and dissemination of information to members or participants, respectively) would apply to SCI security systems only with respect to systems intrusions; and (3) proposed Rule 1000(b)(6) would require an SCI entity to report a material systems change in an SCI security system only to the extent that it materially affects the security of such system.145
25. The goal of this proposed approach is to ensure that SCI systems, as the core systems of an SCI entity, are adequately secure and protected from systems intrusions. However, the Commission recognizes that there may be alternative ways to achieve this goal, including those that do not extend the scope of the proposed rule beyond the core systems that are defined as ‘‘SCI systems,’’ and that focus the Commission’s oversight on those systems.
For example, one alternative would be to limit the scope of the proposed rule to SCI systems, but clarify that policies and procedures reasonably designed to ensure that SCI systems have adequate levels of security necessarily would require an assessment of security vulnerabilities created by other systems that share network resources with SCI systems, and appropriate steps to address those vulnerabilities. Specifically, under such an alternative, the defined term ‘‘SCI security systems,’’ and all references to them and any associated obligations, would be eliminated from the proposed rule text described herein, and clarifying guidance would be provided with respect to the security of SCI systems as noted above. With such an alternative, consideration also would need to be given to whether or not an SCI entity should notify the Commission (and potentially its members or participants) of a systems intrusion with respect to these non-SCI systems, or a systems change that materially impacts the security of such systems. Accordingly, the Commission solicits commenters’ views on this or any other potential alternative approaches that would not include a definition of SCI security systems within the scope of the proposed rule.
145 See infra Sections III.C.1, III.C.3, and III.C.4. In addition, the scope of the applicability of proposed Rules 1000(b)(7), 1000(b)(8), and 1000(c)–(f) to SCI security systems would be determined by the provisions of the proposed Rules 1000(b)(1), and (3)–(6). See infra Sections III.C.5, III.C.6, and D.
26. If the Commission were to determine to eliminate the proposed definition of SCI security systems from proposed Regulation SCI, what would be the likely effect of such elimination on the ability of proposed Regulation SCI to ensure that SCI systems are adequately secure and protected from systems intrusions? Please explain.
Specifically, if the Commission eliminated the proposed definition of SCI security systems from proposed Regulation SCI, and its direct oversight of systems that share network resources with SCI systems, would the Commission’s ability to assure adequate security for SCI systems be materially weakened? Why or why not? Would such an alternative reduce compliance burdens for SCI entities, and improve the efficiency of Commission oversight without materially undermining its effectiveness?
27. If the Commission were to determine to eliminate the proposed definition of SCI security systems from proposed Regulation SCI, would it be appropriate, for example, for the Commission to interpret the requirement of proposed Rule 1000(b)(1) that would require an SCI entity to have ‘‘policies and procedures reasonably designed to ensure that its SCI systems have levels of * * * security * * * adequate to maintain the SCI entity’s operational capability and promote the maintenance of fair and orderly markets’’ to require that an SCI entity’s SCI systems be protected from security threats by other systems with which they share network resources? Why or why not? Please explain.
28. If the Commission were to determine to eliminate the proposed definition of SCI security systems from proposed Regulation SCI, should the Commission still require an SCI entity to report to the Commission an intrusion into any system (and not just SCI systems) of an SCI entity? Why or why not? If the Commission were to determine to eliminate the proposed definition of SCI security systems from proposed Regulation SCI, should the Commission require an SCI entity to notify members and participants of an intrusion into any system of an SCI entity? Why or why not? If the Commission were to determine to eliminate the proposed definition of SCI security systems from proposed Regulation SCI, are there any other changes to the rule that would be appropriate? What are they, and why would they be appropriate? Please describe in detail.
3. SCI Events
Pursuant to the current ARP policy statements and Regulation ATS, a key element of the ARP Inspection Program has been to encourage ARP participants to notify Commission staff of significant systems disruptions so that the staff can work with the affected entity to help ensure that the disruption is addressed promptly and effectively, and that appropriate steps are taken to reduce the likelihood of future problems. Commission staff has previously sought to provide guidance and clarification on what should be considered a ‘‘significant system outage’’ for purposes of reports to Commission staff. Specifically, in the 2001 Staff ARP Interpretive Letter, Commission staff provided examples of situations for which an outage is deemed significant and thus should be reported.146 The examples listed in that letter included: (1) Outages resulting in a failure to maintain any service level agreements or constraints; (2) disruptions of normal operations, e.g., switchover to back-up equipment with zero hope of near-term recovery of primary hardware; (3) the loss of use of any system; (4) the loss of transactions; (5) outages resulting in excessive back-ups or delays in processing; (6) the loss of ability to disseminate vital information; (7) outage situations communicated to other external entities; (8) events that are (or will be) reported or referred to the entity’s board of directors or senior management; (9) events that threaten systems operations even though systems operations are not disrupted; for example, events that cause the entity to implement a contingency plan; and (10) the queuing of data between system components or queuing of messages to or from customers of such duration
that a customer’s usual and customary service delivery is affected.147
The Commission believes that guidance in the 2001 Staff ARP Interpretive Letter regarding what constitutes a significant systems outage has been useful over the years to the entities that received the 2001 Staff ARP Interpretive Letter, but understands that Commission action in this area would help SROs and other entities by providing definitive guidance through a formal rulemaking process that includes notice and comment. Furthermore, the Commission believes the term ‘‘significant systems outage’’ in plain usage denotes a category of systems problems that is considerably narrower than those the Commission believes could pose risks to the securities markets and market participants. Therefore, the Commission proposes to specify the types of events that would be required to be reported to the Commission and the types of systems problems that would trigger notice requirements on the part of an SCI entity. Specifically, the Commission is proposing to define the term ‘‘SCI event’’ in Rule 1000(a) as ‘‘an event at an SCI entity that constitutes: (1) A systems disruption; (2) a systems compliance issue; or (3) a systems intrusion.’’ As discussed in detail below, the proposed rule would define each of these terms used in the proposed definition of SCI event.
146 See 2001 Staff ARP Interpretive Letter, supra note 35.
147 See id.
a. Systems Disruption
The Commission proposes that the term ‘‘systems disruption’’ be defined to mean ‘‘an event in an SCI entity’s SCI systems that results in: (1) A failure to maintain service level agreements or constraints; (2) a disruption of normal operations, including switchover to back-up equipment with near-term recovery of primary hardware unlikely; (3) a loss of use of any such system; (4) a loss of transaction or clearance and settlement data; (5) significant back-ups or delays in processing; (6) a significant diminution of ability to disseminate timely and accurate market data; or (7) a queuing of data between system components or queuing of messages to or from customers of such duration that normal service delivery is affected.’’ The proposed definition is similar, but not identical, to the definition of ‘‘significant systems outage’’ in the 2001 Staff ARP Interpretive Letter.148 As proposed, a systems disruption would be an event in an SCI entity’s SCI systems that manifests itself as a problem measured by reference to one or more of seven elements.
The first proposed element, a failure to maintain service level agreements or constraints, is unchanged from the 2001 Staff ARP Interpretive Letter. This would include, for example, a failure or inability of the SCI entity to honor its contractual obligations to provide a specified level or speed of service to users of its SCI systems.
148 See supra note 35. The Commission believes that the term ‘‘systems disruption’’ is a more appropriate term to describe the types of events captured within the proposed definition and thus is proposing to use the term ‘‘systems disruption,’’ rather than the term ‘‘systems outage,’’ the term used in the ARP Inspection Program.
A trading market could, for example, contract to maintain its trading system without delays over a specific threshold, e.g., 100 milliseconds, and its failure to honor that obligation would thus be a systems disruption.
The second proposed element, ‘‘a disruption of normal operations, including switchover to back-up equipment with near-term recovery of primary hardware unlikely’’ differs from the element in the 2001 Staff ARP Interpretive Letter (disruption of normal operations, e.g., switchover to back-up equipment with zero hope of near-term recovery of primary hardware). This modification is intended to convey that the Commission preliminarily believes that an SCI entity should be required to notify Commission staff of an SCI systems problem that involves a switchover to backup equipment, even if a determination that no recovery is possible has not been made because the probability that such switchover may continue indefinitely is significant. The Commission also intends that this proposed element, a ‘‘disruption of normal operations,’’ would capture problems with SCI systems such as programming errors, testing errors, systems failures, or if a system release is backed out after it is implemented in production.
The third proposed element, ‘‘a loss of use of any such system,’’ is unchanged from the 2001 Staff ARP Interpretive Letter and would cover situations in which an SCI system is broken, offline, or otherwise out of commission. For example, the Commission intends that a failure of primary trading or clearance and settlement systems, even if immediately replaced by backup systems without any disruption to normal operations, would be covered under this third proposed element.
The Commission preliminarily believes the language of the fourth proposed element, ‘‘a loss of transaction or clearance and settlement data,’’ is more precise than the language in the 2001 Staff ARP Interpretive Letter, which lists ‘‘loss of transactions’’ as an example of a systems outage. Similarly, the language of the fifth and sixth proposed elements is intended to be more precise than the comparable language in the fifth and sixth examples enumerated in the 2001 Staff ARP Interpretive Letter. The Commission is not at this time proposing to quantify what would constitute a ‘‘significant back-up or delay in processing’’ or a ‘‘significant diminution of ability to disseminate timely and accurate market data’’ because it preliminarily believes that the varying circumstances that could give rise to such events, and the range of SCI systems potentially impacted, make precise quantification impractical.149 These proposed elements are intended to include, for example, circumstances in which a problem with an SCI system results in a slowdown or disruption of operations that would adversely affect customers, impair quotation or price transparency, or impair accurate and timely regulatory reporting.
Instances in which message traffic is throttled (i.e., slowed) by an SCI entity for any market participant, without a corresponding provision in the SCI entity’s rules, user agreements, or governing documents, as applicable, would also be covered here.150 Further, the Commission preliminarily believes that if customers or systems users, for example, have complained or inquired about a slowdown or disruption of operations, including, for example, a slowdown or disruption in their receipt of market data, then such circumstance would be indicative of a problem at an SCI entity that results in ‘‘significant back-ups or delays in processing’’ or a ‘‘significant diminution of ability to disseminate timely and accurate market data,’’ that should be considered a ‘‘systems disruption.’’ The fifth and sixth elements of the proposed definition of systems disruption are also intended to cover the entry, processing, or transmission of erroneous or inaccurate orders, trades, price-reports, other information in the securities markets or clearance and settlement systems, or any other significant deterioration in the transmission of market data in an accurate, timely, and efficient manner. For example, it is possible that an SCI system of an SCI entity that disseminates market data could, as a result of a programming or testing error in another system of the SCI entity, be overwhelmed with erroneous market data to such an extent that the SCI entity’s SCI systems are no longer able to disseminate market data in a timely and accurate manner. 
149 The Commission is, however, soliciting comment on whether it would be appropriate to adopt quantitative criteria in connection with the definition of ‘‘systems disruption.’’
150 However, if an SCI entity’s rules or governing documents provided for such throttling in specified scenarios as a part of normal operations, such throttling would not be covered as such a situation would not represent an unexpected back-up or delay in processing but rather would be part of the SCI entity’s normal operation.
Finally, the seventh proposed element, ‘‘a queuing of data between system components or queuing of messages to or from customers of such duration that normal service delivery is affected,’’ is proposed to be included because the Commission preliminarily believes that queuing of data between system components of SCI systems is often a warning signal of significant disruption of normal system operations.
Although the 2001 Staff ARP Interpretive Letter lists ‘‘a report or referral of an event to the entity’s board of directors or senior management’’ and ‘‘an outage situation communicated to other external entities’’ as examples of a significant systems outage, the Commission is not proposing to include such reports or communications in the definition of systems disruption because it preliminarily believes these examples are more likely to be indicia of whether information about a systems disruption or other systems problem warrants dissemination to the SCI entity’s members or participants.151 Further, although the 2001 Staff ARP Interpretive Letter lists ‘‘a serious threat to systems operations even though systems operations are not disrupted’’ as an example of a significant systems outage, the Commission has not included that example as an element in the proposed definition of systems disruption because it preliminarily believes that such a threat would more likely be indicative of a systems intrusion or systems
compliance issue.152
151 See infra Section III.B.4.d, discussing whether an SCI event is a ‘‘dissemination SCI event.’’
152 See infra Sections III.B.3.b and III.B.3.c, discussing the proposed definition of systems compliance issue and systems intrusion, respectively.
Request for Comment
29. The Commission requests comment generally on the proposed definition of ‘‘systems disruption.’’ Do commenters believe that it is appropriate to limit the proposed definition of ‘‘systems disruption’’ to SCI systems? Why or why not? Do commenters believe the proposed definition of ‘‘systems disruption’’ is too broad? Why or why not? Please explain.
30. Do commenters believe that there should be minimum thresholds associated with the circumstances specified in any elements of the proposed definition of systems disruption—e.g., quantitative criteria describing when an event fitting the description of one of the elements of the proposed definition would meet the definition of SCI event? If so, what should such minimum thresholds be and to which elements of the definition of ‘‘systems disruption’’ should such minimum thresholds apply? Please explain. Should systems disruptions affecting different types of SCI systems be treated differently? For example, should trading systems have different quantitative criteria than systems dedicated to surveillance? Please be specific with respect to which categories of SCI systems might deserve different treatment, and what such quantitative criteria might be and why.
31. Do commenters believe the term ‘‘transaction or clearance and settlement data,’’ as used in paragraph (4) of the proposed definition of ‘‘systems disruption,’’ is appropriate? Why or why not? Should other types of data be included, in addition to transaction and clearance and settlement data? For example, should customer account data, regulatory data, and/or audit trail data be included? Why or why not?
32. Do commenters believe that there should be exceptions to the proposed definition of systems disruption? If so, what should such exceptions be and why? For example, should the proposed definition of systems disruption include a de minimis exception? If so, what types of systems problems should be considered de minimis and what criteria should be used to determine whether a systems problem is de minimis? Should the proposed definition of systems disruption include a materiality threshold? If so, what types of systems problems should be considered material and what criteria should be used to determine whether a systems problem is material? Should the definition of systems disruption exclude regular planned outages occurring during the normal course of business?
33. Should the proposed definition be expanded, narrowed, or otherwise modified in any way? For example, should the proposed definition include quantitative criteria that establish a minimum deviation from normal performance levels, such as a tenfold increase or greater in latency for queuing of data, for an event to be considered an SCI event? Would a minimum deviation of 100 milliseconds from normal system performance levels be an appropriate indication of system degradation? Or, would a larger or smaller deviation be more appropriate? Why or why not? For example, would the choice of a specific threshold help to balance the tradeoff between the costs of over-reporting systems disruptions and the costs of failing to report systems disruptions that could lead to significant negative consequences? Should different quantitative criteria be used across different SCI systems? For example, a limited pause in the operations of a clearing system may not raise the same issues as a similar pause in the operation of a market data feed. If commenters believe that different criteria should be maintained, please be specific and provide examples of what the appropriate minimum deviations should be for such systems.
34. Are there other types of circumstances that should be included that are not part of the proposed definition? If so, please describe and explain. For example, if an SCI SRO or SCI ATS suspects a technology error originating from a third party (such as an SCI SRO’s member firm or an SCI ATS’s subscriber) that has the potential to disrupt the market, should that type of discovery be included in the definition of systems disruption? Why or why not? Is there additional guidance that commenters would find helpful to determine whether an event would meet the proposed definition of systems disruption?
35. How often do SCI entities currently experience systems disruptions?
b. Systems Compliance Issue
The Commission proposes that the term ‘‘systems compliance issue’’ be defined as ‘‘an event at an SCI entity that has caused any SCI system of such entity to operate in a manner that does not comply with the federal securities laws and rules and regulations thereunder or the entity’s rules or governing documents, as applicable.’’ 153 Circumstances covered by the proposed definition would include, for example, situations in which a lack of communication between an SCI SRO’s information technology staff and its legal or regulatory staff regarding SCI systems design or requisite regulatory approvals resulted in one or more SCI systems operating in a manner not in compliance with the SCI SRO’s rules and, thus, in a manner other than how the users of the SCI SRO’s SCI systems, as well as market participants generally, have been informed that such systems would operate. Another example of a systems compliance issue could arise when a change to an SCI system is made by information technology staff that results in the system operating in a manner that fails to comply with the federal securities laws and rules thereunder.
153 As discussed in infra Section III.C.2, one of the elements of the safe harbor in proposed Rule 1000(b)(2)(ii)(A) would require that an SCI entity establish policies and procedures that provide for ongoing monitoring of SCI systems functionality to detect whether SCI systems are operating in the manner intended. This element would require that each SCI entity establish parameters for detection of a systems compliance issue, and is not intended to suggest one set of parameters for all SCI entities.

The phrase ‘‘operate in a manner that does not comply with * * * the entity’s rules or governing documents’’ would mean that an SCI entity is operating in a manner that does not comply with the entity’s applicable rules and other documents, whether or not filed with the Commission. Generally, such rules or other documents are made available to the public and/or to members, clients, users, and/or participants in the SCI entity.154 Specifically, for an SCI SRO, this phrase would include operating in a manner that does not comply with the SCI SRO’s rules as defined in the Exchange Act and the rules thereunder.155 For a plan processor, this phrase would include operating in a manner that does not comply with an applicable effective national market system plan. For an SCI ATS or exempt clearing agency subject to ARP, this phrase would include operating in a manner that does not comply with documents such as subscriber agreements and any rules provided to subscribers and users and, for ATSs, described in their Form ATS filings with the Commission.156

154 For example, each SCI SRO is required to publish its rules on its publicly available Web site. See 15 U.S.C. 78s(b)(2)(E). Each plan processor is also required to post amendments to its national market system plan on its Web site. See 17 CFR 242.608. Subscriber agreements and other similar documents that govern operations of SCI ATSs and exempt clearing agencies subject to ARP are generally not publicly available, but are provided to subscribers and users of such entities.

155 The rules of an SCI SRO are defined in Sections 3(a)(27) and (28) of the Exchange Act to include, among other things, its constitution, articles of incorporation, and bylaws. See 15 U.S.C. 78c(a)(27)–(28). See also Exchange Act Rule 19b–4(c), 17 CFR 240.19b–4(c).

156 See 17 CFR 242.301(b) for a description of the filing requirements for ATSs.

Request for Comment

36. The Commission requests comment generally on the proposed definition of ‘‘systems compliance issue.’’ Do commenters believe it would be appropriate to define ‘‘systems compliance issue’’ to mean any instance in which an SCI system operates in a manner that does not comply with the federal securities laws and rules and regulations thereunder, or the entity’s rules or governing documents, as applicable? Why or why not? If the proposed definition is not appropriate, what would be an appropriate definition? Do commenters believe that it is appropriate to limit the proposed definition of ‘‘systems compliance issue’’ to SCI systems? Why or why not? Please explain.

37. Do commenters believe that there should be exceptions to the proposed definition of systems compliance issue? If so, what should such exceptions be and why? For example, should the proposed definition of systems compliance issue include a de minimis exception? If so, what types of systems compliance issues should be considered de minimis and what criteria should be used to determine whether a systems compliance issue is de minimis? Should the proposed definition of systems compliance issue include a materiality threshold? If so, what types of systems compliance issues should be considered material and what criteria should be used to determine whether a systems compliance issue is material?

38. Do commenters believe other types of documents or agreements should be included in the definition? If so, please specify the types of documents or agreements and explain why.

39. How often do SCI entities currently experience systems compliance issues?

c. Systems Intrusion

The Commission proposes that ‘‘systems intrusion’’ be defined as ‘‘any unauthorized entry into the SCI systems or SCI security systems of an SCI entity.’’ The proposed definition is intended to cover all unauthorized entry into SCI systems or SCI security systems by outsiders, employees, or agents of the SCI entity, regardless of whether the intrusions were part of a cyber attack, potential criminal activity, or other unauthorized attempt to retrieve, manipulate or destroy data, or access or disrupt systems of SCI entities. The proposed definition of systems intrusion would cover the introduction of malware or other attempts to disrupt SCI systems or SCI security systems of SCI entities provided that such systems were actually breached. In addition, the proposed definition is intended to cover unauthorized access, whether intentional or inadvertent, by employees or agents of the SCI entity that result from weaknesses in the SCI entity’s access controls and/or procedures.

The proposed definition would not, however, cover unsuccessful attempts at unauthorized entry. An unsuccessful systems intrusion by definition is much less likely than a successful intrusion to disrupt the systems of an SCI entity. Moreover, because it is impossible to prevent attempted intrusions, the Commission preliminarily believes at this time that the focus of this aspect of proposed Regulation SCI should be on successful unauthorized entry.
Request for Comment

40. The Commission requests comment generally on the proposed definition of ‘‘systems intrusion.’’ Is the proposed definition sufficiently clear? If not, why not? Do commenters believe that it is appropriate to apply the proposed definition of ‘‘systems intrusion’’ to both SCI systems and SCI security systems? Why or why not? Please explain.

41. Do commenters believe it is appropriate to exclude from the proposed definition of systems intrusion an attempted intrusion that did not breach systems or networks? Why or why not? Should significant, sophisticated, repeated, and/or attempted intrusions, even if unsuccessful, be included? Why or why not? If yes, please explain what categories of attempted intrusions should be covered by the proposed rule and why.

42. Should the proposed definition of systems intrusion be expanded to include the unauthorized use or unintended release of information or data, for example, by an employee or agent of an SCI entity? Why or why not? If so, should the definition be limited to the unauthorized use of non-public or confidential information or should it apply to any unauthorized use of information or data? The Commission recognizes that including in the definition all instances of unauthorized use or unintended release of information or data may be broad and solicits comment generally on how the definition might be more narrowly defined to encompass those types of events that commenters believe would be appropriate to be included in proposed Regulation SCI.

43. How often do SCI entities currently experience known systems intrusions or known attempted systems intrusions?

d. Dissemination SCI events

The Commission proposes that the term ‘‘dissemination SCI event’’ be defined as ‘‘an SCI event that is a: (1) Systems compliance issue; (2) systems intrusion; or (3) systems disruption that results, or the SCI entity reasonably estimates would result, in significant harm or loss to market participants.’’ 157 As discussed below in Section III.C.3, proposed Rule 1000(b)(5) includes requirements for disseminating information regarding certain SCI events to members or participants.158 Specifically, only information relating to dissemination SCI events would be required to be disseminated to members or participants pursuant to proposed Rule 1000(b)(5).159 The Commission recognizes that public disclosure of each and every systems issue (such as very brief outages or minor disruptions of normal systems operations where the effects on trading, market data, and clearance and settlement are immaterial) could be counterproductive, potentially overwhelming the public with information, masking significant issues that might arise, and thus preliminarily believes that requiring the dissemination of information about dissemination SCI events to members or participants would promote dissemination of information to persons who are most directly affected by such events and who would most naturally need, want, and be able to act on the information, without creating a separate regulatory standard governing when broader public disclosure should be made.

157 See proposed Rule 1000(a).

158 Proposed Rule 1000(b)(5) would require the dissemination of specified information relating to dissemination SCI events and specify the nature and timing of such dissemination, with a delay in dissemination permitted for certain systems intrusions. See infra Section III.C.3.c.

159 See infra note 235.
In the case of a dissemination SCI event, the Commission preliminarily believes that dissemination to members or participants of the nature of the event and the steps being taken to remedy it would be necessary to help ensure that potentially impacted market participants, and others that might be evaluating whether to use the affected systems, have basic information about the event so that they might be able to better assess what, if any, next steps they might deem prudent to take in light of the event.160

160 However, as discussed below, the Commission recognizes that, in the case of systems intrusions, there may be circumstances in which full prompt dissemination of information to members or participants of a systems intrusion could hinder an investigation into such an intrusion or an SCI entity’s ability to mitigate it. As such, the Commission is proposing that dissemination of information for certain systems intrusions could be delayed in specified circumstances. Specifically, the Commission is proposing that an SCI entity disseminate information about a systems intrusion to its members or participants, unless the SCI entity determines that dissemination of such information would likely compromise the security of the SCI entity’s SCI systems or SCI security systems, or an investigation of the systems intrusion, and documents the reasons for such determination. See proposed Rule 1000(b)(5)(ii) and text accompanying infra note 174. The Commission preliminarily believes, however, that an SCI entity should ultimately disseminate information regarding systems intrusions, and that the provisions of proposed Rule 1000(b)(5)(ii) permitting a delay in dissemination, if applicable, should only affect the timing of such dissemination. The Commission notes that some Roundtable panelists and commenters discussed the role that communications and disclosure should play in mitigation of risk from systems issues. For example, panelists from Citadel, DE, Nasdaq, Lime, and TDA, among others, spoke about the role of communications and management involvement in responding to errors. See discussion of Roundtable, supra Section I.D. See also text accompanying infra note 238.

Proposed Rule 1000(a) specifies three categories of SCI events that would constitute a dissemination SCI event. First, any SCI event that is a systems compliance issue would be a dissemination SCI event.161 The Commission preliminarily believes that, if an SCI entity’s SCI systems were operating in a manner not in compliance with the federal securities laws and rules and regulations thereunder, or the entity’s rules or governing documents, as applicable, the SCI entity should be required to disseminate that information to all members or participants, i.e., the users of its SCI systems. In addition, because SCI entities that are SCI SROs or plan processors are required by the Exchange Act to comply with their rules, proposing to require dissemination of information about systems compliance issues to members or participants should help to reinforce this statutory obligation.

161 See supra Section III.B.3.b, discussing the definition of ‘‘systems compliance issue.’’

Second, any SCI event that is a systems intrusion would also be a dissemination SCI event. The Commission preliminarily believes that a systems intrusion may represent a significant weakness in the security of an SCI entity’s systems and thus warrant dissemination of information to an SCI entity’s members or participants. However, because detailed information about a systems intrusion may expose an SCI entity’s systems to further probing and attack, an SCI entity would only be required to provide a summary description of the systems intrusion, including a description of the corrective action taken by the SCI entity and when the systems intrusion has been or is expected to be resolved.162 In addition, because immediate dissemination of information about a systems intrusion may in some cases further compromise the security of the SCI entity’s SCI systems or SCI security systems, or an investigation of the systems intrusion, an SCI entity in some cases may be permitted to delay the dissemination of information about such systems intrusion.163

162 See infra Section III.C.3.c and proposed Rule 1000(b)(5)(ii).

163 See id.

Finally, the Commission is proposing that any systems disruption that results, or the SCI entity reasonably estimates would result, in significant harm or loss to market participants would also be a dissemination SCI event. Some systems disruptions may have an immediate, obvious, and detrimental impact on market participants, hampering the ability of an SCI entity’s members or participants to utilize the SCI entity’s SCI systems and, in some cases, making such systems unusable. At the same time, the Commission recognizes that disseminating information relating to a single systems disruption that results in harm or loss to one or a small number of market participants that is not significant may not warrant the cost of such dissemination.
Furthermore, the Commission preliminarily believes that the proposed standard is appropriate in that it does not set a specific threshold or definition of ‘‘significant harm or loss to market participants,’’ and provides an SCI entity with reasonable discretion in estimating whether a given systems disruption has resulted, or would result, in significant harm or loss to market participants.164 Although the particular facts and circumstances will differ for each systems disruption, some systems disruptions would clearly result in significant harm or loss to market participants and warrant dissemination of information regarding such systems disruption to the SCI entity’s members or participants, even if the harm or loss, or the potential harm or loss, is difficult to quantify. For example, if a market experiences a problem with a trading system such that order processing and execution in certain securities is halted and members are not able to confirm transactions in such securities, the Commission preliminarily believes that such a systems disruption would be a dissemination SCI event. In contrast, if a trading market or a clearing agency experienced a momentary power disruption causing a fail over to the backup data center with no customer, member, or participant impact, such SCI event would be a systems disruption requiring written notice to the Commission, but would not be a dissemination SCI event.

164 The tradeoffs of setting thresholds are discussed in the Economic Analysis Section below. See infra Section V.B.

Request for Comment

44. Do commenters believe the proposed definition of ‘‘dissemination SCI event’’ is appropriate? Why or why not?

45. Do commenters believe that a ‘‘systems compliance issue’’ should constitute a dissemination SCI event? Why or why not? Please explain.

46. Do commenters believe that a ‘‘systems intrusion’’ should constitute a dissemination SCI event? Why or why not? Please explain.

47. Do commenters believe that systems disruptions that meet the ‘‘significant harm or loss to market participants’’ standard should be included as dissemination SCI events? Why or why not? If not, what would be an appropriate threshold, and how should it be measured? Should the term ‘‘significant harm or loss to market participants’’ be further clarified or defined in the rule? Why or why not? If so, what should such clarification or definition be and why?

48. Would an alternative measurement, or group of alternative measurements, for systems disruptions, such as a 50 millisecond pause in service or some other nonmonetary measure (for example, out of memory situations, memory overloads, data loss due to an SCI system exceeding capacity limitations, excessive queuing or throttling), also be an appropriate and effective means to measure certain events about which an SCI entity should disseminate information to its members or participants? If so, what are they and why? Should any such measurements vary based on the type of SCI system involved? If so, how? Please be specific.

49. Are there any other types of systems disruptions that should be required to be disseminated to members or participants? If so, please explain why. Should, for example, information relating to a systems disruption be required to be disseminated to members or participants if it affects a certain number of market participants? If so, how should such a level (number of market participants) be determined?

4. Material Systems Changes

Rule 1000(a) of proposed Regulation SCI would define ‘‘material systems change’’ as ‘‘a change to one or more: (1) SCI systems of an SCI entity that: (i) Materially affects the existing capacity, integrity, resiliency, availability, or security of such systems; (ii) relies upon materially new or different technology; (iii) provides a new material service or material function; or (iv) otherwise materially affects the operations of the SCI entity; or (2) SCI security systems of an SCI entity that materially affects the existing security of such systems.’’ 165 This proposed definition of ‘‘material systems change’’ is substantively similar to the definition of ‘‘significant system change’’ discussed in the ARP II Release.166

165 See proposed Rule 1000(a). See also infra Sections III.C.4 and III.C.6 discussing notices of material systems changes and reports of material systems changes, respectively.

166 See ARP II Release, supra note 1, at 22592–93. See also 2001 Staff ARP Interpretive Letter, supra note 35 (citing ARP II, supra note 1, at 22492–93: ‘‘ARP II provides a non-exclusive list of factors that should be considered in determining whether a system change is significant and should be reported. The list includes a change that: (1) Affects existing capacity or security; (2) in itself raises capacity or security issues, even if it does not affect other existing systems; (3) relies upon substantially new or different technology; (4) is designed to provide a new service or function for SRO members or their customers; or (5) otherwise significantly affects the operations of the entity.’’).

Item (1)(i) of the proposed definition of material systems change differs from item (1) in the definition in the ARP II Release of ‘‘significant system change,’’ as proposed item (1)(i) refers to changes to an SCI entity’s SCI systems that affect not only capacity and security, but also integrity, resiliency, and availability.167 Items (1)(ii) and (1)(iii) in the proposed definition of material systems change are intended to be substantively identical to items (3) and (4) of the definition of significant system change in the 2001 Staff ARP Interpretive Letter, generally covering changes to an SCI entity’s SCI systems designed to advance systems development.168 Proposed item (1)(iv), covering a change to an SCI entity’s SCI systems that ‘‘otherwise materially affects the operations of the SCI entity,’’ is intended to require notification of major systems changes to SCI systems that are not captured by other elements of paragraph (1) of the proposed definition. Proposed item (2), covering a change to an SCI entity’s SCI security systems that ‘‘materially affects the existing security of such systems,’’ is intended to ensure that significant changes that would affect the security of an SCI entity’s SCI security systems (i.e., systems that share network resources with SCI systems that, if breached, would be reasonably likely to pose a security threat to SCI systems) 169 are reported to the Commission.

167 Proposed item (1)(i) consolidates items (1) and (2) of the definition of material systems change in the 2001 Staff ARP Interpretive Letter. The Commission believes that the addition of integrity, resiliency, and availability aspects of SCI systems that are important in today’s automated trading environments appropriately reflects the evolution of the types of systems issues since the 2001 Staff ARP Interpretive Letter.

168 In addition, each of proposed items (1)(i) through (1)(iii) are changes that concern the adequacy of capacity estimates, testing, and security measures taken by an SCI entity, for which adequate procedures are required by proposed Rule 1000(b)(1). See infra Section III.C.1.

169 See supra Section III.B.2 (discussing definition of SCI security system).

Examples that the Commission preliminarily believes could be included within the proposed definition of material systems change are: Major systems architecture changes; reconfigurations of systems that would cause a variance greater than five percent in throughput or storage; the introduction of new business functions or services; changes to external interfaces; changes that could increase susceptibility to major outages; changes that could increase risks to data security; changes that were, or would be, reported to or referred to the entity’s board of directors, a body performing a function similar to the board of directors, or senior management; and changes that could require allocation or use of significant resources.
These examples are cited in the 2001 Staff ARP Interpretive Letter.170 Based on Commission staff’s experience working with SROs that have relied on the guidance provided in the 2001 Staff ARP Interpretive Letter, the Commission preliminarily believes that such examples could continue to be relevant guidance to SCI SROs as well as to other SCI entities. In addition, the Commission preliminarily believes that any systems change occurring as a result of the discovery of an actual or potential systems compliance issue, as that term would be defined in proposed Rule 1000(a), would be material.

170 See supra note 35.

Based on its experience with SROs and other entities reporting significant systems changes in the context of the ARP Inspection Program, the Commission preliminarily believes that the proposed definition of material systems change is appropriate for all SCI entities. The Commission preliminarily believes that proposed items (1)(i)–(iv) and (2), which would cover changes affecting capacity estimates, security measures, the use of new technology and new functionality, could also highlight the need for SCI entities that are SROs, when applicable, to file a proposed rule change with the Commission under Section 19(b) of the Exchange Act and SCI entities that are SROs to file proposed amendments for SCI Plans under Rule 608 of Regulation NMS.171 As the Commission noted in ARP II, the purpose of urging SROs to notify Commission staff of significant system changes was not to supplant or provide an alternative means for SROs to satisfy their obligations to file proposed rule changes as required by the Exchange Act.172 Rather, under ARP II, the Commission was primarily concerned with fulfilling its oversight responsibilities and was also interested in obtaining a full view and understanding of systems development at SROs.173 Likewise, the proposal to require an SCI entity to notify the Commission of material systems changes would not relieve an SCI SRO of any obligation it may have to file a proposed rule change, the participants of an SCI Plan to file a proposed amendment to such SCI Plan, or any other obligation any SCI entity may have under the Exchange Act or rules thereunder.174

171 Section 19(b)(1) of the Exchange Act requires an SRO to file proposed rules and proposed rule changes with the Commission in accordance with rules prescribed by the Commission. See 15 U.S.C. 78s(b)(1). Section 19(b)(1) further requires the Commission to solicit public comment on any proposed rule change filed by an SRO. See id. Rule 608(a)(1) of Regulation NMS under the Exchange Act, 17 CFR 242.608(a)(1), permits ‘‘self-regulatory organizations, acting jointly, [to] file a national market system plan or [to] propose an amendment to an effective national market system plan.’’ Rule 608(b) of Regulation NMS, 17 CFR 242.608(b), requires the Commission to publish such proposed national market system plan or national market system plan amendment for notice and comment, and, in certain situations, approve such NMS plan or plan amendment before it may become effective.

172 See ARP II, supra note 1, at 22493. ARP II explained that because the rule change process pursuant to Section 19(b) of the Exchange Act and Rule 19b–4 thereunder ‘‘imposes shortened timeframes for action on proposed rule changes and because not all systems changes trigger the need for changes to rules of the SROs,’’ the rule change process was not providing staff with timely and complete detail on various significant systems changes occurring at the SROs. The policy of urging SROs to provide timely and accurate information on systems changes was intended as an adjunct to, and not a substitution for the rule change process. See id.

173 See id. at 22493–94, n. 20.

174 See infra request for comment in Section III.C.1.b, wherein the Commission solicits comment on whether SCI SROs should be required to provide notice to their members of anticipated technology deployments prior to implementation and offer their members the opportunity to test anticipated technology deployments prior to implementation.

Request for Comment

50. The Commission requests comment generally on the proposed definition of ‘‘material systems change.’’ Is the proposed definition of material systems change clear? Should the Commission provide additional guidance on, or further define what would constitute a ‘‘material systems change?’’ Are there other factors that should be included? Please be specific and give examples of types of system changes that should be included in the proposed definition but currently are not.

51. The Commission sets forth above examples of systems changes that it preliminarily believes could be included within the proposed definition of material systems change (i.e., major systems architecture changes; reconfigurations of systems that would cause a variance greater than five percent in throughput or storage; the introduction of new business functions or services; changes to external interfaces; changes that could increase susceptibility to major outages; changes that could increase risks to data security; changes that were, or would be, reported to or referred to the entity’s board of directors, a body performing a function similar to the board of directors, or senior management; and changes that could require allocation or use of significant resources). Do commenters agree each of these examples could constitute material systems changes? Why or why not?

52. Should any of the proposed factors be eliminated or refined? If so, please explain.
Should material systems changes be defined to include cumulative systems changes over a specified period that might not otherwise qualify individually as a material systems change? For example, if systems changes (such as reconfigurations of systems that would cause a variance greater than five percent in throughput or storage) occurred that, on their own, each would not constitute a material systems change but, if grouped together with other similar or even identical changes (or, alternatively, that occurred repeatedly over a certain period of time such as a week or a month) could represent a material system change, should such changes together be considered a material systems change? If so, what would be the appropriate number of similar or identical systems changes that should be considered and/or what would be an appropriate time period to consider? Should all non-material systems changes count towards this threshold or should only non-material systems changes of the same or similar type count? Would cumulative changes over a week be an appropriate measurement period? Would a 30-day measurement period be appropriate? Should the period be longer or shorter? Please explain.

53. Do commenters believe that a change to the SCI systems of an SCI entity that ‘‘materially affects the existing capacity, integrity, resiliency, availability, or security of such systems’’ should constitute a material systems change as proposed? Why or why not? Should a change with respect to any of the proposed characteristics of such systems (i.e., capacity, integrity, resiliency, availability, or security) be eliminated or modified? Should any be added? Please explain.

54. Should a change to the SCI systems of an SCI entity that ‘‘relies upon materially new or different technology’’ constitute a material systems change as proposed? Why or why not? Is the phrase ‘‘materially new or different’’ sufficiently clear? If not, please explain.

55. Should a change to an SCI entity’s SCI systems that ‘‘provides a new material service or material function’’ constitute a material systems change as proposed? Why or why not? Is the phrase ‘‘a new material service or material function’’ sufficiently clear? If not, please explain.

56. Do commenters believe it is appropriate to include a change to an SCI entity’s SCI systems that ‘‘otherwise materially affects the operations of the SCI entity’’ as proposed? Why or why not? Please explain.

57. Do commenters believe that a change to the SCI security systems of an SCI entity that ‘‘materially affects the existing security of such systems’’ should constitute a material systems change as proposed? Why or why not? Please explain.

58. Do commenters believe the rule should include quantitative criteria or other minimum thresholds for the effect of a change to an SCI entity’s SCI systems or SCI security systems beyond which the Commission must be notified of the change? Why or why not? If so, what should such quantitative criteria or other minimum thresholds be and why?

59. How often do SCI entities currently make material systems changes? How often do SCI SROs make material systems changes and what percentage of the time are such changes filed with the Commission as proposed rule changes under Section 19 of the Exchange Act?

C. Proposed Rule 1000(b): Obligations of SCI Entities

Paragraph (b) of proposed Rule 1000 would set forth requirements that would apply to SCI entities relating to written policies and procedures, obligations with regard to corrective actions, reporting of SCI events to the Commission, dissemination of information relating to certain SCI events to members or participants, reporting of material systems changes, SCI reviews, and the participation of designated members or participants of SCI entities in testing the business continuity and disaster recovery plans of SCI entities.

1. Policies and Procedures To Safeguard Capacity, Integrity, Resiliency, Availability, and Security 175

175 See infra Sections IV.D.1.a and V.B for discussions related to current practices of SCI entities.

Proposed Rule 1000(b)(1) would require each SCI entity to establish, maintain, and enforce written policies and procedures, reasonably designed to ensure that its SCI systems and, for purposes of security standards, SCI security systems, have levels of capacity, integrity, resiliency, availability, and security, adequate to maintain the SCI entity’s operational capability and promote the maintenance of fair and orderly markets.
Proposed Rule 1000(b)(1)(i) would further provide that such policies and procedures include, at a minimum: ‘‘(A) The establishment of reasonable current and future capacity planning estimates; (B) periodic capacity stress tests of such systems to determine their ability to process transactions in an accurate, timely, and efficient manner; (C) a program to review and keep current systems development and testing methodology for such systems; (D) regular reviews and testing of such systems, including backup systems, to identify vulnerabilities pertaining to internal and external threats, physical hazards, and natural or manmade disasters; (E) business continuity and disaster recovery plans that include maintaining backup and recovery capabilities sufficiently resilient and geographically diverse to ensure next business day resumption of trading and two-hour resumption of clearance and settlement services following a wide-scale disruption; and (F) standards that result in such systems being designed, developed, tested, maintained, operated, and surveilled in a manner that facilitates the successful collection, processing, and dissemination of market data.’’ 176
Proposed Rule 1000(b)(1)(ii) would deem an SCI entity’s policies and procedures required by proposed Rule 1000(b)(1) to be reasonably designed if they are consistent with SCI industry standards.177 In particular, for purposes of complying with proposed Rule 1000(b)(1), if an SCI entity has policies and procedures that are consistent with such SCI industry standards, as discussed further in Section III.C.1.b below, such policies and procedures would be deemed to be reasonably designed and thus the SCI entity would be in compliance with proposed Rule 1000(b)(1). In addition, under proposed Rule 1000(b)(1)(ii), compliance with the identified SCI industry standards would not be the exclusive means to comply with the requirements of proposed Rule 1000(b)(1).
176 See proposed Rule 1000(b)(1)(i)(A)-(F).
177 See infra Section III.C.1.b.
a. Proposed Rule 1000(b)(1)(i)
Proposed Rule 1000(b)(1) would require that an SCI entity have policies and procedures that address items (i)(A)-(F) for its SCI systems and, for purposes of security standards, SCI security systems. Items (A)-(C) enumerated in proposed Rule 1000(b)(1)(i) are substantively the same as the requirements of Rule 301(b)(6)(ii)(A)-(C) of Regulation ATS, applicable to significant-volume alternative trading systems, and trace their origin to the ARP I Release.178 With respect to SCI systems and, as applicable, SCI security systems, proposed item (A), which would require an SCI entity to establish, maintain, and enforce policies and procedures for the establishment of reasonable current and future capacity planning estimates, and proposed item (B), which would require an SCI entity to establish, maintain, and enforce policies and procedures for periodic capacity stress tests of such systems, would help an SCI entity determine its systems’ ability to process transactions in an accurate, timely, and efficient manner, and thereby help ensure market integrity. Proposed item (C), which would require an SCI entity to establish, maintain, and enforce policies and procedures that include a program to review and keep current systems development and testing methodology for such systems, would help ensure that the SCI entity continues to monitor and maintain systems capacity and availability.
Proposed item (D), which would require an SCI entity to establish, maintain, and enforce policies and procedures to review and test regularly such systems, including backup systems, to identify vulnerabilities pertaining to internal and external threats, physical hazards, and natural or manmade disasters, would likewise assist an SCI entity in ascertaining whether its SCI systems and SCI security systems are and remain sufficiently secure and resilient. Unlike Rule 301(b)(6)(ii)(D) of Regulation ATS, proposed item (D) includes ‘‘manmade disasters’’ in the list of vulnerabilities an SCI entity would be required to consider and protect against. The Commission proposes to add ‘‘manmade disasters’’ to be clear that acts of terrorism and sabotage—threats that some SCI entities have faced in recent history 179—are threats that an SCI entity must prepare for in reviewing and testing its systems and operations. Proposed items (B), (C), and (D) would each require, among other things, the establishment of policies and procedures relating to various aspects of systems testing, including capacity stress tests, testing methodology, and tests for systems vulnerabilities to internal and external threats, physical hazards, and natural or manmade disasters, respectively. The Commission preliminarily believes that, to help ensure an effective testing regime, such policies and procedures would need to address when testing with members, participants, and other market participants would be appropriate.180
Proposed item (E), which would require SCI entities to establish, maintain, and enforce policies and procedures for business continuity and disaster recovery plans, is substantially similar to a requirement in Rule 301(b)(6)(ii) of Regulation ATS and ARP I.181 However, proposed item (E) would further require SCI entities to have plans for maintaining backup and recovery capabilities sufficiently resilient and geographically diverse to ensure next business day resumption of trading and two-hour resumption of clearance and settlement services following a wide-scale disruption. The proposed resiliency and geographic diversity requirement is designed particularly to help ensure that an SCI entity would be able to continue operations from the backup site during a wide-scale disruption resulting from natural disasters, terrorist activity, or other significant events. For example, the Commission preliminarily believes that backup sites should not rely on the same infrastructure components (e.g., transportation, telecommunications, water supply, and electric power) used by the primary site.182 The proposed next business day trading resumption standard reflects the Commission’s preliminary view that an SCI entity, being part of the critical infrastructure of the U.S. securities markets, should have plans to limit downtime caused by a wide-scale disruption to less than one business day.183 Likewise, the proposed two-hour resumption standard for clearance and settlement services, which traces its origin to the 2003 Interagency White Paper,184 reflects the Commission’s preliminary view that an SCI entity that is a registered clearing agency or an ‘‘exempt clearing agency subject to ARP’’ should have contingency plans to avoid a scenario in which failure to settle transactions by the end of the day could present systemic risk to the markets.185
Proposed item (F) would require SCI entities to have standards that result in systems being designed, developed, tested, maintained, operated, and surveilled in a manner that facilitates the successful collection, processing, and dissemination of market data. As the Commission previously noted, when Congress mandated a national market system in 1975, it emphasized that the systems for collecting and distributing consolidated market data would ‘‘form the heart of the national market system.’’ 186 As a result of consolidated market data, the public has ready access to a comprehensive, accurate, and reliable source of information for the prices and volume of any NMS stock at any time during the trading day.187 This information helps to ensure that the public is aware of the best displayed prices for a stock, no matter where they may arise in the national market system.188 It also enables investors to monitor the prices at which their orders are executed and assess whether their orders received best execution.189 Further, as noted above, one of the findings of the May 6 Staff Report is that ‘‘fair and orderly markets require that the standards for robust, accessible, and timely market data be set quite high.’’ 190 The Commission believes that the accurate, timely and efficient processing of data is similarly important to the proper functioning of the securities markets. For example, if a clearing agency were not able to process data accurately, settlements could potentially be impacted. Similarly, if an exchange does not process trades accurately, erroneous executions could occur. Consistent with these goals and Congress’s statement, proposed item (F) would be a new requirement that has no precedent in either Rule 301(b)(6) of Regulation ATS or the ARP policy statements and would require SCI entities to have ‘‘standards that result in such systems being designed, developed, tested, maintained, operated, and surveilled in a manner that facilitates the successful collection, processing, and dissemination of market data.’’ 191 The Commission preliminarily believes that proposed item (F) would assist an SCI entity in ensuring that its market data systems are designed to maintain market integrity.
178 See 17 CFR 242.301(b)(6)(ii)(A)–(C); see also ARP I Release, supra note 1, at 48706–07.
179 See, e.g., supra note 61.
180 See also the Commission’s request for comment in infra Sections III.C.1.b and III.C.7, on whether proposed Regulation SCI should be more prescriptive regarding testing standards and requirements in light of comments on testing made by Roundtable panelists and commenters, and the closure of the national securities exchanges in the wake of Superstorm Sandy, as discussed in the text accompanying supra notes 78–83.
181 See 17 CFR 242.301(b)(6)(ii)(E); ARP I Release, supra note 1, at 48706.
182 See 2003 Interagency White Paper, supra note 31. As discussed further below in Section III.C.1.b, proposed Rule 1000(b)(1) would require an SCI entity to have policies and procedures that are ‘‘reasonably designed’’ and ‘‘adequate to maintain [its] operational capability and promote the maintenance of fair and orderly markets.’’ Proposed Rule 1000(b)(1)(i)(E) would require that such policies and procedures include ‘‘business continuity and disaster recovery plans that include maintaining backup and recovery capabilities sufficiently resilient and geographically diverse,’’ (emphasis added) to ensure next business day or two-hour resumption as applicable, following a wide-scale disruption. While ‘‘sufficient’’ geographic diversity would be a required element of reasonably designed business continuity and disaster recovery plans, the proposed rule does not specify any particular minimum distance or geographic location that would be necessary to achieve the requisite level of geographic diversity. Instead, the proposed rule focuses on the ability to achieve the goal of resuming business within the applicable time frame in the wake of a wide-scale disruption. As noted above, the Commission also preliminarily believes that an SCI entity should have a reasonable degree of flexibility to determine the precise nature and location of its backup site depending on the particular vulnerabilities associated with those sites, and the nature, size, technology, business model, and other aspects of its business.
183 Standards with respect to resilient and geographically remote back-up sites and resumption of operations are discussed in the 2003 Interagency White Paper and the 2003 Policy Statement on Business Continuity Planning for Trading Markets, and these publications are proposed to be designated as industry standards in the context of contingency planning. See 2003 Interagency White Paper, supra note 31 and 2003 Policy Statement on Business Continuity Planning for Trading Markets, supra note 32. In addition, the 2003 Policy Statement on Business Continuity Planning for Trading Markets urged SRO markets and ECNs to ‘‘have a business continuity plan that anticipates the resumption of trading * * * no later than the next business day following a wide-scale disruption.’’ See supra note 32, at 56658.
184 See supra note 31. See also infra note 195, discussing further the 2003 Interagency White Paper.
185 The Commission believes that all clearing agencies that would be subject to proposed Regulation SCI (i.e., all of the registered clearing agencies and the current ‘‘exempt clearing agency subject to ARP’’) currently strive to adhere to this standard.
186 See Concept Release on Equity Market Structure, supra note 42, at 3600 (quoting H.R. Rep. No. 94–229, 94th Cong., 1st Sess. 93 (1975)).
187 See id.
188 See id.
189 See id. The benefits of consolidated market data discussed here are true for the options markets as well.
190 See May 6 Staff Report, supra note 56, at 8.
191 This proposed requirement is consistent with Rule 603(a) of Regulation NMS, which states that any ‘‘* * * broker or dealer with respect to information for which it is the exclusive source, that distributes information with respect to quotations for or transactions in an NMS stock to a securities information processor shall do so on terms that are fair and reasonable.’’ In adopting Regulation NMS, the Commission stated that Rule 603(a) ‘‘prohibits an SRO or broker-dealer from transmitting data to a vendor or user any sooner than it transmits the data to a Network processor.’’ Rule 603(a) by its terms applies only to NMS stocks. See supra note 121. See also 17 CFR 242.603(a).
b. Proposed Rule 1000(b)(1)(ii)
Proposed Rule 1000(b)(1) would generally require that each SCI entity’s policies and procedures be reasonably designed to ensure that its SCI systems and, for purposes of security standards, SCI security systems, ‘‘have levels of capacity, integrity, resiliency, availability, and security, adequate to maintain the SCI entity’s operational capability and promote the maintenance of fair and orderly markets.’’ As discussed above, proposed Rule 1000(b)(1)(i) would also require that an SCI entity have policies and procedures that address items (A)–(F). The Commission notes that SCI entities that are ARP participants have been applying the ARP I principles underlying proposed Rule 1000(b)(1)(i)(A)–(F) for many years. However, while the items enumerated in proposed Rule 1000(b)(1)(i)(A)–(F) identify the areas that would be required to be addressed by an SCI entity’s policies and procedures, the Commission is not proposing to prescribe the specific policies and procedures an SCI entity must follow to comply with the requirements of proposed Rule 1000(b)(1). Instead, the Commission intends to, and preliminarily believes that the proposed requirements as written would, provide SCI entities sufficient flexibility, based on the nature, size, technology, business model, and other aspects of their business, to identify appropriate policies and procedures that would meet the articulated standard, namely that they be reasonably designed to ensure that their systems have levels of capacity, integrity, resiliency, availability, and security adequate to maintain the SCI entity’s operational capability and promote the maintenance of fair and orderly markets.
However, the Commission also preliminarily believes that it would be helpful to SCI entities to provide additional guidance about one way in which they might elect to satisfy this general standard in proposed Rule 1000(b)(1). Therefore, the Commission is proposing Rule 1000(b)(1)(ii), which would provide that, for purposes of complying with proposed Rule 1000(b)(1), an SCI entity’s policies and procedures would be deemed to be reasonably designed, and thus satisfy the requirements of proposed Rule 1000(b)(1), if they are consistent with current SCI industry standards.
Proposed Rule 1000(b)(1)(ii) further states that such SCI industry standards shall be: (A) comprised of information technology practices that are widely available for free to information technology professionals in the financial sector; and (B) issued by an authoritative body that is a U.S. governmental entity or agency, association of U.S. governmental entities or agencies, or widely recognized organization. Proposed Rule 1000(b)(1)(ii) would additionally provide that compliance with the SCI industry standards identified in the proposal would not be the exclusive means to comply with the requirements of paragraph (b)(1). As noted above, the Commission intends to, and preliminarily believes that the proposed requirements as written would, provide SCI entities sufficient flexibility, based on the nature, size, technology, business model, and other aspects of their business, to identify appropriate policies and procedures to comply with proposed Rule 1000(b)(1).
The Commission is proposing this approach because it preliminarily believes that providing additional guidance on the types of industry standards that would satisfy the requirements of proposed Rule 1000(b)(1) could assist an SCI entity in determining how to best allocate resources to maintain its systems’ operational capability, and promote the maintenance of fair and orderly markets.192 The Commission acknowledges that current industry standards applicable to SCI entities have been developed in a number of areas to help ensure that systems have adequate capacity, integrity, resiliency, availability, and security. Accordingly, the current SCI industry standards that would be deemed to be reasonably designed for purposes of proposed Rule 1000(b)(1) are not limited to the SCI industry standards discussed and contained in the publications identified in Table A below, but rather may be found in a variety of publications, issued by a range of sources.
The Commission acknowledges that an SCI entity’s choice of a current SCI industry standard in a given domain or subcategory thereof may be different than those contained in the publications identified in Table A. Further, some of the identified standards may be more relevant for some SCI entities than others, based on the nature and amount of their respective activities. Thus, the Commission’s proposed approach is designed to provide a non-exclusive method of compliance. The Commission preliminarily believes that the publications set forth in Table A below 193 contain examples of SCI industry standards that an SCI entity may elect to look to in establishing its policies and procedures under proposed Rule 1000(b)(1). However, as proposed Rule 1000(b)(1)(ii) makes clear, compliance with such current SCI industry standards would not be the exclusive means to comply with the requirements of proposed Rule 1000(b)(1).
Thus, as proposed, written policies and procedures that are consistent with the relevant examples of SCI industry standards contained in the publications identified in Table A, would be deemed to be ‘‘reasonably designed’’ for purposes of proposed Rule 1000(b)(1). The publications identified in Table A cover nine inspection areas, or ‘‘domains,’’ that have evolved over the past 20 years of the ARP Inspection Program and that are relevant to SCI entities’ systems capacity, integrity, resiliency, availability, and security, namely: Application controls; capacity planning; computer operations and production environment controls; contingency planning; information security and networking; audit; outsourcing; physical security; and systems development methodology.
The publications included in Table A set forth industry standards that the Commission understands are currently used by information technology and audit professionals in the financial and government sectors. These industry standards have been issued primarily by NIST and FFIEC. NIST, an agency within the U.S. Department of Commerce, has issued special publications regarding information technology systems. The FFIEC is a U.S. intergovernmental body that prescribes uniform principles and practices for the examination of certain financial institutions by U.S. regulators, and has issued publications on numerous topics, including development and acquisition of applications, computer operations, outsourcing technology, business continuity planning, information security, and internal audits.194 In addition to these standards issued by FFIEC and NIST, financial regulatory agencies, including the Commission, provided guidance on business continuity and disaster recovery plans in the 2003 Interagency White Paper 195 and the 2003 Policy Statement on Business Continuity Planning for Trading Markets.196
192 See infra Sections V.B and V.C, discussing market failures and the anticipated economic benefits of proposed Regulation SCI. Each SCI entity, to the extent it seeks to rely on SCI industry standards in complying with proposed Rule 1000(b)(1), would have discretion to identify those industry standards that provide an appropriate way for it to comply with the requirements set forth in the rule, given its technology, business model, and other factors.
193 Each of these publications would meet the proposed criteria that they be: (i) Information technology practices that are widely available for free to information technology professionals in the financial sector; and (ii) issued by an authoritative body that is a U.S. governmental entity or agency, association of U.S. governmental entities or agencies, or widely recognized organization. See proposed Rule 1000(b)(1)(ii).
194 The federal agencies represented on the FFIEC are the Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation, the National Credit Union Administration, Office of the Comptroller of the Currency, and the Consumer Financial Protection Bureau.
Also included in Table A is a publication issued by the Institute of Internal Auditors (‘‘IIA’’). The IIA is an international professional association that has developed and published guidance setting forth industry best practices in internal auditing for internal audit professionals. It has more than 175,000 members in 165 countries and territories around the world.197 IIA is also a credentialing organization, awarding the Certified Internal Auditor (CIA), Certified Government Auditing Professional (CGAP), Certified Financial Services Auditor (CFSA), Certification in Control Self-Assessment (CCSA), and Certification in Risk Management Assurance (CRMA) certifications to those who meet the requirements.198 The Commission preliminarily believes these factors support identification of IIA as an authoritative body that is a widely recognized organization.
In addition, one of the publications identified in Table A is issued by the Security Benchmarks division of the Center for Internet Security (‘‘CIS’’). The CIS is a not-for-profit organization focused on enhancing the cybersecurity readiness and response of public and private sector entities.
The CIS Security Benchmarks division facilitates the development of industry best practices for security configuration, tools for measuring information security status, and resources to assist entities in making security investment decisions.199 Its members include commercial organizations, academic organizations, government agencies, and security service, consulting, and software organizations.200 According to the CIS, its benchmarks are regularly referred to by U.S. government agencies for compliance with information security rules and regulations.201 The Commission preliminarily believes these factors support a determination that CIS is an authoritative body that is a widely recognized organization. Table A lists the publication(s) that the Commission has preliminarily identified as SCI industry standard(s) in each domain that an SCI entity, taking into account its nature, size, technology, business model, and other aspects of its business, could, but is not required to, use to establish, maintain, and enforce reasonably designed policies and procedures that satisfy the requirements of proposed Rule 1000(b)(1). Thus, the Commission is proposing that the industry standards contained in the publications identified in Table A be one example of ‘‘current SCI industry standards’’ for purposes of proposed Rule 1000(b)(1), and requests commenters’ views on the appropriateness of each publication identified in Table A as a ‘‘current SCI industry standard.’’ Each listed publication is identified with specificity, and includes the particular publication’s date, volume number, and/or publication number, as the case may be. 
Thus, to the extent an SCI entity seeks to rely on SCI industry standards for purposes of complying with proposed Rule 1000(b)(1)(ii), the Commission intends SCI entities that establish policies and procedures based on the SCI industry standards contained in the publications set forth in Table A to enforce written policies and procedures, taking into account their nature, size, technology, business model, and other aspects of their business, consistent with relevant standards, even if the issuing organization were to subsequently update a given industry practice, until such time as the list of SCI industry standards were to be updated, as discussed below.202 Of course, SCI entities could elect to use standards contained in the publications other than those identified on Table A to satisfy the requirements of proposed Rule 1000(b)(1).
195 See 2003 Interagency White Paper, supra note 31. In the 2003 Interagency White Paper, which was issued jointly by the Commission, the Board of Governors of the Federal Reserve System, and the Office of the Comptroller of the Currency, the agencies identified a broad consensus on three important business continuity objectives: (1) Rapid recovery and timely resumption of critical operations following a wide-scale disruption; (2) rapid recovery and timely resumption of critical operations following the loss or inaccessibility of staff in at least one major operating location; and (3) a high level of confidence, through ongoing use or robust testing, that critical internal and external continuity arrangements are effective and compatible. See id. at 17811. The agencies also identified sound practices for core clearing and settlement organizations and firms that play significant roles in critical financial markets.
They stated that in this context, ‘‘core clearing and settlement organizations’’ consist of market utilities that provide clearing and settlement services for critical financial markets or act as large-value payment system operators and present systemic risk to the markets should they be unable to perform. ‘‘Firms that play significant roles in critical financial markets’’ refers to organizations whose participation in one or more critical financial markets is significant enough that their failure to settle their own or their customers’ material pending transactions by the end of the day could present systemic risk to the markets. The sound practices address the risks of a wide-scale disruption and strengthen the resilience of the financial system. They also reduce the potential that key market participants will present systemic risk to one or more critical markets because primary and back-up processing facilities and staffs are concentrated within the same geographic region. The sound practices are as follows. First, identify clearing and settlement activities in support of critical financial markets. These activities include the completion of pending large-value payments; clearance and settlement of material pending transactions; meeting material end-of-day funding and collateral obligations necessary to ensure the performance of pending large-value payments and transactions; and updating records of accounts. Second, determine appropriate recovery and resumption objectives for clearing and settlement activities in support of critical markets. In this regard, core clearing and settlement organizations are expected to develop the capacity to recover and resume clearing and settlement activities within the business day on which the disruption occurs with the overall recovery goal of two hours after an event. Third, maintain sufficient geographically dispersed resources to meet recovery and resumption objectives.
The 2003 Interagency White Paper states that back-up arrangements should be as far away from the primary site as necessary to avoid being subject to the same set of risks as the primary location and should not rely on the same infrastructure components used by the primary site. Fourth, routinely use or test recovery and resumption arrangements. This includes regular tests of internal recovery and resumption arrangements as well as cross-organization tests to ensure the effectiveness and compatibility of recovery and resumption strategies within and across critical markets. See id. at 17811–13.
196 See supra note 32. The Commission’s policy statement applies more broadly to all ‘‘SRO markets’’ and ECNs, not just those that play ‘‘significant roles in critical financial markets,’’ as discussed in the 2003 Interagency White Paper. Each SRO market and ECN is expected to (1) have in place a business continuity plan that anticipates the resumption of trading in the securities traded by that market no later than the next business day following a wide-scale disruption; (2) maintain appropriate geographic diversity between primary and back-up sites in order to assure resumption of trading activities by the next business day; (3) assure the full resilience of shared information streams, such as the consolidated market data stream generated for the equity and options markets; and (4) confirm the effectiveness of the back-up arrangements through testing. See id. at 56658.
197 See IIA’s 2011 Annual Report, available at: https://na.theiia.org/about-us/Pages/AnnualReports.aspx.
198 See id.
199 See https://benchmarks.cisecurity.org/en-us/?route=default.about.
200 See https://benchmarks.cisecurity.org/en-us/?route=membership.
201 The CIS states that its benchmarks are widely accepted by U.S.
government agencies for compliance with the Federal Information Security Management Act (FISMA), Gramm-Leach-Bliley Act, Sarbanes-Oxley Act, The Health Insurance Portability and Accountability Act of 1996 (HIPAA), and other regulatory requirements for information security. See https://benchmarks.cisecurity.org/en-us/?route=membership.
202 See discussion in this Section III.C.1.b following Table A below.
203 The Commission recently adopted a similar contingency planning practice in Rule 17Ad–22(d)(4) that requires registered clearing agencies to have policies and procedures designed to identify sources of operational risk and minimize those risks through the development of appropriate systems controls and procedures. See Securities Exchange Act Release No. 68080 (October 22, 2012), 77 FR 66220 (November 2, 2012). See also supra note 95.

TABLE A—PUBLICATIONS RELATING TO INDUSTRY STANDARDS IN 9 DOMAINS

Domain: Application Controls
Industry standards:
NIST DRAFT Security and Privacy Controls for Federal Information Systems and Organizations (Special Publication 800–53 Rev. 4) available at: https://csrc.nist.gov/publications/drafts/800-53rev4/sp800-53-rev4-ipd.pdf.

Domain: Capacity Planning
Industry standards:
FFIEC, Operations IT Examination Handbook (July 2004), available at: https://ithandbook.ffiec.gov/ITBooklets/FFIEC_ITBooklet_Operations.pdf.

Domain: Computer Operations and Production Environment Controls
Industry standards:
NIST DRAFT Security and Privacy Controls for Federal Information Systems and Organizations (Special Publication 800–53 Rev. 4), available at: https://csrc.nist.gov/publications/drafts/800-53rev4/sp800-53-rev4-ipd.pdf.

Domain: Contingency Planning (BCP) 203
Industry standards:
NIST Contingency Planning Guide for Federal Information Systems (Special Publication 800–34 Rev. 1), available at: https://csrc.nist.gov/publications/nistpubs/800-34-rev1/sp800-34-rev1_errataNov11-2010.pdf.
2003 Interagency White Paper on Sound Practices to Strengthen the Resilience of the U.S. Financial System, Securities Exchange Act Release No. 47638 (April 8, 2003), 68 FR 17809 (April 11, 2003), available at: https://www.sec.gov/news/studies/34-47638.htm.
2003 Policy Statement on Business Continuity Planning for Trading Markets, Securities Exchange Act Release No. 48545 (September 25, 2003), 68 FR 56656 (October 1, 2003), available at: https://www.sec.gov/rules/policy/34-48545.htm.

Domain: Information Security and Networking
Industry standards:
NIST DRAFT Security and Privacy Controls for Federal Information Systems and Organizations (Special Publication 800–53 Rev. 4), available at: https://csrc.nist.gov/publications/drafts/800-53rev4/sp800-53-rev4-ipd.pdf.
NIST Guidelines on Security and Privacy in Public Cloud Computing (Special Publication 800–144), available at: https://csrc.nist.gov/publications/nistpubs/800-144/SP800-144.pdf.
The Center for Internet Security Configuration Benchmarks, available at: https://benchmarks.cisecurity.org/en-us/?route=downloads.benchmarks.

Domain: Audit
Industry standards:
FFIEC, Audit IT Examination Handbook (August 2003), available at: https://ithandbook.ffiec.gov/ITBooklets/FFIEC_ITBooklet_Audit.pdf.
IIA, The Role of Internal Auditing in Enterprise-wide Risk Management, available at: https://www.theiia.org/iia and https://www.theiaa.org/index.

Domain: Outsourcing
Industry standards:
FFIEC, Outsourcing Technology Services IT Examination Handbook (June 2004), available at: https://ithandbook.ffiec.gov/ITBooklets/FFIEC_ITBooklet_OutsourcingTechnologyServices.pdf.

Domain: Physical Security
Industry standards:
NIST DRAFT Security and Privacy Controls for Federal Information Systems and Organizations (Special Publication 800–53 Rev. 4), available at: https://csrc.nist.gov/publications/drafts/800-53rev4/sp800-53-rev4-ipd.pdf.

Domain: Systems Development Methodology
Industry standards:
NIST Security Considerations in the System Development Life Cycle (Special Publication 800–64 Rev. 2), available at: https://csrc.nist.gov/publications/nistpubs/800-64-Rev2/SP800-64Revision2.pdf.

As noted above, each of the publications listed in Table A is intended to identify information technology practices that are widely available for free to information technology professionals in the financial sector and are issued by an authoritative body that is a U.S. governmental entity or agency, association of U.S. governmental entities or agencies, or widely recognized organization. Although the industry standards contained in the publications identified in Table A above are intended as an appropriate initial set of industry standards under proposed Regulation SCI, the Commission does not seek to foreclose the development, whether by the Commission or otherwise, of a set of industry standards that is more focused on the specific businesses and systems of SCI entities.204 In such a case, the Commission preliminarily believes that it would be appropriate to use the industry standards contained in the publications listed in Table A as a starting point for such development.
204 Standards issued by the Commission itself would meet the proposed criteria in that they would be: (i) Comprised of information technology practices that are widely available for free to information technology professionals in the financial sector; and (ii) issued by an authoritative body that is a U.S. governmental entity or agency, association of U.S. governmental entities or agencies, or widely recognized organization.
Further, the Commission recognizes that systems and technologies are continually evolving. As such, the standards identified in this proposal would likely be updated from time to time by the organizations issuing them. However, the Commission also preliminarily believes that, following its initial identification of one set of SCI industry standards, it may be appropriate to update the identified set of standards from time to time through the periodic issuance of Commission staff guidance. Accordingly, the Commission preliminarily believes it would be appropriate for Commission staff, from time to time, to issue notices to update the list of previously identified set of SCI industry standards after receiving appropriate input from interested persons.205 The Commission preliminarily believes that this approach would provide the public, including SCI entities and other market participants, an opportunity to comment on newly proposed SCI industry standards. However, until such time as Commission staff were to update the identified set of SCI industry standards, the then-current set of SCI industry standards would be the standards referred to in proposed Rule 1000(b)(1)(ii) of Regulation SCI. As noted above, proposed Rule 1000(b)(1)(ii) would require that any SCI industry standards be: (i) Comprised of information technology practices that are widely available for free to information technology professionals in the financial sector; and (ii) issued by an authoritative body that is a U.S. governmental entity or agency, association of U.S. governmental entities or agencies, or a widely recognized organization.
205 As noted in the request for comment section below, the Commission solicits comment on the ways in which appropriate input from interested persons should be obtained for updating the SCI industry standards.

Request for Comment

60. The Commission requests comment generally on proposed Rule 1000(b)(1). Do commenters believe the proposed scope of required policies and procedures is appropriate? Why or why not? Please explain.
61. Do commenters believe that it is appropriate to apply the requirements of proposed Rule 1000(b)(1) to SCI systems and, for purposes of security standards, to SCI security systems? Why or why not? Please explain.
62. Do commenters believe the enumeration of the items in proposed Rule 1000(b)(1)(i)(A)–(F) that are to be addressed in the required policies and procedures is appropriate? Why or why not? Specifically, is the proposal to require that such policies and procedures include the establishment of reasonable current and future capacity planning estimates, as provided in proposed Rule 1000(b)(1)(i)(A), appropriate? Why or why not?
63. Should the Commission specify the interval (e.g., monthly or quarterly) at which SCI entities would be required to conduct periodic capacity stress tests of relevant systems, as provided in proposed Rule 1000(b)(1)(i)(B)? Should such periodic tests be limited to a subset of systems? If so, for which systems should such tests be required and why would that limitation be appropriate?
64. Should the Commission require SCI entities to have a program to review and keep current systems development and testing methodology, as proposed to be required in proposed Rule 1000(b)(1)(i)(C)? Why or why not?
65. Should the Commission specify the interval at which SCI entities would be required to conduct reviews and tests of SCI systems and SCI security systems, including backup systems, to identify vulnerabilities pertaining to internal and external threats, physical hazards, and natural or manmade disasters, as provided in proposed Rule 1000(b)(1)(i)(D)? Why or why not? And, if so, what would be appropriate intervals and why?
66. 
The Commission notes that items (i)(B), (C), and (D) would each require the establishment of policies and procedures for: Testing of capacity, testing methodology, and testing for vulnerabilities, respectively. The Commission also notes that the need for improved testing was a recurring theme during the Roundtable and discussed in several comment letters.206 The Commission requests comment on whether the testing policies and procedures requirements in proposed Rule 1000(b)(1)(i)(B), (C), and (D) would be sufficiently comprehensive to foster development of the types of testing that Roundtable panelists and commenters recommended. Why or why not? Please be specific. Should the Commission require certain types of testing by SCI entities? Why or why not? Please be specific. If so, what specific types of testing should the Commission require in proposed Regulation SCI? Please describe in detail.
206 See text accompanying supra note 72, discussing recommendations by Roundtable panelists and commenters to lower rates of error in software development by improving testing opportunities and participation in testing by member firms. See also text accompanying supra note 180.
67. Should the Commission require SCI entities to have, and make available to their members or participants, certain infrastructure or mechanisms that would aid industry-wide testing or direct testing with an SCI entity, such as test facilities or test symbols? Why or why not? If so, please specify what types of infrastructures or mechanisms should be required.
68. Should the Commission require industry-wide testing for certain types of anticipated technology deployments? 207 Why or why not? If so, what should be the criteria for identifying anticipated technology deployments that warrant mandatory industry-wide testing and which market participants should be required to participate? Please explain in detail.
207 See also infra Section III.C.7 (discussing, among other things, the requirement of proposed Rule 1000(b)(9)(ii) that an SCI entity coordinate the testing of the SCI entity’s business continuity and disaster recovery plans, including its backup systems, with other SCI entities).
69. Should the Commission require SCI entities to mandate that their members or participants participate in direct testing with such SCI entities for certain types of anticipated technology deployments by the members or participants? 208 Why or why not? If so, what should be the criteria for identifying anticipated technology deployments that warrant mandatory testing with an SCI entity? Should the Commission identify such criteria, or should SCI entities identify such criteria? Please explain.
208 See also infra Section III.C.7 (discussing, among other things, the requirement of proposed Rule 1000(b)(9)(i) that an SCI entity require participation by designated members or participants in scheduled functional and performance testing of the operation of the SCI entity’s business continuity and disaster recovery plans, including its backup systems).
70. Similarly, would proposed item (i)(E), regarding policies and procedures for business continuity and disaster recovery plans, be sufficiently comprehensive to foster the establishment of the types of contingency plans discussed by Roundtable panelists and Roundtable commenters, such as predetermined communication plans, escalation procedures, and/or kill switches? 209 Why or why not? Should proposed Regulation SCI expressly require that an SCI entity’s contingency plans include such details? 210 Why or why not? Please explain. Should SCI entities’ contingency plans and the testing of such plans be required to account for specific types of disaster or threat scenarios, such as an extreme volume surge, the failure of a major market participant, and/or a terrorist or cyber attack? Why or why not? Please explain. If so, what other types of scenarios should such plans take into account? Please be specific.
209 See discussion of Roundtable in supra Section I.D. The Commission is not proposing at this time any requirements related to kill switches.
210 See also infra Section III.C.3.a, discussing proposed Rule 1000(b)(3), which would require an SCI entity, upon any responsible SCI personnel becoming aware of an SCI event, to begin to take appropriate corrective action, including, at a minimum, mitigating potential harm to investors and market integrity resulting from the SCI event and devoting adequate resources to remedy the SCI event as soon as reasonably practicable, and the associated request for comment.
71. There was considerable discussion at the Roundtable about kill switches, with several panelists advocating the kill switch proposal outlined in the Industry Working Group comment letter,211 while others expressed concerns.212 The Commission is not proposing at this time any requirements related to kill switches. However, do commenters believe that the implementation of kill switches, as outlined in the Industry Working Group comment letter, would assist SCI entities in maintaining the integrity of their systems? Why or why not? If so, how, if at all, should the Commission foster the development of coordinated contingency plans among SCI SROs and SCI ATSs that would include such a kill switch mechanism?
211 See letter from Industry Working Group, supra note 74 and accompanying text.
212 See, e.g., letter from TDA, supra note 74.
72. Should the Commission include the criteria of geographic diversity in the requirement relating to business continuity and disaster recovery plans in proposed Rule 1000(b)(1)(i)(E)? Why or why not? Please explain. Should the Commission specify minimum standards for ‘‘geographically diverse’’ in proposed Rule 1000(b)(1)(i)(E)? Why or why not? If so, what would be an appropriate standard?
73. Is the next business day resumption of trading following a wide-scale disruption requirement in proposed Rule 1000(b)(1)(i)(E) appropriate? Why or why not? Is the two-hour resumption of clearance and settlement services following a wide-scale disruption an appropriate requirement for an SCI entity that is a registered clearing agency or ‘‘exempt clearing agency subject to ARP?’’ Why or why not?
74. As discussed above, the U.S. national securities exchanges closed for two business days in October 2012 in the wake of Superstorm Sandy, even though the securities industry’s annual test of how trading firms, market operators, and their utilities could operate through an emergency using backup sites, backup communications, and disaster recovery facilities occurred without significant incident on October 27, 2012, just two days before the storm.213 As discussed in greater detail below, proposed Rule 1000(b)(9) would require SCI entities to mandate participation by designated members or participants in scheduled testing of the operation of their business continuity and disaster recovery plans, including backup systems, and to coordinate such testing with other SCI entities.214 Are there other industry practices related to proposed Regulation SCI that should be considered further in light of the two-day closure of the U.S. securities markets during the storm? If so, what are they? For example, for SCI entities that are trading markets, should the Commission limit the extent to which an SCI entity’s business continuity and disaster recovery plans may involve changing how trading may be conducted? 
For example, the NYSE, pursuant to its rules, initially proposed to conduct trading only electronically on October 29, 2012, using NYSE Arca systems, rather than conduct trading both electronically as well as on a physical trading floor, as it normally does.215 Should an SCI entity that is experiencing a wide-scale disruption be permitted to offer its members or participants an alternative that significantly differs from its usual method of operation? Please explain. What are the costs and benefits associated with each type of approach?
213 See supra Section I.D.
214 See infra Section III.C.7.
215 See supra Section I.D.
75. Should business continuity and disaster recovery plans involving backup data centers be required to be tested in a live ‘‘production’’ environment on a periodic basis (e.g., annually, or at some other frequency)? Why or why not? Please explain.
76. The Commission understands that certain entities that would be defined as SCI entities (such as registered clearing agencies) are already effectively operating under business resumption requirements of less than one business day. Should the Commission consider revising the proposed next business day resumption requirement for trading to a shorter or longer period, for example, a specific number of hours less or more than one business day or within the business day for certain entities that play a significant role within the securities markets? Why or why not? Similarly, should the proposed two-hour resumption standard for clearance and settlement services be shortened or lengthened? Why or why not?
77. Following a systems disruption (including, for example, activation of an SCI entity’s business continuity plan), should the Commission require user testing and certification prior to resuming operation of the affected systems? Why or why not? If so, what should the testing requirements be? Should they vary depending on the type of system(s) affected? 
To whom should an SCI entity certify that an affected system or group of systems is ready to resume operation?
78. Is the requirement in proposed Rule 1000(b)(1)(i)(F) for ‘‘standards that result in such systems being designed, developed, tested, maintained, operated, and surveilled in a manner that facilitates the successful collection, processing, and dissemination of market data’’ appropriate? Are there other factors that the Commission should consider in determining whether standards to process data are adequate? Or, should some of the proposed standards be eliminated or modified? If so, please explain how and why.
79. Do commenters believe there are specific internal controls or other mechanisms that would reinforce the effectiveness of an SCI entity’s reasonably designed policies and procedures under proposed Rule 1000(b)(1)? Why or why not? Please explain. How do SCI entities presently use specific internal controls or other mechanisms to maintain the SCI entity’s operational capability and promote the maintenance of fair and orderly markets? How do commenters generally view the advantages and disadvantages of specific internal controls or other mechanisms? The Commission is not proposing to prescribe specific internal controls under proposed Rule 1000(b)(1). Should the Commission propose that any particular internal controls or other mechanisms be required (for example, that a senior officer be designated to be responsible for the SCI entity’s compliance with proposed Regulation SCI, or that personnel of the SCI entity certify that the SCI entity’s policies and procedures are reasonably designed)?
80. Would any of the Commission’s proposed requirements under proposed Rule 1000(b)(1) create inappropriate barriers to entry for new entities seeking to register with the Commission as an SRO, ATS, or plan processor? 
Would any of the proposed requirements inappropriately limit the growth or expansion of entities currently registered with the Commission as an SRO, ATS, or plan processor? Why or why not?
81. As noted above, the Commission proposes that policies and procedures would be deemed to be reasonably designed for purposes of proposed Rule 1000(b)(1) if they are consistent with current SCI industry standards. Do commenters agree with this approach? Why or why not? What are the advantages or disadvantages of such an approach?
82. Do commenters believe that the publications listed in Table A represent publications that are suitable for purposes of proposed Rule 1000(b)(1)(ii) and that should be the ‘‘current SCI industry standards’’ for purposes of proposed Rule 1000(b)(1)(ii)? Why or why not? If not, what publications would be appropriate? Do commenters believe that SCI entities currently follow the industry standards contained in the publications listed in Table A?
83. Are there areas within one of the nine identified domains that these publications do not cover? For example, should the Commission identify additional publications that provide industry standards for specific areas such as personnel security or information security risk management? If so, please identify any such publications that would be appropriate for the Commission to apply to SCI entities. Are there other areas that commenters believe are not covered at all by the publications listed in Table A that should be included? If so, what publications would be appropriate for such areas? Are there any areas within one of the nine identified domains that commenters believe should not be included? If so, why not?
84. Should any of the publications listed in Table A be eliminated? If so, which ones and why? Are there any publications that should be added? If so, which ones and why? 
Are there industry practices that apply to, or are developed by, entities related to the securities markets that should be considered? If so, what are they and why? Are there any types of SCI entities for which the proposed publications would not be appropriate? If so, which types of entities and why? How should any such possible concerns be addressed? The Commission notes that many of the publications in Table A have been issued by either NIST or FFIEC. Do commenters believe that SCI entities generally currently follow the industry standards issued by one of these organizations more frequently than the other? If so, which one and why? Is one organization’s publications more appropriate or preferable for SCI entities? If so, please explain. What are the advantages and/or disadvantages of the publications issued by each organization?
85. The Commission seeks comment on whether commenters believe that the identified publications, and the industry standards within, are adequate in terms of the detail, specificity and scope. Are there areas in which the industry standards listed in the publications in Table A should be modified to provide adequate guidance to SCI entities? If so, please explain in detail. For example, the Commission understands that many businesses, including SCI entities, now utilize cloud computing as part of their operations, and the Commission has identified industry standards with respect to cloud computing among the publications listed in Table A. However, do commenters believe that these industry standards provide an adequate level of specificity to allow an SCI entity to ascertain how to comply with such standards? Further, do the industry standards contained in the publications in Table A cover all of the relevant areas related to a particular subject area (such as cloud computing)? 
Similarly, the Commission notes that it has identified publications with respect to capacity planning, but that the industry standards in such publications focus primarily on continuity of operations. As such, the Commission seeks comment on whether commenters believe that the identified publications with respect to capacity planning are adequate in terms of the detail, specificity, and scope? Specifically, do these publications provide an adequate level of specificity to allow an SCI entity to ascertain how to comply with such standards, and do the industry standards cover all of the necessary areas related to a particular subject area such as capacity planning? Why or why not? As noted above, compliance with the industry standards contained in the publications on Table A would not be the exclusive means to comply with the requirements of proposed Rule 1000(b)(1).
86. Do commenters agree with the Commission’s proposed policies and procedures approach to the requirements of proposed Rule 1000(b)(1)? Why or why not? If not, is there another approach that is more appropriate? If so, please describe and explain. Do commenters agree with the Commission’s proposed approach to deem an SCI entity’s policies and procedures to be reasonably designed if they are consistent with current SCI industry standards, as provided for in proposed Rule 1000(b)(1)(ii)? Why or why not? How do commenters believe the actions of SCI entities might differ if such a provision were not available? What are the costs and benefits of the Commission’s approach? What would be the costs and benefits of other approaches? Please explain.
87. Do commenters agree or disagree with the Commission’s proposed criteria to evaluate publications suitable for inclusion on Table A as an SCI industry standard and to update such list? 
Do commenters agree with the proposed criteria that identified publications should be: (i) Comprised of information technology practices that are widely available for free to information technology professionals in the financial sector; and (ii) issued by an authoritative body that is a U.S. governmental entity or agency, association of U.S. governmental entities or agencies, or widely recognized organization? Why or why not? Are there other criteria that would be more appropriate? Should the proposed criteria allow for a publication that may be available for an incidental charge rather than being required to be available for free? Why or why not? How frequently should such list of publications be updated and revised and what should the process be to update and/or revise them?
88. Are there SCI entities for which the proposed requirements in Rule 1000(b)(1) would be inappropriate (e.g., not cost effective)? If so, please identify such type of entity or entities, or the characteristics of such entity or entities, and explain which proposed requirements would be inappropriate and why. Would cost burden be an appropriate reason to omit an SCI entity or proposed requirement generally? Alternatively, would cost burden be an appropriate reason to omit an SCI entity or proposed requirement, on a case-by-case basis, as the Commission determined to be consistent with Exchange Act requirements?
89. When the Commission adopts new rules, or when SCI SROs implement rule changes, SCI SROs and their members often need to make changes to their systems to comply with such new rules. Would the requirements of proposed Rule 1000(b)(1) add additional time to this process and would the requirements increase the amount of time SCI entities would need to adjust their systems for Commission or SCI SRO rule changes? If so, how much additional time would SCI SROs need to adjust their systems? 
If not, should proposed Regulation SCI or another Commission rule require SCI SROs to provide minimum advance notice to their members of anticipated technology deployments prior to the implementation of any associated new rule or rule change by the SCI SRO? Why or why not? If so, how much advance notice should be required (e.g., a few days, a week, 30 days, 60 days, some other period)? Along with any such advance notice, should SCI SROs be required to offer to its members the opportunity to test such change with the SCI SRO prior to deployment of the new technology and implementation of any associated new rule or rule change? Why or why not? Should there be a similar requirement for other types of SCI entities? Why or why not? If so, what types of entities and what sorts of requirements should be included?
90. Do commenters believe the potential additional time SCI SROs allocate to this process would result in fewer SCI events by helping to ensure that SCI SROs properly implement systems changes? Why or why not? How would the benefits and costs of such potential additional time compare? Please be as specific as possible.
91. The Commission generally solicits comments on its proposed process for updating current SCI industry standards. Do commenters believe that it would be appropriate that Commission staff, from time to time, issue notices to update the list of previously identified publications containing SCI industry standards after receiving appropriate input from interested persons? Is there a more appropriate method? If so, what would it be? If not, why not?
92. Would such a process allow for Commission staff to receive sufficient input from the public, including experts, SCI entities, and other market participants regarding the appropriate standards it should update, and how to do so? Why or why not?
93. 
Would it be useful, for example, to provide notice to the public that it was focusing on a given domain or standard and seek comment on a domain-by-domain, or standard-by-standard, basis? Would it be useful for the Commission to set up a committee to advise Commission staff on such standards? If so, which groups or types of market participants should be represented on such a committee and why? Is there any other process that the Commission or its staff should use to help it obtain useful input? Would it be appropriate to instead require SROs, for example, to submit an NMS plan under Rule 608 of Regulation NMS that contained standards? Why or why not?
94. If the Commission, its staff, or another entity seeks to develop a set of standards that is more focused on the specific businesses and systems of SCI entities, do commenters agree that the industry standards contained in the publications listed in Table A would be appropriate to be used as a starting point for this effort? Why or why not? If not, what publication(s) should be used as a starting point? Please describe in detail and explain.
95. Do commenters believe it would be feasible to establish industry standards through means other than identification through Table A? For example, should SCI entities take the lead in developing such standards? Why or why not? If so, how should the process be organized and what parameters should be put in place to facilitate the process? For example, should SCI entities jointly develop industry standards that apply to all SCI entities or should the various types of SCI entities (e.g., national securities exchanges, ATSs, plan processors, clearing agencies) work separately to develop their own standards? Should one or more industry organizations take the lead in developing such standards? If so, which ones, and why? 
Should any such standards identified by the SCI entities and/or industry organizations be formally approved or disapproved by the Commission as part of any such process?

2. Systems Compliance

Proposed Rule 1000(b)(2)(i) would require each SCI entity to establish, maintain, and enforce written policies and procedures reasonably designed to ensure that its SCI systems operate in the manner intended, including in a manner that complies with the federal securities laws and rules and regulations thereunder and the entity’s rules and governing documents, as applicable.216 Whereas proposed Rule 1000(b)(1) concerns the robustness of the SCI entity’s SCI systems and SCI security systems—i.e., such systems’ capacity and resiliency against failures and security threats—proposed Rule 1000(b)(2) concerns the SCI entity’s establishment of policies and procedures reasonably designed to ensure the operational compliance of an SCI entity’s SCI systems with applicable laws, rules, and the SCI entity’s governing documents. Diligent discharge of this proposed obligation to establish, maintain, and enforce written policies and procedures would establish the organizational framework for an SCI entity to meet its other obligations under proposed Regulation SCI.
In particular, with respect to SCI SROs, compliance with proposed Rule 1000(b)(2)(i) should help to ensure that SCI SROs comply with Section 19(b)(1) of the Exchange Act, which requires each SRO to file with the Commission copies of any proposed rule or any proposed change in, addition to, or deletion from the rules of the SRO.217 Therefore, compliance with this proposed requirement may help ensure not only that SCI SROs operate in compliance with the Exchange Act, but also help reinforce existing processes for filing SRO rule changes in order to better assist market participants and the public in understanding how the SCI systems of SCI SROs are intended to operate.218 Because of the complexity of SCI systems and the breadth of the federal securities laws and rules and regulations thereunder and the SCI entities’ rules and governing documents, the Commission preliminarily believes that it would be appropriate to provide an explicit safe harbor for SCI entities and their employees in order to provide greater clarity as to how they can ensure that their conduct will comply with this provision. Therefore, the Commission is proposing Rules 1000(b)(2)(ii) and (iii), which would provide a safe harbor from liability under proposed Rule 1000(b)(2)(i) for SCI entities and persons employed by SCI entities, respectively, as further described below. 
216 See supra Section III.B.3.b, discussing the definition of ‘‘systems compliance issue.’’
217 See 15 U.S.C. 78s(b)(1).
218 SCI SROs would similarly be assisted in meeting their obligations to file plan amendments to SCI Plans under Rule 608 of Regulation NMS.

Specifically, proposed Rule 1000(b)(2)(ii) would provide that an SCI entity would be deemed not to have violated proposed Rule 1000(b)(2)(i) if: (A) the SCI entity has established and maintained policies and procedures reasonably designed to provide for: (1) Testing of all SCI systems and any changes to such systems prior to implementation; (2) periodic testing of all such systems and any changes to such systems after their implementation; (3) a system of internal controls over changes to such systems; (4) ongoing monitoring of the functionality of such systems to detect whether they are operating in the manner intended; (5) assessments of SCI systems compliance performed by personnel familiar with applicable federal securities laws and rules and regulations thereunder and the SCI entity’s rules and governing documents, as applicable; and (6) review by regulatory personnel of SCI systems design, changes, testing, and controls to prevent, detect, and address actions that do not comply with applicable federal securities laws and rules and regulations thereunder and the SCI entity’s rules and governing documents, as applicable; (B) the SCI entity has established and maintained a system for applying such policies and procedures which would reasonably be expected to prevent and detect, insofar as practicable, any violations of such policies and procedures by the SCI entity or any person employed by the SCI entity; and (C) the SCI entity: (1) has reasonably discharged the duties and obligations incumbent upon the SCI entity by such policies and procedures, and (2) was without reasonable cause to believe that such policies
and procedures were not being complied with in any material respect.

The Commission preliminarily believes that, if an SCI entity establishes and maintains policies and procedures reasonably designed to provide for the items in proposed Rule 1000(b)(2)(ii)(A)(1)-(6), such policies and procedures would meet the requirement articulated in proposed Rule 1000(b)(2)(i). Specifically, the Commission preliminarily believes that items (1) and (2), which, for purposes of qualifying for the safe harbor, would require SCI entities to have policies and procedures requiring the testing of SCI systems and changes to such systems before they are put into production and periodically thereafter, should help SCI entities to identify potential problems before such problems have the ability to impact markets and investors. Items (3) and (4), which, for purposes of qualifying for the safe harbor, would require a system of internal controls over changes to SCI systems and ongoing monitoring of the functionality of such systems, would provide a framework for SCI entities seeking to bring newer, faster, and more innovative SCI systems online. In conjunction with ongoing monitoring, the Commission preliminarily believes the policies and procedures proposed to be required in items (3) and (4) for purposes of qualifying for the safe harbor, would help prevent SCI systems becoming noncompliant resulting from, for example, inattention or failure to review compliance with established written policies and procedures.

Further, the Commission preliminarily believes that item (5) (which, for purposes of qualifying for the safe harbor, would require that an SCI entity establish, maintain, and enforce written policies and procedures for assessments of SCI systems compliance by personnel familiar with applicable federal securities laws, rules and regulations thereunder, and the SCI entity’s rules and governing documents), in conjunction with item (6) (which, for purposes of qualifying for the safe harbor, would require policies and procedures directing that regulatory personnel review SCI systems design, changes, testing, and controls), would help foster coordination between the information technology and regulatory staff of an SCI entity so that SCI events and other issues related to an SCI entity’s SCI systems would be more likely to be addressed by a team of staff in possession of the requisite range of knowledge and skills to help ensure compliance with the SCI entity’s obligations under proposed Regulation SCI. Insofar as an SCI entity follows them to qualify for the safe harbor, proposed items (5) and (6) also are intended to help to ensure that an SCI entity’s business interests do not undermine regulatory, surveillance, and compliance functions and, more broadly, the requirements of the federal securities laws, during the development, testing, implementation, and operation processes for SCI systems.
Thus, proposed items (1)-(6) together, insofar as SCI entities follow them to qualify for the safe harbor, are meant to promote the development and implementation of policies and procedures consistent with the functioning of SCI systems of SCI entities as planned and as described by the SCI entity’s rules and governing documents, as well as in compliance with applicable federal securities laws and rules.219

219 See supra note 154–156 and accompanying text.

In addition to establishing and maintaining the policies and procedures described in proposed Rule 1000(b)(2)(ii)(A)(1)-(6), to qualify for the safe harbor, an SCI entity would also be required to satisfy two additional requirements. First, under proposed Rule 1000(b)(2)(ii)(B), it would be required to have established and maintained a system for applying such policies and procedures which would reasonably be expected to prevent and detect, insofar as practicable, any violations of such policies and procedures by the SCI entity or any person employed by the SCI entity. In addition, under proposed Rule 1000(b)(2)(ii)(C), the SCI entity would be required to: (1) Have reasonably discharged the duties and obligations incumbent upon it by such policies and procedures; and (2) have been without reasonable cause to believe that such policies and procedures were not being complied with in any material respect.
To the extent an SCI entity seeks to qualify for the safe harbor, the elements of proposed Rules 1000(b)(2)(ii)(B) and (C) would require not only that its policies and procedures are reasonably designed to achieve SCI systems compliance, as described in items (A)(1)-(6) above, but also that, as part of such policies and procedures, the SCI entity establishes and maintains a system for applying those policies and procedures, and enforces its policies and procedures, in a manner that would reasonably allow it to prevent and detect violations of the policies and procedures. Proposed Rules 1000(b)(2)(ii)(B) and (C) are also designed to ensure that the SCI entity reasonably discharges duties and obligations incumbent upon it by such policies and procedures and is without reasonable cause to believe that such policies and procedures were not being complied with in any material respect. In addition, proposed Rule 1000(b)(2)(iii) would provide a safe harbor from liability for individuals. Specifically, proposed Rule 1000(b)(2)(iii) would provide that a person employed by an SCI entity shall be deemed not to have aided, abetted, counseled, commanded, caused, induced, or procured the violation by any other person of proposed Rule 1000(b)(2)(i) if the person employed by the SCI entity has reasonably discharged the duties and obligations incumbent upon such person by such policies and procedures, and was without reasonable cause to believe that such policies and procedures were not being complied with in any material respect. The Commission preliminarily believes that the safe harbor for individuals under proposed Rule 1000(b)(2)(iii) would appropriately provide protection from liability under Rule 1000(b)(2) to employees of SCI entities who reasonably conduct their assigned responsibilities under the SCI entity’s policies and procedures and do not have reasonable cause to believe the policies and procedures were not being complied with in any material respect. 
In this regard, an SCI entity would not be deemed to violate proposed Rule 1000(b)(2)(i) merely because it experienced a systems compliance issue, and could take advantage of the safe harbor for SCI entities if it satisfied the elements enumerated in proposed Rule 1000(b)(2)(ii).220 Likewise, an employee of an SCI entity, including an employee involved in the design or implementation of policies and procedures under the rule, would not be deemed to have aided, abetted, counseled, commanded, caused, induced, or procured the violation by any other person of proposed Rule 1000(b)(2)(i) merely because the SCI entity at which he or she worked experienced a systems compliance issue, whether or not the employee was able to take advantage of the safe harbor for individuals under proposed Rule 1000(b)(2)(iii).

Request for Comment

96. The Commission requests comment generally on all aspects of proposed Rule 1000(b)(2). Do commenters believe that it is appropriate to limit the application of the requirements of proposed Rule 1000(b)(2)(i) to SCI systems? Why or why not? Please explain. Do commenters agree with the requirements of the proposed safe harbor for SCI entities? Why or why not? Specifically, with respect to proposed Rule 1000(b)(2)(ii)(A)(1), which would include in the safe harbor a requirement that each SCI entity establish and maintain written policies and procedures that provide for testing of all SCI systems and any changes to such systems prior to implementation, should certain types of SCI systems be excluded from the proposed requirement? If so, please specify which types and explain.

97. Should the Commission specify the interval at which SCI entities would be required to conduct the periodic testing of all SCI systems contemplated by the safe harbor under proposed Rule 1000(b)(2)(ii)(A)(2)? Why or why not? And if so, what would be an appropriate interval?
Should certain types of SCI systems be tested on a more or less frequent basis? If so, please specify which types and explain.

220 The language of proposed Rules 1000(b)(2)(ii)(B) and (C) is drawn in significant part from language in Section 15(b)(4)(E) of the Exchange Act, 15 U.S.C. 78o(b)(4)(E), which generally provides a safe harbor from liability for failure to supervise, with a view to preventing violations of the securities laws, another person who is subject to his or her supervision and who commits such a violation.

98. With respect to proposed Rule 1000(b)(2)(ii)(A)(3), which would include in the safe harbor a requirement that an SCI entity establish and maintain written policies and procedures that provide for a system of internal controls over changes to SCI systems, should the Commission specify minimum standards for internal controls? If so, please explain why, as well as what such standards should be.

99. With respect to proposed Rule 1000(b)(2)(ii)(A)(4), which would include in the safe harbor a requirement that an SCI entity establish and maintain written policies and procedures that provide for ongoing monitoring of the functionality of SCI systems to detect whether they are operating in the manner intended, should the Commission specify the frequency with which the monitoring of such systems’ functionality should occur? If so, please explain. Should the Commission require different monitoring frequencies depending on the type of SCI system? Why or why not? If so, what should they be? Please explain.

100. For purposes of the safe harbor and proposed Rule 1000(b)(2)(ii)(A)(5), do commenters believe the Commission should require that the assessments of SCI systems compliance be performed by persons having specified qualifications? Why or why not?
If so, what would be appropriate and/or necessary qualifications for such personnel?

101. Proposed Rule 1000(b)(2)(ii)(A)(6) would include in the safe harbor a requirement that each SCI entity establish and maintain policies and procedures that provide for review by regulatory personnel of SCI systems design, changes, testing, and controls to prevent, detect, and address actions that are not in compliance with applicable federal securities laws and rules and regulations thereunder and the SCI entity’s rules and governing documents, as applicable. Do commenters believe, for purposes of qualifying for the safe harbor, the roles and allocations of responsibility for personnel in proposed Rules 1000(b)(2)(ii)(A)(5) and (6) are appropriate? Why or why not?

102. Do commenters agree that in order for an SCI entity to qualify for the safe harbor from liability under proposed Rule 1000(b)(2)(i), it should, in addition to establishing and maintaining the policies and procedures described in proposed Rule 1000(b)(2)(ii)(A)(1)-(6), be required to establish and maintain a system for applying such policies and procedures which would reasonably be expected to prevent and detect, insofar as practicable, any violations of such policies and procedures by the SCI entity or any person employed by the SCI entity? Why or why not? To qualify for the safe harbor from liability under proposed Rule 1000(b)(2)(i), should an SCI entity be further required to: have reasonably discharged the duties and obligations incumbent upon the SCI entity by such policies and procedures; and be without reasonable cause to believe that such policies and procedures were not being complied with in any material respect? Why or why not? Please explain.

103. Do commenters agree with the requirements for the proposed safe harbor for individuals in proposed Rule 1000(b)(2)(iii), which would provide that a person employed by an SCI entity shall be deemed not to have aided, abetted, counseled, commanded, caused, induced, or procured the violation by any other person of proposed Rule 1000(b)(2)(i) if the person employed by the SCI entity: has reasonably discharged the duties and obligations incumbent upon such person by such policies and procedures; and was without reasonable cause to believe that such policies and procedures were not being complied with in any material respect? Why or why not? Should a similar safe harbor be available to individuals other than persons employed by SCI entities? Why or why not? Please explain.

104. Do commenters agree with the Commission’s proposed policies and procedures approach to the requirements of proposed Rule 1000(b)(2)? Why or why not? If not, is there another approach that is more appropriate? If so, please describe and explain. As discussed above, the Commission is proposing to include safe harbor provisions in proposed Rule 1000(b)(2) for SCI entities and employees of SCI entities. The Commission preliminarily believes that, in the context of proposed Regulation SCI, this approach may be appropriate to provide clarity and guidance to SCI entities and SCI entity employees on one method to comply with the proposed general standard in proposed Rule 1000(b)(2)(i). The Commission solicits commenters’ views on the Commission’s proposed approach. Specifically, do commenters agree with the Commission’s proposed approach to provide safe harbors for SCI entities and employees of SCI entities from liability under proposed Rule 1000(b)(2)(i)? Why or why not? How do commenters believe the actions of SCI entities or behavior of employees of SCI entities might differ if the safe harbors under proposed Rule 1000(b)(2) were not available?
What are the costs and benefits of the Commission’s approach to provide safe harbors? What would be the costs and benefits of other approaches? Please explain.

105. Do commenters believe there are specific internal controls or other mechanisms that would reinforce the effectiveness of an SCI entity’s reasonably designed policies and procedures under proposed Rule 1000(b)(2)? Why or why not? Please explain. How do SCI entities presently use specific internal controls or other mechanisms to ensure that their systems operate in a manner that complies with the federal securities laws and rules and regulations thereunder and their rules and governing documents, as applicable? How do commenters generally view the advantages and disadvantages of specific internal controls or other mechanisms? The Commission is not proposing to prescribe specific internal controls related to compliance with proposed Rule 1000(b)(2). Should the Commission propose that any particular internal controls or other mechanisms be required (for example, that a senior officer be designated to be responsible for the SCI entity’s compliance with proposed Regulation SCI, or that personnel of the SCI entity certify that the SCI entity’s policies and procedures are reasonably designed)?

3. SCI Events—Action Required; Notification

Proposed Rule 1000(b)(3)–(5) would govern the actions an SCI entity must take upon any responsible SCI personnel becoming aware of an SCI event, whether it be a systems disruption, systems compliance issue, or systems intrusion.221

a. Corrective Action

Proposed Rule 1000(b)(3) would require an SCI entity, upon any responsible SCI personnel becoming aware of an SCI event, to begin to take appropriate corrective action including, at a minimum, mitigating potential harm to investors and market integrity resulting from the SCI event and devoting adequate resources to remedy the SCI event as soon as reasonably practicable.
The Commission is proposing this requirement to make clear that, upon learning of an SCI event, an SCI entity would be required to take the steps necessary to remedy the problem or problems causing the SCI event and mitigate the effects of the SCI event, if any, on customers, market participants and the securities markets.

221 See supra Section III.B.3 for a discussion of the proposed definition of systems disruption, systems compliance issue, and systems intrusion.

Proposed Rule 1000(a) would define ‘‘responsible SCI personnel’’ to mean, for a particular SCI system or SCI security system impacted by an SCI event, any personnel, whether an employee or agent, of an SCI entity having responsibility for such system. The proposed definition is intended to include any personnel used by the SCI entity that has responsibility for the specific system(s) impacted by a given SCI event. Thus, such personnel would include, for example, any technology, business, or operations staff with responsibility for such systems. With respect to systems compliance issues, such personnel would also include regulatory, legal, or compliance personnel with legal or compliance responsibility for such systems. In addition, such ‘‘responsible SCI personnel’’ would not be limited to managerial or senior-level employees of the SCI entity. For example, the proposed definition is intended to include a junior systems analyst responsible for monitoring the operations or testing of an SCI system or SCI security system. The proposed definition would also include not only applicable employees of the SCI entity, but applicable agents of the SCI entity as well.
Thus, for example, if an SCI entity were to contract the monitoring of the operations of a given SCI system to an external firm, the proposed definition of ‘‘responsible SCI personnel’’ would include the personnel of such firm that were responsible for the monitoring. The proposed definition, however, is not intended to include all personnel of an SCI entity. For example, personnel of the SCI entity who have no responsibility for any SCI system or SCI security system of an SCI entity are not intended to be included in the proposed definition.

b. Commission Notification

Proposed Rule 1000(b)(4) would address the obligation of an SCI entity to notify the Commission upon any responsible SCI personnel becoming aware of an SCI event.222 Proposed Rule 1000(b)(4)(i) would require an SCI entity, upon any responsible SCI personnel 223 becoming aware of a systems disruption that the SCI entity reasonably estimates would have a material impact on its operations or on market participants, any systems compliance issue, or any systems intrusion (‘‘immediate notification SCI event’’), to notify the Commission of such SCI event, which may be done orally or in writing (e.g., by email). Proposed Rule 1000(b)(4)(ii) would require an SCI entity to submit a written notification pertaining to any SCI event to the Commission within 24 hours of any responsible SCI personnel becoming aware of the SCI event.

222 Proposed Rule 1000(b)(5), addressed in Section III.C.3.c below, would address whether and when an SCI entity would be required to disseminate information regarding an SCI event to its members or participants.
223 See supra III.C.3.a (discussing definition of ‘‘responsible SCI personnel’’).
Proposed Rule 1000(b)(4)(iii) would require an SCI entity to submit to the Commission continuing written updates on a regular basis, or at such frequency as reasonably requested by a representative of the Commission, until such time as the SCI event is resolved.224 Proposed Rule 1000(b)(4) also would require that any written notification to the Commission made pursuant to proposed Rules 1000(b)(4)(ii) or 1000(b)(4)(iii) be made electronically on new proposed Form SCI (§ 249.1900), and include all information as prescribed in Form SCI and the instructions thereto.225 To help ensure that the Commission and its staff receive all information known by the SCI entity relevant to aiding the Commission’s understanding of an SCI event, proposed Rule 1000(b)(4)(iv) would provide that a written notification under proposed Rule 1000(b)(4)(ii) must include all pertinent information known about an SCI event, including: (1) A detailed description of the SCI event; (2) the SCI entity’s current assessment of the types and number of market participants potentially affected by the SCI event; (3) the potential impact of the SCI event on the market; and (4) the SCI entity’s current assessment of the SCI event, including a discussion of the SCI entity’s determination regarding whether the SCI event is a dissemination SCI event or not.226 In addition, to the extent available as of the time of the initial notification, Exhibit 1 would require inclusion of the following information: (1) A description of the steps the SCI entity is taking, or plans to take, with respect to the SCI event; (2) the time the SCI event was resolved or timeframe within which the SCI event is expected to be resolved; (3) a description of the SCI entity’s rule(s) and/or governing documents, as applicable, that relate to the SCI event; and (4) an analysis of the parties that may have experienced a loss, whether monetary or otherwise, due to the SCI event, the number of such parties, and an estimate of the aggregate 
amount of such loss.227 Proposed Rule 1000(b)(4)(iv)(B) would require an SCI entity to update any of the pertinent information contained in previous written notifications, including any information required by proposed Rule 1000(b)(4)(iv)(A)(2) that was not available at the time of initial submission. Subsequent notifications would be required to update any of the pertinent information previously provided until the SCI event is resolved. Proposed Rule 1000(b)(4)(iv)(C) would further require an SCI entity to provide a copy of any information disseminated to date regarding the SCI event to its members or participants or on the SCI entity’s publicly available Web site.

224 See supra Section III.B.3.d, for a discussion of dissemination SCI events.
225 New proposed Form SCI is discussed in detail in Section III.E below.
226 See proposed Rule 1000(b)(4)(iv)(A)(1).
227 See proposed Rule 1000(b)(4)(iv)(A)(2).

The Commission preliminarily believes an SCI entity’s obligation to notify the Commission of significant SCI events should begin upon any responsible SCI personnel becoming aware of an SCI event. Thus, for all immediate notification SCI events, an SCI entity would be required to notify the Commission of the SCI event. Such notification could be made orally (e.g., by telephone) or in a written form (e.g., by email). The Commission preliminarily believes that, by not prescribing the precise method of communication for an initial notification of an immediate notification SCI event under proposed Rule 1000(b)(4)(i), SCI entities would have the needed flexibility to determine the most appropriate method.228 Further, if the responsible SCI personnel became aware of such an SCI event outside of normal business hours, the SCI entity would still be required to notify the Commission at that time rather than, for example, the start of the next business day.
For all SCI events, including immediate notification SCI events, an SCI entity would be required to submit a written notification pertaining to such SCI event to the Commission on Form SCI, and follow up with regular written updates until the SCI event is resolved. Even if an SCI entity had notified the Commission of an immediate notification SCI event in writing as would be permitted under proposed Rule 1000(b)(4)(i), the SCI entity would still be required to submit a separate written notification on Form SCI pursuant to proposed Rule 1000(b)(4)(ii).229

228 The Commission expects that it would establish a telephone hotline, designated email accounts, or similar arrangements, to enable receipt of notifications of immediate notification SCI events.
229 See proposed Rule 1000(b)(4)(iv), which would require that written notifications under 1000(b)(4)(ii) be submitted on Form SCI, and which would not provide for the ability of SCI entities to submit a written notification of an immediate notification SCI event on Form SCI.

The Commission preliminarily believes that the proposed notification requirement for immediate notification SCI events, the proposed 24-hour time frame for submission of written notices, and the proposed continuing update requirement, are appropriately tailored to help the Commission and its staff quickly assess the nature and scope of an SCI event, and help the SCI entity identify the appropriate response to the SCI event, including ways to mitigate the impact of the SCI event on investors and promote the maintenance of fair and orderly markets.
These requirements would help to ensure not only that the Commission and its staff are kept apprised of such SCI events, including their causes and their effect on the markets, but also that the Commission is aware of the steps and resources necessary to correct such SCI events, mitigate their effects on other SCI entities and the market, and prevent recurrence to the extent possible. The Commission also preliminarily believes that the proposal to require an SCI entity to update the Commission regularly regarding an SCI event, or at such frequency as reasonably requested by a representative of the Commission, until the SCI event is resolved, provides appropriate flexibility to the Commission to request additional information as necessary, depending on the facts and circumstances of the SCI event and the SCI entity’s progress in resolving it. At the same time, the Commission recognizes that the information required to be provided to it by an SCI entity about an immediate notification SCI event under proposed Rule 1000(b)(4)(i) would represent the SCI entity’s initial assessment of the SCI event, and that even the written notification on Form SCI required under proposed Rule 1000(b)(4)(ii) may, in some cases, be a preliminary assessment of the SCI event for which the SCI entity may still be in the process of analyzing and assessing the precise facts and circumstances related to the SCI event. Thus, the Commission is proposing to only require that SCI entities provide certain key information for the written notification required under proposed Rule 1000(b)(4)(ii),230 and only provide certain additional details ‘‘to the extent available as of the time of the notification.’’ 231 In addition, the Commission’s proposal allows for the SCI entity to subsequently ‘‘update any information previously provided regarding the SCI event, including any information required by paragraph (b)(4)(iv)(A)(2) which was not available at the time of the notification made pursuant to paragraph (b)(4)(ii).’’ 232

230 See proposed Rule 1000(b)(4)(iv)(A)(1).
231 See proposed Rule 1000(b)(4)(iv)(A)(2).
232 See proposed Rule 1000(b)(4)(iv)(B).

Comprehensive reporting of all SCI events would facilitate the Commission’s regulatory oversight of the national securities markets. The proposed reporting requirements should provide the Commission with an aggregate and comprehensive set of data on SCI events, a significant improvement over the current state of administration, whereby SCI entities report events through multiple methods and with varying consistency.233 The aggregated data that would result from the reporting of SCI events would also permit the Commission to analyze such data, e.g., to examine the most common types of events and the types of systems most often affected. This ability to more efficiently analyze a comprehensive set of data would help the Commission to carry out its oversight responsibilities because it would help the Commission identify more effectively, for example, areas of persistent or recurring problems across the systems of all SCI entities. As discussed in greater detail below, the Commission also preliminarily believes that submission of required notifications by SCI entities by filing Form SCI in an electronic format would be less burdensome and a more efficient filing process for SCI entities and the Commission than the submission of such notices in non-standardized ad hoc formats, as they are currently provided under the ARP Program.234

233 Currently, there is no Commission rule specifically requiring SCI entities to notify the Commission of systems problems in writing or in a specific format. Nevertheless, voluntary communications of systems problems to Commission staff occur in a variety of ways, including by telephone and email. The Commission notes that proposed Rule 1000(b)(4) would impose a new reporting requirement on SCI entities, regardless of whether they currently voluntarily notify the Commission of SCI events on an ad hoc basis. As such, the Commission preliminarily believes that a history of voluntarily reporting such events to the Commission would not lessen the future burden of reporting such events to the Commission on Form SCI as required under proposed Rule 1000(b)(4).
234 See infra Section III.D.2 discussing proposed Rule 1000(d), requiring electronic filings on new proposed Form SCI, and Section III.E, discussing information proposed to be required to be submitted on new Form SCI. See also infra note 235 and accompanying text.

c. Dissemination of Information to Members or Participants 235

235 The requirements relating to dissemination of information relating to dissemination SCI events to members or participants proposed to be included in Regulation SCI relate solely to Regulation SCI. Nothing in proposed Regulation SCI should be construed as superseding, altering, or affecting the reporting obligations of SCI entities under other federal securities laws or regulations. Accordingly, in the case of an SCI event, SCI entities subject to the public company reporting requirements of Section 13 or Section 15(d) of the Exchange Act would need to ensure compliance with their disclosure obligations pursuant to those provisions (including, for example, with respect to Regulation S–K and Forms 10–K, 10–Q and 8–K) in addition to their disclosure and reporting obligations under Regulation SCI. See, e.g., CF Disclosure Guidance: Topic No. 2, Cybersecurity (October 13, 2011), available at: https://www.sec.gov/divisions/corpfin/guidance/cfguidance-topic2.htm.

Proposed Rule 1000(b)(5) would require information relating to dissemination SCI events to be disseminated to members or participants, and specify the nature and timing of such disseminations, with a limited delay permitted for certain systems intrusions, as discussed further below.236 Proposed Rule 1000(b)(5)(i)(A) would require that an SCI entity, promptly after any responsible SCI personnel 237 becomes aware of a dissemination SCI event other than a systems intrusion, disseminate to its members or participants the following information about such SCI event: (1) The systems affected by the SCI event; and (2) a summary description of the SCI event. In addition, proposed Rule 1000(b)(5)(i)(B) would require an SCI entity to further disseminate to its members or participants, when known: (1) A detailed description of the SCI event; (2) the SCI entity’s current assessment of the types and number of market participants potentially affected by the SCI event; and (3) a description of the progress of its corrective action for the SCI event and when the SCI event has been or is expected to be resolved. Proposed Rule 1000(b)(5)(i)(C) would further require an SCI entity to provide regular updates to members or participants on any of the information required to be disseminated under proposed Rules 1000(b)(5)(i)(A) and (i)(B).

For the disseminations of information to members or participants to be meaningful, the Commission preliminarily believes it would be necessary for an SCI entity to describe the SCI event in sufficient detail to enable a member or participant to determine whether and how it was affected by the SCI event and make appropriate decisions based on that determination. For example, the Commission preliminarily believes that a general statement that a systems disruption occurred that impacted trading for a certain period of time would not be sufficient. The
As an additional example, nothing in proposed Regulation SCI should be construed as superseding the obligations such SCI entities may have under Regulation FD. 236 See supra Section III.B.3.d for a discussion of dissemination SCI events. 237 See supra III.C.3.a (discussing definition of ‘‘responsible SCI personnel’’). E:\FR\FM\25MRP3.SGM 25MRP3 srobinson on DSK4SPTVN1PROD with PROPOSALS3 18120 Federal Register / Vol. 78, No. 57 / Monday, March 25, 2013 / Proposed Rules dissemination of information should, for example, specify with particularity such information as necessary to provide readers meaningful context with regard to the issue, which may include but is not limited to, details relating to, if applicable: the magnitude of the issue (such as estimates with respect to the number of shares affected, numbers of stocks affected, and total dollar volumes of the affected trades); the specific system(s) or part of the system(s) that caused the issue; the Commission and SCI entity rule(s) that relate most directly to the issue; the specific time periods in which the issue occurred, including whether the issue may be ongoing; and the specific names of the securities affected. 
The Commission preliminarily believes these proposed items, which concern the timing, nature, and foreseeable possible consequences of a systems problem, comprise the appropriate minimum detail that a member or participant would need to assess whether an SCI event affected or would potentially affect that member or participant, and would assist members and participants in making investment or business decisions based on disclosed facts rather than on speculation regarding, for example, the cause of a market disruption.238

238 See supra note 160, referring to Roundtable panelists suggesting that communication and disclosure are important elements of risk mitigation.

The Commission preliminarily believes that it is appropriate to require that the information specified by proposed Rule 1000(b)(5)(i)(A) be disseminated by the SCI entity to its members or participants promptly after any responsible SCI personnel becomes aware of an applicable dissemination SCI event. The Commission also preliminarily believes that it is appropriate to require the further dissemination of information specified by proposed Rule 1000(b)(5)(i)(B) ‘‘when known’’ by the SCI entity. These requirements reflect the Commission’s preliminary view that, given the sensitivities of such dissemination of information, it is important that, before information is shared with the SCI entity’s members or participants, the SCI entity be given a reasonable amount of time to gather, confirm, and preliminarily analyze facts regarding a dissemination SCI event. The Commission preliminarily believes that the value of dissemination of information to an SCI entity’s members or participants in these circumstances is enhanced when the SCI entity has taken an appropriate amount of time to ensure that the information it is sharing with its members or participants is accurate, such that incorrect information does not cause or exacerbate market confusion.
At the same time, the Commission preliminarily believes that it is important that basic information about dissemination SCI events, such as those items required by proposed Rule 1000(b)(5)(i)(A), be made available to members or participants promptly. The proposed requirement relating to dissemination of information to members or participants of dissemination SCI events, other than systems intrusions as specified in proposed Rule 1000(b)(5)(i), is intended to aid members or participants of SCI entities in determining whether their trading activity has been or might be impacted by the occurrence of an SCI event at an SCI entity, so that they could consider that information in making trading decisions, seeking corrective action or pursuing remedies, or taking other responsive action. Further, the requirement to disseminate information regarding dissemination SCI events could provide an incentive for SCI entities to devote more resources and attention to improving the integrity and compliance of their systems and preventing the occurrence of SCI events. 
Proposed Rule 1000(b)(5)(ii) would provide a limited exception to the proposed requirement of prompt dissemination of information to members or participants for certain systems intrusions.239 Proposed Rule 1000(b)(5)(ii) would require an SCI entity, promptly after any responsible SCI personnel becomes aware of a systems intrusion, to disseminate to its members or participants a summary description of the systems intrusion, including a description of the corrective action taken by the SCI entity and when the systems intrusion was resolved or an estimate of when the systems intrusion is expected to be resolved, unless the SCI entity determines that dissemination of such information would likely compromise the security of the SCI entity’s SCI systems or SCI security systems, or an investigation of the systems intrusion, and documents the reasons for such determination.240

239 As noted in supra note 235, the requirements relating to information disseminations to members or participants proposed to be included in Regulation SCI, including the proposal to permit an SCI entity to delay such dissemination for certain systems intrusions, relate solely to Regulation SCI. Nothing in proposed Regulation SCI should be construed as superseding, altering, or affecting the reporting obligations of SCI entities under other federal securities laws or regulations.

240 Unlike proposed Rule 1000(b)(5), proposed Rule 1000(b)(4) (relating to Commission notification), discussed above in Section III.C.3.b, would not provide for a delay in reporting any systems intrusions to the Commission.
The Commission preliminarily believes that information relating to all dissemination SCI events, including systems intrusions, should be disseminated to members or participants, but that there may be circumstances in which such dissemination of information relating to a systems intrusion should be delayed, for example, to avoid compromising the investigation or resolution of a systems intrusion.241 If an SCI entity determines to delay the dissemination of information to members or participants relating to a systems intrusion, it would be required to make an affirmative determination and document the reasons for such determination that such dissemination would likely compromise the security of its SCI systems or SCI security systems, or an investigation of the systems intrusion. If it cannot make such a determination, or at whatever point in time such a determination no longer applies, information relating to the systems intrusion would be required to be disseminated to the SCI entity’s members or participants.

The information required to be disseminated to members or participants for systems intrusions by proposed Rule 1000(b)(5)(ii) is not as extensive as that required to be disseminated to members or participants for other types of dissemination SCI events. The Commission is sensitive to the fact that dissemination of too much detailed information regarding a systems intrusion may provide hackers or others seeking unauthorized entry into the systems of an SCI entity with insights into the potential vulnerabilities of the SCI entity’s systems. At the same time, the occurrence of a systems intrusion may reveal a weakness in the SCI systems or SCI security systems of the SCI entity that warrants dissemination of information about such event to the SCI entity’s members or participants.
Proposed Rule 1000(b)(5)(ii) is therefore intended to strike an appropriate balance by requiring dissemination to members or participants, which may be delayed when necessary, of key summary information about a given systems intrusion.

241 See supra note 239.

Request for Comment

106. The Commission requests comment on all aspects of proposed Rules 1000(b)(3), (4), and (5).

107. Do commenters believe the proposed definition of ‘‘responsible SCI personnel’’ in proposed Rule 1000(a) is appropriate? Why or why not? Please explain. Is the proposed definition sufficiently clear? If not, why not? Should the proposed definition only apply to personnel of a given seniority, such as managerial personnel or officers of an SCI entity? Why or why not? Should the proposed definition include both employees and agents of an SCI entity? Why or why not?

108. As proposed to be required by Rule 1000(b)(3), do commenters believe the Commission should require an SCI entity, upon any responsible SCI personnel becoming aware of an SCI event, to begin to take appropriate corrective action including, at a minimum, mitigating potential harm to investors and market integrity resulting from the SCI event and devoting adequate resources to remedy the SCI event as soon as reasonably practicable? If not, why not? Should the proposed requirement that an SCI entity take corrective action be triggered by something other than awareness of an SCI event? If so, what would be an appropriate trigger, and why?

109. In addition to requiring an SCI entity to take appropriate corrective action, should the Commission also require an SCI entity to have written policies and procedures regarding how it should respond to SCI events, such as an incident response plan that, for example, would lay out in advance of any SCI event the courses of action, responsibilities of personnel, chains of command, or similar information regarding how the SCI entity and its personnel should respond to various SCI event scenarios? Why or why not? Would such a requirement be useful? What would be the potential costs and benefits of such a requirement? Would SCI entities be able to meet the requirements of proposed Rule 1000(b)(3) without developing such response plans? 242 Why or why not? Do SCI entities have such plans in place today? If so, please describe.

242 See also supra Section III.C.1.a (requesting comment on proposed Rule 1000(b)(1)(i)(E) regarding policies and procedures for development of business continuity plans and on whether the Commission and/or SCI SROs should propose rules governing how such plans are tested).

110. With respect to proposed Rule 1000(b)(4), do commenters believe the proposal to require an SCI entity to report all SCI events to the Commission is appropriate?

111. Are there SCI events that should not be required to be reported to the Commission? If so, what are they, and why should reporting of such SCI events not be required? Or, as an alternative, would it be appropriate for the Commission to require SCI entities to keep and preserve the documentation relating to certain types of SCI events without sending that documentation to the Commission? Why or why not? If so, how would commenters recommend the Commission distinguish between SCI events that should be reported to the Commission and those that should only be subject to a recordkeeping requirement? What do commenters believe might be the advantages or disadvantages of such an alternative approach? Do commenters believe proposed Rule 1000(b)(4) may require the reporting of types of issues or types of information that may not be critical to the goals of proposed Regulation SCI? Please be specific and describe such situations.

112. What criteria do ARP participants currently use for reporting ARP events? How many SCI events would an SCI entity expect to report each year?

113. For immediate notification SCI events, is the initial notification requirement in proposed Rule 1000(b)(4)(i) to the Commission appropriate? Why or why not? If so, should this requirement apply to such SCI events that occur outside normal business hours as well? If not, what should be the requirement? Should the Commission require a different notification procedure for immediate notifications that might occur outside normal business hours? What are the advantages and disadvantages of different methods of immediate notifications? Please describe. Do commenters agree that those systems disruptions that the SCI entity reasonably estimates would have a material impact on its operations or on market participants should be subject to the immediate notification requirement? Why or why not? Please explain. Do commenters agree that all systems compliance issues should be subject to the immediate notification requirement? Why or why not? Do commenters agree that all systems intrusions should be subject to the immediate notification requirement? Why or why not? Should additional types of SCI events be subject to the immediate notification requirement? If so, which types of SCI events? Please be specific.

114. Do commenters agree with the proposed 24-hour written notification requirement for all SCI events?

115. Do commenters believe it is appropriate to require that written updates be submitted regularly until an SCI event is resolved, or at such frequency as reasonably requested by a representative of the Commission?

116. Do commenters believe the proposed required dissemination of information to an SCI entity’s members or participants regarding dissemination SCI events set forth in proposed Rule 1000(b)(5) are appropriate? If not, why not? Do commenters believe that requiring the dissemination of information about dissemination SCI events to members or participants would promote dissemination of information to persons who are most directly affected by such events? Why or why not? With respect to proposed Rule 1000(b)(5), should any of the proposed requirements relating to dissemination of information to members or participants be eliminated or modified? 243 Please explain. What other information, if any, should be required to be disseminated to members or participants? Please explain. Could these proposed requirements have any negative or unintended impact on the market or market participants? If so, please explain.

243 See also infra Section III.E.1, discussing proposed Exhibit 3 to Form SCI, which would require that an SCI entity provide a copy of any information disseminated to date regarding an SCI event to its members or participants or on the SCI entity’s publicly available Web site.

117. Do commenters agree with the timing requirements contained in proposed Rule 1000(b)(5)? Do commenters agree that the initial dissemination of information to members or participants should be required promptly after an SCI entity’s responsible SCI personnel becomes aware of a dissemination SCI event, as would be required by proposed Rule 1000(b)(5)(i)(A)? Do commenters believe that more specific timing requirements would be more appropriate? If so, what should such requirements be? Should there be a specific time period requirement with respect to subsequent updates on the status of the dissemination SCI event? Why or why not? For example, should there be a requirement that an SCI entity provide updates daily or weekly? If so, what additional specificity should be included?

118. Do commenters believe it is appropriate to permit an SCI entity to delay the dissemination of information to members or participants for certain systems intrusions as proposed in Rule 1000(b)(5)(ii)? Should an SCI entity be required to immediately disseminate information to members or participants regarding a systems intrusion, with delays permitted only when the Commission specifically authorizes the delay? Why or why not? Should the proposed rule impose a maximum period of time that an SCI entity may delay its dissemination of information to members or participants for certain systems intrusions? Why or why not? If so, what should such a maximum period of time be and should the rule set forth a specific maximum time period applicable to all instances? Please explain.

119. Are there types of dissemination SCI events that should not be required to be disseminated to members or participants? If so, what are they, and why should it not be required?

120. Should dissemination of information to members or participants of any types of dissemination SCI events, other than those that are systems intrusions, be delayed? If so, please describe the types of SCI events and explain why. In addition, please describe the time period within which commenters believe such types of dissemination SCI events should be disseminated and why such time period would be appropriate.

121. For any types of dissemination SCI events for which commenters believe information should either not be required to be disseminated to members or participants or be permitted to have a delay in dissemination in certain circumstances (such as for systems intrusions), what might be the impact of such non-dissemination or delay in dissemination with respect to different types of market participants?

122. Are there SCI entities for which the proposed requirements in Rules 1000(b)(3), (b)(4), and (b)(5) would not be appropriate (e.g., not cost-effective)? If so, please identify such entity or entities, or the characteristics of such entity or entities, and explain which proposed requirements would be inappropriate and why. Is the fact that they might not be cost-effective an appropriate reason to omit them generally for those SCI entities, or on a case-by-case basis, as the Commission determined to be consistent with Exchange Act requirements?

123. What are the current practices of SCI entities with respect to the dissemination of information about systems issues to members or participants? What type of information do SCI entities currently disseminate? Please describe.

4. Notification of Material Systems Changes

Proposed Rule 1000(b)(6) addresses notification to the Commission regarding planned material systems changes,244 which the Commission believes is important to help ensure it has information about important changes at an SCI entity that may affect the SCI entity’s ability to effectively oversee the operations of its systems.

244 See supra Section III.B.4 (discussing the proposed definition of material systems change).
Proposed Rule 1000(b)(6) would require an SCI entity, absent exigent circumstances, to notify the Commission in writing at least 30 calendar days before implementation of any planned material systems changes including a description of the planned material systems changes as well as the expected dates of commencement and completion of implementation of such changes. A written notification to the Commission made pursuant to paragraph (b)(6) would be required to be made electronically on Form SCI and include all information as prescribed in Form SCI and the instructions thereto.245 The Commission preliminarily believes that the proposed 30 calendar day requirement regarding preimplementation written notification to the Commission of planned material systems changes would be an appropriate time period. The Commission has found through its experience with the current ARP Inspection Program that this amount of advance notice typically is needed to allow Commission staff to effectively monitor technology developments associated with a planned material systems change. A shorter timeframe might not provide sufficient time for Commission staff to understand the impact of the systems change; a longer time frame might unnecessarily interfere with SCI entities’ flexibility in planning and implementing systems changes. 
If exigent circumstances existed, or if the information previously provided to the Commission regarding any planned material systems change has become materially inaccurate, the SCI entity would be required to notify the Commission, either orally or in writing, with any oral notification to be memorialized within 24 hours after such oral notification by a written notification, as early as reasonably practicable.246 The existence of exigent circumstances would be determined by the SCI entity and might exist where, for example, a systems compliance issue or systems intrusion were discovered that requires immediate corrective action to ensure compliance with the Exchange Act and the rules and regulations thereunder, and/or the SCI entity’s own rules and procedures. In such cases, it would not be prudent or desirable to delay corrective action simply to permit the 30 calendar days’ advance notice required in non-exigent circumstances.

245 See infra Section III.E.2, discussing proposed new Form SCI and electronic submission of the notices required by proposed Rule 1000(b)(6).

246 See proposed Rule 1000(b)(6)(ii).

In addition, there may be circumstances where the information previously provided to the Commission regarding a material systems change has become materially inaccurate. For example, if a material systems change’s expected implementation completion date were to be substantially delayed because of an inability to procure systems components, or due to difficulties in systems programming, an update to reflect this development would enable the Commission to make further inquiry (as appropriate) in order to understand the potential consequences of the delay. Similarly, an update would be required if the SCI entity were to decide to significantly alter the scope of its planned material systems change.
The Commission notes further that, in such cases, an SCI entity might separately be obligated to notify the Commission or its members or participants pursuant to proposed Rules 1000(b)(4) and (5), as discussed above.247

247 See supra Section III.B.3.

Request for Comment

124. The Commission requests comment generally on proposed Rule 1000(b)(6). Is the proposed requirement to notify the Commission in advance of implementation of material systems changes appropriate?

125. Should the Commission provide additional guidance on, or define, what constitutes ‘‘exigent circumstances’’ that would obviate the need for advance notification? If so, what information, clarification, or definition would be helpful, and why?

126. Do commenters believe that an SCI entity should be required to provide updated information to the Commission regarding a planned material systems change if the information previously provided to the Commission regarding such change were to become materially inaccurate? Why or why not?

127. Do commenters believe that the proposed notification requirements would discourage an SCI entity from making necessary systems changes? Why or why not?

128. Is the proposed requirement that an SCI entity report all material systems changes too broad or too narrow? Why or why not? Should all material systems changes be reported to the Commission? If not, which systems changes should be excluded? Do commenters believe the proposed rule should specify quantitative criteria or other minimum thresholds for the effect of a change to an SCI entity’s systems on the entity’s capacity, security, and operations, beyond which the SCI entity would be required to notify the Commission of the change?

129. Do commenters believe it is appropriate for the Commission to require a standardized format for disclosing planned material systems changes on new proposed Form SCI? If not, why not? What would be a better approach?

130. Are there SCI entities for which the proposed requirements in Rule 1000(b)(6) would not be appropriate (e.g., cost-effective)? If so, please identify such entity or entities, or the characteristics of such entity or entities, and explain which proposed requirements would be inappropriate and why. If they are not cost-effective, would that be an appropriate reason to omit them generally for those SCI entities, or on a case-by-case basis, as the Commission determined to be consistent with Exchange Act requirements?

131. How often do SCI entities make material systems changes?

5. Review of Systems

Proposed Rule 1000(b)(7) would require an SCI entity to conduct an SCI review of the SCI entity’s compliance with Regulation SCI not less than once each calendar year, and submit a report of the SCI review to senior management of the SCI entity no more than 30 calendar days after completion of such SCI review.
Proposed Rule 1000(a) would define the term ‘‘SCI review’’ to mean a review, following established procedures and standards, that is performed by objective personnel having appropriate experience in conducting reviews of SCI systems and SCI security systems, and which review contains: (1) A risk assessment with respect to such systems of the SCI entity; and (2) an assessment of internal control design and effectiveness to include logical and physical security controls, development processes, and information technology governance, consistent with industry standards.248 In addition, such review would be required to include penetration test reviews of the SCI entity’s network, firewalls, development, testing and production systems at a frequency of not less than once every three years.249

248 See infra discussion of proposed Rule 1000(b)(8). See also supra publications listed in Table A, Domain: Audit.

249 See proposed Rule 1000(a).

The proposed requirement for an annual SCI review would formalize a practice in place under the current ARP Inspection Program in which SROs conduct annual systems reviews following established audit procedures and standards that result in the presentation of a report to senior SRO management on the recommendations and conclusions of the review.250 The risk assessment with respect to SCI entity’s systems and assessment of internal control design and effectiveness should help an SCI entity assess the effectiveness of its information technology practices and determine where to best devote resources, including identifying instances in which the SCI entity was not in compliance with the policies and procedures required by proposed Rules 1000(b)(1) and (2).
The penetration test reviews of the SCI entity’s network, firewalls, and development, testing and production systems should help an SCI entity evaluate the system’s security and resiliency in the face of attempted and successful systems intrusions. In requiring a frequency of not less than once every three years for penetration test reviews, the Commission seeks to balance the frequency of such tests with the costs associated with performing the tests.251 For such assessments and reviews to be effective, the Commission preliminarily believes that it is important that they be conducted by objective personnel having appropriate experience performing such types of reviews. The Commission is not proposing a definition of the term ‘‘objective,’’ but preliminarily believes that to satisfy the criterion that an SCI review be conducted by ‘‘objective personnel,’’ it should be performed by persons who have not been involved in the development, testing, or implementation of the systems being reviewed.252 The Commission preliminarily believes that persons who were not involved in the process for development, testing, or implementation of such systems would likely be in a better position to identify weaknesses and deficiencies that were not identified in the development, testing, and implementation stages. As proposed, the SCI review could be performed by personnel of the SCI entity (e.g., an SCI entity’s internal audit department) or an external firm with objective personnel. 250 See supra notes 17–21 and accompanying text. Although ARP policy statements used the term ‘‘independent,’’ the Commission is using the term ‘‘objective’’ in proposed Regulation SCI to distinguish the meaning of ‘‘objective’’ from the meaning of ‘‘independent,’’ which may be considered a term of art in the context of financial accounting audits. 251 See infra Section IV.D.2.d (estimating, among other things, the cost of conducting SCI reviews, including penetration test reviews). 
252 See also supra ARP II note 1 at 22492 n.9.
In addition, proposed Rule 1000(b)(7) would require an SCI entity to submit a report of the SCI review to senior management of the SCI entity no more than 30 calendar days after completion of such SCI review.253 The proposed 30-day time frame is based on the Commission’s experience with the current ARP Inspection Program that an entity is able within 30 calendar days to consider the review and prepare a report for senior management consideration prior to submission to the Commission. Request for Comment 132. The Commission requests comment on all aspects of proposed Rule 1000(b)(7). Is the proposed definition of ‘‘SCI review’’ appropriate? Why or why not? And, if not, what would be an appropriate definition? 133. Is the proposed scope of the SCI review appropriate? Why or why not? Is it sufficiently clear? Why or why not? Should the SCI review include, as proposed in Rule 1000(a), an assessment of internal control design and effectiveness to include logical and physical security controls, development processes, and information technology governance, consistent with industry standards? Why or why not? Should it include, as proposed in Rule 1000(a), penetration test reviews of the SCI entity’s network, firewalls, development, testing and production systems? Is the proposed frequency of such penetration test reviews (i.e., not less than once every three years) appropriate? Why or why not? Should it be more or less frequent? Why or why not? 134. Do commenters agree with the proposed requirement that the review be performed by persons with appropriate experience conducting reviews of SCI systems and SCI security systems? Should the Commission define how it would evaluate whether a person or persons performing the review would satisfy the proposed requirement that they have appropriate systems review experience?
Are there any credentials or specific qualifications that the Commission should require or specify as meeting the requirement? For example, should the Commission specify that a review be conducted by a Certified Information System Auditor (CISA) or GIAC Systems and Network Auditor (GSNA) certification? 254
253 This proposed requirement would formalize a recommendation under the current ARP Inspection Program. See supra note 21 and accompanying text.
254 For further information regarding these certifications, see, e.g., https://www.isaca.org/Certification/CISA-Certified-Information-Systems-Auditor/What-is-CISA/Pages/default.aspx and https://www.giac.org/certifications.
135. Should the term ‘‘objective personnel’’ be defined or further clarified? If so, what should be such definition? 136. Are there other elements that should be included in the scope of the SCI review? If so, which ones? For example, should the review include an assessment of the systems’ compliance with the federal securities laws and rules and regulations thereunder or the entity’s rules or governing documents as applicable? Why or why not? 137. Under what circumstances do SCI entities presently use outside consultants or other third parties to review their systems and controls? When such outside reviews are conducted, what is the scope and the stated purpose? How do outside reviews compare to internal reviews by audit or other staff in terms of scope or other factors? What are the considerations used by SCI entities in determining whether and when to engage outside consultants? How do commenters generally view the advantages and disadvantages of internal v. external reviews? The Commission is not proposing at this time any requirements related to third party reviews. Should the Commission propose to require that SCI review be conducted by third parties? 138. What are the current practices of SCI entities with respect to reviews of their SCI systems and SCI security systems? How often are such reviews conducted? Who conducts such reviews? What do such reviews entail? What types of assessments or tests are included in such reviews? Do such reviews include penetration test reviews? Please describe. 139. Do commenters agree with the proposal to require an SCI entity to submit a report of the SCI review to senior management of the SCI entity no more than 30 calendar days after completion of such SCI review? Why or why not? Is the 30-day time frame reasonable? Would a shorter or longer time period be more appropriate, such as 20, 45, or 60 days? If so, what should such a time period be and why? Please explain. 6. Periodic Reports Proposed Rule 1000(b)(8)(i) would require an SCI entity to submit to the Commission a report of the SCI review required by paragraph (b)(7), together with any response by senior management, within 60 calendar days after its submission to senior management of the SCI entity. The proposed requirement to submit a report of the SCI review required by paragraph (b)(7), together with any response by senior management, within 60 calendar days after its submission to senior management of the SCI entity, is designed to ensure that the senior management of the SCI entity is aware of any issues with its systems and promptly establishes plans for resolving such issues.
The Commission preliminarily believes that the report would also help ensure that the Commission and its staff receive the report and any management response in a timely manner,255 would help to ensure that the Commission is aware of areas that may warrant more focused attention during its inspections (i.e., which SCI entities would already have identified for itself through its SCI review), and would allow the Commission to review the SCI entity’s progress in resolving any systems issues. Further, the proposed requirement to submit the annual report within 60 calendar days after its submission to senior management is based on the Commission’s experience with the current ARP Inspection Program that 60 calendar days after completion of an annual review or report is a sufficient period of time to enable senior management to consider such review or report before submitting it to the Commission. In addition, proposed Rule 1000(b)(8)(ii) would require each SCI entity to submit a report within 30 calendar days after the end of June and December of each year containing a summary description of the progress of any material systems change during the six-month period ending on June 30 or December 31, as the case may be, and the date, or expected date, of completion of implementation of such changes. 
The proposed requirement to submit these semi-annual reports within 30 calendar days of the end of each semi-annual period is designed to ensure that the Commission would have regularly updated information with respect to the status of ongoing material systems changes that were originally reported pursuant to proposed Rule 1000(b)(6).256 This proposed requirement would formalize a practice in place under the current ARP Inspection Program in which senior information technology, audit, and compliance staff of certain SROs prepare such reports in advance of meeting with Commission staff periodically throughout the year to present and discuss recently completed systems projects and proposed systems projects. Further, the proposed requirement to submit the semi-annual report within 30 calendar days after the end of the applicable semi-annual period is based on the Commission’s experience with the current ARP Inspection Program that 30 calendar days after completion of a report is a sufficient time period to enable senior management to consider such report before submitting it to the Commission.
255 See infra Section III.E.3 and General Instructions to the Form, explaining that, ‘‘within 60 calendar days after its submission to senior management of the SCI entity, the SCI entity shall attach [as Exhibit 5] the report of the SCI review of the SCI entity’s compliance with Regulation SCI, together with any response by senior management.’’
256 As discussed above in supra Section III.C.4, proposed Rule 1000(b)(6)(ii) would require SCI entities to provide the Commission with an update if the information it previously provided to the Commission regarding any planned material systems change had become materially inaccurate.
The Commission is proposing to require these reports to be submitted to the Commission on a semi-annual basis because the proposal would separately require information relating to planned material systems changes to be submitted (absent exigent circumstances or when information regarding any planned material systems change becomes materially inaccurate) at least 30 calendar days before their implementation 257 and thus requiring an ongoing summary report more frequently would not, in the Commission’s preliminary view, be necessary. On the other hand, the Commission is concerned that a longer period of time (such as on an annual basis) would permit significant updates and milestones relating to systems changes to occur without notice to the Commission. Pursuant to proposed Rule 1000(b)(8)(iii), the reports required to be submitted to the Commission by proposed Rule 1000(b)(8) would be required to be submitted electronically as prescribed in Form SCI and the instructions thereto.258 Request for Comment 140. Do commenters believe it would be appropriate to require SCI entities to submit a report of an SCI review to the Commission within 60 calendar days of its submission to senior management of the SCI entity? Should the Commission lengthen or shorten the time period for submission? Why or why not? If so, what is an appropriate period?
257 See proposed Rule 1000(b)(6); see supra notes 244–247 and accompanying text.
258 See infra Section III.E discussing new proposed Form SCI and its contemplated use by SCI entities to submit reports and other required information to the Commission electronically in a standardized format with attachments when and as required.
141. Is the proposed requirement to submit semi-annual reports on material systems changes necessary or appropriate?
Do commenters believe it would be appropriate to require each SCI entity to submit a semi-annual report within 30 calendar days after the end of each semi-annual period containing a description of the progress of any material systems change during the applicable semi-annual period and the date, or expected date, of completion of implementation? Should the Commission lengthen or shorten the 30-day period for submission? Is the semi-annual submission requirement appropriate or should these reports be required to be submitted more or less frequently? If so, please state what such frequency should be and why. 142. Are there any other reports the Commission should require of SCI entities? If so, please explain. 143. Are there SCI entities for which the proposed requirements in Rule 1000(b)(8) would not be cost-effective? If so, please identify such entity or entities, or the characteristics of such entity or entities. For proposed requirements that commenters believe would not be cost-effective, would that be an appropriate reason to omit them generally for those SCI entities, or on a case-by-case basis, as the Commission determines to be consistent with Exchange Act requirements? 7. Proposed Rule 1000(b)(9): SCI Entity Business Continuity and Disaster Recovery Plans Testing Requirements for Members or Participants The Commission is proposing Rule 1000(b)(9), which would address testing of SCI entity business continuity and disaster recovery plans, including backup systems, by SCI entity members or participants. Specifically, proposed Rule 1000(b)(9)(i) would require an SCI entity, with respect to its business continuity and disaster recovery plans, including its backup systems, to require participation by designated members or participants in scheduled functional and performance testing of the operation of such plans, in the manner and frequency as specified by the SCI entity, at least once every 12 months. 
Proposed Rule 1000(b)(9)(ii) would further require an SCI entity to coordinate such testing on an industry- or sector-wide basis with other SCI entities. Proposed Rule 1000(b)(9)(iii) would require each SCI entity to designate those members or participants it deems necessary, for the maintenance of fair and orderly markets in the event of the activation of its business continuity and disaster recovery plans, to participate in the testing of such plans. Proposed Rule 1000(b)(9)(iii) would also require each SCI entity to notify the Commission of such designations and its standards for designation on Form SCI and promptly update such notification after any changes to its designations or standards.259 The Commission preliminarily believes that the testing participation requirement in proposed Rule 1000(b)(9) would help an SCI entity to ensure that its efforts to develop effective business continuity and disaster recovery plans are not undermined by a lack of participation by its members or participants that the SCI entity believes would be necessary to the success of such plans if they were to be put into effect.
The Commission further preliminarily believes that the appropriate standard for measuring whether business continuity and disaster recovery plans can be activated successfully is whether such activation would likely result in the maintenance of fair and orderly markets, a goal Congress found important in adopting Section 11A of the Exchange Act.260 The 2003 Interagency White Paper, which underlies the requirement in proposed Rule 1000(b)(1)(i)(E) pertaining to business continuity and disaster recovery plans,261 identifies three important business continuity objectives that would apply to SCI entities: (1) Rapid recovery and timely resumption of critical operations following a wide-scale disruption; (2) rapid recovery and timely resumption of critical operations following the loss or inaccessibility of staff in at least one major operating location; and (3) a high level of confidence, through ongoing use or robust testing, that critical internal and external continuity arrangements are effective and compatible.262 The 2003 Interagency White Paper also states that it is a ‘‘sound practice’’ for organizations to ‘‘routinely use or test recovery and resumption arrangements.’’ 263 Further, the Commission’s 2003 Policy Statement on Business Continuity Planning for Trading Markets states, among other things, that market centers, including SROs, are to: (1) Have in place a business continuity plan that anticipates the resumption of trading in the securities traded by that market no later than the next business day following a wide-scale disruption; (2) maintain appropriate geographic diversity between primary and back-up sites in order to assure resumption of trading activities by the next business day; and (3) confirm the effectiveness of the backup arrangements through testing.264 SCI entities that currently participate in the ARP Inspection Program are familiar with the standards identified in the 2003 Interagency White Paper and the Commission’s 2003 Policy Statement on Business Continuity Planning for Trading Markets. As noted above,265 the experience of the equities and options markets in the wake of Superstorm Sandy demonstrates the importance of not only an SCI entity itself being able to operate following an event that triggers its business continuity and disaster recovery plans, but also that the members or participants of the SCI entity be able to conduct business with such SCI entity when its business continuity and disaster recovery plans have been activated. The Commission preliminarily believes that, even if an SCI entity is able to operate following an event that triggers its business continuity and disaster recovery plans, unless there is effective participation by certain of its members or participants in the testing of such plans, the objective of ensuring resilient and available markets in general,266 and the maintenance of fair and orderly markets in particular, would not be achieved. Accordingly, the Commission preliminarily believes that it is appropriate to require SCI entities to designate members or participants they believe are necessary to the successful activation of their business continuity and disaster recovery plans, including backup systems, and require them to participate in the testing of such plans.
259 The proposed rule does not specify when the Commission would need to be notified about the designations and standards because SCI entities would be required to provide an initial notification at such point as when proposed Regulation SCI were effective, and subsequent updates only promptly after its designations and/or standards changed.
260 See Section 11A(a)(1)(C) and (a)(2), 15 U.S.C. 76k–1(a)(1)(C) and (a)(2).
261 The 2003 Interagency White Paper is included in Table A as a proposed SCI industry standard. See supra Section III.C.1.b.
262 See supra note 195.
263 See id.
Under the proposed rule, each SCI entity would need to schedule, and require their designated members or participants to participate in, scheduled ‘‘functional and performance testing’’ 267 of the entity’s business continuity and disaster recovery plans. Such functional and performance testing should include not only testing of connectivity, but also testing of an SCI entity’s systems, such as order entry, execution, clearance and settlement, order routing, and the transmission and/or receipt of market data, as applicable, to determine if they can operate as contemplated by its business continuity and disaster recovery plans. Proposed Rule 1000(b)(9)(i) would require that testing of an SCI entity’s business continuity and disaster recovery plans occur at least once every 12 months. This proposed requirement reflects the Commission’s preliminary view that the testing of business continuity and disaster recovery plans, including backup systems, must occur regularly if such plans are to be effective when an actual disaster or disruption occurs.
264 See supra notes 32 and 196.
265 See supra notes 78–83 and accompanying text.
266 See proposed Rule 1000(b)(1) (requiring SCI entities to have policies and procedures relating to, among other things, resiliency and availability) and supra Section III.C.1.
267 As commonly understood, functional testing examines whether a system operates in accordance with its specifications, whereas performance testing examines whether a system is able to perform under a particular workload.
The Commission preliminarily believes that its proposed required testing frequency of at least once every 12 months is the minimum frequency that would be consistent with seeking to ensure that testing is meaningful and effective.268 However, the proposed rule would not prevent an SCI entity from conducting testing and requiring participation by members or participants in such testing more frequently than once every 12 months, if the SCI entity believes it is necessary or if, for example, it materially modifies its business continuity and disaster recovery plans. Proposed Rule 1000(b)(9)(i) would also provide an SCI entity with discretion to determine the precise manner and content of the testing. Thus, for example, the SCI entity would have discretion to determine the duration of the testing, the sample size of transactions tested, the scenarios tested, and the scope of the test. The Commission preliminarily believes that SCI entities are in the best position to structure the details of the test in a way that would maximize its utility. Although proposed Rule 1000(b)(9)(i) would give SCI entities discretion to determine the precise manner and content of the testing, the Commission is also proposing Rule 1000(b)(9)(ii), which would require an SCI entity to coordinate its testing on an industry- or sector-wide basis with other SCI entities.269 The proposed coordination requirement is designed to enhance the value of testing by requiring SCI entities to work together to schedule and conduct the testing in as efficient and effective a manner as possible. Given that trading in the U.S. securities markets today is dispersed among a wide variety of exchanges, ATSs, and other trading venues, and is often conducted through sophisticated algorithmic trading strategies that access many trading platforms simultaneously, the Commission preliminarily believes that requiring SCI entities to coordinate testing is necessary to ensure the goal of achieving robust and effective business continuity and disaster recovery plans, because it would result in testing under more realistic market conditions. In addition, the Commission is cognizant that situations that trigger implementation of an SCI entity’s business continuity and disaster recovery plans are often not limited in scope to a single SCI entity, but may affect multiple, or even all, SCI entities at the same time. Thus, proposed Rule 1000(b)(9)(ii)’s requirement is designed to foster better coordination and cooperation across the securities industry such that the markets, investors, and all market participants may benefit from more efficient and meaningful testing. Further, the Commission preliminarily believes that it would be more cost-effective for market participants to participate in the testing of the business continuity and disaster recovery plans of SCI entities on an industry- or sector-wide basis because such coordination would likely reduce duplicative testing efforts. While proposed Rule 1000(b)(9)(ii) would require SCI entities to coordinate testing on an industry- or sector-wide basis, it would provide discretion to SCI entities to determine how to best meet this requirement because the Commission preliminarily believes that SCI entities currently are best suited to find the most efficient and effective way to test. Of course, as noted above, each SCI entity may require its members or participants to participate in additional testing beyond the industry- or sector-wide testing under proposed Rule 1000(b)(9)(ii). Proposed Rule 1000(b)(9)(iii) would require each SCI entity to designate those members or participants it deems necessary, for the maintenance of fair and orderly markets in the event of the activation of its business continuity and disaster recovery plans, to participate in the testing of such plans. In addition, proposed Rule 1000(b)(9)(iii) would require each SCI entity to provide to the Commission on Form SCI its standards for determining which members or participants are necessary for the maintenance of fair and orderly markets in the event of the activation of its business continuity and disaster recovery plans and promptly update such notification following any changes to such standards. The Commission believes that the viability of an SCI entity’s business continuity and disaster recovery plans, and the usefulness of its backup systems, depend upon the ability of such members or participants to be ready, able, and willing to use such systems during an actual disaster or disruption.
268 Consistent with the frequency of testing under proposed Rule 1000(b)(9), the Securities Industry and Financial Markets Association coordinates an industry-wide business continuity test each year in October. See https://www.sifma.org/services/bcp/industry-testing. See also supra notes 81–82 and accompanying text.
269 Thus, to satisfy the requirement of proposed Rule 1000(b)(9)(ii), an SCI entity could coordinate its testing with all SCI entities, or an appropriate subset of them, such as by asset class(es) (NMS stocks, non-NMS stocks, municipal debt, corporate bonds, options) or type of SCI entity (national securities exchanges, clearing agencies, plan processors).
The proposed requirement that designated members or participants be required to test such plans in advance reflects the Commission’s preliminary view that the proposed testing would enhance the value of SCI entities’ business continuity and disaster recovery plans, and thereby advance the goal of achieving resilient and available markets.270 For SCI SROs, proposed Rule 1000(b)(9)(iii) would require SRO rules pursuant to Section 19(b) of the Exchange Act, setting forth the standards for designation. For an SCI ATS or an exempt clearing agency subject to ARP, the requirement in proposed Rule 1000(b)(9)(iii) would be satisfied by setting forth such standards in its internal procedures, as well as any subscriber or similar agreement, as applicable. For an SCI entity that is a plan processor, proposed Rule 1000(b)(9)(iii) would require an amendment to the applicable SCI Plan pursuant to Rule 608 of Regulation NMS, setting forth such standards. Further, proposed Rule 1000(b)(9)(iii) would require each SCI entity to provide to the Commission on Form SCI the list of designated members or participants and promptly update such notification following any changes to the designations.271
270 See supra note 266.
271 As discussed in infra Section III.E, Form SCI would also require SCI entities to attach the relevant provision of their rules (for SCI SROs), SCI Plans (for plan processors) or subscriber or similar agreements (for SCI ATSs and exempt clearing agencies subject to ARP) that require designated members or participants to participate in the testing required by proposed Rule 1000(b)(9).
Request for Comment 144. The Commission requests comment generally on proposed Rule 1000(b)(9). 145.
Do commenters believe the proposal to require an SCI entity, with respect to its business continuity and disaster recovery plans, including its backup systems, to require participation by designated members or participants in scheduled functional and performance testing of the operation of such plans, in the manner and frequency as specified by the SCI entity, is appropriate? Why or why not? Is the proposed requirement that SCI entities require participation in ‘‘functional and performance testing’’ appropriate? Why or why not? Is the term ‘‘functional and performance testing’’ clear? If not, why not and what would be a better description of the nature of the proposed required testing? 146. Do commenters believe it is appropriate to require that such testing occur at least once every 12 months? Why or why not? Would another minimum interval for such testing, such as bi-annually, semi-annually, or quarterly, be more appropriate? Please explain. Would it be appropriate to also require such testing to occur following a material change to the SCI entity’s business continuity and disaster recovery plans? Why or why not? If yes, would it be appropriate to require such testing within 90 days of the material change? Why or why not? Would another time period be more appropriate? If so, what should such time period be? 147. Should the Commission give SCI entities discretion in designating the members or participants that must participate in the testing of the business continuity and disaster recovery plans? Why or why not? Should the Commission instead specify standards for such designation? If so, what should the standards be based on? For example, should the standards be based on the size, volume traded or cleared, and/or geographic proximity of a member or participant to the SCI entity’s backup systems? Why or why not? 
Should only members or participants that execute or clear transactions above a certain volume threshold and/or that account for a certain percentage of trading volume on the SCI entity be required to participate? Why or why not? If so, what should be such threshold or thresholds (e.g., 0.5 percent, 1 percent, 5 percent)? Should an SCI entity be required to mandate participation in testing by some other subset of members or participants? For example, should such subset comprise members or participants that account for a certain percentage of trading in each or all of the equities, options, or fixed-income markets traded through the SCI entity? Why or why not? If so, what should be such threshold (e.g., 0.5 percent, 1 percent, 5 percent)? Or, should testing be mandated only for certain types of market participants (e.g., market makers, clearing broker-dealers, retail broker-dealers)? If so, for which types of market participants should testing be mandatory and why? Please explain. Alternatively, should all members or participants of an SCI entity (or certain types of SCI entities, e.g., plan processors) be required to participate in the testing of its business continuity and disaster recovery plans? Why or why not? 148. Do commenters believe those members or participants that would likely be designated by SCI entities under proposed Rule 1000(b)(9)(iii) currently have the ability, including the infrastructure, to participate in the required testing? Do commenters believe all members or participants of SCI entities currently have the ability, including the infrastructure, to participate in such testing? What would be the costs and benefits to a member or participant of an SCI entity to participate in such testing, including for such member or participant to establish and maintain connectivity to an SCI entity’s backup systems?
What would be the economic effect of this proposed rule, particularly with regard to a member or participant? Please describe in detail and provide data to support your views if possible. 149. Should an SCI entity be required to notify the Commission on Form SCI of its standards for designating members or participants for testing and its list of designated members or participants? Why or why not? Should an SCI entity be required to promptly update such Commission notification if its standards for designation or list of designated members or participants change? Why or why not? Is there a more appropriate time period for updating Commission notifications (e.g., 7 days following a change, 30 days following a change, quarterly)? Please explain. 150. Proposed Rule 1000(b)(9)(i) would require each SCI entity to mandate participation by designated members or participants in ‘‘functional and performance testing’’ of its business continuity and disaster recovery plans, including its backup systems, but would leave to the discretion of the SCI entity the details regarding the manner of testing. Should the Commission be more prescriptive with respect to such testing? For example, should the Commission require that SCI entities periodically operate from their backup facilities during regular trading hours? Why or why not? Please explain. Are there other details that the Commission should prescribe in relation to the proposed rule? If so, please explain. 151. Proposed Rule 1000(b)(9)(ii) would require SCI entities to coordinate testing on an industry- or sector-wide basis, but would not specify how or the parameters. Do commenters believe it is appropriate to leave such discretion to SCI entities? Why or why not? Are the terms ‘‘industry-wide’’ and ‘‘sector-wide’’ clear? Should the Commission define these terms? If so, what would be appropriate definitions?
Would such an approach foster the creation of meaningful, efficient testing of business continuity and disaster recovery plans across SCI entities and their members or participants? Why or why not? If not, what would be a more appropriate approach? Should the Commission require a minimum number of SCI entities needed to satisfy the coordination requirement of proposed Rule 1000(b)(9)(ii)? Or should that requirement only be satisfied if all SCI entities (or all SCI entities within a sector of the industry) participate? Why or why not? Should the Commission mandate a minimum list of actions that SCI entities must take to satisfy the requirement of proposed Rule 1000(b)(9)(ii)? If so, what actions should be required and why? If not, why not?

152. Should the Commission require SCI entities to submit reports on the results of their testing of business continuity and disaster recovery plans or reports of any systems testing that was not successful? If not, why not? If so, should such reports be required to be submitted within a specified time frame or in a specified manner or format? Please explain. In addition, should the Commission require SCI entities to submit reports on systems testing opportunities required of or made available to members or subscribers and the extent to which such members or subscribers participate in such opportunities?

153. Would proposed Rule 1000(b)(9) enhance investor confidence in the integrity of the U.S. securities markets? Why or why not? Please explain. What would be the costs associated with proposed Rule 1000(b)(9)? What would be the benefits? Please be specific. What would be the potential competitive impacts of proposed Rule 1000(b)(9), including impacts on small members or small participants? To the extent possible, please provide data to support your views.

154. To help ensure that the goals of an SCI entity’s business continuity and disaster recovery plans are achieved, should the Commission impose other requirements (in addition to the mandatory testing participation requirement in proposed Rule 1000(b)(9)) on the members or participants of SCI entities?272 For example, proposed Rule 1000(b)(1)(i)(E) would require that an SCI entity’s business continuity and disaster recovery plans allow for ‘‘maintaining backup and recovery capabilities sufficiently resilient and geographically diverse to ensure next business day resumption of trading.’’ Should the Commission require SCI entities to mandate that some or all of their members or participants be able to meet the next business day resumption of trading standards for SCI entities in proposed Rule 1000(b)(1)(i)(E)? Why or why not? If not all, which members or participants should be required to meet such resumption of trading standards? For example, should an SCI entity require members or participants that execute transactions above a certain volume threshold and/or that account for a certain percentage of trading on the SCI entity to meet such resumption of trading standards? Why or why not? If so, what should be such threshold or thresholds?

155. Are there other requirements that SCI entities should mandate for their members or participants to help SCI entities meet their obligations under proposed Regulation SCI? If so, what are they? Please describe. For example, should the Commission also require each SCI entity to mandate that its members or participants maintain continuous connectivity with the SCI entity’s backup data centers? Why or why not? If not all, which members or participants should be required to maintain continuous connectivity with the SCI entity’s backup data centers?
For example, should an SCI entity require members or participants designated under proposed Rule 1000(b)(9)(iii), or that execute transactions above a certain volume threshold and/or that account for a certain percentage of trading on the SCI entity, to maintain such connectivity? Why or why not? If so, what should be such threshold or thresholds?

272 See also infra Section III.G (soliciting comment on whether broker-dealers, other than SCI ATSs, should be subject to some or all of the additional system safeguard rules that are proposed for SCI entities).

D. Proposed Rule 1000(c)–(f): Recordkeeping, Electronic Filing on Form SCI, and Access

1. Recordkeeping Requirements

The Commission notes that many SCI entities are already subject to recordkeeping requirements,273 but that records relating to systems review and testing may not be specifically addressed in certain current recordkeeping rules. Accordingly, the Commission is proposing Rule 1000(c) to specifically address recordkeeping requirements for SCI entities with respect to records relating to Regulation SCI compliance.
Proposed Rule 1000(c)(1) would require each SCI SRO to make, keep, and preserve all documents relating to its compliance with Regulation SCI, as prescribed by Rule 17a–1 under the Exchange Act.274 Rule 17a–1(a) under the Exchange Act requires every national securities exchange, national securities association, registered clearing agency, and the MSRB to keep and preserve at least one copy of all documents, including all correspondence, memoranda, papers, books, notices, accounts, and other such records as shall be made and received by it in the course of its business as such and in the conduct of its self-regulatory activity.275 In addition, Rule 17a–1(b) requires these entities to keep all such documents for a period of not less than five years, the first two years in an easily accessible place, subject to the destruction and disposition provisions of Rule 17a–6.276 Rule 17a–1(c) requires these entities, upon request of any representative of the Commission, to promptly furnish to the possession of Commission representatives copies of any documents required to be kept and preserved by it pursuant to Rule 17a–1(a) and (b).277 The Commission believes that the breadth of Rule 17a–1 under the Exchange Act is such that it would require SCI SROs to make, keep, and preserve records relating to their compliance with proposed Regulation SCI should the Commission adopt Regulation SCI. Thus, the Commission proposes to cross-reference Rule 17a–1 in proposed Regulation SCI to be clear that it intends all SCI entities to be subject to the same recordkeeping requirements regarding compliance with proposed Regulation SCI.

273 See, e.g., 17 CFR 240.17a–1, applicable to SCI SROs; 17 CFR 240.17a–3, 17a–4, applicable to broker-dealers; and 17 CFR 242.301–303, applicable to ATSs. It has been the experience of the Commission that SCI entities presently subject to the ARP Inspection Program (nearly all of whom are SCI SROs that are also subject to the record keeping requirements of Rule 17a–1(a)) do generally keep and preserve the types of records that would be subject to the requirements of proposed Rule 1000(c). Nevertheless, the Commission preliminarily believes that Regulation SCI’s codification of these preservation practices will support an accurate, timely, and efficient inspection and examination process and help ensure that all types of SCI entities keep and preserve such records.

274 17 CFR 240.17a–1.

275 See 17 CFR 240.17a–1(a). Such records would, for example, include copies of incident reports and the results of systems testing.

276 See 17 CFR 240.17a–1(b). Rule 17a–6(a) under the Exchange Act states: ‘‘Any document kept by or on file with a national securities exchange, national securities association, registered clearing agency or the Municipal Securities Rulemaking Board pursuant to the Act or any rule or regulation thereunder may be destroyed or otherwise disposed of by such exchange, association, clearing agency or the Municipal Securities Rulemaking Board at the end of five years or at such earlier date as is specified in a plan for the destruction or disposition of any such documents if such plan has been filed with the Commission by such exchange, association, clearing agency or the Municipal Securities Rulemaking Board and has been declared effective by the Commission.’’ 17 CFR 240.17a–6(a).

For SCI entities that are not SCI SROs (i.e., SCI ATSs, plan processors, and exempt clearing agencies subject to ARP), the Commission is proposing broad recordkeeping requirements relating to compliance with proposed Regulation SCI that are consistent with those applicable to SROs under Rule 17a–1 under the Exchange Act.
Thus, the Commission is proposing Rule 1000(c)(2), which would require SCI entities other than SCI SROs to: (i) Make, keep, and preserve at least one copy of all documents, including correspondence, memoranda, papers, books, notices, accounts, and other such records, relating to its compliance with Regulation SCI, including, but not limited to, records relating to any changes to its SCI systems and SCI security systems; (ii) keep all such documents for a period of not less than five years, the first two years in a place that is readily accessible to the Commission or its representatives for inspection and examination;278 and (iii) upon request of any representative of the Commission, promptly furnish to the possession of such representative copies of any documents required to be kept and preserved by it pursuant to (i) and (ii) above.

Proposed Rule 1000(c)(3), applicable to all SCI entities, would require each SCI entity, upon or immediately prior to ceasing to do business or ceasing to be registered under the Exchange Act, to take all necessary action to ensure that records required to be made, kept, and preserved by proposed Rule 1000(c) would be accessible to the Commission or its representatives for the remainder of the period required by proposed Rule 1000(c). For example, an SCI entity could fulfill its obligations under proposed Rule 1000(c)(3) by delivering such records, immediately prior to deregistration, to a repository or other similar entity and by making all necessary arrangements for such records to be readily accessible to the Commission or its representative, for inspection and examination for the duration of the requirement under proposed Rule 1000(c)(3). The Commission preliminarily believes that its ability to examine for and enforce compliance with proposed Regulation SCI could be hampered if an SCI entity were not required to adequately provide accessibility for the full proposed retention period. In addition, while many SCI events may occur, be discovered, and be resolved in a short time frame, there may be other SCI events that may not be discovered until months or years after their occurrences, or may take significant periods of time to fully resolve. In such cases, having an SCI entity’s records available even after it has ceased to do business or be registered under the Exchange Act would be beneficial. Because SCI events have the potential to negatively impact investor decisions, risk exposure, and market efficiency, the Commission also preliminarily believes that its ability to oversee the securities markets could be undermined if it is unable to review records to determine the causes and consequences of one or more SCI events experienced by an SCI entity that deregisters or ceases to do business. This information would provide an additional tool to help the Commission reconstruct important market events and better understand how such events impacted investor decisions, risk exposure, and market efficiency.

277 See 17 CFR 240.17a–1(c).

278 The proposed five-year and two-year time frames would be the same as those applicable to SCI SROs pursuant to Rule 17a–1 under the Exchange Act, and the Commission preliminarily believes it would be appropriate for all SCI entities to be subject to the same time frame requirements.
Proposed Rule 1000(e) would provide that, if the records required to be made or kept by an SCI entity under proposed Regulation SCI were prepared or maintained by a service bureau or other recordkeeping service on behalf of the SCI entity, the SCI entity would be required to ensure that the records are available for review by the Commission and its representatives by submitting a written undertaking, in a form acceptable to the Commission, by such service bureau or other recordkeeping service, signed by a duly authorized person at such service bureau or other recordkeeping service. The written undertaking would be required to include an agreement by the service bureau designed to permit the Commission and its representatives to examine such records at any time or from time to time during business hours, and to promptly furnish to the Commission and its representatives true, correct, and current electronic files in a form acceptable to the Commission or its representatives or hard copies of any, all, or any part of such records, upon request, periodically, or continuously and, in any case, within the same time periods as would apply to the SCI entity for such records. The preparation or maintenance of records by a service bureau or other recordkeeping service would not relieve an SCI entity from its obligation to prepare, maintain, and provide the Commission and its representatives with access to such records. Proposed Rule 1000(e) is substantively the same as the requirement applicable to broker-dealers under Rule 17a–4(i) of the Exchange Act.279 The Commission is proposing this requirement for SCI entities to prevent the inability of the Commission to obtain required SCI entity records because they are held by a third party that may not otherwise have an obligation to make such records available to the Commission.
In addition, the requirement that SCI entities obtain from such third parties a written undertaking would help ensure that such service bureau or other recordkeeping service is aware of this obligation with respect to records relating to proposed Regulation SCI. The Commission preliminarily believes that it is appropriate to include this requirement in proposed Regulation SCI to help ensure that the Commission would have prompt and efficient access to all required records, including those housed at a service bureau or any other recordkeeping service.280

279 17 CFR 240.17a–4(i).

280 See 17 CFR 240.17a–4(i) (records preserved or maintained by a service bureau).

Request for Comment

156. The Commission requests comment on all aspects of proposed Rule 1000(c). Specifically, do SCI entities currently make, keep, and preserve the types of records that would be required to be made, kept, and preserved by proposed Rule 1000(c)? Are there any records that could be important to make, keep, and preserve that would not be captured under proposed Rule 1000(c) or the existing recordkeeping requirements for SROs under Rule 17a–1? If so, please explain and identify the records. Should any of the records subject to proposed Rule 1000(c) not be required? If so, please explain and identify the records. Should the Commission require SCI entities to furnish records to Commission representatives electronically in a tagged data format (e.g., XML, XBRL, or similar structured data formats which may be tagged)? The Commission notes that a tagged data format would have the benefit of permitting records to be organized and searched more easily, and thereby enable more efficient analyses, but that there would also be costs associated with implementing a tagged data format requirement. Do commenters believe the benefits of using a tagged data format would justify the costs? Why or why not? Please explain.
If so, should any particular electronic format be mandated? If so, please describe.

157. Should the Commission lengthen or shorten the proposed periods for SCI entities to keep and preserve records? If so, by how much and why? Is it appropriate for an SCI entity, prior to ceasing to do business or ceasing to be regulated under the Exchange Act, to be required to ensure that its records are accessible in some way to the Commission and its representatives? Why or why not? What practical steps do commenters envision an SCI entity taking to comply with this proposed requirement?

158. The Commission requests comment on all aspects of proposed Rule 1000(e). Specifically, would the written undertaking required by proposed Rule 1000(e) be sufficient to help ensure that the Commission and its representatives would be able to obtain and examine true, correct, and current records of SCI entities? Why or why not? Are the provisions of proposed Rule 1000(e) an appropriate means of addressing any potential problems with access to books and records at service bureaus? Why or why not? Are there alternatives that the Commission should consider with respect to recordkeeping requirements for SCI entities? If so, please explain your reasoning.

2. Electronic Submission of Reports, Notifications, and Other Communications on Form SCI

Proposed Rule 1000(d) provides that, except with respect to notifications to the Commission under proposed Rule 1000(b)(4)(i) (Commission notification of certain SCI events), and oral notifications to the Commission under proposed Rule 1000(b)(6)(ii) (Commission notification of certain material systems changes), any notification, review, description, analysis, or report required to be submitted to the Commission under proposed Regulation SCI must be submitted electronically and contain an electronic signature.
This proposed requirement is intended to provide a uniform manner in which the Commission would receive—and SCI entities would provide—written notifications, reviews, descriptions, analyses, or reports made pursuant to proposed Regulation SCI. The Commission preliminarily believes that such standardization would guide SCI entities in completing such submissions and make it easier and more efficient for them to draft and submit such required reports. Additionally, the standardization would make it easier and more efficient for the Commission to promptly review, analyze, and respond, as necessary, to the information proposed to be provided.281 The electronic signature requirement is consistent with the intention of the Commission to receive documents that can be readily accessed and processed electronically. Proposed Rule 1000(d) also would require that submissions by SCI entities be filed electronically on new proposed Form SCI, in accordance with the instructions contained in Form SCI.282 The Commission’s proposal contemplates the use of an online filing system, similar to the electronic form filing system (‘‘EFFS’’) currently used by SCI SROs to submit Form 19b–4 filings, through which an SCI entity would be able to file a completed Form SCI.283 Based on the widespread use and availability of the Internet, the Commission preliminarily believes that filing Form SCI in an electronic format would be less burdensome and a more efficient filing process for SCI entities and the Commission, as it is likely to be less expensive and cumbersome than mailing and filing paper forms to the Commission.

Request for Comment

159. The Commission requests comment on all aspects of proposed Rule 1000(d). Do commenters believe that the electronic submission requirement of proposed Rule 1000(d) is appropriate?
Alternatively, would the submission of a required notification, review, description, analysis, or report via electronic mail to one or more Commission email addresses be a more appropriate way for the Commission to implement the proposed requirement? Are there other alternative methods that would be preferable? If so, please describe. Should there be any additional security requirements for such communications (e.g., password protection or encryption)? If so, please describe. Should the submissions be made in a tagged data format, e.g., XML, XBRL, or similar structured data formats which may be tagged? The Commission notes that a tagged data format would have the benefit of permitting records to be organized and searched more easily, and thereby enable more efficient analyses, but that there would also be costs associated with implementing a tagged data format requirement. Do commenters believe the benefits of using a tagged data format would justify the costs? Why or why not? Please explain. If so, should any particular electronic format be mandated? If so, please describe.

281 This proposed requirement is consistent with electronic-reporting standards set forth in other Commission rules under the Exchange Act, such as Rule 17a–25 (Electronic Submission of Securities Transaction Information by Exchange Members, Brokers, and Dealers). See 17 CFR 240.17a–25.

282 See proposed Rule 1000(d) and infra Section III.E.

283 See Securities Exchange Act Release No. 50486 (October 4, 2004), 69 FR 60287 (October 8, 2004) (adopting the EFFS for use in filing Form 19b–4).

3. Access to the Systems of an SCI Entity

Proposed Rule 1000(f) would require SCI entities to provide Commission representatives reasonable access to their SCI systems and SCI security systems.
Thus, the proposed rule would facilitate the access of representatives of the Commission to such systems of an SCI entity either remotely or on site.284 Proposed Rule 1000(f) is intended to be consistent with the Commission’s current authority with respect to access to records generally 285 and help ensure that Commission representatives have ready access to the SCI systems and SCI security systems of SCI entities in order to evaluate an SCI entity’s practices with regard to the requirements of proposed Regulation SCI.286

Request for Comment

160. The Commission requests comment generally on proposed Rule 1000(f). Are there restrictions that should be placed on the proposed access that would still allow the Commission and its representatives to be able to evaluate an SCI entity’s practices with regard to the requirements of proposed Regulation SCI? If so, what should such restrictions be and why? Please describe.

284 For example, with access to an SCI entity’s SCI systems and SCI security systems, Commission representatives could test an SCI entity’s firewalls and vulnerability to intrusions.

285 See, e.g., Section 17(b) of the Exchange Act which states that all records of the entities listed in Section 17(a) ‘‘are subject at any time, or from time to time, to such reasonable periodic, special, or other examinations by representatives of the Commission * * * as the Commission * * * deems necessary or appropriate in the public interest, for the protection of investors, or otherwise in furtherance of the purposes of [the Exchange Act].’’

286 See 15 U.S.C. 78q(b). The Commission believes proposed Rule 1000(f) also is authorized by Sections 11A, 6(b)(1), 15A(b)(2), and 17A(b)(3)(A) of the Exchange Act, among others. See supra notes 9–11 and accompanying text.

E. New Proposed Form SCI

The Commission is proposing that the notices, reports, and other information required to be provided to the Commission pursuant to proposed Rules 1000(b)(4), (6), (8), and (10) of Regulation SCI be submitted electronically on new proposed Form SCI. Proposed Form SCI would solicit information through a series of questions designed to elicit short-form answers and also would require SCI entities to provide information and/or reports in narrative form by attaching specified exhibits. All filings on proposed Form SCI would require that an SCI entity identify itself and indicate the basis for submitting Form SCI, whether a: notification or update notification regarding an SCI event pursuant to proposed Rule 1000(b)(4); notice of a planned material systems change pursuant to proposed Rule 1000(b)(6); submission of a required report pursuant to proposed Rule 1000(b)(8); or notification of an SCI entity’s standards for designation of members or participants to participate in required testing and the identity of such designated members or participants pursuant to proposed Rule 1000(b)(9). A filing on Form SCI required by proposed Rules 1000(b)(4), (6), (8), or (9) would require that an SCI entity provide additional information on attached exhibits, as discussed below.

1. Notice of SCI Events Pursuant to Proposed Rule 1000(b)(4)

As discussed above, proposed Rule 1000(b)(4)(i) would require an SCI entity, upon any responsible SCI personnel becoming aware of a systems disruption that the SCI entity reasonably estimates would have a material impact on its operations or on market participants, any systems compliance issue, or any systems intrusion, to notify the Commission of such SCI event. Proposed Rule 1000(b)(4)(ii) would require an SCI entity, upon any responsible SCI personnel becoming aware of any SCI event, to notify the Commission of the SCI event in writing within 24 hours.
Proposed Rule 1000(b)(4)(iii) would require continuing written updates on a regular basis, or at such frequency as reasonably requested by a representative of the Commission, until such time as the SCI event is resolved. Proposed Rule 1000(b)(4)(iv) would direct an SCI entity to submit the required notifications on Form SCI. Further, proposed Rule 1000(b)(4)(iv) and new proposed Form SCI would specify the particular information an SCI entity would be required to provide to the Commission to comply with the Commission notification requirements of proposed Rules 1000(b)(4)(ii) and 1000(b)(4)(iii). As such, proposed Rule 1000(b)(4) would specify when and how notices would be required to be filed, and it and new proposed Form SCI would address the content of required notices.

For a written notification to the Commission of an SCI event under proposed Rule 1000(b)(4)(ii), new proposed Form SCI would require that an SCI entity indicate that the filing is being made pursuant to proposed Rule 1000(b)(4)(ii) and provide the following information in a short, standardized format: (i) Whether the filing is a Rule 1000(b)(4)(ii) notification or Rule 1000(b)(4)(iii) update of an SCI event; (ii) the SCI event type(s) (i.e., systems compliance issue, systems intrusion, and/or systems disruption); (iii) whether the event is a systems disruption that the SCI entity reasonably estimates would have a material impact on its operations or on market participants; (iv) if so, whether the Commission has been notified of the SCI event; (v) whether the SCI event has been resolved; (vi) the date/time the SCI event started; (vii) the duration of the SCI event; (viii) the date and time when responsible SCI personnel became aware of the SCI event; (ix) the estimated number of market participants impacted by the SCI event; (x) the type(s) of systems impacted;287 and (xi) if applicable, the type of systems disruption.288 In addition, proposed Form SCI would require attachment of Exhibit 1, providing a narrative description of the SCI event, including: (1) A detailed description of the SCI event; (2) the SCI entity’s current assessment of the types and number of market participants potentially affected by the SCI event; (3) the potential impact of the SCI event on the market; and (4) the SCI entity’s current assessment of the SCI event, including a discussion of the SCI entity’s determination regarding whether the SCI event is a dissemination SCI event or not.289 In addition, to the extent available as of the time of the initial notification, Exhibit 1 would require inclusion of the following information: (1) A description of the steps the SCI entity is taking, or plans to take, with respect to the SCI event; (2) the time the SCI event was resolved or timeframe within which the SCI event is expected to be resolved; (3) a description of the SCI entity’s rule(s) and/or governing documents, as applicable, that relate to the SCI event; and (4) an analysis of the parties that may have experienced a loss, whether monetary or otherwise, due to the SCI event, the number of such parties, and an estimate of the aggregate amount of such loss.290

Proposed Rule 1000(b)(4)(iii) would require an SCI entity to provide continuing written updates regularly for each SCI event, or at such frequency as reasonably requested by a representative of the Commission, until such time as the SCI event is resolved.291 Proposed Form SCI would require that an SCI entity indicate that it is providing such written update pursuant to Rule 1000(b)(4)(iii) and attach such update as Exhibit 2 to Form SCI. If any of the foregoing information is not available for inclusion on Exhibit 1 as of the date of the initial notification, the SCI entity would be required to provide such information when it becomes available on Exhibit 2. The information proposed to be required in narrative format in Exhibit 1, and if applicable, Exhibit 2, is intended to elicit a fuller description of the SCI event, and would require an SCI entity to provide detail and context not easily conveyed in short-form responses.

287 The types of systems listed on proposed Form SCI track the types of systems that make up the proposed definitions of ‘‘SCI system’’ and ‘‘SCI security system’’ in proposed Rule 1000(a).

288 The types of systems disruptions listed on proposed Form SCI track the provisions of the proposed definition of ‘‘system disruption’’ in proposed Rule 1000(a) and include, with respect to SCI systems: (1) A failure to maintain service level agreements or constraints; (2) a disruption of normal operations, including switchover to back-up equipment with near-term recovery of primary hardware unlikely; (3) a loss of use of any such system; (4) a loss of transaction or clearance and settlement data; (5) significant back-ups or delays in processing; (6) a significant diminution of ability to disseminate timely and accurate market data; or (7) a queuing of data between system components or queuing of messages to or from customers of such duration that normal service delivery is affected.
Proposed Form SCI would further require attachment of Exhibit 3, providing a copy in pdf or html format of any information disseminated to date regarding the SCI event to its members or participants or on the SCI entity’s publicly available Web site.292 The Commission preliminarily believes that the proposed items of information required to be disclosed by an SCI entity on Exhibit 1 within 24 hours of any of its responsible SCI personnel becoming aware of an SCI event, or when available, on Exhibit 2, would help the Commission and its staff quickly assess the nature and scope of an SCI event, and help the SCI entity identify the appropriate response to the SCI event, including ways to mitigate the impact of the SCI event on investors and promote the maintenance of fair and orderly markets.

289 See proposed Rule 1000(b)(4)(iv)(A)(1).

290 See proposed Rule 1000(b)(4)(iv)(A)(2).

291 See proposed Rule 1000(b)(4)(iv)(B).

292 See proposed Rule 1000(b)(4)(iv)(C).

2. Notices of Material Changes Pursuant to Proposed Rule 1000(b)(6)

Proposed Rule 1000(b)(6) would require an SCI entity to notify the Commission of planned material systems changes on proposed Form SCI 30 calendar days in advance of such change, unless exigent circumstances exist or information previously provided regarding a material systems change has become materially inaccurate, necessitating notice regarding a material systems change with less than 30 calendar days’ notice.
To implement this requirement, proposed Form SCI would require an SCI entity to indicate on Form SCI that it is filing a planned material systems change notification, provide the date of the planned material systems change, indicate whether exigent circumstances exist or if the information previously provided to the Commission regarding any planned material systems change has become materially inaccurate, and, if so, whether the Commission has been notified orally, and attach as Exhibit 4 a description of the planned material systems change as well as the expected dates of commencement and completion of implementation of such changes, or, if applicable, a material systems change that has already been made due to exigent circumstances.
3. Reports Submitted Pursuant to Rule 1000(b)(8)
Proposed Rule 1000(b)(8) would require an SCI entity to submit to the Commission: (i) A report of the SCI review required by proposed Rule 1000(b)(7), together with any response by senior management, within 60 calendar days after submission of the SCI review to senior management; and (ii) a report within 30 calendar days after the end of June and December of each year containing a summary description of the progress of any material systems change during the six-month period ending on June 30 or December 31, as the case may be, and the date, or expected date, of completion of implementation of such changes. For filings of the reports of SCI reviews, proposed Form SCI would require an SCI entity to indicate on Form SCI that it is filing a report of SCI review, indicate the date of completion of the SCI review, and date of submission of the SCI review to senior management of the SCI entity. The report of the SCI review required by proposed Rule 1000(b)(7), together with any response by senior management, would be required to be submitted as Exhibit 5 to proposed Form SCI.
For filings of the semi-annual reports of material systems changes, proposed Form SCI would require an SCI entity to indicate on Form SCI that it is filing a semi-annual report of material systems changes, and attach the semi-annual report as Exhibit 6 to proposed Form SCI.
4. Notifications of Member or Participant Designation Standards and List of Designees Pursuant to Proposed Rule 1000(b)(9)
Proposed Rule 1000(b)(9) would require an SCI entity to notify the Commission of its standards for designating members or participants it deems necessary, for the maintenance of fair and orderly markets in the event of the activation of the SCI entity’s business continuity and disaster recovery plans, to participate in the testing of such plans as well as a list of members or participants designated in accordance with such standards, and prompt updates following any changes to such standards and designations. Form SCI would require such information to be submitted as Exhibit 7 to Form SCI. Thus, an SCI SRO would be required to attach any relevant provisions of its rules, an SCI ATS or exempt clearing agency subject to ARP would be required to attach its relevant internal processes or other documents, and a plan processor would be required to attach the relevant provisions of its SCI Plan.
The Commission preliminarily believes that the proposed mechanism of submitting the reports, notices, and other information required by proposed Rules 1000(b)(4), (6), (8), and (10) by attaching them as exhibits to Form SCI would be an efficient manner for providing such information to the Commission and its staff, and that it would be more cost-effective for SCI entities as well as the Commission than requiring the submission in a paper format or using an electronic method that differs from that proposed.
5. Other Information and Electronic Signature
In addition to the foregoing, proposed Form SCI would require an SCI entity to provide Commission staff with point of contact information for systems personnel and regulatory personnel responsible for addressing an SCI event, including the name, title, telephone number and email address of such persons. Proposed Form SCI would also require the SCI entity to designate on the form contact information for a senior officer of the SCI entity responsible for matters concerning the submission of such Form SCI. Finally, proposed Form SCI would require an electronic signature to help ensure the authenticity of the Form SCI submission. The Commission preliminarily believes these proposed requirements would expedite communications between Commission staff and an SCI entity and help to ensure that only personnel authorized by the SCI entity are submitting required filings and working with Commission staff to address an SCI event or systems issue promptly and efficiently.
To the extent that the Commission receives confidential information pursuant to these reports and submissions, such information would be kept confidential, subject to the provisions of applicable law.293
Request for Comment
161. The Commission requests comment on all aspects of proposed Form SCI. Do commenters believe proposed Form SCI would capture the information necessary to assist the Commission in obtaining relevant information about SCI events to mitigate the effects of such events on investors and the public?
Specifically, do commenters believe that the proposal to elicit the following information on Form SCI within 24 hours of any responsible SCI personnel becoming aware of an SCI event is appropriate: (i) Whether the filing is a Rule 1000(b)(4)(ii) notification or Rule 1000(b)(4)(iii) update of an SCI event; (ii) the SCI event type(s) (i.e., systems compliance issue, systems intrusion, and/or systems disruption); (iii) whether the event is a systems disruption that the SCI entity reasonably estimates would have a material impact on its operations or on market participants; (iv) if so, whether the Commission has been notified of the SCI event; (v) whether the SCI event has been resolved; (vi) the date/time the SCI event started; (vii) the duration of the SCI event; (viii) the date and time when responsible SCI personnel became aware of the SCI event; (ix) the estimated number of market participants impacted by the SCI event; (x) the type(s) of systems impacted; and (xi) if applicable, the type of systems disruption.
293 See, e.g., 5 U.S.C. 552 (Exemption 4 of the Freedom of Information Act provides an exemption for ‘‘trade secrets and commercial or financial information obtained from a person and privileged or confidential.’’ 5 U.S.C. 552(b)(4). Exemption 8 of the Freedom of Information Act provides an exemption for matters that are ‘‘contained in or related to examination, operating, or condition reports prepared by, on behalf of, or for the use of an agency responsible for the regulation or supervision of financial institutions.’’ 5 U.S.C. 552(b)(8)).
162. Do commenters believe that all relevant information relating to a systems disruption, systems compliance issue, or systems intrusion would be captured on proposed Form SCI? If not, what additional information should be included on proposed Form SCI?
For example, should proposed Form SCI require that an SCI entity specifically identify market participants that may have been affected by the SCI event? Why or why not?
163. Do commenters believe the proposed information required to be provided to the Commission regarding SCI events in the 24-hour notification on Exhibit 1 is appropriate? Do commenters believe that the proposal to require an update notification on Exhibit 2, and the information required to be provided for such updates, are appropriate? Why or why not?
164. Commenters that believe the information proposed to be required on Form SCI, whether in short form or in narrative form on proposed Exhibits 1 and 2, is not appropriate should explain their reasoning and suggest alternatives, as appropriate. Should any information proposed to be required be eliminated? Should any other information be required? Please describe and explain.
165. Do commenters believe the required contents of proposed Exhibit 3 are appropriate (i.e., a copy in pdf or html format of any information disseminated to an SCI entity’s members or participants or on the SCI entity’s publicly available Web site)? If not, why not?
166. Do commenters believe submission of proposed Form SCI and attachment of Exhibits 4, 5, 6, and 7 regarding material systems changes, SCI reviews, and notifications of standards for designations and designees for the testing of an SCI entity’s business continuity and disaster recovery plans, is an appropriate method for SCI entities to provide this information to the Commission? If not, why not? Should any information proposed to be required be eliminated? Should any other information be required? Please explain.
167. Is the proposal to require contact information for systems, regulatory, and senior officer appropriate? Should any information proposed to be required be eliminated? Is there any other type of information that proposed Form SCI should require?
Is the proposal to require an electronic signature appropriate? If not, why not?
168. Would proposed Form SCI contain enough information so that the Commission and its staff would be able to accurately analyze SCI events, material changes to systems, and all other required filings?
169. Upon receiving information submitted as part of an SCI entity’s electronic filing, it is the Commission’s objective that such information be easily analyzed, searched, and manipulated. The Commission has designed proposed Form SCI with this objective in mind, particularly with the uniform requirements on the front of the form. The Commission, however, is cognizant that certain information, particularly with respect to the information required on the various exhibits to the proposed form, may not be as easily analyzed, searched, or manipulated. The Commission seeks comment as to whether it should mandate that proposed Form SCI as a whole, including the proposed exhibits, employ a particular structured data format that would allow the Commission and its staff to analyze, search, and manipulate the form’s information. At the same time, the Commission recognizes that employing a particular tagged data format may potentially reduce the flexibility afforded to such entities to collect and report data in a manner that is more efficient and cost effective for them. The Commission requests comments as to whether there may be tagged data formats that are sufficiently flexible and that are accepted and used throughout the industry, such as XML, XBRL, or another structured data format that could be used for proposed Form SCI. Are there different standard data formats currently in use depending on the type of SCI entity that would enable the Commission to achieve its goals? If so, what are they?
Should the SCI entity have the flexibility to specify the acceptable data format for submitting information? Why or why not? Do commenters have concerns with proposed Regulation SCI requiring the use of a tagged data format, such as XML, XBRL, or some other structured data format that may be tagged, to report data? If so, what are they? Are there any licensing fees or other costs associated with the use of tagged data formats, such as XML, XBRL, or similar structured data formats that may be tagged? If so, what action should the Commission take, if any, to help ensure wide availability of a common data format by all participants?
F. Request for Comment on Applying Proposed Regulation SCI to Security-Based Swap Data Repositories and Security-Based Swap Execution Facilities
On July 21, 2010, the President signed the Dodd-Frank Act into law.294 The Dodd-Frank Act was enacted, among other things, to promote the financial stability of the United States by improving accountability and transparency of the nation’s financial system.295 Title VII of the Dodd-Frank Act provides the Commission and the CFTC with the authority to regulate over-the-counter (‘‘OTC’’) derivatives.
294 The Dodd-Frank Wall Street Reform and Consumer Protection Act (Pub. L. 111–203, H.R. 4173) (‘‘Dodd-Frank Act’’).
295 See Public Law 111–203 Preamble.
1. Proposed System Safeguard Rules for SB SDRs and SB SEFs
Section 763 of the Dodd-Frank Act amends the Exchange Act by adding various new statutory provisions to govern the regulation of various entities, including security-based swap data repositories and security-based swap execution facilities.296 Under the authority of Section 13(n) of the Exchange Act, applicable to SB SDRs, and Section 3D(d) of the Exchange Act, applicable to SB SEFs, the Commission recently proposed rules for these entities with regard to their automated systems’ capacity, resiliency, and security.297 Specifically, in the SB SDR Proposing Release and the SB SEF Proposing Release, respectively, the Commission proposed Rule 13n–6 and Rule 822 under the Exchange Act, which would set forth the requirements for these entities with regard to their automated systems’ capacity, resiliency, and security.298 In each release, the Commission stated that it was proposing standards comparable to the standards applicable to SROs, including exchanges and clearing agencies, and other registrants, pursuant to the Commission’s ARP standards.299
Proposed Rules 13n–6 and 822, applicable to SB SDRs and SB SEFs, respectively, would require these entities, ‘‘with respect to those systems that support or are integrally related to the performance of its activities’’ to ‘‘establish, maintain, and enforce written policies and procedures reasonably designed to ensure that its systems provide adequate levels of capacity, resiliency, and security.’’ 300 Under proposed Rules 13n–6 and 822, such policies and procedures, at a minimum, would require these SB SDRs and SB SEFs to: (i) Establish reasonable current and future capacity estimates; (ii) conduct periodic capacity stress tests of critical systems to determine such systems’ ability to process transactions in an accurate, timely, and efficient manner; (iii) develop and implement reasonable procedures to review and keep current their system development and testing methodologies; (iv) review the vulnerability of their systems and data center computer operations to internal and external threats, physical hazards, and natural disasters; and (v) establish adequate contingency and disaster recovery plans.301 Proposed Rules 13n–6 and 822 would further require SB SDRs and SB SEFs to submit, on an annual basis, an ‘‘objective review’’ of their systems to the Commission within 30 calendar days of its completion; 302 notify the Commission in writing of material systems outages; and notify the Commission in writing at least 30 calendar days before implementation of any planned material systems changes.
To date, the Commission has received two comment letters from one commenter in response to proposed Rule 13n–6 303 and four comment letters in response to proposed Rule 822.304 Both comment letters on proposed Rule 13n–6 expressed support for the proposed rule.305 Two commenters on proposed Rule 822 expressed support for the proposed rule.306 Two other commenters on proposed Rule 822 suggested modifications, including that the Commission (1) require SB SEFs to establish policies and procedures reasonably designed to prevent any provision in a valid swap transaction from being invalidated or modified through the utilization of, or execution on, a SB SEF; 307 and (2) provide for the implementation of the system safeguards requirements on a staged basis.308
296 See Public Law 111–203, Section 763 (adding Sections 13(n), 3C, and 3D of the Exchange Act). The Dodd-Frank Act also directs the Commission to harmonize to the extent possible Commission regulation of SB SDRs and SB SEFs with CFTC regulation of swap data repositories (‘‘SDRs’’) and swap execution facilities (‘‘SEFs’’) under the CFTC’s jurisdiction, an endeavor that Commission staff is undertaking as it seeks to move the SB SDR and SB SEF proposals toward adoption. See Public Law 111–203, Section 712, directing the Commission, before commencing any rulemaking with regard to SB SDRs or SB SEFs, to consult and coordinate with the CFTC for purposes of assuring regulatory consistency and comparability to the extent possible.
297 See Securities Exchange Act Release Nos. 63347 (November 19, 2010), 75 FR 77306 (December 10, 2010) (proposing new Rule 13n–6 under the Exchange Act applicable to SB SDRs) (‘‘SB SDR Proposing Release’’); 63825 (February 2, 2011), 76 FR 10948 (February 28, 2011) (proposing new Rule 822 under the Exchange Act applicable to SB SEFs) (‘‘SB SEF Proposing Release,’’ together with the SB SDR Proposing Release, the ‘‘SBS Releases’’). See also Public Law 111–203, Section 761(a) (adding Section 3(a)(75) of the Exchange Act) (defining the term ‘‘security-based swap data repository’’), and Section 761(a) (adding Section 3(a)(77) of the Exchange Act) (defining the term ‘‘security-based swap execution facility’’).
298 See SB SDR Proposing Release and SB SEF Proposing Release, supra note 297.
299 See SB SDR Proposing Release, supra note 293, at 77332 and SB SEF Proposing Release, supra note 297, at 10987.
300 See SB SDR Proposing Release, 75 FR 77370 and SB SEF Proposing Release, 76 FR 11064, supra note 297.
301 Id.
302 Such review may be performed internally if an external firm reports on the objectivity, competency, and work performance with respect to the internal review.
303 See Letter from Larry E. Thompson, General Counsel, The Depository Trust & Clearing Corporation to Elizabeth M. Murphy, Secretary, Commission, dated January 24, 2011 (‘‘DTCC SB SDR Letter 1’’); and Letter from Larry E. Thompson, General Counsel, Depository Trust & Clearing Corporation to Mary Shapiro, Chairman, Commission, dated June 3, 2011 (‘‘DTCC SB SDR Letter 2’’).
304 See Letter from American Benefits Counsel to Elizabeth M. Murphy, Secretary, Commission, dated April 8, 2011 (‘‘ABC SB SEF Letter’’); Letter from Nancy C. Gardner, Executive Vice President & General Counsel, Markets Division, Thomson Reuters to Elizabeth M. Murphy, Secretary, Commission, dated April 4, 2011 (‘‘Thomson SB SEF Letter’’); Letter from Stephen Merkel, Chairman, Wholesale Markets Brokers’ Association Americas to Elizabeth M. Murphy, Secretary, Commission, dated April 4, 2011 (‘‘WMBAA SB SEF Letter’’); and Letter from Robert Pickel, Executive Vice Chairman, International Swaps and Derivatives Association, and Kenneth E. Bentsen, Jr., Executive Vice President, Public Policy and Advocacy, Securities Industry and Financial Markets Association to Elizabeth M. Murphy, Secretary, Commission, dated April 4, 2011 (‘‘ISDA SIFMA SB SEF Letter’’).
305 See DTCC SB SDR Letter 1, supra note 304, at 3; DTCC SB SDR Letter 2, supra note 304, at 4 (recommending that SB SDRs ‘‘maintain multiple levels of operational redundancy and data security’’).
306 See Thomson SB SEF Letter, supra note 304, at 8; WMBAA SB SEF Letter, supra note 304, at 24.
307 See ABC SB SEF Letter, supra note 304, at 10.
308 See ISDA SIFMA SB SEF Letter, supra note 304, at 12 (noting that the system safeguard requirements would require time and systems expertise to implement fully).
2. Proposed System Safeguard Rules for SB SDRs and SB SEFs as Compared to Proposed Regulation SCI
As noted above, proposed Regulation SCI is intended to build upon and update the Commission’s ARP standards,309 which were the basis for proposed Rules 13n–6 and 822 for SB SDRs and SB SEFs, respectively. Although proposed Rules 13n–6 and 822 have much in common with proposed Regulation SCI, they differ in scope and detail from proposed Regulation SCI in a number of ways. Among the differences are certain provisions in proposed Regulation SCI that proposed Rules 13n–6 and 822 do not include.
309 See supra Sections I and II.
Specifically, as discussed above, proposed Regulation SCI would: (i) Define the terms ‘‘SCI systems’’ and ‘‘SCI security systems;’’ 310 (ii) specifically require the establishment, maintenance, and enforcement of written policies and procedures reasonably designed to ensure that SCI systems and, for purposes of security standards, SCI security standards, have levels of capacity, integrity, resiliency, availability, and security adequate to maintain an SCI entity’s operational capability and promote the maintenance of fair and orderly markets; 311 (iii) require SCI entities to establish policies and procedures regarding standards that result in systems designed, developed, tested, maintained, operated, and surveilled in a manner that facilitates the successful collection, processing, and dissemination of market data; (iv) require SCI entities to establish, maintain, and enforce reasonably designed written policies and procedures to ensure that SCI systems operate in the manner intended, including in a manner that complies with the federal securities laws and rules and regulations thereunder and, as applicable, the entity’s rules and governing documents; (v) require SCI entities to take corrective action, including devoting adequate resources, to remedy an SCI event as soon as reasonably practicable; 312 (vi) require SCI entities to have backup and recovery capabilities sufficiently resilient and geographically diverse to ensure next business day resumption of trading following a wide scale disruption; (vii) require an annual SCI review of the SCI entity’s compliance with proposed Regulation SCI and the reporting of such review to the Commission; (viii) require an SCI entity, with respect to its business continuity and disaster recovery plans, including its backup systems, to require participation by designated members or participants in scheduled functional and performance testing of the operation of such plans at specified intervals, and to coordinate such required testing with other SCI entities; (ix) require all SCI events to be reported to the Commission, and certain types of SCI events to be disseminated to an SCI entity’s members or participants; and (x) establish semi-annual reporting obligations for planned material systems changes. In addition, proposed Regulation SCI would establish a system for submitting required notices, reports, and other information to the Commission on proposed new Form SCI. Each of these proposed requirements goes beyond the explicit requirements in proposed Rules 13n–6 and 822.
310 See proposed Rule 1000(a), which would define ‘‘SCI systems’’ as ‘‘all computer, network, electronic, technical, automated, or similar systems of, or operated by or on behalf of, an SCI entity, whether in production, development, or testing, that directly support trading, clearance and settlement, order routing, market data, regulation, or surveillance,’’ and ‘‘SCI security systems’’ as ‘‘any systems that share network resources with SCI systems that, if breached, would be reasonably likely to pose a security threat to SCI systems.’’
311 While proposed Rule 13n–6 did not specifically include such a requirement for SB SDRs, the SB SDR Proposing Release stated that ‘‘[a]s a general matter, the Commission preliminarily believes that, if an SDR’s policies and procedures satisfy industry best practices standards, then these policies and procedures would be adequate.’’ See SB SDR Proposing Release, supra note 297, at 77333. See also SB SEF Proposing Release, supra note 297, at 10988.
312 See proposed Rule 1000(a), defining ‘‘SCI event’’ as an event at an SCI entity that constitutes: (1) A systems disruption; (2) a systems compliance issue; or (3) a systems intrusion.
3. Consideration of Applying the Requirements of Proposed Regulation SCI to SB SDRs and/or SB SEFs
If the Commission were to adopt Rules 13n–6 and 822 as proposed in the SBS Releases and also adopt Regulation SCI as proposed herein, there would be differences, as noted above, between the obligations imposed on SB SDRs and SB SEFs with respect to system safeguards on the one hand and the obligations imposed on SCI entities on the other. Therefore, the Commission solicits comment on whether it should propose to apply the requirements of proposed Regulation SCI, in whole or in part, to SB SDRs and/or SB SEFs. In providing views on whether the Commission should propose to apply proposed Regulation SCI to SB SDRs and/or SB SEFs, commenters are encouraged to consider the discussion regarding each provision of proposed Regulation SCI that is set forth in Sections III.B through III.E above. Should the Commission decide to propose to apply the requirements of proposed Regulation SCI to such entities, the Commission would issue a separate release discussing such a proposal.
In enacting Title VII of the Dodd-Frank Act, Congress judged it important to increase the transparency and oversight of the OTC derivatives market. In addition, in proposing Regulation SB SEF, the Commission noted that SB SEFs are intended to ‘‘lead to a more robust, transparent, and competitive environment for the market for security-based swaps (‘‘SBS’’ or ‘‘SB swaps’’).’’ 313 Similarly, in proposing rules for SB SDRs, the Commission noted that ‘‘SDRs may be especially critical during times of market turmoil, both by giving relevant authorities information to help limit systemic risk and by promoting stability through enhanced transparency’’ and that, ‘‘[b]y enhancing stability in the SBS market, SDRs may also indirectly enhance stability across markets, including equities and bond markets.’’ 314
313 See SB SEF Proposing Release, supra note 297, at 11035.
The Commission notes that it may or may not be appropriate to apply the requirements of proposed Regulation SCI to SB SDRs and SB SEFs. In particular, SB SDRs will play an important role in limiting systemic risk and promoting the stability of the SBS market. SB SDRs also would serve as information disseminators 315 in a manner similar to plan processors in the equities and options markets that, under this proposal, would be subject to the requirements of proposed Regulation SCI. SB SEFs would function as trading markets, and in that respect could be viewed as analogous to national securities exchanges and SCI ATSs, both of which function as trading markets and are included in the proposed definition of SCI entity.316 The Commission preliminarily believes that the same types of concerns and issues that have resulted in the Commission previously publishing its ARP policy statements,317 developing its ARP Inspection Program,318 adopting certain aspects of the ARP policy statements under Regulation ATS,319 and, ultimately, proposing Regulation SCI,320 may similarly apply to SB SDRs and SB SEFs.
In proposing Rule 13n–6, the Commission noted that systems failures can limit access to data, call into question the integrity of data, and prevent market participants from being able to report transaction data, and thereby have a large impact on market confidence, risk exposure, and market efficiency.321 Similarly, in proposing Rule 822, the Commission noted that the proposed system safeguard requirements for SB SEFs are designed to prevent and minimize the impact of systems failures that might negatively impact the stability of the SB swaps market.322 At the same time, because the Commission recognizes that there may be differences between the markets for the types of securities that would be covered by proposed Regulation SCI and the SBS market, including differing levels of automation and stages of regulatory development, the Commission requests comment on whether it would be appropriate to propose to apply the requirements of proposed Regulation SCI to SB SDRs and/or SB SEFs.
314 See SB SDR Proposing Release, supra note 297, at 77307.
315 See Securities Exchange Act Release No. 63346 (November 19, 2010), 75 FR 75208, 75227 (December 2, 2010) (proposing Regulation SBSR).
316 See SB SEF Proposing Release, supra note 297, at 10987, n.246 (‘‘Because SB SEFs would be an integral part of the market for SB swaps, and therefore an integral part of the national market system, the Commission believes that it is appropriate to model a SB SEF’s rules on system safeguards on ARP.’’).
317 See supra notes 1 and 12–18 and accompanying text.
318 See supra notes 25–26 and accompanying text.
319 See supra note 26 and accompanying text.
320 See supra Section I.B.
321 See SB SDR Proposing Release, supra note 297, at 77332.
As discussed further below, the Commission also requests comment on whether, if commenters believe proposed Regulation SCI should apply to SB SDRs and/or SB SEFs, the system safeguard rules currently proposed for SB SDRs and SB SEFs in the SBS Releases should, if adopted, be replaced, at some point in the future, by the requirements proposed in this release and, if so, how. 170. Are the SBS markets sufficiently similar to the markets within which the proposed SCI entities operate such that it would be appropriate to apply the same system safeguard requirements to SB SDRs and/or SB SEFs that would be applicable to SCI entities? Why or why not? Do commenters believe that there are characteristics of the SBS markets that the Commission should consider to support its applying different system safeguard rules to SB SDRs and/or SB SEFs than to SCI entities? If so, what are those characteristics, and why should different rules apply to SB SDRs and/or SB SEFs? If not, why not? 171. If the Commission were to propose to apply some or all of the provisions of proposed Regulation SCI to SB SDRs and/or SB SEFs, should the Commission propose to apply the provisions of proposed Regulation SCI differently to SB SDRs versus SB SEFs? For example, should the Commission propose to apply some or all of the provisions of proposed Regulation SCI to SB SDRs but not SB SEFs or vice versa? Why or why not? 172. What effect, if any, would there be of having SB SDRs and/or SB SEFs subject to different system safeguard rules than those proposed for SCI entities? Would there be any short term and/or long term impact of SB SDRs and/or SB SEFs being subject to different system safeguard rules than those proposed for SCI entities? For example, if SB SEFs were subject to different system safeguard rules than those proposed for SCI entities, would 322 See SB SEF Proposing Release, supra note 297, at 10987. 
PO 00000 Frm 00053 Fmt 4701 Sfmt 4702 18135 there be an impact on competition between SB SEFs and national securities exchanges that trade SB swaps? Please describe any expected impact on competition. Are there any provisions in proposed Regulation SCI that, if applied to SB SEFs, would create barriers to entry that could preclude small SB SEFs (e.g., those that do not exceed a specified volume or liquidity threshold) from entering the SBS market? 173. The Commission also requests comment on whether it should propose to apply all provisions of proposed Regulation SCI to SB SDRs and/or SB SEFs or just those provisions comparable to the proposed system safeguard rules for SB SDRs or SB SEFs. 174. Should the Commission, if it were to propose to apply some or all of the provisions of proposed Regulation SCI to SB SDRs and/or SB SEFs, propose that SB SEFs and/or SB SDRs have written policies and procedures reasonably designed to ensure that their SCI systems and, for purposes of security standards, SCI security systems, have levels of capacity, integrity, resiliency, availability, and security, adequate to maintain their operational capability and promote the maintenance of fair and orderly markets? Why or why not? If the Commission were to propose such a requirement for SB SDRs and/or SB SEFs, should SCI industry standards for SB SDRs and/or SB SEFs be different from those proposed for SCI entities? If so, please explain why. What are the industry standards that should apply to SB SEFs and/or SB SDRs? Please be as specific as possible and explain why a particular industry standard would be appropriate. 175. Do the characteristics of the SBS market support a need for a mandatory requirement that SB SDRs and/or SB SEFs maintain backup and recovery capabilities sufficiently resilient and geographically diverse to ensure next business day resumption of trading (for SB SEFs) or data repository services (for SB SDRs) following a wide scale disruption? Why or why not? 176. 
Should the Commission propose to require SB SEFs and/or SB SDRs to establish written policies and procedures regarding standards that result in systems designed, developed, tested, maintained, operated, and surveilled in a manner that facilitates the successful collection, processing, and dissemination of market data? Why or why not?

177. Should the Commission propose to require SB SEFs and/or SB SDRs to establish, maintain, and enforce policies and procedures reasonably designed to ensure that their SCI systems operate in the manner intended, including in a manner that complies with federal securities laws and rules and regulations thereunder and, as applicable, the entity’s rules and governing documents, as proposed for SCI entities in Rule 1000(b)(2)(i)? Why or why not? Should the Commission propose a safe harbor from liability for SB SEFs and/or SB SDRs and their respective employees if they satisfy the elements of a safe harbor, similar to those for SCI entities in proposed Rules 1000(b)(2)(ii) and (iii)? Why or why not?

178. Should the Commission propose to require SB SEFs and/or SB SDRs, with respect to their business continuity and disaster recovery plans, including their backup systems, to require participation by designated participants in scheduled functional and performance testing of the operation of such plans at specified intervals, and to coordinate such required testing with other SB SEFs and/or SB SDRs, as proposed for SCI entities in Rule 1000(b)(9)? Why or why not?

179.
With regard to the reporting and information dissemination requirements in proposed Rules 1000(b)(4) and Rule 1000(b)(5) of Regulation SCI, would it be appropriate to propose that an SB SDR and/or SB SEF be required to report all SCI events to the Commission, and disseminate information relating to dissemination SCI events to their participants? Why, or why not? If not, on what basis should SB SDRs and/or SB SEFs be distinguished from other SCI entities?

180. Should SB SDRs and/or SB SEFs be required to provide notice of, and file semi-annual reports for, material systems changes with the Commission, as proposed for SCI entities in Rules 1000(b)(6) and (b)(8)? Why or why not?

181. Should SB SDRs and/or SB SEFs be required to undertake an annual SCI review of systems and submit to the Commission a report of such review, together with any response of senior management, as proposed for SCI entities in Rule 1000(b)(7) and (8)? Why or why not?

182. Should SB SDRs and/or SB SEFs be required to submit any required notices, reports, and other information to the Commission on proposed new Form SCI? Why, or why not?

183. If the Commission were to determine that it would be appropriate to propose to apply some or all of the requirements of proposed Regulation SCI to SB SDRs and/or SB SEFs, should the Commission propose to apply such requirements of proposed Regulation SCI to all SB SDRs? To all SB SEFs? Are there distinctions that should be made between different types of SB SDRs (or SB SEFs) such that some requirements of proposed Regulation SCI might be appropriate for some SB SDRs (or SB SEFs) but not others? If so, what are those distinctions and what are those requirements? For example, should any requirements be based on criteria such as number of transactions or notional volume reported to a SB SDR or executed on a SB SEF? If so, what would be an appropriate threshold for any such criteria, and why?

184.
Alternatively, given the nascent stage of regulatory development of the SBS markets, would it be appropriate to create a category under proposed Regulation SCI such as ‘‘new SB SCI entity’’ that would, for example, be applicable to SB SDRs and/or SB SEFs for a certain period of time after such entities become registered with the Commission? If so, what period of time would be appropriate (e.g., one year, three years, or some other period)? Should there be other criteria for an SB SEF (or SB SDR) to be considered a new SB SCI entity? If so, what should be the criteria for inclusion? Would market share, number of transactions, and/or notional volume be appropriate criteria? If so, at what level should the criteria thresholds be set, and why? If not, why not? How should the requirements of proposed Regulation SCI differ for such ‘‘new SB SCI entities?’’

185. The Commission notes that, if it were to adopt proposed Regulation SCI and proposed Rules 13n–6 and 822, the system safeguard rules applicable to SB SDRs and SB SEFs would diverge from those applicable to SCI entities, as well as from those the CFTC has adopted for SDRs and may adopt for SEFs.323 What negative effects, if any, do commenters believe would result from disparity in the: (1) Commission’s system safeguard rules applicable to SB SDRs and/or SB SEFs; (2) requirements of Regulation SCI applicable to SCI entities; and (3) CFTC’s system safeguard rules applicable to SDRs and SEFs?

323 As noted above, SDRs and SEFs, entities similar to SB SDRs and SB SEFs, respectively, are subject to the CFTC’s jurisdiction. The CFTC’s system safeguards rules for SDRs, and those proposed for SEFs differ from those rules that the Commission is proposing in Regulation SCI. See 76 FR 54538 (September 1, 2011) (adopting 17 CFR part 49, Swap Data Repositories: Registration Standards, Duties and Core Principles, Effective October 31, 2011); 76 FR 1214 (January 7, 2011) (proposing 17 CFR part 37, Core Principles and Other Requirements for Swap Execution Facilities). For example, for SDRs, the CFTC requires same day recovery for ‘‘critical SDRs’’ whereas proposed Regulation SCI would require next business day recovery for trading services (and two-hour recovery for clearing and settlement services). See CFTC Rule 49.24.

186. The Commission seeks commenters’ views on all aspects of whether to propose to apply Regulation SCI to SB SDRs and/or SB SEFs, taking into account the possibility that any final Commission action on proposed Rules 13n–6 and 822 could occur prior to any final Commission action on proposed Regulation SCI. The Commission seeks commenters’ views on whether a proposal to extend the requirements of proposed Regulation SCI to SB SDRs and/or SB SEFs would be beneficial to help to promote the integrity, capacity, resiliency, availability, and security of their systems. The Commission notes that having comparable system safeguard requirements may be appropriate for SB SDRs and/or SB SEFs if, as noted above, the same types of concerns and issues that have resulted in the Commission previously publishing its ARP policy statements, developing its ARP Inspection Program, adopting certain aspects of the ARP policy statements under Regulation ATS, and, ultimately, proposing Regulation SCI, also apply to SB SDRs and/or SB SEFs.

187. The Commission is particularly interested in commenters’ views on the different benefits and costs associated with applying proposed Regulation SCI to SB SDRs and/or SB SEFs versus the costs and benefits of applying proposed Rules 13n–6 and 822 to SB SDRs and SB SEFs, respectively. In the SBS Proposing Releases, the Commission provided aggregate estimates of the costs of its proposed rules governing SB SDRs and SB SEFs.
The SB SDR Proposing Release provided an aggregate initial cost estimate of approximately $214,913,592 to be incurred by prospective SB SDRs and an aggregate ongoing annualized cost estimate of approximately $140,302,120, both of which estimates took account of proposed Rule 13n–6.324 Similarly, the SB SEF Proposing Release provided an aggregate initial cost estimate of approximately $41,692,900 and an aggregate ongoing annualized cost estimate of approximately $22,342,700 to be incurred by prospective SB SEFs, both of which estimates took account of proposed Rule 822.325

324 See SB SDR Proposing Release, supra note 297, at 77364. In the SB SDR Proposing Release, the Commission estimated that the paperwork burden associated with proposed Rule 13n–6 would come from preparing and implementing policies associated with SB SDR duties, data collection and maintenance, automated systems and direct electronic access, and from preparing reports and reviews. See id. at 77345–46. The Commission estimated that there would be up to 10 SB SDRs subject to the proposed SB SDR rules. See id. at 77355. Based on the information in the SB SDR Proposing Release, the Commission estimated that the aggregate burden on an estimated 10 SB SDRs to prepare and implement the policies and procedures under Rule 13n–6 would be 2100 hours along with 500 hours of outside legal services at $400 an hour, and that the aggregate annual burden on such SB SDRs to maintain such policies would be an additional 600 hours. See id. at 77349. Based on the information in the SB SDR Proposing Release, the Commission estimated that the annual aggregate burden on SB SDRs to promptly notify the Commission and submit a written description and analysis of outages and any remedial measures would be 154 hours and the aggregate annual burden on SB SDRs to notify the Commission of planned material system changes would be 1200 hours. See id. at 77349–50. The Commission estimated that the aggregate annual burden on SB SDRs to submit an objective review would be 8250 hours and $900,000. See id. at 77350.

325 See SB SEF Proposing Release, supra note 297, at 11034. In the SB SEF Proposing Release, the Commission estimated that the paperwork burden associated with Rule 822 would come from rule writing requirements under Rule 822(a)(1), and from reporting requirements under Rules 822(a)(2), 822(a)(3), and 822(a)(4). See id. at 11017–19. The Commission also estimated that there would be up to 20 SB SEFs subject to the proposed SB SEF rules. See id. at 11023. Based on the information in the SB SEF Proposing Release, the Commission estimated that the aggregate burden on an estimated 20 SB SEFs to draft rules to implement Rule 822 would be 200 hours, see id. at 11026, and that the aggregate annual burden on an estimated 20 SB SEFs to comply with the reporting requirements under Rule 822 would be 19,208 hours and $1,800,000. See id. at 11029.

If the Commission were to propose to apply Regulation SCI to SB SDRs and/or SB SEFs, it preliminarily believes that the initial potential costs of such application could differ from the costs to be incurred by SCI entities that currently participate in the ARP Inspection Program on a per entity basis, as described in Sections IV and V below. This is because prospective SB SDRs and prospective SB SEFs, unlike those entities, are not now subject to the ARP Inspection Program and its standards.326 However, the Commission preliminarily believes that the initial potential costs of such application to SB SDRs and SB SEFs, on a per entity basis, could be equivalent to those costs estimated below in Sections IV and V with respect to SCI entities that currently do not participate in the ARP Inspection Program. Further, as noted above, the SBS Releases have accounted for potential costs to be incurred by SB SDRs and SB SEFs in implementing the proposed system safeguard requirements in Rules 13n–6 and 822, respectively and, as discussed above, the requirements in proposed Regulation SCI could be incremental to those already proposed in Rules 13n–6 and 822. The Commission therefore preliminarily believes that, if it were to decide to propose to apply some or all of the requirements of proposed Regulation SCI to SB SDRs and/or SB SEFs, the costs of applying proposed Regulation SCI to SB SDRs and/or SB SEFs would be incremental to the costs associated with proposed Rules 13n–6 and 822.

326 As stated in the SB SDR Proposing Release, ‘‘[t]he Commission believes that persons currently operating as SDRs may have developed and implemented aspects of the proposed rules already,’’ and that ‘‘the Commission does not believe that the one-time cost of [enhancements to their information technology systems] will be significant.’’ See supra note 297, at 77358.

188. The Commission seeks commenters’ views regarding the prospective costs, as well as the potential benefits, of proposed Regulation SCI to SB SDRs and/or SB SEFs. Commenters should quantify the costs of applying proposed Regulation SCI to SB SDRs and/or SB SEFs, to the extent possible. As noted above, commenters are urged to address specifically each requirement of proposed Regulation SCI and note whether it would be reasonable to propose to apply each such requirement to SB SDRs and/or SB SEFs and what the benefits and costs of such application would be.

4.
Timing and Implementation Considerations

As noted above, the Commission has proposed rules providing a regulatory framework for SB SDRs and SB SEFs, but has not yet adopted final rules governing these entities. To date, the Commission has not received any comments with respect to the timing of the implementation of proposed Rule 13n–6 327 but has received one comment in connection with the timing of the implementation of proposed Rule 822.328

327 The Commission, however, has received comments that suggest a phase-in approach to the proposed SB SDR rules generally may be appropriate. These comments generally indicate that a phase-in approach would be necessary to enable existing swap data repositories and other market participants to make the necessary changes to their operations. See, e.g., Letter in response to a joint public roundtable conducted by Commission and CFTC staff on implementation issues raised by Title VII of the Dodd-Frank Act on May 2 and 3, 2011, from The Financial Services Roundtable, available on the Commission’s Web site at: https://www.sec.gov/comments/4-625/4625-1.pdf (stating that ‘‘it may be prudent to have different portions of a single rulemaking proposal take effect at different times and with due consideration of steps that are preconditions to other steps,’’ suggesting, as an example, that ‘‘a requirement to designate a CCO should be implemented quickly, but that the CCO be given time to design, implement, and test the compliance system before any requirement to certify as to the compliance system becomes effective’’ and supporting a phase-in approach ‘‘that recognizes the varying levels of sophistication, resources and scale of operations within a particular category of market participant’’).

328 See ISDA SIFMA SB SEF Letter at 12 (‘‘Many of the proposed rules will pose significant operational and administrative hurdles for market participants and SB SEFs. For example, the proposed rules have requirements for system safeguards that will require time and systems expertise to implement fully. We strongly suggest that SB SEFs be allowed to adopt the rules on a staged basis so that the basic functioning of the SB SEF and the market can be established before all requirements are imposed.’’). As with the proposed SB SDR rules, the Commission has received general comments suggesting that a phase-in approach for all SB SEF Rules may be generally appropriate. See, e.g., Thomson SB SEF Letter at 8 (stating that ‘‘in order to ensure the proper operation of these markets, it may be necessary for the SEC to adopt a phased-in approach and we would urge avoiding over-hasty rulemaking which could result in unintended consequences for the markets and the broader economy’’).

Although the Commission has issued a policy statement regarding the anticipated sequencing of the compliance dates of final rules to be adopted by the Commission for certain provisions of Title VII of the Dodd-Frank Act,329 the precise timing for adoption of or compliance with any final rules relating to SB SDRs or SB SEFs, or for adoption of or compliance with proposed Regulation SCI, is not known at this time. In addition, as the Title VII Implementation Policy Statement notes, any final rules for SB SDRs and SB SEFs potentially would be considered by the Commission at different times.330 As such, specifying the precise timing and ordering of the implementation of any requirements of proposed Regulation SCI, or Rules 13n–6 and 822, to SB SDRs and/or SB SEFs is difficult to predict, should the Commission determine to propose to apply some or all of the requirements of proposed Regulation SCI to SB SDRs and/or SB SEFs, or adopt Rules 13n–6 and 822 to SB SDRs and SB SEFs, respectively.

329 See Securities Exchange Act Release No. 67177 (June 11, 2012), 77 FR 35625 (June 14, 2012) (Statement of General Policy on the Sequencing of the Compliance Dates for Final Rules Applicable to Security-Based Swaps Adopted Pursuant to the Securities Exchange Act of 1934 and the Dodd-Frank Wall Street Reform and Consumer Protection Act) (‘‘Title VII Implementation Policy Statement’’).

330 See id. at 35629 (noting that the rules pertaining to the registration and regulation of SB SDRs are in the second category of rules, whereas the rules pertaining to the registration and regulation of SB SEFs are in the fifth category of rules).

189. Nonetheless, the Commission requests comment on what—if the Commission were to propose to apply some or all of the requirements of proposed Regulation SCI to SB SDRs and/or SB SEFs—would be the most appropriate way to implement such requirements for SB SDRs and/or SB SEFs. For example, should the Commission seek to implement such requirements for SB SDRs and/or SB SEFs within the same timeframe as those entities currently defined as SCI entities under the proposal? Alternatively, should the applicability of some or all of Regulation SCI to SB SDRs and/or SB SEFs be phased in over time? If so, what provisions of proposed Regulation SCI should be phased in and what would be an appropriate phase-in period? Should there be different phase-in schedules for different SB SDRs and/or SB SEFs? Why or why not? If yes, how would the SB SDRs and/or SB SEFs be selected for different phase-in schedules? Please be specific.

190.
Do commenters believe that, because the Commission’s actions to implement the regulatory framework for the SB swaps market are still in progress, the Commission should not propose to apply the requirements of Regulation SCI to SB SDRs and/or SB SEFs at the same time as SCI entities, but instead should adopt the system safeguard provisions of proposed Rules 13n–6 and 822 and reconsider such requirements in the future after the SB swaps market and the Commission’s regulation of such market and its participants has developed further? Why or why not? What would be the impact of this approach for SB SDRs and/or SB SEFs?

191. As discussed in the SBS Releases,331 the system safeguards requirements in proposed Rules 13n–6 and 822 have their origins in the Commission’s ARP standards. Though they differ in scope and detail, the provisions of proposed Regulation SCI likewise trace their origin to the Commission’s ARP standards.332 If the Commission were to adopt final rules for SB SDRs and/or SB SEFs before it were to adopt Regulation SCI, and if the Commission were to decide to propose to apply some or all of the requirements of proposed Regulation SCI to SB SDRs and/or SB SEFs, should the Commission require SB SDRs and/or SB SEFs to comply with the requirements of the system safeguards rules in proposed Rules 13n–6 and 822 333 first, and apply the requirements of Regulation SCI to SB SDRs and/or SB SEFs at a specific date in the future? If the Commission were to adopt Rules 13n–6 and 822 prior to adoption of proposed Regulation SCI, and if the Commission were to decide to propose to apply some or all of the requirements of proposed Regulation SCI to SB SDRs and/or SB SEFs, should the Commission delay implementation of Rules 13n–6 and 822 and instead request that SB SDRs and/or SB SEFs comply with the Commission’s voluntary ARP Inspection Program until such time as the Commission were to propose and adopt Regulation SCI for SB SDRs and SB SEFs?

331 See supra note 299 and accompanying text.

332 See supra notes 310–312 and accompanying text.

333 See supra notes 298–302 and accompanying text.

G. Solicitation of Comment Regarding Potential Inclusion of Broker-Dealers, Other than SCI ATSs, and Other Types of Entities

1. Policy Considerations

As discussed above, the requirements of proposed Regulation SCI would apply to national securities exchanges, registered securities associations, registered clearing agencies, the MSRB, SCI ATSs, plan processors, and exempt clearing agencies subject to ARP. They would not apply to other types of market participants, such as market makers or other broker-dealers. This proposed scope of the definition of SCI entity in part reflects the historical reach of the ARP policy statements (which apply, for example, to national securities exchanges) and existing Rule 301 of Regulation ATS (which applies systems safeguard requirements to certain ATSs).

Recent events have highlighted the significance of systems integrity of a broader set of market participants than those proposed to be included within the definition of SCI entity.334 Also, some broker-dealers have grown in size and importance to the market in recent years. For example, many orders are internalized by OTC market makers, one subset of broker-dealers, who handle a large portion of order flow in the market.335 The Commission recognizes that systems disruptions, systems compliance issues, and systems intrusions at broker-dealers, including for example OTC market makers and clearing broker-dealers, could pose a significant risk to the market. Such an occurrence could impact all orders being handled by a broker-dealer, which can be significant for larger broker-dealers. If a given broker-dealer handles a large portion of order flow and suddenly experiences a systems disruption or systems intrusion, the disruption or intrusion could cause ripple effects. For example, a systems issue at one broker-dealer could result in confusion about whether orders are handled correctly or whether the systems issue at the broker-dealer could have caused capacity issues elsewhere.336

334 For example, on August 1, 2012, Knight Capital Group, Inc. (‘‘Knight’’) reported that it ‘‘experienced a technology issue at the opening of trading at the NYSE * * * [which was] related to Knight’s installation of trading software and resulted in Knight sending numerous erroneous orders in NYSE-listed securities into the market * * *. Knight has traded out of its entire erroneous trade position, which has resulted in a realized pretax loss of approximately $440 million.’’ See Knight Capital Group Provides Update Regarding August 1st Disruption To Routing In NYSE-listed Securities (August 2, 2012), available at: https://www.knight.com/investorRelations/pressReleases.asp?compid=105070&releaseID=1721599. Among other things, Knight provides market making services in U.S. equities and U.S. options; institutional sales and trading services; electronic execution services; and corporate and other services. See Knight Operating Subsidiaries, available at: https://www.knight.com/ourFirm/operatingSubsidiaries.asp. Knight also operates two registered ATSs, Knight Match and Knight Bond Point. See Knight Match, available at: https://www.knight.com/electronicExecutionServices/knightMatch.asp; Knight BondPoint, available at: https://www.knight.com/electronicExecutionServices/knightBondpoint.asp; and Alternative Trading Systems Active Filers as of April 30, 2012, available at: https://www.sec.gov/foia/ats/atslist0412.pdf.

335 See Concept Release on Equity Market Structure, supra note 42, at 3600 (stating: ‘‘OTC market makers, for example, appear to handle a very large percentage of marketable (immediately executable) order flow of individual investors that is routed by retail brokerage firms. A review of the order routing disclosures required by Rule 606 of Regulation NMS of eight broker-dealers with significant retail customer accounts reveals that nearly 100% of their customer market orders are routed to OTC market makers.’’)

336 For example, if an e-market-maker handling 20 percent of message traffic experiences a systems issue, the order flow could be diverted elsewhere, including to entities that are unable to handle the increase in message traffic, resulting in a disruption to that entity’s systems as well. Similarly, a broker-dealer accidentally could run a test during live trading and flood markets with message traffic such that those markets hit their capacity limits, resulting in a disruption.

The Commission is not at this time proposing to include some classes of registered broker-dealers (other than SCI ATSs) in the definition of SCI entity. Were the Commission to decide to propose to apply the requirements of proposed Regulation SCI to such entities, the Commission would issue a separate release discussing such a proposal. Rule 15c3–5, requiring brokers or dealers with market access to implement risk management controls and supervisory procedures to limit risk, already seeks to address certain risks posed to the markets by broker-dealer systems. Specifically, in 2010 when the Commission adopted Rule 15c3–5 regarding risk management controls and supervisory procedures for brokers or dealers with market access,337 the Commission stated that ‘‘broker-dealers, as the entities through which access to markets is obtained, should implement effective controls reasonably designed to prevent errors or other inappropriate conduct from potentially causing a significant disruption to the markets’’ and that ‘‘risk management controls and supervisory procedures that are not applied on a pre-trade basis or that, with certain limited exceptions, are not under the exclusive control of the broker-dealer, are inadequate to effectively address the risks of market access arrangements, and pose a particularly significant vulnerability in the U.S. national market system.’’ 338

Pursuant to Rule 15c3–5, a broker or dealer with market access, or that provides a customer or any other person with access to an exchange or ATS through use of its market participant identifier or otherwise, must establish, document, and maintain a system of risk management controls and supervisory procedures reasonably designed to manage the financial, regulatory, and other risks of this business activity.339 Rule 15c3–5 also specifies the baseline standards for financial and regulatory risk management controls and supervisory procedures.340 The financial risk management controls and supervisory procedures must be reasonably designed to systematically limit the financial exposure of the broker or dealer that could arise as a result of market access.341 The regulatory risk management controls and supervisory procedures must be reasonably designed to ensure compliance with all regulatory requirements.342

337 See Securities Exchange Act Release No. 63241 (November 3, 2010), 75 FR 69792 (November 15, 2010) (‘‘Market Access Release’’). Rule 15c3–5(a)(1) defines ‘‘market access’’ to mean: (i) access to trading in securities on an exchange or ATS as a result of being a member or subscriber of the exchange or ATS, respectively; or (ii) access to trading in securities on an ATS provided by a broker-dealer operator of an ATS to a non-broker-dealer. See 17 CFR 240.15c3–5(a)(1). In adopting Rule 15c3–5(a)(1), the Commission stated that ‘‘the risks associated with market access * * * are present whenever a broker-dealer trades as a member of an exchange or subscriber to an ATS, whether for its own proprietary account or as agent for its customers, including traditional agency brokerage and through direct market access or sponsored access arrangements.’’ See Market Access Release at 69798. As such, the Commission stated that ‘‘to effectively address these risks, Rule 15c3–5 must apply broadly to all access to trading on an Exchange or ATS.’’ See id.

338 Id. at 69794.

339 See 17 CFR 240.15c3–5(b). Certain broker-dealers are exempt from some of the requirements under Rule 15c3–5. See id.

340 See 17 CFR 240.15c3–5(c).

341 See 17 CFR 240.15c3–5(c)(1).
Such financial risk management controls and supervisory procedures must be reasonably designed to: (i) Prevent the entry of orders that exceed appropriate pre-set credit or capital thresholds in the aggregate for each customer and the broker or dealer, and where appropriate, more finely-tuned by sector, security or otherwise by rejecting orders if such orders would exceed the applicable credit or capital thresholds; and (ii) prevent the entry of erroneous orders, by rejecting orders that exceed appropriate price or size parameters, on an order-by-order basis or over a short period of time, or that indicate duplicative orders. See 17 CFR 240.15c3–5(c)(1).

342 See 17 CFR 240.15c3–5(c)(2). Such regulatory risk management controls and supervisory procedures must be reasonably designed to: (i) Prevent the entry of orders unless there has been compliance with all regulatory requirements that must be satisfied on a pre-order entry basis; (ii) prevent the entry of orders for securities for a broker or dealer, customer, or other person if such person is restricted from trading those securities; (iii) restrict access to trading systems and technology that provide market access to persons and accounts pre-approved and authorized by the broker or dealer; and (iv) assure that appropriate surveillance personnel receive immediate post-trade execution reports that result from market access. See 17 CFR 240.15c3–5(c)(2).

Under the approach set out by Rule 15c3–5, broker-dealers with market access are responsible in the first instance for establishing and maintaining appropriate risk management controls, including with respect to their systems. Although Rule 15c3–5 takes a different and more limited approach with broker-dealers than proposed Regulation SCI does with SCI entities, the requirements in Rule 15c3–5 are designed to address some of the same concerns regarding systems integrity discussed in this proposal. As an example of reasonable risk control under Rule 15c3–5, the Commission stated, ‘‘a system-driven, pre-trade control designed to reject orders that are not reasonably related to the quoted price of the security would prevent erroneously entered orders from reaching the securities markets, * * * should lead to fewer broken trades and thereby enhance the integrity of trading on the securities markets.’’ 343

343 See Market Access Release, supra note 337, at 69794.

In light of recent events, however, the Commission believes that it is appropriate to consider whether some types or categories of broker-dealers other than SCI ATSs should also be subject to some or all of the additional system safeguard rules that are proposed for SCI entities. Such broker-dealers could include, for example, OTC market makers (either all or those that execute a significant volume of orders), exchange market makers (either all or those that trade a significant volume on exchanges), order entry firms that handle and route order flow for execution (either all or those that handle a significant volume of investor orders), clearing broker-dealers (either all or those that engage in a significant amount of clearing activities), and large multi-service broker-dealers that engage in a variety of order handling, trading, and clearing activities.

2. Request for Comment

192. As noted above, at this time, the Commission is not proposing to apply Regulation SCI to broker-dealers other than SCI ATSs or to other types of entities that are not covered by the definition of SCI entity. Were the Commission to decide to propose to apply the requirements of Regulation SCI to such entities, the Commission would issue a separate release discussing such a proposal. Nevertheless, the Commission is soliciting comment generally on whether it should apply the requirements of proposed Regulation SCI, in whole or in part, to such entities. Specifically:

193. What are the current practices of broker-dealers in relation to the requirements of proposed Regulation SCI? 344 Would the current practices of broker-dealers that provide market access and comply with Rule 15c3–5 change if they were also subject to proposed Regulation SCI? Why or why not? If so, how? Are there broker-dealers who do not provide the services that would require compliance with Rule 15c3–5? If so, how do the practices of those broker-dealers compare to the requirements of proposed Regulation SCI?

194. In Section VI.B.2 below, the Commission discusses potential market failures that may explain why market solutions cannot solve the problems that proposed Regulation SCI is intended to address. Does the market for broker-dealer services, including client services, market maker services, or market access services, suffer from market failures that limit the ability of the market to solve the issues that proposed Regulation SCI is intended to address?
For example, are broker-dealers’ clients able to easily switch broker-dealers, and how often do clients use more than one broker-dealer simultaneously (e.g., for redundancy in case of a problem at a given broker-dealer)? Are broker-dealers subject to more market discipline than SCI entities? Please explain. Conversely, does a lack of transparency regarding events like SCI events limit this market discipline? Why or why not?

195. Given the stated goals and purpose of proposed Regulation SCI and its various provisions,345 what are commenters’ views on whether the scope of the proposed rules should be expanded to cover broker-dealers, or certain categories of broker-dealers? For example, what are commenters’ views on the impact to overall market integrity or the protection of investors if an OTC market maker was no longer able to operate due to a systems disruption, systems compliance issue, or a systems intrusion? Or an exchange market maker? Or a clearing broker-dealer? What are commenters’ views on the importance of different categories of broker-dealers to the stability of the overall securities market infrastructure, in the context of requiring them to comply with the proposed rules, in light of the stated goals and purpose of Regulation SCI? What risks do the systems of broker-dealers pose on the securities markets?

344 As noted above, one ATS currently voluntarily participates in the ARP Inspection Program. See supra note 91.

345 See supra Section III.

196. If the Commission were to subsequently propose to apply some or all of the requirements of proposed Regulation SCI to some types or categories of broker-dealers (in addition to SCI ATSs), what types of broker-dealers should the requirements apply to and why?
Are there distinctions that should be made between different types of broker-dealers (e.g., OTC market makers, exchange market makers, order entry firms, clearing broker-dealers, and multi-service broker-dealers) for this purpose? If so, what are those distinctions and which requirements should apply?

197. The Commission notes that Roundtable panelists generally did not distinguish between national securities exchanges, ATSs, and different types of broker-dealers when addressing how to improve error prevention and error response strategies. Rather, Roundtable panelists and commenters referred more generally to ‘‘entities with market access’’ and/or ‘‘execution venues.’’ 346 In this regard, should the Commission consider expanding the application of Regulation SCI to all market centers, as that term is defined in Rule 600(b)(38) of Regulation NMS,347 which means any exchange market maker, OTC market maker, ATS, national securities exchange, or national securities association? 348 Why or why not? Would an expansion of proposed Regulation SCI to include all market centers (i.e., execution venues) inappropriately exclude the broader category of entities having market access? Why or why not? Alternatively, should the Commission consider applying the requirements of proposed Regulation SCI to (a) any registered market maker or (b) any broker-dealer that offers market access that, in either case, with respect to any NMS stock, has a specified percentage of average daily dollar volume? If so, what should such a percentage be? Would the levels applicable to SCI ATSs that trade NMS stocks under proposed Rule 1000(a) of Regulation SCI be appropriate for registered market makers, broker-dealers that offer market access, or other broker-dealers? Why or why not? If not, what should such a threshold be?

346 See, e.g., letter from Better Markets, supra note 74, arguing that regulators should encourage firms to adopt more robust software development practices and audit any firm with direct market access or require third-party certification and mandate minimum requirements for testing any application that has direct market access. In addition, the panelist from NYSE stated that common standards for technology deployment should apply across all execution venues.

347 17 CFR 242.600(b)(38).

348 Rule 600(b)(24) defines exchange market maker to mean any member of a national securities exchange that is registered as a specialist or market maker pursuant to the rules of such exchange, and Rule 600(b)(52) defines OTC market maker to mean any dealer that holds itself out as being willing to buy from and sell to its customers, or others, in the U.S., an NMS stock for its own account on a regular or continuous basis otherwise than on a national securities exchange in amounts of less than block size. See 17 CFR 242.600(b)(24) and 17 CFR 242.600(b)(52).

198. If the Commission were to propose to expand the scope of proposed Regulation SCI to a subset of broker-dealers, what are commenters’ views on whether, and if so, how, the various different proposed requirements of Regulation SCI should or should not apply to such entities?

199. If the Commission were to propose to expand the scope of proposed Regulation SCI to include a subset of broker-dealers, should the Commission require such broker-dealers to have written policies and procedures reasonably designed to ensure that their systems have levels of capacity, integrity, resiliency, availability, and security adequate to maintain their operational capability, and promote the maintenance of fair and orderly markets, as proposed in Rule 1000(b)(1) for SCI entities? Why or why not? Should SCI industry standards for broker-dealers be different from those proposed for SCI entities? If so, what are the standards that should apply to broker-dealers? Please be as specific as possible and explain why a particular standard would be appropriate.

200. Should the Commission require such broker-dealers to establish, maintain, and enforce policies and procedures reasonably designed to ensure that their systems operate in the manner intended, including in a manner that complies with federal securities laws and rules and regulations thereunder, as proposed in Rule 1000(b)(2)(i) for SCI entities? Why or why not? Should the Commission establish a safe harbor from liability for such broker-dealers and their respective employees if they satisfy the elements of a safe harbor, similar to those in proposed Rules 1000(b)(2)(ii) and (iii) for SCI entities and their employees? Why or why not?

201. Should the Commission require such broker-dealers, upon any of their responsible SCI personnel becoming aware of an SCI event, to begin to take appropriate corrective action including, at a minimum, mitigating potential harm to investors and market integrity resulting from the SCI event and devoting adequate resources to remedy the SCI event as soon as reasonably practicable, as proposed in Rule 1000(b)(3) for SCI entities? Why or why not?
Should such broker-dealers’ corrective action be triggered by something other than awareness of an SCI event? If so, what would be an appropriate trigger?

202. With regard to the reporting and information dissemination requirements for SCI entities in proposed Rules 1000(b)(4) and 1000(b)(5), would it be appropriate to require such broker-dealers to report all SCI events to the Commission, and disclose dissemination SCI events to their customers?

203. Should such broker-dealers be required to notify the Commission of material systems changes, as proposed in Rule 1000(b)(6) for SCI entities? Why or why not?

204. Should such broker-dealers be required to undertake an annual SCI review of their systems, as proposed in Rule 1000(b)(7) for SCI entities? Should such broker-dealers also be required to provide the Commission with reports regarding the SCI review and material systems changes, as proposed in Rule 1000(b)(8) for SCI entities? Why or why not?

205. Should such broker-dealers be required to submit any required notices, reports, and other information to the Commission on proposed new Form SCI? Why or why not?

206. Alternatively, should the Commission propose to require that each SCI SRO establish rules requiring that its members adopt written policies and procedures reasonably designed to ensure that their systems have levels of capacity, integrity, resiliency, availability, and security adequate to maintain their operational capability, and promote the maintenance of fair and orderly markets? Why or why not? Similarly, should the Commission propose to require that each SCI SRO establish rules requiring that its members adopt written policies and procedures reasonably designed to ensure that the systems of such members operate in the manner intended, including in a manner that complies with applicable federal securities laws and rules and regulations thereunder and the SCI SRO’s rules? Why or why not?
In either case, would such a proposal raise any competitive issues, such as between national securities exchanges and ATSs? 349

207. In addition, should the Commission consider including other entities in the definition of SCI entity (e.g., transfer agents), thus subjecting them to some or all of the requirements under proposed Regulation SCI? If yes, to which entities should some or all of proposed Regulation SCI apply and why? If not, why not? If commenters believe other types of entities should be included in the definition of SCI entity, should the Commission include all entities of a given type in the definition? Why or why not? If not, how should the Commission distinguish those entities that should be included (e.g., size, volume, types of services performed, etc.)? Please describe and be as specific as possible.

208. If the Commission were to subsequently propose and adopt a rule applying Regulation SCI to all or certain categories of broker-dealers or other entities, what are commenters’ views as to the type and scale of the costs of such application? Please explain. In addition, what are commenters’ views as to the potential impact on efficiency, competition, and capital formation of such application? Please explain.

IV. Paperwork Reduction Act

Certain provisions of the proposal contain ‘‘collection of information’’ requirements within the meaning of the Paperwork Reduction Act of 1995 (‘‘PRA’’) 350 and the Commission will submit them to the Office of Management and Budget (‘‘OMB’’) for review in accordance with 44 U.S.C. 3507 and 5 CFR 1320.11. The title of the new collection of information is Regulation Systems Compliance and Integrity. An agency may not conduct or sponsor, and a person is not required to respond to, a collection of information unless it displays a currently valid OMB control number.

A. Summary of Collection of Information

Proposed Regulation SCI would include four categories of obligations that would require a collection of information within the meaning of the PRA. Specifically, an SCI entity would be required to: (1) Establish specified written policies and procedures, and mandate participation by designated members or participants in certain testing of the SCI entity’s business continuity and disaster recovery plans; (2) provide certain notifications, disseminate certain information, and create reports; (3) take corrective actions, identify certain SCI events for which immediate Commission notification is required, and identify dissemination SCI events; and (4) comply with recordkeeping and access requirements relating to its compliance with proposed Regulation SCI.

349 The Commission notes that all broker-dealers are members of one or more SCI SROs (such as FINRA and/or a national securities exchange), while participants on ATSs may include non-broker-dealer market participants.

350 44 U.S.C. 3501 et seq.

1. Requirements To Establish Written Policies and Procedures and Mandate Participation in Certain Testing

Proposed Rules 1000(b)(1) and (b)(2) would require SCI entities to establish policies and procedures with respect to various matters. Proposed Rule 1000(b)(1) would require each SCI entity to establish, maintain, and enforce written policies and procedures reasonably designed to ensure that its SCI systems and, for purposes of security standards, SCI security systems, have levels of capacity, integrity, resiliency, availability, and security, adequate to maintain the SCI entity’s operational capability and promote the maintenance of fair and orderly markets.
Proposed Rule 1000(b)(1)(i) specifies that such policies and procedures would be required to include, at a minimum: (A) The establishment of reasonable current and future capacity planning estimates; (B) periodic capacity stress tests of such systems to determine their ability to process transactions in an accurate, timely, and efficient manner; (C) a program to review and keep current systems development and testing methodology for such systems; (D) regular reviews and testing of such systems, including backup systems, to identify vulnerabilities pertaining to internal and external threats, physical hazards, and natural or manmade disasters; (E) business continuity and disaster recovery plans that include maintaining backup and recovery capabilities sufficiently resilient and geographically diverse to ensure next business day resumption of trading and two-hour resumption of clearance and settlement services following a wide-scale disruption; and (F) standards that result in such systems being designed, developed, tested, maintained, operated, and surveilled in a manner that facilitates the successful collection, processing, and dissemination of market data. Proposed Rule 1000(b)(1)(ii) states that such policies and procedures would be deemed to be reasonably designed if they are consistent with current SCI industry standards, which would be required to be: (A) Comprised of information technology practices that are widely available for free to information technology professionals in the financial sector; and (B) issued by an authoritative body that is a U.S. governmental entity or agency, association of U.S. governmental entities or agencies, or widely recognized organization.
The proposed SCI industry standards contained in the publications identified on Table A are intended to serve as standards that SCI entities could use, if they so choose, to comply with the requirements of proposed Rule 1000(b)(1), though compliance with such SCI industry standards would not be the exclusive means to comply with the requirements of proposed Rule 1000(b)(1). Proposed Rule 1000(b)(2)(i) would require each SCI entity to establish, maintain, and enforce written policies and procedures reasonably designed to ensure that its SCI systems operate in the manner intended, including in a manner that complies with the federal securities laws and rules and regulations thereunder and the entity’s rules and governing documents, as applicable. An SCI entity would be deemed not to have violated proposed Rule 1000(b)(2)(i) if: (A) It has established and maintained policies and procedures reasonably designed to provide for: (1) testing of all such systems and any changes to such systems prior to implementation; (2) periodic testing of all such systems and any changes to such systems after their implementation; (3) a system of internal controls over changes to such systems; (4) ongoing monitoring of the functionality of such systems to detect whether they are operating in the manner intended; (5) assessments of SCI systems compliance performed by personnel familiar with applicable federal securities laws and rules and regulations thereunder and the SCI entity’s rules and governing documents, as applicable; and (6) review by regulatory personnel of SCI systems design, changes, testing, and controls to prevent, detect, and address actions that do not comply with applicable federal securities laws and rules and regulations thereunder and the SCI entity’s rules and governing documents, as applicable; (B) the SCI entity has established and maintained a system for applying such policies and procedures which would reasonably be expected to prevent and detect, insofar as 
practicable, any violation of such policies and procedures by the SCI entity or any person employed by the SCI entity; and (C) the SCI entity: has reasonably discharged the duties and obligations incumbent upon it by such policies and procedures; and was without reasonable cause to believe that such policies and procedures were not being complied with in any material respect.

Further, pursuant to proposed Rule 1000(b)(2)(iii), a person employed by an SCI entity would be deemed not to have aided, abetted, counseled, commanded, caused, induced, or procured the violation by any other person of proposed Rule 1000(b)(2)(i) if the person employed by the SCI entity: (A) Has reasonably discharged the duties and obligations incumbent upon such person by such policies and procedures; and (B) was without reasonable cause to believe that such policies and procedures were not being complied with in any material respect.

Proposed Rule 1000(b)(9)(i) would require an SCI entity, with respect to its business continuity and disaster recovery plans, including its backup systems, to require participation by designated members or participants in scheduled functional and performance testing of the operation of such plans in the manner and frequency as specified by the SCI entity, at least once every 12 months (e.g., for SCI SROs, by submitting proposed rule changes under Section 19(b) of the Exchange Act; for SCI ATSs, by revising membership or subscriber agreements and internal procedures; for plan processors, through an amendment to an SCI Plan under Rule 608 of Regulation NMS; and, for exempt clearing agencies subject to ARP, by revising participant agreements and internal procedures).
Proposed Rule 1000(b)(9)(ii) would further require an SCI entity to coordinate such required testing on an industry- or sector-wide basis with other SCI entities. Proposed Rule 1000(b)(9)(iii) would require an SCI entity to designate members or participants it deems necessary, for the maintenance of fair and orderly markets in the event of the activation of its business continuity and disaster recovery plans, to participate in the testing of such plans. It would also require the SCI entity to notify and update the Commission of its designations and standards for designation, and promptly update such notification after any changes to its designations or standards.

2. Notice, Dissemination, and Reporting Requirements for SCI Entities

A number of proposed rules under Regulation SCI would require SCI entities to notify or report information to the Commission, or disseminate information to their members or participants. Proposed Rules 1000(b)(4), (b)(5), (b)(6), (b)(7), and (b)(8) each contain a notification, dissemination, or reporting requirement.

Proposed Rule 1000(b)(4) would require notice of SCI events to the Commission. Proposed Rule 1000(b)(4)(i) would require an SCI entity to notify the Commission upon any responsible SCI personnel becoming aware of a systems disruption that the SCI entity reasonably estimates would have a material impact on its operations or on market participants, any systems compliance issue, or any systems intrusion.
Proposed Rule 1000(b)(4)(ii) would require an SCI entity, within 24 hours of any responsible SCI personnel becoming aware of any SCI event, to submit a written notification to the Commission on Form SCI pertaining to such SCI event.351 Proposed Rule 1000(b)(4)(iv)(A) would specify that, for a notification made pursuant to proposed Rule 1000(b)(4)(ii), an SCI entity must include all pertinent information known about the SCI event, including: a detailed description of the SCI event; the SCI entity’s current assessment of the types and number of market participants potentially affected by the SCI event; the potential impact of the SCI event on the market; and the SCI entity’s current assessment of the SCI event, including a discussion of the determination of whether the SCI event is a dissemination SCI event or not. In addition, to the extent available as of the time of the initial notification, the notification would be required to include: a description of the steps the SCI entity is taking, or plans to take, with respect to the SCI event; the time the SCI event was resolved or timeframe within which the SCI event is expected to be resolved; a description of the SCI entity’s rule(s) and/or governing document(s), as applicable, that relate to the SCI event; and an analysis of the parties that may have experienced a loss, whether monetary or otherwise, due to the SCI event, the number of such parties, and an estimate of the aggregate amount of such loss. Further, for a written notification to the Commission of an SCI event under proposed Rule 1000(b)(4)(ii), an SCI entity would be required to attach a copy of any information disseminated to date regarding the SCI event to its members or participants or on the SCI entity’s publicly available Web site.

351 For a written notification to the Commission of an SCI event under proposed Rule 1000(b)(4)(ii), new proposed Form SCI would require that an SCI entity indicate that the filing is being made pursuant to Rule 1000(b)(4)(ii) and provide the following information in a short, standardized format: (i) Whether the filing is a Rule 1000(b)(4)(ii) notification or Rule 1000(b)(4)(iii) update of an SCI event; (ii) the SCI event type(s) (i.e., systems compliance issue, systems intrusion, and/or systems disruption); (iii) whether the event is a systems disruption that the SCI entity reasonably estimates would have a material impact on its operations or on market participants; (iv) if so, whether the Commission has been notified of the SCI event; (v) whether the SCI event has been resolved; (vi) the date/time the SCI event started; (vii) the duration of the SCI event; (viii) the date and time when responsible SCI personnel became aware of the SCI event; (ix) the estimated number of market participants impacted by the SCI event; (x) the type(s) of systems impacted; and (xi) if applicable, the type of systems disruption.

Proposed Rule 1000(b)(4)(iii) would require an SCI entity to submit written updates on Form SCI pertaining to an SCI event to the Commission on a regular basis, or at such frequency as reasonably requested by a representative of the Commission, until such time as the SCI event is resolved. Proposed Rule 1000(b)(4)(iv)(B) specifies that, for a notification made pursuant to proposed Rule 1000(b)(4)(iii), the SCI entity would be required to update any information previously provided regarding an SCI event, including any information under proposed Rule 1000(b)(4)(iv)(A)(2) that was not available at the time of submission of a notification under proposed Rule 1000(b)(4)(ii). Further, for a written notification to the Commission of an SCI event under proposed Rule 1000(b)(4)(iii), an SCI entity would be required to attach a copy of any information disseminated to date regarding the SCI event to its members or participants or on the SCI entity’s publicly available Web site.
Proposed Rule 1000(b)(5) would require dissemination to members or participants of dissemination SCI events and specify the nature and timing of such required dissemination, with limited exceptions for dissemination SCI events that are systems intrusions, as discussed further below.352 Proposed Rule 1000(b)(5)(i)(A) would require that an SCI entity, promptly after any responsible SCI personnel becomes aware of a dissemination SCI event, disseminate to its members or participants the following information about such SCI event: (1) The systems affected by the SCI event; and (2) a summary description of the SCI event. In addition, proposed Rule 1000(b)(5)(i)(B) would require an SCI entity to, when known, further disseminate to its members or participants: (1) a detailed description of the SCI event; (2) the SCI entity’s current assessment of the types and number of market participants potentially affected by the SCI event; and (3) a description of the progress of its corrective action for the SCI event and when the SCI event has been or is expected to be resolved. Proposed Rule 1000(b)(5)(i)(C) would further require that an SCI entity provide regular updates to members or participants on any of the information required to be disseminated under proposed Rules 1000(b)(5)(i)(A) and (i)(B).

352 As discussed above, the Commission proposes that the term ‘‘dissemination SCI event’’ be defined as ‘‘an SCI event that is a: (1) Systems compliance issue; (2) systems intrusion; or (3) systems disruption that results, or the SCI entity reasonably estimates would result, in significant harm or loss to market participants.’’ See supra Section III.B.4.d.
Proposed Rule 1000(b)(5)(ii) would provide a limited exception to the proposed requirement of prompt dissemination to members or participants of information regarding dissemination SCI events for systems intrusion. Proposed Rule 1000(b)(5)(ii) would require an SCI entity, promptly after any responsible SCI personnel becomes aware of a systems intrusion, to disseminate to its members or participants a summary description of the systems intrusion, including a description of the corrective action taken by the SCI entity and when the systems intrusion has been or is expected to be resolved, unless the SCI entity determines that dissemination of such information would likely compromise the security of the SCI entity’s SCI systems or SCI security systems, or an investigation of the systems intrusion, and documents the reasons for such determination.

Proposed Rule 1000(b)(6) would require an SCI entity, absent exigent circumstances, to notify the Commission on Form SCI at least 30 calendar days before implementation of any planned material systems change, including a description of the planned material systems change as well as the expected dates of commencement and completion of implementation of such change. If exigent circumstances exist, or if the information previously provided to the Commission regarding any material systems change has become materially inaccurate, an SCI entity would instead be required to notify the Commission, either orally or in writing on Form SCI, with any oral notification to be memorialized within 24 hours after such oral notification by a written notification, as early as reasonably practicable.353

353 Form SCI would require an SCI entity to provide the date of the planned change. The SCI entity must also specify whether exigent circumstances exist, or if the information previously provided to the Commission regarding any material systems change has become materially inaccurate, and if so, whether the Commission has been orally notified. Further, the notification must include an Exhibit 4.

Proposed Rule 1000(b)(7) would require an SCI entity to conduct an SCI review of the entity’s compliance with Regulation SCI not less than once each calendar year, and to submit a report of the SCI review to senior management of the SCI entity for review no more than 30 calendar days after completion of such SCI review.

Proposed Rule 1000(b)(8) contains two reporting requirements. Specifically, proposed Rule 1000(b)(8) would require an SCI entity to submit as an attachment to Form SCI: (i) A report of the SCI review required by proposed Rule 1000(b)(7), together with any response by senior management, within 60 calendar days after its submission to senior management of the SCI entity; 354 and (ii) a report within 30 calendar days after the end of June and December of each year, containing a summary description of the progress of any material systems change during the six-month period ending on June 30 or December 31, as the case may be, and the date or expected date of completion of implementation of such change.355

3. Requirements To Take Corrective Actions, Identify Immediate Notification SCI Events, and Identify Dissemination SCI Events

Proposed Rule 1000(b)(3) would require an SCI entity, upon any responsible SCI personnel becoming aware of an SCI event, to begin to take appropriate corrective action which would be required to include, at a minimum, mitigating potential harm to investors and market integrity resulting from the SCI event and devoting adequate resources to remedy the SCI event as soon as reasonably practicable. Given these requirements of proposed Rule 1000(b)(3), SCI entities would likely work to develop a process for ensuring that they are prepared to comply with the corrective action requirement and would likely also periodically review this process.
In addition, proposed Rule 1000(a) would define a ‘‘dissemination SCI event’’ to mean an SCI event that is a: (1) Systems compliance issue; (2) systems intrusion; or (3) systems disruption that results, or the SCI entity reasonably estimates would result, in significant harm or loss to market participants. Under the proposed Commission notification and member or participant dissemination requirements of proposed Rules 1000(b)(4) and (b)(5), when an SCI event occurs, an SCI entity must determine whether an SCI event is an immediate notification SCI event or a dissemination SCI event. As such, SCI entities would likely work to develop a process for ensuring that they are able to make determinations regarding the nature of the SCI event quickly and accurately, and periodically review this process.

354 This report would be required to be submitted as Exhibit 5 to Form SCI.

355 This report would be required to be submitted as Exhibit 6 to Form SCI.

4. Recordkeeping Requirements

Proposed Rule 1000(c) would set forth recordkeeping requirements for SCI entities. Under proposed Rule 1000(c)(1), SCI SROs would be required to make, keep, and preserve all documents relating to their compliance with Regulation SCI as prescribed in Rule 17a–1 under the Exchange Act. Under proposed Rule 1000(c)(2), each SCI entity that is not an SCI SRO would be required to make, keep, and preserve at least one copy of all documents, including correspondence, memoranda, papers, books, notices, accounts, and other such records, relating to its compliance with Regulation SCI including, but not limited to, records relating to any changes to its SCI systems and SCI security systems, for a period of not less than five years, the first two years in a place that is readily accessible to the Commission or its representatives for inspection and examination.
Upon request of any representative of the Commission, such SCI entities would be required to promptly furnish to the possession of such representative copies of any documents required to be kept and preserved by it under proposed Rule 1000(c)(2). Under proposed Rule 1000(c)(3), upon or immediately prior to ceasing to do business or ceasing to be registered under the Exchange Act, an SCI entity must take all necessary action to ensure that the records required to be made, kept, and preserved by this section will be accessible to the Commission and its representatives in the manner required by proposed Rule 1000(c) and for the remainder of the period required by proposed Rule 1000(c). In addition, proposed Rule 1000(e) would provide that, if the records required to be filed or kept by an SCI entity under proposed Regulation SCI are prepared or maintained by a service bureau or other recordkeeping service on behalf of the SCI entity, the SCI entity would be required to ensure that the records are available for review by the Commission and its representatives by submitting a written undertaking, in a form acceptable to the Commission, by such service bureau or other recordkeeping service and signed by a duly authorized person at such service bureau or other recordkeeping service.
B. Proposed Use of Information
1. Requirements To Establish Written Policies and Procedures and Mandate Participation in Certain Testing
The proposed requirements that SCI entities establish certain written policies and procedures with respect to their systems, and that they require designated members or participants to participate in the testing of their business continuity and disaster recovery plans, would further the goals of the national market system and reinforce Exchange Act obligations by requiring entities important to the functioning of the U.S. securities markets to carefully design, develop, test, maintain, and surveil systems integral to their operations, and operate them in compliance with relevant federal securities laws and the rules and regulations thereunder, as well as their own rules and policies.
2. Notification, Dissemination, and Reporting Requirements for SCI Entities
The information that would be collected pursuant to the proposed requirements for notifications, disseminations of information, and reports would assist the Commission in its oversight of SCI entities and the securities markets, help ensure the orderly operation of the U.S. securities markets, and help protect investors and the public interest. In particular, the proposed requirements that SCI entities notify the Commission of all SCI events, disseminate information to members or participants, undertake and submit to the Commission an SCI review not less than once each calendar year, and submit reports of material systems changes are designed to help ensure compliance with the other provisions of proposed Regulation SCI and accountability of SCI entities in the event of systems problems. Further, the Commission preliminarily believes that the member or participant information dissemination requirement for dissemination SCI events would make members or participants aware that their trading activity might have been or might be impacted by the occurrence of a dissemination SCI event, so that they could consider that information in making trading decisions, seeking corrective action, or pursuing remedies, among other things. The Commission also preliminarily believes that the prospect of disseminating information regarding dissemination SCI events to members or participants would provide an incentive for SCI entities to better focus on improving the integrity and compliance of their systems.
3. Requirements To Take Corrective Actions, Identify Immediate Notification Events, and Identify Dissemination SCI Events
The proposed requirement that SCI entities begin to take appropriate corrective action upon any responsible SCI personnel becoming aware of an SCI event would help ensure that SCI entities dedicate adequate resources to timely address an SCI event and place an emphasis on mitigating potential harm to investors and market integrity. The proposed threshold for notification of certain SCI events to the Commission under proposed Rule 1000(b)(4)(i) would help ensure that the Commission is made aware of significant SCI events when any responsible SCI personnel becomes aware of such events. The proposed definition of dissemination SCI event would help ensure potentially impacted members or participants have basic information about SCI events so that they might be able to better assess whether they should use the services of an SCI entity.356
5. Recordkeeping Requirements
The proposed recordkeeping requirements in Rules 1000(c) and (e) would assist Commission staff during an examination of an SCI entity to assess its compliance with the proposed rules. In addition, access to the records of SCI entities would help Commission staff to carry out its oversight responsibilities of SCI entities and the securities markets. Further, the proposed recordkeeping requirements would aid SCI entities and the Commission in documenting, reviewing, and correcting any SCI event, as well as in identifying market participants that may have been harmed by such an event.
C. Respondents
The “collection of information” requirements contained in proposed Regulation SCI would apply to SCI entities, as described below.
Currently, there are 26 entities that would satisfy the proposed definition of SCI SRO,357 15 entities that would satisfy the proposed definition of SCI ATS,358 2 entities that would satisfy the definition of plan processor,359 and 1 entity that would meet the definition of exempt clearing agency subject to ARP.360 Accordingly, the Commission estimates that there are currently 44 entities that would meet the definition of SCI entity and be subject to the collection of information requirements of proposed Regulation SCI. The Commission requests comment on the accuracy of these estimated figures.
356 See infra Section III.B.3.d (discussing the threshold for dissemination SCI events).
357 See supra notes 93–96 and accompanying text (listing 17 registered national securities exchanges, 7 registered clearing agencies, FINRA, and the MSRB).
358 See supra Section III.B.1.
359 See supra note 565.
D. Total Initial and Annual Reporting and Recordkeeping Burdens
As discussed above, all of the national securities exchanges, national securities associations, registered clearing agencies, and plan processors currently participate on a voluntary basis in the ARP Inspection Program.361 Under the ARP Inspection Program, Commission staff conducts on-site inspections and attends periodic technology briefings by staff of these entities, generally covering systems capacity and testing, review of systems vulnerability, review of planned systems development, and business continuity planning.362 In addition, Commission staff monitors systems failures and planned major systems changes at these entities.363 Under proposed Regulation SCI, many of the principles of the ARP policy statements with which SCI SROs are familiar would be codified.
However, because the proposed regulation would have a broader scope than the current ARP Inspection Program and would impose mandatory recordkeeping obligations on entities subject to the rules,364 proposed Regulation SCI would impose paperwork burdens on all SCI entities. The Commission’s total burden estimates reflect the total burdens on all SCI entities, taking into account the extent to which some SCI entities already comply with some of the proposed requirements of Regulation SCI. As discussed below, the Commission preliminarily believes that the extent of these burdens will vary for different types of SCI entities. The Commission notes that the hour figures set forth in this section are the Commission’s preliminary best estimate of the paperwork burden for compliance with proposed Regulation SCI based on a variety of sources, including the Commission’s experience with the current ARP Inspection Program and other similar estimated burdens for analogous rulemakings. However, the Commission recognizes that commenters may have other informed views of the actual burdens that would be imposed by these requirements and thus, the Commission solicits comment on the appropriateness and accuracy of each of the estimated burdens below.
360 See supra note 133 and accompanying text.
361 See supra Section I.A.
362 See id.
363 See id.
364 As discussed more fully in supra Section III.D and infra Section IV.D.4, SCI SROs are already subject to existing recordkeeping and retention requirements under Rule 17a–1 and thus the Commission believes that the proposed recordkeeping obligations would not impose any new burden on SCI SROs that is not already accounted for in the burden estimates for Rule 17a–1.
1. Requirements To Establish Written Policies and Procedures and Mandate Participation in Certain Testing
The proposed rules that would require an SCI entity to establish policies and procedures and to mandate member or participant participation in business continuity and disaster recovery plans testing are discussed more fully in Section III.C above.
a. Policies and Procedures Required by Proposed Rule 1000(b)(1)
The Commission preliminarily estimates that an SCI entity that has not previously participated in the ARP Inspection Program would require an average of 210 burden hours to develop and draft policies and procedures reasonably designed to ensure that its SCI systems and, for purposes of security standards, SCI security systems, have levels of capacity, integrity, resiliency, availability, and security adequate to maintain the SCI entity’s operational capability and promote the maintenance of fair and orderly markets, as proposed to be required by Rule 1000(b)(1) of Regulation SCI (except for policies and procedures for standards that result in such systems being designed, developed, tested, maintained, operated, and surveilled in a manner that facilitates the successful collection, processing, and dissemination of market data, which are addressed separately).365 The estimated 210 hours required for such entities would include the time expended to draft relevant policies and procedures and the time expended for review of the draft policies and procedures by the SCI
365 This estimate is based on the Commission’s experience with the ARP Inspection Program and its preliminary estimate in the SB SDR Proposing Release for a similar requirement. See SB SDR Proposing Release, supra note 297, at 77349 (estimating the number of hours it would take to draft policies and procedures reasonably designed to ensure that the SDR’s systems provide adequate levels of capacity, resiliency, and security).
This estimate is for the number of hours an SCI entity would require over and above the usual and customary amount of time it would devote to developing policies and procedures designed to ensure its systems’ capacity, integrity, resiliency, availability, and security. These estimated burdens may vary depending on an SCI entity’s business and regulatory responsibilities.
entity’s management. The Commission preliminarily believes that all SCI entities 366 would conduct this work internally.367 For SCI entities that currently participate in the ARP Inspection Program (29 entities, nearly all of which are SCI SROs 368), the Commission preliminarily believes that in developing their policies and procedures, these entities would be starting from a baseline of fifty percent, and therefore the average paperwork burden of developing the proposed policies and procedures would be 105 burden hours.369 The Commission preliminarily believes that a fifty percent baseline for SCI entities that participate in the ARP Inspection Program is appropriate because, although these entities already have substantial policies and procedures in place, proposed Rule 1000(b)(1) would require these entities to devote substantial time to reviewing and revising their existing policies and procedures to ensure that they are sufficiently robust in the context of a new and expanded regulatory regime. The Commission preliminarily believes that these entities would conduct this work internally.370 With regard to the proposed requirement in Rule 1000(b)(1) that an SCI entity’s policies and procedures include standards that result in such systems being designed, developed, tested, maintained, operated, and surveilled in a manner that facilitates
366 The Commission estimates that there are 44 SCI entities. Of these, 29 entities currently participate in the ARP Inspection Program and 15 do not.
Because the MSRB is not currently a participant in the ARP Inspection Program, the estimated burden hours for the MSRB to develop policies and procedures as required by proposed Rule 1000(b)(1) (except for policies and procedures for standards that result in such systems being designed, developed, tested, maintained, operated, and surveilled in a manner that facilitates the successful collection, processing, and dissemination of market data) is 210 hours, which is higher than the number estimated for all other SCI SROs that currently participate in the ARP Inspection Program, as discussed below.
367 But see infra Section IV.D.6, requesting comment on whether some SCI entities, particularly those that do not currently participate in the ARP Inspection Program, would seek to outsource this work and what the cost to outsource this work would be.
368 17 registered national securities exchanges + 7 registered clearing agencies + 1 national securities association + 2 plan processors + 1 exempt clearing agency subject to ARP + 1 ATS = 29 entities.
369 In establishing this baseline estimate, the Commission has considered what the entities do today; that is, in the absence of the proposed rule.
370 But see infra Section IV.D.6, requesting comment on whether some SCI entities, particularly those that do not currently participate in the ARP Inspection Program, would seek to outsource this work and what the cost to outsource this work would be.
the successful collection, processing, and dissemination of market data, the Commission preliminarily estimates that each SCI entity would spend an average of 130 hours annually to comply with this requirement.371 As this proposed requirement is not currently addressed by the ARP Inspection Program, the Commission preliminarily estimates that the total initial and ongoing burden would be the same for all SCI entities and SCI entities would conduct this work internally.372 As noted above, the Commission preliminarily believes that SCI entities would handle internally most of the work associated with establishing, maintaining, and enforcing written policies and procedures as proposed to be required by Rule 1000(b)(1). However, based on its experience with the ARP Inspection Program, the Commission preliminarily believes that SCI entities also would seek outside legal and/or consulting services in the initial preparation of such policies and procedures, and that the average cost of such outside legal and/or consulting advice would be $20,000 per respondent,373 for a total of $880,000 for all respondents.374 As noted above, the Commission preliminarily estimates that the average initial number of burden hours per respondent to comply with proposed Rule 1000(b)(1) (except for policies and procedures for standards that result in such systems being designed, developed, tested, maintained, operated, and surveilled in a manner that facilitates the successful collection, processing, and dissemination of market data) would be 105 hours for SCI entities that are current ARP Inspection Program participants and 210 hours for SCI entities that are not current ARP
371 This estimate is based on the Commission’s experience with the ARP Inspection Program, and includes the time necessary to program systems to meet the proposed standard.
372 But see infra Section IV.D.6, requesting comment on whether some SCI entities, particularly those that do not currently participate in the ARP Inspection Program, would seek to outsource this work and what the cost to outsource this work would be.
373 This estimate is based on the Commission’s experience with the ARP Inspection Program, as well as industry sources. In addition, the Commission has considered its estimate of the cost burden under Regulation SDR in connection with the establishment of certain policies and procedures. See SB SDR Proposing Release, supra note 297, at 77349 (preliminarily estimating that it would cost $100,000 to establish, maintain, and enforce five sets of written policies and procedures, one of which requires policies and procedures reasonably designed to ensure that the SDR’s systems provide adequate levels of capacity, resiliency, and security).
374 ($20,000 outside legal cost) × (44 SCI entities) = $880,000.
Inspection Program participants, for a total of 6,195 hours.375 In addition, the Commission preliminarily estimates that the average initial number of burden hours per respondent to comply with the requirement for policies and procedures for standards that result in such systems being designed, developed, tested, maintained, operated, and surveilled in a manner that facilitates the successful collection, processing, and dissemination of market data would be 130 hours for a total of 5,720 hours for all respondents.376 The Commission preliminarily estimates that, once an SCI entity has drafted the policies and procedures proposed to be required by Rule 1000(b)(1) (except for policies and procedures for standards that result in such systems being designed, developed, tested, maintained, operated, and surveilled in a manner that facilitates the successful collection, processing, and dissemination of market data), it would spend on average approximately 60 hours annually to review its written policies and procedures to ensure that they are up-to-date and to prepare any necessary new or amended policies and procedures.377 Using a fifty percent baseline for SCI entities that participate in the ARP Inspection Program and therefore currently review and revise policies and procedures from time to time, the Commission preliminarily estimates that the total annual ongoing burden to comply with proposed Rule
375 The Commission preliminarily believes that an Attorney and a Compliance Manager working in collaboration would develop and draft the required policies and procedures, assisted by, and in consultation with, Senior Systems Analysts and Operational Specialists.
Thus, the Commission estimates: (Compliance Manager (including Senior Management Review) at 80 hours + Attorney at 80 hours + Senior Systems Analyst at 25 hours + Operations Specialist at 25 hours) × (15 potential respondents) + (Compliance Manager (including Senior Management Review) at 40 hours + Attorney at 40 hours + Senior Systems Analyst at 12.5 hours + Operations Specialist at 12.5 hours) × (29 potential respondents) = 6,195 burden hours.
376 Based on its experience with the ARP Inspection Program, the Commission estimates: (Compliance Attorney at 30 hours + Senior Systems Analyst at 100 hours) × (44 potential respondents) = 5,720 burden hours.
377 This estimate is based on the Commission’s experience with the ARP Inspection Program. The Commission has also considered its preliminary estimate in the SB SDR Proposing Release for a similar requirement. See SB SDR Proposing Release, supra note 297, at 77349 (estimating the ongoing burden associated with maintaining policies and procedures reasonably designed to ensure that the SDR’s systems provide adequate levels of capacity, resiliency, and security). This estimate is for the number of hours an SCI entity would require over and above the usual and customary amount of time it would devote to maintaining policies and procedures designed to ensure its systems’ capacity, integrity, resiliency, availability, and security.
1000(b)(1) (except for policies and procedures for standards that result in such systems being designed, developed, tested, maintained, operated, and surveilled in a manner that facilitates the successful collection, processing, and dissemination of market data) would be 30 hours per respondent for this group of respondents.
The Commission therefore estimates the ongoing burden to comply with proposed Rule 1000(b)(1) (except for policies and procedures for standards that result in such systems being designed, developed, tested, maintained, operated, and surveilled in a manner that facilitates the successful collection, processing, and dissemination of market data) to be 870 hours 378 for SCI entities that are current ARP Inspection Program participants and 900 hours 379 for SCI entities that are not ARP Inspection Program participants, for a total of 1,770 hours for all respondents.380 As noted above, the Commission preliminarily estimates that the average ongoing number of burden hours per respondent to comply with the proposed requirement for policies and procedures for standards that result in such systems being designed, developed, tested, maintained, operated, and surveilled in a manner that facilitates the successful collection, processing, and dissemination of market data would be 130 hours for each respondent, for a total of 5,720 hours for all respondents.381 The Commission preliminarily believes that the work associated with updating the policies and procedures proposed to be required by proposed Rule 1000(b)(1) would be done internally.382
b. Policies and Procedures Required by Proposed Rule 1000(b)(2)
With regard to proposed Rule 1000(b)(2)(i), which would require each SCI entity to establish, maintain, and
378 (Compliance Manager at 15 hours + Attorney at 15 hours) × (29 potential respondents currently participating in the ARP Inspection Program) = 870 hours.
379 (Compliance Manager at 30 hours + Attorney at 30 hours) × (15 potential respondents not currently participating in the ARP Inspection Program) = 900 hours.
380 870 hours for SCI entities that are current ARP Inspection Program participants + 900 hours for SCI entities that are not current ARP Inspection Program participants = 1,770 burden hours.
381 (Compliance Attorney at 30 hours + Senior Systems Analyst at 100 hours) × (44 potential respondents) = 5,720 burden hours.
382 But see infra Section IV.D.6, requesting comment on whether some SCI entities, particularly those that do not currently participate in the ARP Inspection Program, would seek to outsource this work and what the cost to outsource this work would be.
enforce written policies and procedures reasonably designed to ensure that its SCI systems operate in the manner intended, including in a manner that complies with the federal securities laws and rules and regulations thereunder and, as applicable, the entity’s rules and governing documents, the Commission preliminarily believes that each SCI entity would elect to comply with the safe harbor provisions in proposed Rules 1000(b)(2)(ii) and (iii), and preliminarily estimates that each SCI entity would initially spend approximately 180 hours to design their policies and procedures accordingly.
This estimate would include the time necessary to review and revise any existing policies and procedures to ensure that they satisfy the proposed safe harbor provisions, and the Commission preliminarily believes this estimate would be the same for all SCI entities.383 Therefore, the Commission preliminarily estimates that proposed Rule 1000(b)(2) would carry an initial one-time burden of 180 hours per respondent, for a total initial one-time burden of 7,920 hours for all respondents.384 The Commission also preliminarily estimates that each SCI entity that is an SRO would spend approximately 120 hours annually to review these written policies and procedures to ensure that they are up-to-date and to prepare any necessary new or amended policies and procedures, and that other types of SCI entities would spend approximately 60 hours to do this work.385 Therefore, the
383 This estimate is based on the Commission’s experience with the ARP Inspection Program and OCIE examinations, which review policies and procedures of registered entities in conjunction with examinations of such entities for compliance with the federal securities laws. Although not currently explicitly required under the existing ARP Inspection Program or other laws or regulations, the Commission expects that most, if not all, SCI entities already voluntarily have certain policies and procedures in place as part of good business management and oversight to ensure that their SCI systems operate in the manner intended. However, proposed Rule 1000(b)(2)(i) would set forth specific new requirements with respect to such policies and procedures, and proposed Rules 1000(b)(2)(ii) and (iii) would specify how an SCI entity and its employees could satisfy the new requirement through safe harbors.
Because proposed Rule 1000(b)(2)(i) has no analogue in the ARP Inspection Program and would create a new requirement for all SCI entities, for purposes of the PRA, the Commission preliminarily estimates that all SCI entities would elect to comply with the proposed safe harbor of proposed Rule 1000(b)(2)(ii) and be subject to the same initial burden to ensure that their policies and procedures satisfy the requirements of the proposed safe harbor.
384 Based on its experience with OCIE examinations and the ARP Inspection Program, the Commission estimates: (Compliance Attorney at 30 hours + Senior Systems Analyst at 150 hours) × (44 potential respondents) = 7,920 burden hours.
385 These estimates are based on the Commission’s experience with the ARP Inspection
Commission preliminarily estimates that proposed Rule 1000(b)(2) would carry an ongoing annual burden of 120 hours per SRO respondent and 60 hours per non-SRO respondent, for a total ongoing annual burden of 4,200 hours for all respondents.386 These estimated burdens per respondent also would include the time expended for the review of the draft policies and procedures by the SCI entity’s management.
As with proposed Rule 1000(b)(1), the Commission preliminarily believes that SCI entities would handle internally most of the work associated with establishing and maintaining written policies and procedures that are reasonably designed to ensure that their SCI systems operate in the manner intended, including in a manner that complies with the federal securities laws and rules and regulations thereunder and, as applicable, the entity’s rules and governing documents, and that meet the requirements of the proposed safe harbor provisions of proposed Rule 1000(b)(2)(ii).387 However, based on its experience with the ARP Inspection Program, the Commission preliminarily believes that SCI entities also would seek outside legal and/or consulting advice in the initial preparation of such policies and procedures, and that the average cost of outside legal/consulting advice would be $20,000 per respondent, for a total of $880,000 for all respondents.388
Program and OCIE examinations. The Commission notes that its estimate of 120 hours for SCI SROs to annually review and update the written policies and procedures proposed to be required by Rule 1000(b)(2)(i), to satisfy the elements of the safe harbor provisions in proposed Rules 1000(b)(2)(ii) and (iii), is higher than its estimate for SCI SROs to review and update the policies and procedures proposed to be required by Rule 1000(b)(1) and its estimate for SCI entities that are not SCI SROs to review and update the policies and procedures proposed to be required by Rule 1000(b)(2)(i), to satisfy the elements of the safe harbor provisions in proposed Rules 1000(b)(2)(ii) and (iii). This higher estimate is based on the Commission’s preliminary belief that the burden for SCI SROs would be greater because the rules of such entities generally change their rules with greater frequency. The Commission solicits comment on the accuracy of this information.
386 Based on its experience with OCIE examinations and the ARP Inspection Program, the Commission estimates: (Compliance Attorney at 20 hours + Senior Systems Analyst at 100 hours) × (26 potential SCI SRO respondents) + (Compliance Attorney at 10 hours + Senior Systems Analyst at 50 hours) × (18 potential non-SCI SRO respondents) = 4,200 burden hours.
387 But see infra Section IV.D.6, requesting comment on whether some SCI entities, particularly those that do not currently participate in the ARP Inspection Program, would seek to outsource this work and what the cost to outsource this work would be.
388 ($20,000 outside legal cost) × (44 entities) = $880,000.
c. Mandate Participation in Certain Testing
Proposed Rule 1000(b)(9) would require each SCI entity, with respect to its business continuity and disaster recovery plans, including its backup systems, to require participation by designated members or participants in scheduled functional and performance testing of the operation of such plans at specified intervals, and coordinate such testing on an industry- or sector-wide basis with other SCI entities. The Commission preliminarily believes that all SCI entities would be subject to this proposed requirement, and that none of these entities currently require participation by members or participants in scheduled functional and performance testing of their business continuity and disaster recovery plans, as proposed Rule 1000(b)(9) would have them require.
Although SCI entities may seek to implement the proposed requirements in different ways (e.g., for SCI SROs, by submitting proposed rule changes under Section 19(b) of the Exchange Act; for SCI ATSs, by revising membership or subscriber agreements and internal procedures; for plan processors, through an amendment to an SCI Plan under Rule 608 of Regulation NMS; and, for exempt clearing agencies subject to ARP, by revising participant agreements and internal procedures), the Commission preliminarily believes that the average paperwork burden associated with the proposed rule would be the same for all SCI entities because they would likely make similar changes to their rules, agreements, procedures, or SCI Plans, and would likely take similar actions to implement and coordinate mandatory testing. Based on its experience with SCI entities, the Commission preliminarily believes that SCI entities, other than plan processors, would handle this work internally. The Commission preliminarily estimates that each SCI entity (other than plan processors) would spend approximately 130 hours initially to meet the requirements of proposed Rules 1000(b)(9)(i) and (ii). This estimate takes into consideration the requirement to mandate participation by designated members or participants in testing under proposed Rule 1000(b)(9)(i), as well as the requirement under proposed Rule 1000(b)(9)(ii) that an SCI entity coordinate required testing with other SCI entities. Specifically, the estimated 130 hours assumes that it would take an SCI entity 35 hours to write a proposed rule, or revise a membership/subscriber agreement or participant agreement, as the case may be, to establish the participation requirement for the SCI entity’s designated members or participants,389 and an additional 95 hours of follow-up work (e.g., notice and schedule coordination) to ensure implementation.
Therefore, the Commission preliminarily estimates that proposed Rules 1000(b)(9)(i) and (ii) would carry an initial burden of 130 hours per respondent, for a total initial burden of 5,460 hours for all respondents.390 For plan processors, the Commission preliminarily estimates that proposed Rules 1000(b)(9)(i) and (ii) would carry an initial cost of $52,000 per respondent,391 for a total initial cost of $104,000 hours for all plan processors.392 The Commission also preliminarily estimates that each SCI entity (other than plan processors) would spend approximately 95 hours annually to review the written rules or requirements to ensure that they remain up-to-date and to prepare any necessary amendments and undertake necessary coordination to ensure implementation and enforcement of the requirement.393 Therefore, the Commission preliminarily estimates that proposed Rules 1000(b)(9)(i) and (ii) would carry an ongoing annual burden of 95 hours per respondent, for a total ongoing annual burden of 3,990 hours for all respondents.394 For plan processors, the Commission preliminarily estimates that proposed Rules 1000(b)(9)(i) and (ii) would carry an ongoing annual cost of $38,000 hours per respondent,395 for
389 In establishing this estimate, the Commission considered its estimate of the burden for an SRO to file an average proposed rule change. See 2012 Rule 19b–4 collection of information revision Supporting Statement, Office of Management and Budget, available at: https://www.reginfo.gov/public/do/PRAViewDocument?ref_nbr=201207-3235-002.
390 Based on Commission staff experience in reviewing SRO proposed rule change filings and past estimates for Rule 19b–4 and Form 19b–4, the Commission estimates as follows: (Compliance Manager at 10 hours + Attorney at 15 hours + Compliance Clerk at 10 hours) × (42 potential respondents) + (Compliance Manager at 10 hours + Attorney at 15 hours + Operations Specialist at 70 hours) × (42 potential respondents) = 5,460 hours to comply with proposed Rules 1000(b)(9)(i) and (ii). 391 130 hours × $400 per hour for outside legal services = $52,000. See infra note 463. 392 $52,000 × 2 plan processors = $104,000. 393 As noted above, the initial burden includes 35 hours to write a proposed rule, revise an agreement, or amend an SCI Plan. The Commission does not believe this 35-hour burden would be applicable on an ongoing basis. 394 (Compliance Manager at 10 hours + Attorney at 15 hours + Operations Specialist at 70 hours) × (42 potential respondents) = 3,990 hours. See supra note 390. 395 95 hours × $400 per hour for outside legal services = $38,000. See infra note 463. E:\FR\FM\25MRP3.SGM 25MRP3 18148 Federal Register / Vol. 78, No. 57 / Monday, March 25, 2013 / Proposed Rules a total ongoing annual cost of $76,000 for all plan processors.396 The Commission preliminarily estimates that each SCI entity (other than plan processors) would spend approximately 35 hours initially to meet the requirements of proposed Rule 1000(b)(9)(iii). This estimate takes into consideration the burden for an SCI entity to establish standards for designating members or participants who must participate in its business continuity and disaster recovery plans testing and file such standards with the Commission on Form SCI, as well as the burden for an SCI entity to determine, compile, and submit its list of designated members or participants on Form SCI. 
Specifically, the Commission estimates that each SCI entity would take 35 hours to write a proposed rule or an internal procedure, as the case may be, to establish standards for designating members or participants, to apply the standards to compile the list of designees, and to file such standards and the list of designees on Form SCI.397 Therefore, the Commission preliminarily estimates that proposed Rule 1000(b)(9)(iii) would carry an initial burden of 35 hours per respondent, for a total initial burden of 1,470 hours for all respondents.398 For plan processors, the Commission preliminarily estimates that proposed Rule 1000(b)(9)(iii) would carry an initial cost of $14,000 per respondent,399 for a total initial cost of $28,000 hours for all plan processors.400 The Commission also preliminarily estimates that each SCI entity (other than plan processors) would spend approximately 3 hours annually to review the designation standards to ensure that they remain up-to-date and to prepare any necessary amendments, to review its list of designated members or participants, and to update prior Commission notifications with respect to the standards for designation and the list of designees.401 Therefore, the Commission preliminarily estimates that proposed Rule 1000(b)(9)(iii) would carry an ongoing annual burden of 3 hours per respondent, for a total ongoing annual burden of 126 hours for all respondents.402 For plan processors, the Commission preliminarily estimates that proposed Rule 1000(b)(9)(iii) would carry an ongoing annual cost of $1,200 hours per respondent,403 for a total ongoing annual cost of $2,400 for all plan processors.404
2. Notice, Dissemination, and Reporting Requirements for SCI Entities
The proposed rules that would require an SCI entity to notify the Commission of SCI events, disseminate certain SCI events to members or participants, and submit specified reports are discussed more fully in Section III.C above.
a. Notices Required by Proposed Rule 1000(b)(4)
Proposed Rule 1000(b)(4) would require notice of SCI events to the Commission.405 The burden estimates to comply with proposed Rule 1000(b)(4) include the burdens associated with Commission notification of immediate notification SCI events and the submission of Form SCI in accordance with the instructions thereto. Proposed Rule 1000(b)(4)(i) would require an SCI entity, upon any responsible SCI personnel becoming aware of a systems disruption that the SCI entity reasonably estimates would have a material impact on its operations or on market participants, any systems compliance issue, or any systems intrusion, to notify the Commission of such SCI event. As noted above, notification required by proposed Rule 1000(b)(4)(i) may be done orally or in writing.
396 $38,000 × 2 plan processors = $76,000.
397 In establishing this estimate, the Commission considered its estimate of the burden for an SRO to file an average proposed rule change. See 2012 Rule 19b–4 collection of information revision Supporting Statement, Office of Management and Budget, available at: https://www.reginfo.gov/public/do/PRAViewDocument?ref_nbr=201207-3235-002.
398 Based on Commission staff experience in reviewing SRO proposed rule change filings and past estimates for Rule 19b–4 and Form 19b–4, the Commission estimates as follows: (Compliance Manager at 10 hours + Attorney at 15 hours + Compliance Clerk at 10 hours) × (42 potential respondents) = 1,470 hours to comply with Rule 1000(b)(9)(iii).
399 35 hours × $400 per hour for outside legal services = $14,000. See infra note 463.
400 $14,000 × 2 plan processors = $28,000.
401 In establishing this estimate, the Commission has considered its estimate of the burden for an SRO to amend a Form 19b–4. Specifically, the Commission estimated that an amendment to Form 19b–4 would require approximately 3 hours to complete. See Securities Exchange Act Release No. 50486 (October 4, 2004), 69 FR 60287, 60294 (October 8, 2004).
402 (Compliance Manager at 1.5 hours + Attorney at 1.5 hours) × (42 potential respondents) = 126 hours.
403 3 hours × $400 per hour for outside legal services = $1,200. See infra note 463.
404 $1,200 × 2 plan processors = $2,400.
405 See supra note 351 and accompanying text for details regarding the content of Form SCI. Currently, there is no law or rule specifically requiring SCI entities to notify the Commission of systems problems in writing or in a specific format. Nevertheless, voluntary communications of systems problems to Commission staff occur in a variety of ways, including by telephone and email. The Commission notes that proposed Rule 1000(b)(4) would impose a new reporting requirement on SCI entities, regardless of whether they currently voluntarily notify the Commission of SCI events on an ad hoc basis. As such, the Commission preliminarily believes that a history of voluntarily reporting such events to the Commission would not lessen the future burden of reporting such events to the Commission on Form SCI as required under proposed Rule 1000(b)(4).
The Commission preliminarily estimates that each SCI entity would experience an average of 40 immediate notification SCI events per year.406 The Commission further preliminarily estimates that one-fourth of the notifications under proposed Rule 1000(b)(4)(i) would be in writing (i.e., 10 written notifications and 30 oral notifications), and that each written notification would require an in-house attorney half an hour to prepare and submit to the Commission.407 Thus, the Commission preliminarily estimates that the initial and ongoing burden to comply with the notification requirement of proposed Rule 1000(b)(4)(i) would be 5 hours annually per respondent, and 220 hours annually for all respondents.408
Proposed Rule 1000(b)(4)(ii) would require an SCI entity, within 24 hours of any responsible SCI personnel becoming aware of any SCI event, to submit a written notification to the Commission on Form SCI pertaining to such SCI event. The Commission preliminarily estimates that each SCI entity would experience an average of 65 SCI events per year.409 Thus, the Commission preliminarily estimates that there would be an average of 65 SCI event notices per year for each respondent. The Commission preliminarily estimates that each notification under proposed Rule 1000(b)(4)(ii) would require an average of 20 burden hours,410 with a compliance manager and in-house attorney each spending approximately 10 hours in collaboration to draft, review, and submit the report. Thus, the Commission preliminarily estimates that the initial and ongoing burden to comply with the reporting requirement of proposed Rule 1000(b)(4)(ii) would be 1,300 hours annually per respondent, and 57,200 hours annually for all respondents.411
Proposed Rule 1000(b)(4)(iii) would require an SCI entity to submit written updates to the Commission on Form SCI pertaining to SCI events on a regular basis, or at such frequency as reasonably requested by a representative of the Commission, until such time as the SCI event is resolved. Based on Commission staff’s experience with the ARP Inspection Program, the Commission preliminarily estimates that, on average, each SCI entity would submit 5 updates per year under proposed Rule 1000(b)(4)(iii), and that each update would require an average of 3 burden hours,412 with a compliance manager and in-house attorney each spending approximately 1.5 hours in collaboration to draft, review, and submit the update. Thus, the Commission preliminarily estimates that the initial and ongoing burden to comply with the continuous update requirement of proposed Rule 1000(b)(4)(iii) would be 15 hours annually per respondent, and 660 hours annually for all respondents.413
b. Disseminations Required by Proposed Rule 1000(b)(5)
Proposed Rule 1000(b)(5) would require disseminations of information to members or participants relating to dissemination SCI events.
406 Because the threshold for immediate notification SCI events is lower than the threshold for dissemination SCI events, the estimate for the number of immediate notification SCI events is higher than the estimate for the number of dissemination SCI events (i.e., 15 dissemination SCI events). See infra notes 414 and 424 and accompanying text.
407 The Commission preliminarily believes this estimate is appropriate because the notification required by proposed Rule 1000(b)(4)(i) would not be submitted through Form SCI, and is intended to be an immediate initial notification when responsible SCI personnel becomes aware of an immediate notification SCI event which contains only information known to the SCI entity at that time.
408 (Attorney at 0.5 hour for each notice) × (10 notices) = 5 hours. 5 hours × (44 potential respondents) = 220 burden hours. The Commission preliminarily believes that SCI entities would handle internally the work associated with the notification requirement of proposed Rule 1000(b)(4)(i). But see infra Section IV.D.6, requesting comment on whether some SCI entities, particularly those that do not currently participate in the ARP Inspection Program, would seek to outsource this work and what the cost to outsource this work would be.
409 This estimate is based on Commission’s experience with the ARP Inspection Program. Approximately 175 ARP incidents were reported to the Commission in 2011 by entities that currently participate in the ARP Inspection Program. Of those entities, the Commission believes that 28 would fall under the proposed definition of SCI entity (since 2011, an additional entity has become part of the ARP Inspection Program, for a total of 29 SCI entities that participate in the ARP Inspection Program). Thus, each entity reported an average of approximately 6 incidents in 2011. Because the proposed definition of ‘‘SCI event’’ is broader than the types of events covered by the current ARP Inspection Program, and SCI entities are not currently required by law or rule to report systems issues to the Commission, the Commission preliminarily believes that the number of SCI events that would be reported to the Commission would be significantly more than the number of incidents reported in 2011. The Commission acknowledges that, because these types of incidents are not required to be reported under the current ARP Inspection Program, this figure is largely an estimate and is difficult to ascertain. As such, the Commission seeks comment on the accuracy of this estimate.
410 This estimate includes the burden for attaching an Exhibit 3 (i.e., a copy in pdf or html format of any information disseminated to date regarding the SCI event to its members or participants or on the SCI entity’s publicly available Web site). This estimate is based on Commission staff experience with the ARP Inspection Program. The Commission has also considered its estimate of the burden to complete Form 19b–4. Specifically, the Commission has estimated that an SRO would spend approximately 39 hours to complete a Form 19b–4. See 2012 Rule 19b–4 collection of information revision Supporting Statement, Office of Management and Budget, available at: https://www.reginfo.gov/public/do/PRAViewDocument?ref_nbr=201207-3235-002. However, the Commission notes that, unlike Form 19b–4, the information contained in Form SCI would only be factual. As such, the Commission preliminarily believes that the amount of time for an SCI entity to complete Form SCI would be less than the amount of time for an SRO to complete Form 19b–4.
411 (Compliance Manager at 10 hours for each notice + Attorney at 10 hours for each notice) × (65 notices) = 1,300 hours. 1,300 hours × (44 potential respondents) = 57,200 burden hours. The Commission preliminarily believes that SCI entities would handle internally the work associated with the notification requirement of proposed Rule 1000(b)(4)(ii). But see infra Section IV.D.6, requesting comment on whether some SCI entities, particularly those that do not currently participate in the ARP Inspection Program, would seek to outsource this work and what the cost to outsource this work would be.
Based on the definition of dissemination SCI event, the Commission preliminarily estimates that each SCI entity would experience an average of 14 dissemination SCI events each year that are not systems intrusions, resulting in an average of 14 member or participant dissemination per respondent per year under proposed Rule 1000(b)(5)(i).414
Proposed Rule 1000(b)(5)(i)(A) would require an SCI entity, promptly after any responsible SCI personnel becomes aware of a dissemination SCI event other than a systems intrusion, to disseminate to its members or participants the following information about such SCI event: (1) The systems affected by the SCI event; and (2) a summary description of the SCI event. In addition to the costs for outside legal advice discussed below,415 the Commission estimates that each initial member or participant dissemination would require an average of 3 hours to prepare and make available to members or participants, with an in-house attorney spending approximately 2.67 hours in drafting and reviewing the dissemination, and a webmaster spending approximately 0.33 hours in making the dissemination available to members or participants.416 Thus, the Commission preliminarily estimates that the initial and ongoing burden to comply with the initial member or participant dissemination requirement of proposed Rule 1000(b)(5)(i)(A) would be approximately 42 hours annually per respondent, and 1,848 hours annually for all respondents.417
Proposed Rule 1000(b)(5)(i)(B) would require the SCI entity to further disseminate, when known, the following information to its members or participants: (1) A detailed description of the SCI event; (2) the SCI entity’s current assessment of the types and number of market participants potentially affected by the SCI event; and (3) a description of the progress of its corrective action for the SCI event and when the SCI event has been or is expected to be resolved.
412 This estimate includes the burden for attaching an Exhibit 3 (i.e., a copy in pdf or html format of any information disclosed to date regarding the SCI event to its members or participants or on the SCI entity’s publicly available Web site). In determining this estimate, the Commission has considered its estimate of the burden for an SRO to amend a Form 19b–4. Specifically, the Commission estimated that an amendment to Form 19b–4 would require approximately 3 hours to complete. See Securities Exchange Act Release No. 50486 (October 4, 2004), 69 FR 60287, 60294 (October 8, 2004).
413 (Compliance Manager at 1.5 hours for each update + Attorney at 1.5 hours for each update) × (5 updates) = 15 hours. 15 hours × (44 potential respondents) = 660 burden hours. The Commission preliminarily believes that SCI entities would handle internally the work associated with the reporting requirement of proposed Rule 1000(b)(4)(iii). But see infra Section IV.D.6, requesting comment on whether some SCI entities, particularly those that do not currently participate in the ARP Inspection Program, would seek to outsource this work and what the cost to outsource this work would be.
414 This estimate is based on the Commission’s experience with the ARP Inspection Program. Specifically, as indicated in the Economic Analysis Section, approximately 175 ARP incidents were reported to the Commission in 2011 by entities that currently participate in the ARP Inspection Program. Of those entities, the Commission believes that 28 would fall under the proposed definition of SCI entity (since 2011, an additional entity has become part of the ARP Inspection Program, for a total of 29 SCI entities that participate in the ARP Inspection Program). Thus, each entity reported an average of approximately 6 incidents in 2011. Further, because proposed Rule 1000(a) would define an SCI event to mean a systems disruption, systems compliance issue, or systems intrusion, the scope of proposed Regulation SCI is broader than the scope of incidents reported to the ARP Inspection Program, which covers certain systems disruptions and intrusions. As such, the Commission preliminarily believes that an estimate of 14 dissemination SCI events per year per SCI entity (other than systems disruptions) is appropriate.
415 See infra note 428.
416 This estimate is based on Commission staff’s experience with the ARP Inspection Program. The Commission estimates that each initial member or participant dissemination would require an average of 3 hours to prepare and make available the information to members or participants, instead of 20 hours as estimated for proposed Rule 1000(b)(4)(ii), because the information required to be disseminated to members or participants would have been used for the initial written notification on Form SCI. For the same reason, the Commission preliminarily believes that an in-house attorney will prepare the dissemination, which will be made available to members or participants by the webmaster.
417 (Attorney at 2.67 hours for each notification + Webmaster at 0.33 hour for each notification) × (14 notifications per year) = 42 hours. 42 hours × (44 potential respondents) = 1,848 burden hours. The Commission preliminarily believes that SCI entities would handle internally most of the work associated with the notification requirement of proposed Rule 1000(b)(5)(i)(A). But see infra Section IV.D.6, requesting comment on whether some SCI entities, particularly those that do not currently participate in the ARP Inspection Program, would seek to outsource this work and what the cost to outsource this work would be.
In addition to the outside costs discussed below,418 the Commission preliminarily estimates that each update under proposed Rule 1000(b)(5)(i)(B) would require an average of 5 hours to prepare and make available to members or participants,419 with an in-house attorney spending approximately 4.67 hours in drafting and reviewing the update, and a webmaster spending approximately 0.33 hour in making the update available to members or participants. Thus, the Commission preliminarily estimates that the initial and ongoing burden to comply with the update requirement of proposed Rule 1000(b)(5)(i)(B) would be approximately 70 hours annually per respondent, and 3,080 hours annually for all respondents.420
Proposed Rule 1000(b)(5)(i)(C) would require an SCI entity to provide regular updates to members or participants of any information required to be disseminated under proposed Rule 1000(b)(5). As noted above, there were approximately 175 ARP incidents reported to the Commission in 2011. These incidents had durations ranging from under one minute to 24 hours, with most incidents having a duration of less than 2 hours. Based on the relatively short duration of the ARP incidents reported to the Commission in 2011, the Commission preliminarily estimates that, on average, each SCI entity would provide one regular update per year per dissemination SCI event under proposed Rule 1000(b)(5)(i)(C). In addition to the costs for outside legal advice discussed below,421 the Commission preliminarily estimates that each update would require an average of 1 hour to prepare and make available to members or participants,422 with an in-house attorney spending approximately 0.67 hour in drafting and reviewing the update, and a webmaster spending approximately 0.33 hour in making the update available to members or participants. Thus, the Commission preliminarily estimates that the initial and ongoing burden to comply with the regular update requirement of proposed Rule 1000(b)(5)(i)(C) would be approximately 14 hours annually per respondent, and 616 hours annually for all respondents.423
Under proposed Rule 1000(b)(5)(ii), promptly after any responsible SCI personnel becomes aware of a systems intrusion, the SCI entity would be required to disseminate to its members or participants a summary description of the systems intrusion, including a description of the corrective action taken by the SCI entity and when the systems intrusion has been or is expected to be resolved, unless the SCI entity determines that dissemination of such information would likely compromise the security of the SCI entity’s SCI systems or SCI security systems, or an investigation of the systems intrusion, and documents the reasons for such determination.
418 See infra note 428.
419 The Commission estimates that each update under proposed Rule 1000(b)(5)(i)(B) would require an average of 5 hours to prepare and make available to members or participants, instead of 20 hours as estimated for proposed Rule 1000(b)(4)(ii), because the information required to be disseminated to members or participants would have been used for the initial written notification on Form SCI.
420 (Attorney at 4.67 hours for each update + Webmaster at 0.33 hour for each update) × (14 updates per year) = 70 hours. 70 hours × (44 potential respondents) = 3,080 burden hours. This estimate is based on Commission staff’s experience with the ARP Inspection Program. The Commission preliminarily believes that SCI entities would handle internally most of the work associated with the update requirement of proposed Rule 1000(b)(5)(i)(B). But see infra Section IV.D.6, requesting comment on whether some SCI entities, particularly those that do not currently participate in the ARP Inspection Program, would seek to outsource this work and what the cost to outsource this work would be.
Based on the definition of dissemination SCI event, the Commission preliminarily estimates that each SCI entity would experience an average of 1 dissemination SCI event that is a systems intrusion each year, resulting in an average of 1 member or participant dissemination per respondent per year under proposed Rule 1000(b)(5)(ii).424 In addition to the costs for outside legal advice discussed below,425 the Commission estimates that each member or participant dissemination under proposed Rule 1000(b)(5)(ii) would require an average of 3 hours to prepare and make available to members or participants, with an in-house attorney spending approximately 2.67 hours in drafting and reviewing the dissemination, and a webmaster spending approximately 0.33 hours in making the dissemination available to members or participants.426 Thus, the Commission preliminarily estimates that the initial and ongoing burden to comply with the member or participant dissemination requirement under proposed Rule 1000(b)(5)(ii) would be approximately 3 hours annually per respondent, and 132 hours annually for all respondents.427
The Commission preliminarily believes that SCI entities would internally handle most of the work associated with disseminating information on dissemination SCI events to members or participants. However, based on its experience with the ARP Inspection Program, the Commission preliminarily believes that SCI entities also would seek outside legal advice in the preparation of the disseminations required under proposed Rule 1000(b)(5), and that the average cost of outside legal advice would be $15,000 per respondent per year, for a total of $660,000 for all respondents per year.428
c. Notices Required by Proposed Rules 1000(b)(6)
Proposed Rules 1000(b)(6) would require notification to the Commission on Form SCI of material systems changes.
421 See infra note 428.
422 This estimate is based on the estimated burden to complete and submit a written update for an SCI event on Form SCI. See supra note 412. The Commission estimates that each regular update to a member or participant dissemination would require an average of 1 hour to prepare and make available to members or participants, instead of 3 hours, because the information required to be provided to the Commission in the updates on Form SCI would also be used for updating the member or participation dissemination. For the same reason, the Commission preliminarily believes that an attorney will prepare the update, which will be made available by the webmaster.
423 (Attorney at 0.67 hour for each update + Webmaster at 0.33 hour for each update) × (14 updates per year) = 14 hours. 14 hours × (44 potential respondents) = 616 burden hours. This estimate is based on Commission staff’s experience with the ARP Inspection Program. The Commission preliminarily believes that SCI entities would handle internally most of the work associated with the update requirement of proposed Rule 1000(b)(5)(i)(C). But see infra Section IV.D.6, requesting comment on whether some SCI entities, particularly those that do not currently participate in the ARP Inspection Program, would seek to outsource this work and what the cost to outsource this work would be.
424 Based on Commission’s experience with the ARP Inspection Program, the Commission preliminarily believes each SCI entity will experience on average less than one systems intrusion per year. However, for purposes of the PRA, the Commission preliminarily estimates one systems intrusion per respondent per year.
425 See infra note 428.
426 This estimate includes any burden for an SCI entity to document its reason for determining that dissemination of information regarding a systems intrusion would likely compromise the security of the SCI entity’s SCI systems or SCI security systems, or an investigation of the systems intrusion. This estimate is based on Commission staff’s experience with the ARP Inspection Program. In determining this estimate, the Commission considered its burden estimate for proposed Rule 1000(b)(5)(i)(A) because both rules would require the dissemination of certain basic information about a dissemination SCI event. For the same reason, the Commission preliminarily believes that an in-house attorney will prepare the dissemination, which will be made available by the webmaster.
427 (Attorney at 2.67 hours for each notification + Webmaster at 0.33 hour for each notification) × (1 notification per year) = 3 hours. 3 hours × (44 potential respondents) = 132 burden hours. The Commission preliminarily believes that SCI entities would handle internally most of the work associated with the dissemination requirement of proposed Rule 1000(b)(5)(ii). But see infra Section IV.D.6, requesting comment on whether some SCI entities, particularly those that do not currently participate in the ARP Inspection Program, would seek to outsource this work and what the cost to outsource this work would be.
The Commission preliminarily believes this work would be conducted internally.429 The burden estimates to comply with proposed Rule 1000(b)(6) include the burdens associated with submission of Form SCI in accordance with the instructions thereto. Specifically, proposed Rule 1000(b)(6) would require the SCI entity, absent exigent circumstances, to notify the Commission on Form SCI at least 30 calendar days before the implementation of any planned material systems change, including a description of the planned material systems change as well as the expected dates of commencement and completion of the implementation of such change.430 Based on its experience with the ARP Inspection Program, the Commission preliminarily estimates that there would be an average of 60 planned material systems changes per respondent per year.431 As such, the Commission preliminarily estimates that there would be an average of 60 notifications per respondent per year, and each notification would require an average of 2 hours to prepare and submit,432 with an attorney spending approximately 0.33 hours and a senior systems analyst spending approximately 1.67 hours in drafting and reviewing the notification. For the 15 SCI entity respondents that do not currently participate in the ARP Inspection Program, the Commission preliminarily estimates that the initial and ongoing burden to comply with the notice requirement of proposed Rule 1000(b)(6) would be approximately 120 hours annually per respondent, and 1,800 hours annually for all respondents.433 Because SCI entities that currently participate in the ARP Inspection Program already notify the Commission of planned material systems changes, the Commission preliminarily estimates that these entities would be starting from a baseline of fifty percent, and that the increased burden for these 30 SCI entities would be 60 hours annually per respondent.434 The Commission preliminarily estimates that the total initial and ongoing burden for SCI entities that currently participate in the ARP Inspection Program would be 60 hours annually per respondent, for a total burden of 1,740 hours for all of these respondents.435 Thus, the total estimated initial and ongoing burden to comply with proposed Rule 1000(b)(6) would be 3,540 for all respondents.436
d. SCI Review Required by Proposed Rule 1000(b)(7)
Proposed Rule 1000(b)(7) would require each SCI entity to conduct an SCI review of its compliance with Regulation SCI not less than once each calendar year, and submit a report of the SCI review to its senior management for review no more than 30 calendar days after completion of such SCI review. The Commission preliminarily estimates that the initial and ongoing burden of conducting an SCI review and submitting the SCI review to senior management of the SCI entity for review would be approximately 625 hours for each respondent 437 and 27,500 hours annually for all respondents.438
e. Reports Required by Proposed Rule 1000(b)(8)
Proposed Rule 1000(b)(8) would require each SCI entity to submit certain reports to the Commission. The burden estimates to comply with proposed Rule 1000(b)(8) include the burdens associated with submission of Form SCI in accordance with the instructions thereto.
428 ($15,000 outside legal cost) × (44 potential respondents) = $660,000.
429 But see infra Section IV.D.6, requesting comment on whether some SCI entities, particularly those that do not currently participate in the ARP Inspection Program, would seek to outsource this work and what the cost to outsource this work would be.
430 If exigent circumstances exist, or if the information previously provided to the Commission regarding any planned material systems change becomes materially inaccurate, the SCI entity would be required to notify the Commission, either orally or in writing, with any oral notification to be memorialized within 24 hours after such oral notification by a written notification, as early as reasonably practicable.
431 This estimate includes instances where the information previously provided to the Commission regarding any planned material systems change becomes materially inaccurate.
432 In estimating the burden imposed by proposed Rule 1000(b)(6), the Commission also considered its burden estimate for the same reporting requirement that was proposed for SB SEFs. Specifically, proposed Rule 822(a)(4) in the SB SEF Proposing Release would require an SB SEF to notify the Commission in writing at least 30 calendar days before the implementation of material systems changes. The Commission estimated that there would be an average of 60 notifications per respondent per year, and that each notification would require an average of 2 internal burden hours. See SB SEF Proposing Release, supra note 297, at 11029.
433 (Attorney at 0.33 hour for each notification + Senior Systems Analyst at 1.67 hours for each notification) × (60 notifications per year) = 120 hours. 120 hours × (15 potential respondents) = 1,800 burden hours.
434 (Attorney at 0.33 hour for each notification + Senior Systems Analyst at 1.67 hours for each notification) × (30 additional notifications per year) = 60 hours. The Commission preliminarily believes that the burden would result from the proposed broadened definitions of ‘‘SCI systems’’ and ‘‘SCI security systems’’ in Regulation SCI, as well as the shift from a voluntary to a mandatory regulatory environment.
435 (60 burden hours) × (29 potential respondents) = 1,740 burden hours.
436 (1,800 burden hours for SCI entities that do not currently participate in the ARP Inspection Program + 1,740 burden hours for SCI entities that currently participate in the ARP Inspection Program) = 3,540 burden hours.
Pursuant to proposed Rule 1000(b)(8)(i), each SCI entity would be required to submit to the Commission, as an attachment to Form SCI, a report of the SCI review required by proposed Rule 1000(b)(7), together with any response by senior management of the SCI entity, within 60 calendar days after its submission to senior management of the SCI entity. The Commission estimates that each SCI entity would require 1 hour to submit the SCI review using Form SCI, for a total annual initial and ongoing burden of 44 hours for all respondents.439 Proposed Rule 1000(b)(8)(ii) would require each SCI entity to submit, using Form SCI, a report within 30 calendar days after the end of June and December of each year, containing a summary description of the progress of any material systems changes during the six-month period ending on June 30 or December 31, as the case may be, and the date, or expected date, of completion of their implementation.

437 This estimate is the Commission’s preliminary best estimate and is based on Commission staff’s experience with SCI entities participating in the ARP Inspection Program. This estimate also is the same as the Commission’s burden estimate for internal audits of SB SEFs. See SB SEF Proposing Release, supra note 297, at 11028. Proposed Rule 822 in the SB SEF Proposing Release would require an SB SEF to submit to the Commission an annual objective review of the capability of its systems that support or are integrally related to the performance of its activities, provided that if a review is performed internally, an external firm shall report on the objectivity, competency, and work performance with respect to the internal review. The Commission recognizes that the annual review requirement proposed for SB SEFs is different, in certain respects, from the requirement under proposed Rule 1000(b)(7).
Specifically, the scopes of the reviews are different because proposed Rule 1000(b)(7) would require an SCI review of an SCI entity’s compliance with proposed Regulation SCI. Further, proposed Rule 1000(b)(7) would not require an external review of an internal SCI review. Nevertheless, the Commission preliminarily believes that these differences should not result in differences in the burden estimate for these similar internal audits.

438 (Attorney at 80 hours + Manager Internal Auditor at 170 hours + Senior Systems Analyst at 375 hours) × (44 potential respondents) = 27,500 burden hours.

439 (Attorney at 1 hour for each submission) × (1 submission per year) = 1 burden hour. (1 burden hour) × (44 potential respondents) = 44 burden hours.

The Commission preliminarily estimates that the initial and ongoing burden to comply with proposed Rule 1000(b)(8)(ii) would be approximately 60 hours per respondent per report or 120 hours annually,440 and 5,280 hours annually for all respondents.441

440 The Commission notes that SCI entities currently do not submit to the Commission written semi-annual notifications of material systems changes. This estimate is based on Commission staff’s experience with various entities through the ARP Inspection Program.

441 (Attorney at 10 hours for each report + Senior Systems Analyst at 50 hours for each report) × (2 reports per year) = 120 burden hours. (120 burden hours) × (43 potential respondents) = 5,280 burden hours. The Commission preliminarily believes that SCI entities would handle internally the work associated with the reporting requirement of proposed Rule 1000(b)(8)(ii). But see infra Section IV.D.6, requesting comment on whether some SCI entities, particularly those that do not currently participate in the ARP Inspection Program, would seek to outsource this work and what the cost to outsource this work would be.

3. Requirements To Take Corrective Actions, Identify Immediate Notification SCI Events, and Identify Dissemination SCI Events

The proposed rules that could result in SCI entities establishing additional processes for compliance with proposed Regulation SCI are discussed more fully in Section III.C above.

a. Requirement To Take Corrective Actions

Proposed Rule 1000(b)(3) would require an SCI entity, upon any responsible SCI personnel becoming aware of an SCI event, to begin to take corrective action which shall include, at a minimum, mitigating potential harm to investors and market integrity resulting from the SCI event and devoting adequate resources to remedy the SCI event as soon as reasonably practicable. Based on its experience with the ARP Inspection Program, the Commission believes that entities that participate in the ARP Inspection Program already take corrective actions in response to a systems issue, and believes that other SCI entities also take corrective actions in response to a systems issue. Nevertheless, the Commission preliminarily believes that proposed Rule 1000(b)(3) would likely result in SCI entities revising their policies in this regard, which would help to ensure that their information technology staff has the ability to access systems in order to take appropriate corrective actions. As such, proposed Rule 1000(b)(3) may impose a one-time implementation burden on SCI entities associated with developing a process for ensuring that they are prepared for the corrective action requirement. Proposed Rule 1000(b)(3) also may impose periodic burdens on SCI entities in reviewing that process. The Commission preliminarily estimates that the initial burden to implement such a process would be 42 hours per SCI entity 442 or 1,848 hours for all SCI entities.443 The Commission also preliminarily estimates that the ongoing burden to review such a process would be 12 hours annually per SCI entity 444 or 528 hours annually for all SCI entities.445

442 This estimate is based on the Commission’s burden estimate for proposed Rule 1000(b)(1) because both proposed Rule 1000(b)(1) and proposed Rule 1000(b)(3) would result in certain policies and procedures or processes. Because proposed Rule 1000(b)(1) (except for policies and procedures for standards that result in such systems being designed, developed, tested, maintained, operated, and surveilled in a manner that facilitates the successful collection, processing, and dissemination of market data) would require the establishment of five policies and procedures at a minimum, the Commission preliminarily estimates that the initial burden to establish the process to comply with proposed Rule 1000(b)(3) would be one-fifth of the initial burden to comply with proposed Rule 1000(b)(1) (except for policies and procedures for standards that result in such systems being designed, developed, tested, maintained, operated, and surveilled in a manner that facilitates the successful collection, processing, and dissemination of market data), or 42 hours (210 hours ÷ 5). Further, the Commission preliminarily estimates that the hourly breakdown between different staff of the SCI entity would be in the same ratio as the Commission’s estimate for proposed Rule 1000(b)(1) (except for policies and procedures for standards that result in such systems being designed, developed, tested, maintained, operated, and surveilled in a manner that facilitates the successful collection, processing, and dissemination of market data)—Compliance Manager at 16 hours, Attorney at 16 hours, Senior Systems Analyst at 5 hours, and Operations Specialist at 5 hours. These estimates reflect the Commission’s preliminary view that SCI entities would establish the process for compliance with proposed Rule 1000(b)(3) internally. But see infra Section IV.D.6, requesting comment on whether some SCI entities, particularly those that do not currently participate in the ARP Inspection Program, would seek to outsource this work and what the cost to outsource this work would be.

443 (42 hours) × (44 potential respondents) = 1,848 burden hours.

b. Requirements To Identify Immediate Notification SCI Events and Dissemination SCI Events

Proposed Rule 1000(a) would define a ‘‘dissemination SCI event’’ to mean an SCI event that is a: (1) Systems compliance issue; (2) systems intrusion; or (3) systems disruption that results, or the SCI entity reasonably estimates would result, in significant harm or loss to market participants. When an SCI event occurs, an SCI entity would need to determine whether the event is an immediate notification SCI event or a dissemination SCI event, because the proposed rules would impose different obligations on SCI entities for these types of SCI events. As such, immediate notification SCI events and dissemination SCI events may impose an initial one-time implementation burden on SCI entities in developing a process to ensure that they are able to quickly and correctly make a determination regarding whether the SCI event is subject to proposed Rule 1000(b)(4)(i) or (b)(5). The definition may also impose periodic burdens on SCI entities in reviewing that process.

444 This estimate is based on the Commission’s burden estimate for proposed Rule 1000(b)(1) because both proposed Rule 1000(b)(1) and proposed Rule 1000(b)(3) would result in certain policies and procedures or processes.
Because proposed Rule 1000(b)(1) (except for policies and procedures for standards that result in such systems being designed, developed, tested, maintained, operated, and surveilled in a manner that facilitates the successful collection, processing, and dissemination of market data) would require the establishment and review of five policies and procedures at a minimum, the Commission preliminarily estimates that the ongoing burden to review the process to comply with proposed Rule 1000(b)(3) would be one-fifth of the ongoing burden to comply with proposed Rule 1000(b)(1) (except for policies and procedures for standards that result in such systems being designed, developed, tested, maintained, operated, and surveilled in a manner that facilitates the successful collection, processing, and dissemination of market data), or 12 hours (60 hours ÷ 5). Further, the Commission preliminarily estimates that the hourly breakdown between different staff of the SCI entity would be in the same ratio as the Commission’s estimate for proposed Rule 1000(b)(1) (except for policies and procedures for standards that result in such systems being designed, developed, tested, maintained, operated, and surveilled in a manner that facilitates the successful collection, processing, and dissemination of market data)—Compliance Manager at 6 hours and Attorney at 6 hours. These estimates reflect the Commission’s preliminary view that SCI entities would review the process for compliance with proposed Rule 1000(b)(3) internally. But see infra Section IV.D.6, requesting comment on whether some SCI entities, particularly those that do not currently participate in the ARP Inspection Program, would seek to outsource this work and what the cost to outsource this work would be.

445 (12 hours) × (44 potential respondents) = 528 burden hours.

Because the ARP Inspection Program already provides for the reporting of ‘‘significant system changes’’ and ‘‘significant system outages’’ to Commission staff,446 the Commission believes that, as compared to entities that do not participate in the ARP Inspection Program, entities that currently participate in the ARP Inspection Program would already have internal processes for determining the significance of a systems issue.447 Therefore, the Commission preliminarily estimates that the proposed definition would impose half as much burden on entities that participate in the ARP Inspection Program as compared to entities that do not participate in the ARP Inspection Program. For SCI entities that currently do not participate in the ARP Inspection Program, the Commission preliminarily believes that the initial burden would be 42 hours per entity 448 or 630 hours for all such entities.449 For entities that currently participate in the ARP Inspection Program, the Commission preliminarily believes that the initial burden would be 21 hours 450 per entity or 609 hours for all such entities.451 For SCI entities that currently do not participate in the ARP Inspection Program, the Commission preliminarily believes that ongoing burden would be 12 hours annually per entity 452 or 180 hours for all such entities.453 For SCI entities that currently participate in the ARP Inspection Program, the Commission preliminarily believes that ongoing burden would be 6 hours annually 454 per entity or 174 hours for all such entities.455

446 See supra notes 33 and 35 and accompanying text.

447 The Commission recognizes that ‘‘significant system changes’’ and ‘‘significant system outages’’ differ from the proposed definitions of ‘‘immediate notification SCI event’’ and ‘‘dissemination SCI event.’’

448 This estimate is based on the Commission’s burden estimate for proposed Rule 1000(b)(1) because proposed Rule 1000(b)(1), the proposed definition of ‘‘immediate notification SCI event,’’ and the definition of ‘‘dissemination SCI event’’ would result in certain policies and procedures or processes. Because proposed Rule 1000(b)(1) (except for policies and procedures for standards that result in such systems being designed, developed, tested, maintained, operated, and surveilled in a manner that facilitates the successful collection, processing, and dissemination of market data) would require the establishment of five policies and procedures at a minimum, the Commission preliminarily estimates that the initial burden to establish the process regarding the SCI event determinations would be one-fifth of the initial burden to comply with proposed Rule 1000(b)(1) (except for policies and procedures for standards that result in such systems being designed, developed, tested, maintained, operated, and surveilled in a manner that facilitates the successful collection, processing, and dissemination of market data), or 42 hours (210 hours ÷ 5). Further, the Commission preliminarily estimates that the hourly breakdown between different staff of the SCI entity would be in the same ratio as the Commission’s estimate for proposed Rule 1000(b)(1) (except for policies and procedures for standards that result in such systems being designed, developed, tested, maintained, operated, and surveilled in a manner that facilitates the successful collection, processing, and dissemination of market data)—Compliance Manager at 16 hours, Attorney at 16 hours, Senior Systems Analyst at 5 hours, and Operations Specialist at 5 hours. These estimates reflect the Commission’s preliminary view that SCI entities would internally establish the process for determining whether an SCI event is an immediate notification SCI event or dissemination SCI event. But see infra Section IV.D.6, requesting comment on whether some SCI entities, particularly those that do not currently participate in the ARP Inspection Program, would seek to outsource this work and what the cost to outsource this work would be.

449 (42 hours) × (15 potential respondents) = 630 burden hours.

450 42 burden hours × 50% = 21 burden hours. These estimates reflect the Commission’s preliminary view that SCI entities would internally establish the process for determining whether an SCI event is an immediate notification SCI event or dissemination SCI event. But see infra Section IV.D.6, requesting comment on whether some SCI entities, particularly those that do not currently participate in the ARP Inspection Program, would seek to outsource this work and what the cost to outsource this work would be.

451 (21 burden hours) × (29 potential respondents) = 609 burden hours.

452 This estimate is based on the Commission’s burden estimate for proposed Rule 1000(b)(1) because proposed Rule 1000(b)(1), the proposed definition of ‘‘immediate notification SCI event,’’ and the proposed definition of ‘‘dissemination SCI event’’ would result in certain policies and procedures or processes. Because proposed Rule 1000(b)(1) (except for policies and procedures for standards that result in such systems being designed, developed, tested, maintained, operated, and surveilled in a manner that facilitates the successful collection, processing, and dissemination of market data) would require the establishment and maintenance of five policies and procedures at a minimum, the Commission preliminarily estimates that the ongoing burden to review the process regarding the SCI event determinations would be one-fifth of the ongoing burden to comply with proposed Rule 1000(b)(1) (except for policies and procedures for standards that result in such systems being designed, developed, tested, maintained, operated, and surveilled in a manner that facilitates the successful collection, processing, and dissemination of market data), or 12 hours (60 hours ÷ 5). Further, the Commission preliminarily estimates that the hourly breakdown between different staff of the SCI entity would be in the same ratio as the Commission’s estimate for proposed Rule 1000(b)(1) (except for policies and procedures for standards that result in such systems being designed, developed, tested, maintained, operated, and surveilled in a manner that facilitates the successful collection, processing, and dissemination of market data)—Compliance Manager at 6 hours and Attorney at 6 hours. These estimates reflect the Commission’s preliminary view that SCI entities would internally review the process for determining whether an SCI event is an immediate notification SCI event or dissemination SCI event. But see infra Section IV.D.6, requesting comment on whether some SCI entities, particularly those that do not currently participate in the ARP Inspection Program, would seek to outsource this work and what the cost to outsource this work would be.

453 (12 burden hours) × (15 potential respondents) = 180 burden hours.

4. Recordkeeping Requirements

As more fully discussed in Section III.D above, proposed Rule 1000(c) would specifically require SCI entities other than SCI SROs to make, keep, and preserve at least one copy of all documents relating to its compliance with proposed Regulation SCI. The Commission is not proposing a new recordkeeping requirement for SCI SROs because the documents relating to compliance with proposed Regulation SCI are subject to their existing recordkeeping and retention requirements under Rule 17a–1 under the Exchange Act.456 Because Rule 17a–1 under the Exchange Act requires every SRO to keep on file for a period of not less than 5 years, the first 2 years in an easily accessible place, at least one copy of all documents that it makes or receives respecting its self-regulatory activities, and that all such documents be made available for examination by the Commission and its representatives, the Commission believes that proposed Rule 1000(c) would not result in any burden that is not already accounted for in the Commission’s burden estimates for Rule 17a–1. For SCI entities other than SCI SROs, Regulation SCI-related records would be required to be kept for a period of not less than five years, the first two years in a place that is readily accessible to the Commission or its representatives for inspection and examination.457 Upon the request of any representative of the Commission, an SCI entity would be required to promptly furnish to the possession of such representative copies of any documents required to be kept and preserved by it pursuant to proposed Rule 1000(c).

454 12 burden hours × 50% = 6 burden hours. These estimates reflect the Commission’s preliminary view that SCI entities would internally review the process for determining whether an SCI event is an immediate notification SCI event or dissemination SCI event.
But see infra Section IV.D.6, requesting comment on whether some SCI entities, particularly those that do not currently participate in the ARP Inspection Program, would seek to outsource this work and what the cost to outsource this work would be.

455 (6 burden hours) × (29 potential respondents) = 174 burden hours.

456 See 17 CFR 240.17a–1.

457 Under the proposal, upon or immediately prior to ceasing to do business or ceasing to be registered under the Exchange Act, an SCI entity would be required to take all necessary action to ensure that the records required to be made, kept, and preserved by Rule 1000(c) would be accessible to the Commission and its representatives in the manner required and for the remainder of the period required by proposed Rule 1000(c). See proposed Rule 1000(c)(3).

For SCI entities other than SCI SROs, the Commission preliminarily estimates that the initial and ongoing burden to make, keep, and preserve records relating to compliance with proposed Regulation SCI would be approximately 25 hours annually per respondent 458 for a total annual burden of 450 hours for all respondents.459 In addition, the Commission estimates that each SCI entity other than an SCI SRO would incur a one-time burden to set up or modify an existing recordkeeping system to comply with proposed Rule 1000(c).
Specifically, the Commission estimates that, for each SCI entity other than an SCI SRO, setting up or modifying a recordkeeping system would create an initial burden of 170 hours and $900 in information technology costs for purchasing recordkeeping software,460 for a total initial burden of 3,060 hours 461 and a total initial cost of $16,200.462 The Commission preliminarily believes that proposed Rule 1000(c)(3), which would require an SCI entity, upon or immediately prior to ceasing to do business or ceasing to be registered under the Exchange Act, to take all necessary action to ensure that the records required to be made, kept, and preserved by Rule 1000(c)(1) and Rule (c)(2) remain accessible to the Commission and its representatives in the manner and for the remainder of the period required by Rule 1000(c), would not result in any additional paperwork burden that is not already accounted for in the Commission’s burden estimates for proposed Rule 1000(c)(1) and Rule 1000(c)(2).

458 This estimate is based on the Commission’s experience with examinations of registered entities, the Commission’s estimated burden for an SRO to comply with Rule 17a–1, and the Commission’s estimated burden for a SB SEF to keep and preserve documents made or received in the conduct of its business. Specifically, the Commission estimated 50 burden hours per respondent per year in connection with Rule 17a–1 and proposed Rule 818(a) and (b) in the SB SEF Proposing Release. See 2010 Extension of Rule 17a–1 Supporting Statement, Office of Management and Budget, available at: https://www.reginfo.gov/public/do/PRAViewICR?ref_nbr=201007-3235-003 and SB SEF Proposing Release, supra note 297, at 11029. Because the recordkeeping requirements under Rule 17a–1 and under proposed Rule 818(a) and (b) are broader than the recordkeeping requirement under proposed Rule 1000(c), the Commission preliminarily believes that an estimate of 25 burden hours per year per SCI entity is appropriate. Further, the Commission notes that this burden estimate includes the burden imposed by proposed Rule 1000(e). Specifically, proposed Rule 1000(e) would provide that, if the records required to be filed or kept by an SCI entity under proposed Regulation SCI are prepared or maintained by a service bureau or other recordkeeping service on behalf of the SCI entity, the SCI entity would be required to ensure that the records are available for review by the Commission and its representatives by submitting a written undertaking, in a form acceptable to the Commission, by such service bureau or other recordkeeping service, which is signed by a duly authorized person at such service bureau or other recordkeeping service.

459 (Compliance Clerk at 25 hours) × (18 potential respondents) = 450 burden hours.

460 This estimate is based on the Commission’s experience with examinations of registered entities and the Commission’s estimated burden for an SB SEF to keep and preserve documents made or received in the conduct of its business. Specifically, the Commission estimated that setting up or modifying a recordkeeping system under proposed Rule 818 would create an initial burden of 345 hours and $1,800 in information technology costs per respondent. See SB SEF Proposing Release, supra note 297, at 11030. Because the recordkeeping requirements under proposed Rule 818 are broader than the recordkeeping requirement under proposed Rule 1000(c), the Commission preliminarily believes that the estimates of 170 initial burden hours and $900 in initial cost are appropriate.

461 (170 burden hours) × (18 potential respondents) = 3,060 burden hours.

462 ($900) × (18 potential respondents) = $16,200.

6. Request for Comment on Extent and Cost of Outsourcing

209. The Commission’s estimates of the hourly burdens discussed above reflect the Commission’s preliminary view that SCI entities would conduct the work proposed to be required by proposed Rules 1000(a), 1000(b)(1), 1000(b)(2), 1000(b)(3), 1000(b)(4), 1000(b)(5), 1000(b)(6), 1000(b)(7), 1000(b)(8), and 1000(b)(9) internally. The Commission acknowledges, however, that some SCI entities, particularly smaller SCI entities, and/or SCI entities that do not currently participate in the ARP Inspection Program, may elect to outsource the work if it would be more cost effective to do so. The Commission does not at this time have sufficient information to reasonably estimate the cost to outsource the work proposed to be required by proposed Rules 1000(a), 1000(b)(1), 1000(b)(2), 1000(b)(3), 1000(b)(4), 1000(b)(5), 1000(b)(6), 1000(b)(7), 1000(b)(8), and 1000(b)(9), or the number of entities that would choose to outsource this work, for purposes of the PRA. The Commission seeks comment, however, on its preliminary view that SCI entities would conduct such work internally. Further, the Commission seeks comment on whether some SCI entities would in fact find it more cost effective to outsource the work that would be required to comply with the proposed rules, and if so, how many of these SCI entities would therefore outsource this work and at what cost. For purposes of facilitating such comment, presented below are certain preliminary assumptions and calculations regarding such potential outsourcing on which the Commission requests comment.
Specifically, for purposes of soliciting comment, the Commission is assuming that it would take the same number of hours for a consultant and/or outside attorney to complete the work to be required by proposed Rules 1000(a), 1000(b)(1), 1000(b)(2), 1000(b)(3), 1000(b)(4), 1000(b)(5), 1000(b)(6), 1000(b)(7), 1000(b)(8), and 1000(b)(9), as it would take for an SCI entity to complete that work internally (using the Commission’s preliminary estimates above). Further, the Commission is assuming that work would be conducted at a rate of $400 per hour.463 Based on the forgoing assumptions, the estimated cost to outsource the work that the Commission preliminarily assumed would be done internally would be as follows: For identification of immediate notification SCI events and dissemination SCI events: The initial cost would be (a) for an SCI entity that has not participated in the ARP Inspection Program, $16,800; 464 and (b) for an SCI entity that currently participates in the ARP Inspection Program, $8,400.465 The ongoing annual cost would be (a) for an SCI entity that has not participated in the ARP Inspection Program, $4,800; 466 and (b) for an SCI entity that currently participates in the ARP Inspection Program, $2,400.467 For proposed Rule 1000(b)(1) except proposed Rule 1000(b)(1)(i)(F): The initial cost would be (a) for an SCI entity that has not participated in the ARP Inspection Program, $84,000; 468 and (b) for an SCI entity that currently participates in the ARP Inspection Program, $42,000.469 The ongoing annual costs would be (a) for an SCI entity that has not participated in the ARP Inspection Program, $24,000; 470 and (b) for an SCI entity that currently participates in the ARP Inspection Program, $12,000.471 For proposed Rule 1000(b)(1)(i)(F): The initial cost for each SCI entity would be $52,000.472 The ongoing 463 This is based on an estimated $400 per hour cost for outside consulting and/or legal services. 
This is the same estimate used for the Commission’s consolidated audit trail rule. See Securities Exchange Act Release No. 67457 (July 18, 2012), 77 FR 45722 (August 1, 2012). 464 42 hours × $400 = $16,800. 465 21 hours × $400 = $8,400. 466 12 hours × $400 = $4,800. 467 6 hours × $400 = $2,400. 468 210 hours × $400 = $84,000. 469 105 hours × $400 = $42,000. 470 60 hours × $400 = $24,000. 471 30 hours × $400 = $12,000. 472 130 hours × $400 = 52,000. E:\FR\FM\25MRP3.SGM 25MRP3 Federal Register / Vol. 78, No. 57 / Monday, March 25, 2013 / Proposed Rules annual cost for each SCI entity would be $52,000.473 For proposed Rule 1000(b)(2): The initial cost for each SCI entity would be $72,000.474 The ongoing annual cost would be (a) for an SCI entity that is an SCI SRO, $48,000; 475 and (b) for an SCI entity that is not an SCI SRO, $24,000.476 For proposed Rule 1000(b)(3): The initial cost for each SCI entity would be $16,800.477 The ongoing annual cost for each SCI entity would be $4,800.478 For proposed Rule 1000(b)(4): The initial and the ongoing annual cost for each SCI entity would be (a) for proposed Rule 1000(b)(4)(i), $2,000; 479 (b) for proposed Rule 1000(b)(4)(ii), $520,000; 480 and (c) for proposed Rule 1000(b)(4)(iii), $6,000.481 For proposed Rule 1000(b)(5): The initial and the ongoing annual cost for each SCI entity would be (a) for proposed Rule 1000(b)(5)(i)(A), $16,800; 482 (b) for proposed Rule 1000(b)(5)(i)(B), $28,000; 483 (c) for proposed Rule 1000(b)(5)(i)(C), $5,600; 484 and (d) for proposed Rule 1000(b)(5)(ii), $1,200.485 For proposed Rule 1000(b)(6): The initial and ongoing annual cost would be (a) for SCI entities that do not currently participate in the ARP Inspection Program, $48,000; 486 and (b) for SCI entities that currently participate in the ARP Inspection Program, $24,000.487 For proposed Rule 1000(b)(7): The initial and ongoing annual cost would be $250,000 for each SCI entity.488 For proposed Rule 1000(b)(8): The initial and ongoing 
annual cost for each SCI entity would be (a) for proposed Rule 1000(b)(8)(i), $400; 489 and (b) for proposed Rule 1000(b)(8)(ii), $48,000 for each SCI entity.490

For proposed Rule 1000(b)(9)(i) and (ii): The initial annual cost would be $52,000 for each SCI entity.491 The ongoing annual cost would be $38,000 for each SCI entity.492

For proposed Rule 1000(b)(9)(iii): The initial annual cost would be $14,000 for each SCI entity.493 The ongoing annual cost would be $1,200 for each SCI entity.494

473 130 hours × $400 = 52,000.
474 180 hours × $400 = $72,000.
475 120 hours × $400 = $48,000.
476 60 hours × $400 = $24,000.
477 42 hours × $400 = $16,800.
478 12 hours × $400 = $4,800.
479 5 hours × $400 = $2,000.
480 1,300 hours × $400 = $520,000.
481 15 hours × $400 = $6,000.
482 42 hours × $400 = $16,800.
483 70 hours × $400 = $28,000.
484 14 hours × $400 = $5,600.
485 3 hours × $400 = $1,200.
486 120 hours × $400 = $48,000.
487 60 hours × $400 = $24,000.
488 625 hours × $400 = $250,000.
489 1 hour × $400 = $400.
490 120 hours × $400 = 48,000.
491 130 hours × $400 = $52,000.

210. As discussed above, the Commission requests comment on these preliminary estimates regarding potential outsourcing and the underlying assumptions. For example, is it reasonable to assume that the number of hours for a consultant and/or outside attorney to complete the work would be the same as the number of hours for internal staff to complete the work? If not, why not? Are there certain types of SCI entities (e.g., those having relatively few employees or a smaller number of systems) that would be more likely to find it cost effective to outsource the work, either initially or on an ongoing basis? Please explain. Would the cost to outsource vary depending on the extent and volume of the outsourcing, or the period of time over which such outsourcing took place? Please explain.

7.
Total Paperwork Burden Under Regulation SCI

Based on the foregoing, the Commission preliminarily estimates that the total one-time initial burden for all SCI entities to comply with Regulation SCI would be 133,482 hours 495 and the total one-time initial cost would be $2.6 million.496 The Commission preliminarily estimates that the total annual ongoing burden for all SCI entities to comply with Regulation SCI would be 117,258 hours 497 and the total annual ongoing cost would be $738,400.498

492 95 hours × $400 = $38,000.
493 35 hours × $400 = $14,000.
494 3 hours × $400 = $1,200.
495 133,482 hours = 26,765 (policies and procedures/mandatory testing requirements) + 100,120 (notification, dissemination, and reporting) + 3,087 (requirements to take corrective actions, identify immediate notification SCI events, and identify dissemination SCI events) + 3,510 (recordkeeping).
496 $2.6 million = $1.9 million (policies and procedures/mandatory testing requirements) + $660,000 (notification, dissemination, and reporting) + $16,200 (recordkeeping).
497 117,258 hours = 15,806 (policies and procedures/mandatory testing requirements) + 100,120 (notification, dissemination, and reporting) + 882 (requirements to take corrective actions, identify immediate notification SCI events, and identify dissemination SCI events) + 450 (recordkeeping).
498 $738,400 = $78,400 (policies and procedures/mandatory testing requirements) + $660,000 (notification, dissemination, and reporting).

211. The Commission seeks comment on the collection of information burdens associated with proposed Regulation SCI. Specifically:

212. Do commenters agree with the Commission’s estimate of the number of respondents required to comply with proposed Regulation SCI? Why or why not?

213. Do commenters agree with the Commission’s estimate of the burden for SCI entities to comply with proposed Regulation SCI? Why or why not?

214.
Would there be additional burdens, beyond those described here, associated with the collection of information under proposed Regulation SCI? Please explain.

215. How much additional burden would proposed Regulation SCI impose upon those SCI entities that already are voluntarily in compliance with existing ARP Policy Statements?

216. Would SCI entities generally perform the work required by proposed Regulation SCI internally or outsource the work?

E. Collection of Information Is Mandatory

All collections of information pursuant to the proposed rules would be a mandatory collection of information.

F. Confidentiality

To the extent that the Commission receives confidential information pursuant to the reports and submissions that SCI entities would submit under proposed Form SCI, such information would be kept confidential, subject to the provisions of applicable law.499

G. Retention Period of Recordkeeping Requirements

SCI entities would be required to retain records and information under proposed Regulation SCI for a period of not less than five years, the first two years in a place that is readily accessible to the Commission or its representatives.500

H. Request for Comments

217. Pursuant to 44 U.S.C. 3506(c)(2)(B), the Commission solicits comment to: (1) Evaluate whether the proposed collection of information is necessary for the proper performance of

499 See, e.g., 5 U.S.C. 552. Exemption 4 of the Freedom of Information Act provides an exemption for ‘‘trade secrets and commercial or financial information obtained from a person and privileged or confidential.’’ 5 U.S.C. 552(b)(4). Exemption 8 of the Freedom of Information Act provides an exemption for matters that are ‘‘contained in or related to examination, operating, or condition reports prepared by, on behalf of, or for the use of an agency responsible for the regulation or supervision of financial institutions.’’ 5 U.S.C. 552(b)(8).
500 See proposed Rule 1000(c).
the functions of the agency, including whether the information shall have practical utility; (2) evaluate the accuracy of the agency’s estimate of the burden of the proposed collection of information; (3) enhance the quality, utility, and clarity of the information to be collected; and (4) minimize the burden of collection of information on those who are to respond, including through the use of automated collection techniques or other forms of information technology.

Persons wishing to submit comments on the collection of information requirements should direct them to the Office of Management and Budget, Attention: Desk Officer for the Securities and Exchange Commission, Office of Information and Regulatory Affairs, Room 3208, New Executive Office Building, Washington, DC 20503; and should send a copy to Elizabeth M. Murphy, Secretary, Securities and Exchange Commission, 100 F Street NE., Washington, DC 20549–1090 with reference to File No. S7–01–13. OMB is required to make a decision concerning the collection of information between 30 and 60 days after publication, so a comment to OMB is best assured of having its full effect if OMB receives it within 30 calendar days of publication.

The Commission will submit the proposed collection of information to OMB for approval. Requests for the materials to be submitted to OMB by the Commission with regard to this collection of information should be in writing, refer to File No. S7–01–13, and be submitted to the Securities and Exchange Commission, Office of Investor Education and Advocacy, 100 F Street NE., Washington, DC 20549–0213.

I.
Reduced Burdens From Proposed Repeal of Rule 301(b)(6) (OMB Control Number 3235–0509)

The instant proposal also would amend Regulation ATS under the Exchange Act, by removing paragraph (b)(6) of Rule 301 thereunder.501 Removal of Rule 301(b)(6) would eliminate certain ‘‘collection of information’’ requirements within the meaning of the PRA that the Commission has submitted to OMB in accordance with 44 U.S.C. 3507 and 5 CFR 1320.11, and that OMB has approved. The approved collection of information is titled ‘‘Rule 301: Requirements for Alternative Trading Systems,’’ and has a valid OMB control number of 3235–0509.502 Some of the information collection burdens imposed by Regulation ATS would be reduced by the proposed repeal of Rule 301(b)(6). Specifically, the paperwork burdens that would be eliminated by the repeal of Rule 301(b)(6) would be: (i) Burdens on ATSs associated with the requirement to make records relating to any steps taken to comply with systems capacity, integrity and security requirements under Rule 301 (estimated to be 20 hours and $2,212); 503 and (ii) burdens on ATSs associated with the requirement to provide notices to the Commission to report systems outages (estimated to be 2.5 hours and $276.50).504

The Commission will submit the proposed amended collection of information to reflect these reductions to OMB for approval. Requests for the materials to be submitted to OMB by the Commission with regard to this collection of information should be in writing, refer to File No. S7–01–13, and be submitted to the Securities and Exchange Commission, Office of Investor Education and Advocacy, 100 F Street NE., Washington, DC 20549–0213.

501 See 17 CFR 242.301(b)(6). See also Securities Exchange Act Release No. 40760 (December 8, 1998), 63 FR 70844 (December 22, 1998) (‘‘ATS Release’’).

V. Economic Analysis

A.
Background

As discussed more fully above, the Commission believes that the convergence of several developments—the evolution of the markets to become significantly more dependent upon sophisticated automated systems (driven by regulatory developments and

502 See Rule 301: Requirements for Alternative Trading Systems OMB Control No: 3235–0509 (Rule 301 supporting statement), available at: https://www.reginfo.gov. This approval has an expiration date of February 28, 2014.
503 The Commission estimated that two alternative trading systems that register as broker-dealers and comply with Regulation ATS would trigger this requirement, and that the average compliance burden for each response would be 10 hours of in-house professional work at $316 per hour. Thus, the total compliance burden per year was estimated to be 20 hours (2 respondents × 10 hours = 20 hours). The total annualized cost burden was estimated to be $2,212 ($316 × 20 hours × 35% = $2,212). See Rule 301: Requirements for Alternative Trading Systems OMB Control No: 3235–0509 (Rule 301 supporting statement), available at: https://www.reginfo.gov.
504 The Commission estimated that two alternative trading systems that register as broker-dealers and comply with Regulation ATS would meet the volume thresholds that trigger systems outage notice obligations approximately 5 times a year, and that the average compliance burden for each response would be .25 hours of in-house professional work at $316 per hour. Thus, the total compliance burden per year was estimated to be 2.5 hours (2 respondents × 5 responses each × .25 hours = 2.5 hours). The total annualized cost burden was estimated to be $276.50 ($316 × .25 hours per response × 10 responses × 35% = $276.50). See id.
the continual evolution of technologies for generating, routing, and executing orders), the limitations of the existing ARP Inspection Program, and the lessons of recent events (as discussed in Section I.D above)—highlight the need to consider an updated and formalized regulatory framework for ensuring that the U.S. securities trading markets develop and maintain systems with adequate capacity, integrity, resiliency, availability, and security, and reinforce the requirement that SCI systems operate in compliance with the Exchange Act. The Commission is also cognizant of the comments made at the Roundtable and the comment letters submitted in connection with the Roundtable.505

Proposed Regulation SCI would codify and enhance the Commission’s ARP Inspection Program, as well as establish specific requirements to help ensure that the SCI systems of SCI entities operate in compliance with the federal securities laws and rules. Specifically, proposed Regulation SCI would require each SCI entity to establish, maintain, and enforce written policies and procedures reasonably designed to ensure that its SCI systems and, for purposes of security standards, SCI security systems, have levels of capacity, integrity, resiliency, availability, and security, adequate to maintain the SCI entity’s operational capability and promote the maintenance of fair and orderly markets, as well as written policies and procedures reasonably designed to ensure that its SCI systems operate in the manner intended, including in a manner in compliance with the federal securities laws and rules, and its own rules or governing documents, as applicable. Proposed Regulation SCI also would require SCI entities to provide certain notices and reports to the Commission on Form SCI regarding, among other things, SCI events and material systems changes.
Further, proposed Regulation SCI would require SCI entities to disseminate information to members or participants relating to dissemination SCI events and to begin taking appropriate corrective action upon any responsible SCI personnel becoming aware of an SCI event. Additionally, proposed Regulation SCI would require each SCI entity to conduct an SCI review at least annually, and submit a report of such review to the Commission, together with any response by senior management. Further, proposed Regulation SCI would require an SCI entity, with respect to its business continuity and disaster recovery plans, to require participation by designated members or participants in scheduled functional and performance testing of the operation of such plans and coordinate such testing with other SCI entities. Proposed Regulation SCI would also require SCI entities to make, keep, and preserve books and records related to compliance with Regulation SCI.

The Commission is sensitive to the economic effects of proposed Regulation SCI, including its costs and benefits.506 As discussed further below, the Commission requests comment on all aspects of the costs and benefits of the proposal, including any effects the proposed rules may have on efficiency, competition, and capital formation.

505 See supra Section I.D.

B.
Economic Baseline

As noted in Section I.A above, all registered national securities exchanges, all active registered clearing agencies, FINRA, two plan processors, one ATS, and one exempt clearing agency participate in the current ARP Inspection Program, which covers their automated systems.507 Under the ARP policy statements and through the ARP Inspection Program, these entities, among other things, are expected to establish current and future capacity estimates, conduct capacity stress tests, conduct annual reviews of whether affected systems can perform adequately in light of estimated capacity levels, and identify possible threats to the systems.508 The ARP policy statements and Commission staff letters address, among other things, independent reviews, the reporting of certain systems changes, intrusions, and outages, and the need to comply with relevant laws and rules.509

Trading volume in the securities markets has become increasingly dispersed across a broader range of market centers in recent years,510 with

506 See also supra Section III.F (requesting comment on applying proposed Regulation SCI to SB SDRs and/or SB SEFs and discussing the potential costs and benefits of applying proposed Regulation SCI to SB SDRs and/or SB SEFs).
507 As noted above, the Commission, in the ARP I Release, defined the term ‘‘automated systems’’ to refer ‘‘collectively to computer systems for listed and OTC equities, as well as options, that electronically route orders to applicable market makers and systems that electronically route and execute orders, including the data networks that feed the systems * * * [and encompasses] systems that disseminate transaction and quotation information and conduct trade comparisons prior to settlement, including the associated communication networks.’’ See supra note 12.
508 A more complete description of the history of the ARP Inspection Program is discussed in supra Section I.A.
509 The ARP policy statements and Commission staff letters are discussed in supra Section I.A.
510 See supra notes 44, 47, and 51.

ATSs accounting for a significant portion of volume.511 However, no ATSs currently meet or exceed the volume thresholds that would trigger compliance with the system safeguard requirements of Rule 301(b)(6) of Regulation ATS.512 Thus, while ATSs comprise a significant portion of consolidated volume, only one ATS currently participates in the ARP Inspection Program.513 Dark pools alone comprised approximately 13 percent of consolidated volume last spring,514 but also are not part of the ARP Inspection Program. Further, ATSs that trade fixed income securities, including municipal and corporate debt securities, and non-NMS stocks (also referred to as OTC equities) are not represented in the ARP Inspection Program and do not meet the current thresholds in Regulation ATS for the application of systems safeguard rules.

Proposed Regulation SCI would apply to SROs (including national securities exchanges,515 national securities associations, registered clearing agencies, and the MSRB 516), SCI ATSs,517 plan processors,518 and exempt clearing agencies subject to ARP.519 As such, proposed Regulation SCI would specifically cover the trading of NMS stocks, OTC equities, listed options, and debt securities. The proposed rules also would impact multiple markets for services, including the markets for trading services, listing services, regulation and surveillance services, clearing and settlement services, and market data. As indicated above, many of the entities in these service markets are currently covered by the ARP Inspection Program. Therefore, the Commission recognizes that any economic effects, including costs and benefits, should be compared to a baseline of current practices that recognizes current practices pursuant to the ARP Inspection Program and the limitations of the ARP Inspection Program discussed in Section I.C above.520

511 See supra note 50 and accompanying text.
512 See supra Section III.B.1.
513 See supra note 25 and accompanying text.
514 See Nina Mehta, Dark Pools Capture Record U.S. Volume Share, Bloomberg (March 1, 2012), available at: https://rblt.com/news_details.aspx?id=187.
515 Proposed Regulation SCI would not apply to an exchange that lists or trades security futures products that is notice-registered with the Commission as a national securities exchange pursuant to Section 6(g) of the Exchange Act, including security futures exchanges. See supra note 97 and accompanying text.
516 In 2011, the total par amount of municipal securities traded was approximately $3.3 trillion in approximately 10.4 million trades. See MSRB 2011 Fact Book at 8–9, available at: https://www.msrb.org/msrb1/pdfs/MSRB2011FactBook.pdf.
517 See supra Section III.B.1 for the discussion of SCI ATSs.
518 In addition, the Commission is soliciting comment on whether, and if so how, proposed Regulation SCI should apply to SB SDRs and/or SB SEFs. See supra Section III.F.
519 See supra Section III.B.1 for the discussion of exempt clearing agencies subject to ARP.

In addition to the ARP Inspection Program, Commission staff has provided guidance to ARP entities on certain aspects of the ARP Inspection Program (e.g., in the 2001 Staff ARP Interpretive Letter).521 Further, Commission staff has provided guidance on issues outside the current scope of the ARP Inspection Program (e.g., in the 2009 Staff Systems Compliance Letter), but that are proposed to be addressed by Regulation SCI.522

Below, the Commission provides information on the current practices related to the types of market events addressed by proposed Regulation SCI, including, where available, information the Commission may have on the frequency of such events.
In addition, the Commission describes why each relevant service market may not be structured in a way as to create a competitive incentive to prevent the occurrence of these market events.523

520 See also supra Section I.A for the discussion of the current scope of the ARP Inspection Program. The Commission acknowledges that, to the extent current practices of SCI entities have been informed by the ARP policy statements, such practices have not been subject to a cost-benefit analysis and that the discussion herein considers only the incremental costs and benefits (i.e., compared to current practices).
521 See 2001 Staff ARP Interpretive Letter, supra note 35.
522 See 2009 Staff Systems Compliance Letter, supra note 36.
523 The Commission compares current practices to each of the proposed rules in infra Section V.B.3.

1. SCI Events

a. Systems Disruptions

Currently, market participants employ a variety of measures to avoid systems disruptions for a variety of reasons, including to maintain competitive advantages, to provide optimal service to members with access to the trading and/or other services provided by the entity, to comply with legal obligations and, where applicable, to participate in the ARP Inspection Program. The range of such measures is possibly highly variable among SCI entities and within the systems employed by SCI entities. For example, matching engines are likely accorded high priority given the importance of low latency in trading. Industry standards are not codified for such entities and systems, except such as in an entity’s rulebook or subscriber agreement. Typically, however, market participants follow industry standards and take measures that include weekend system testing and internal performance monitoring.
When system disruptions do occur, market participants take corrective action in the interest of remaining competitive, to provide optimal service, and to comply with legal obligations. To place the effectiveness of the current ARP Inspection Program in perspective, there were approximately 175 ARP incidents reported to the Commission in 2011. These incidents had durations ranging from under one minute to 24 hours, with most incidents having a duration of less than 2 hours. As noted above, the Commission believes that clearing systems and matching engines generally are given greater priority than other systems at SCI entities with regard to corrective action. In addition, the Commission believes that SCI entities that currently participate in the ARP Inspection Program strive to adhere to the next business day resumption standard for trading and two-hour resumption standard for clearance and settlement services, standards which the proposed rule would codify for all SCI entities. As discussed in Section I.A, participation in the ARP Inspection Program entails, among other things, conducting annual assessments of affected systems, providing notifications of significant system changes to the Commission, and reporting significant system outages to the Commission. Further, Commission staff has provided guidance to the SROs and other participants in the ARP Inspection Program on what should be considered a ‘‘significant system change’’ and a ‘‘significant system outage’’ for purposes of reporting systems changes and problems to Commission staff.524 As such, the Commission believes that entities that currently participate in the ARP Inspection Program have certain processes for determining whether a systems change or outage is ‘‘significant.’’ Specifically, the 2001 Staff ARP Interpretive Letter sets forth the types of outages and changes that should be reported to the Commission and the timing of reporting. 
Also, as discussed below, the ARP policy statements are focused on automated systems. Specifically, entities that participate in the ARP Inspection Program follow the ARP policy statements with respect to systems that directly support trading, clearance and settlement, order routing, and market data. While generally only trading, clearance and settlement, order routing, and market data systems follow the guidelines in the ARP policy statements, ARP staff inspects all the categories of systems that are included in the proposed definition of ‘‘SCI systems.’’ 525 However, ARP staff generally inspects systems that are not directly related to trading, clearance and settlement, order routing, or market data only if they detect red flags.

524 See supra note 35.

As discussed above, the ARP Inspection Program has garnered participation by all active registered clearing agencies, all registered national securities exchanges, FINRA, plan processors, one ATS, and one exempt clearing agency.526 Specifically, the Commission estimates that there are currently 29 SCI entities that are participants in the ARP Inspection Program.527 As noted, there were approximately 175 ARP incidents reported to the Commission in 2011. Although some entities provide the public with notices of outages,528 others may choose otherwise and are not required to do so.

Further, as discussed above, pursuant to Rule 301(b)(6) of Regulation ATS, certain aspects of the ARP policy statements apply to ATSs that meet the thresholds set forth in that rule.529 Currently, no ATSs meet such thresholds and, as such, none are required by Commission rule to implement systems safeguard measures. The Commission recognizes that it is in the interest of every market participant that does not participate in the ARP Inspection Program to try to avoid systems disruptions.
Specifically, the Commission understands that generally, ATSs, like entities that currently participate in the ARP Inspection Program, employ a variety of measures to avoid systems disruptions, including systems testing, performance monitoring, and the use of fail-over back-up systems. In fact, one ATS currently voluntarily participates in the ARP Inspection Program.530

525 See supra Section III.B.2.
526 See supra Section I.A.
527 See supra note 368.
528 See e.g., NYSE Market Status, available at: https://usequities.nyx.com/nyse/market-status; NYSE Amex Options Outage Update, available at: https://www.nyse.com/pdfs/Trader_Update_Amex_Outage_0928.pdf; and NYSE Arca, Recap: Exchange Outage on Monday Morning March 7, 2011, available at: https://www.nyse.com/pdfs/2011037ExchangeOutageNotice.pdf.
529 Specifically, Rule 301(b)(6) of Regulation ATS applies to ATSs that, during at least four of the preceding six months, had: (A) With respect to any NMS stock, 20 percent or more of the average daily volume reported by an effective transaction reporting plan; (B) with respect to equity securities that are not NMS stocks and for which transactions are reported to a self-regulatory organization, 20 percent or more of the average daily volume as calculated by the self-regulatory organization to which such transactions are reported; (C) with respect to municipal securities, 20 percent or more of the average daily volume traded in the United States; or (D) with respect to corporate debt securities, 20 percent or more of the average daily volume traded in the United States. See 17 CFR 242.301(b)(6)(i).

However, inasmuch as the ARP Inspection Program and the testing done and other measures taken by those entities that participate in the program have been beneficial to the industry, the systems of SCI entities could still be improved.
For example, contingency planning in preparation of catastrophic events has not been fully adequate, as evidenced in the wake of Superstorm Sandy, when an extended shutdown of the equities and options markets resulted from, among other things, the exchanges’ belief regarding the inability of some market participants to adequately operate from the backup facilities of all market centers.531 Although testing protocols were in place and the chance to participate in such testing was available, not all members or participants participated in such testing.532 Proposed Regulation SCI would require that designated members or participants of an SCI entity participate in scheduled functional and performance testing of the operation of the SCI entity’s business continuity and disaster recovery plans, including its backup systems, and further require that SCI entities coordinate the testing of such plans on an industry- or sector-wide basis with other SCI entities. The Commission preliminarily believes that these proposed requirements would mitigate the chances of similar disruptions in the future.533

b. Systems Compliance Issues

Currently, systems compliance issues (as proposed to be defined in Rule 1000(a)) are not covered by the ARP Inspection Program. However, national securities exchanges are subject to Section 6(b) of the Exchange Act, which requires an exchange to be organized and to have the capacity to carry out the purposes of the Exchange Act and to comply with the provisions of the Exchange Act, the rules and regulations thereunder, and its own rules.534 FINRA is subject to Section 15A(b) of the Exchange Act, which requires a national securities association to be organized and have the capacity to carry out the purposes of the Exchange Act and to comply with the provisions of the

530 See supra note 91.
531 See supra Section I.D; see also supra Section III.C.7.
532 See supra Section I.D. In addition, the Commission understands that the scope of testing was limited.
533 See proposed Rule 1000(b)(9); see also supra Section III.C.7.
534 See 15 U.S.C. 78f(b).

Exchange Act, the rules and regulations thereunder, the MSRB rules, and its own rules.535 Further, an ATS could face Commission sanctions if it fails to comply with relevant federal securities laws and rules and regulations thereunder.

Events such as those described above have recently drawn attention to systems compliance issues.536 In part due to the fact that systems compliance issues are not part of the ARP Inspection Program, the Commission does not receive comprehensive data regarding such issues and, thus, their incidence cannot be concretely quantified. However, based on Commission staff’s experience with SROs and the rule filing process, the Commission estimates that there are likely approximately seven systems compliance issues per SCI entity per year.

c. Systems Intrusions

In ARP I, the Commission stated its view that SROs should promptly notify Commission staff of any instances in which unauthorized persons gained or attempted to gain access to SRO systems.537 Market participants employ a wide variety of measures to prevent and respond to systems intrusions. Generally, market participants use measures such as firewalls to prevent systems intrusions, and use detection software to identify systems intrusions. Once an intrusion has been identified, the affected systems typically would be isolated and quarantined, and forensics would be performed. Several SCI entities have been the subject of security issues in recent years.538 The Commission believes that, currently, these events are rarely revealed to the public or to the members or participants of SCI entities.

2. Potential for Market Solutions

This section discusses potential market solutions and their shortcomings.
Various SCI and non-SCI entities offer and compete to provide services in markets for trading services, listing services, regulatory services, clearance and settlement services, and market data. The markets for each of these services are regulated and competitive, which may make it difficult to determine if markets are functioning well due to competitive pressure or regulation, and how much can be attributed to each. However, there are limitations to such competition and following is a discussion of some limitations that are common to all of these markets. Notwithstanding what may be the limitations to competition in each of these markets, the Commission is also mindful, in evaluating whether, and if so, how, to regulate in this space, of the need to craft rules that appropriately take into account the tradeoffs between the resulting costs and benefits, and the effects on efficiency, competition, and capital formation, that would accompany such regulation.
535 See 15 U.S.C. 78o–3(b).
536 See, e.g., supra notes 62–63 and accompanying text.
537 See ARP I, supra note 1. See also text accompanying supra note 17.
538 For example, as discussed above, in February 2011, NASDAQ OMX Group, Inc. announced that hackers had penetrated certain of its computer networks. See supra note 61 and accompanying text.
Market participants may be unaware when SCI events disrupt transactions due to, for example, a lack of timely and consistently disseminated information about SCI events. First, providers of services that experience SCI events may lack the incentive to disclose such events. Second, other providers of services may choose to not publicly comment on the identity of providers who experienced SCI events.539 For example, providers of trading services may choose not to point to other providers because the next SCI event may occur on their own systems.
In addition, a person or entity pointing at other providers may be exposed to litigation risks. While some SCI events may not directly impact markets, they are still an indication of the risk of SCI events at a given SCI entity. It is likely that market participants assume that services operate as promised until an SCI event occurs. Reputation and good experiences with a trading venue may cause market participants to trust its effectiveness. In the absence of problems, however, a system may be assumed to be fully functional. Once a problem occurs, market participants will update their prior assumptions and should correctly infer that the system is not as robust as previously believed. Moreover, in the case of SCI events that disrupt the entire market or large portions of it (e.g., the data outages during the flash crash on May 6, 2010), all providers of trading services may be affected at the same time and, as a result, market participants may find it challenging to identify service providers with lower risks of such SCI events.
539 The Commission notes, however, that certain providers of trading services do provide public disclosure of systems issues at another provider. For example, when one trading venue perceives that a second venue is non-responsive when orders are routed to that second venue, the first venue will declare self-help under Rule 611 of Regulation NMS, which permits the first venue to cease to route orders to the second venue in certain instances. Certain trading venues would provide public notification of self-help. See, e.g., NASDAQ Market System Status, available at: https://www.nasdaqtrader.com/Trader.aspx?id=MarketSystemStatus.
In light of the foregoing, members and participants of SCI entities would be important recipients of information disseminated about SCI events because they are the parties who would most naturally need, want, and be able to act on the information and, where applicable, share such disseminated information to other interested market participants, as discussed further below.
a. Market for Trading Services
Trading services are offered by entities that would meet the definition of SCI entity, including equities exchanges, options exchanges, and SCI ATSs, as well as by entities that would not be included in the proposed definition of SCI entity, such as ATSs that are not SCI ATSs, OTC market makers, and broker-dealers. As discussed above in Section I.B, there are currently 13 national securities exchanges that trade equity securities, with none having an overall market share of greater than 20 percent.540 There are currently 11 national securities exchanges that trade options.541 Of these exchanges, CBOE, ISE, and Nasdaq OMX Phlx have the most significant market share.542 ATSs—both ECNs and dark pools—as well as OTC market makers and broker-dealers also execute substantial volumes of stocks and bonds.543
540 See supra note 47 and accompanying text. These national securities exchanges are: BATS; BATS–Y; CBOE; CHX; EDGA; EDGX; Nasdaq OMX BX; Nasdaq OMX Phlx; Nasdaq; NSX; NYSE; NYSE MKT; and NYSE Arca.
541 These national securities exchanges are: BATS Exchange Options Market; BOX; C2; CBOE; ISE; MIAX; NASDAQ Options Market; Nasdaq OMX BX Options; Nasdaq OMX Phlx; NYSE Amex Options; and NYSE Arca.
542 Specifically, during 2012, CBOE had 26.46% of the market share, Nasdaq OMX Phlx had 19.77%, and ISE had 15.78%. Calculated using data regarding number of contracts traded from Options Clearing Corporation, available at: https://www.theocc.com/market-data/volume/.
543 As discussed above in Section III.B.1, the Commission estimates that the proposed definition of ‘‘SCI entity’’ would capture approximately 15 SCI ATSs (10 SCI ATSs in NMS stocks, two SCI ATSs in non-NMS stocks, and three SCI ATSs in municipal securities and corporate debt securities).
With respect to the competitive nature of the market for trading services, as well as the limitations to the competitive effects, all providers of trading services compete and have incentives to avoid systems disruptions, systems compliance issues, and systems intrusions because, for example, brokers and other entities will be inclined to route orders away from trading venues that have frequent systems problems. Indeed, trading service providers expend resources to provide quality services and attempt to mitigate systems disruptions, systems compliance issues, and systems intrusions; however, it is not clear how to distinguish between efforts attributable to competitive pressures, rather than existing legal requirements and regulatory programs such as the ARP Inspection Program.544 The Commission recognizes that there may be limits with respect to the extent to which competition ameliorates systems problems associated with trading services. However, the Commission remains mindful of the need to craft rules that appropriately take into account the tradeoffs between the costs and benefits, and the effects on efficiency, competition, and capital formation, associated with any such rules. The Commission preliminarily believes that it is important for SCI entity members or participants to know about risks for SCI events at a given service provider. As discussed above, if information about SCI events is not disseminated to members or participants of SCI entities or are not attributable to specific SCI entities, market participants may misjudge the quality of trading services or otherwise make decisions without fully accounting for such risks.
Furthermore, as evidenced by the extended shutdown of the equities and options markets that resulted from, among other things, the exchanges’ belief regarding the inability of some market participants to adequately operate from the backup facilities of all market centers, contingency planning has not been adequate to help prevent market-wide outages.545 For example, as noted above, the NYSE offered its members the opportunity to participate in testing of its backup systems, but not all members chose to participate in such testing, and the Commission understands that the scope of the test was limited.546 In addition, even though there are multiple trading venues, suppliers of trading services may have limited ability to transact in particular securities (e.g., certain index options may only trade on one options exchange). As a result, competition in the market for trading services may not sufficiently mitigate the occurrence of SCI events, and there may be insufficient disclosure of information regarding the quality of trading services offered by SCI entities.
544 See also supra Section V.B.1, noting the various reasons why SCI entities currently take action to address systems problems.
545 See supra Section I.D.
546 See supra Section I.D. See also supra notes 83 and 532 and accompanying text.
b. Market for Listing Services
Certain SCI entities are in the market for listing services. In this market, exchanges compete to list issuers to collect listing fees and to provide ancillary services to listed companies. The NYSE and Nasdaq are the largest U.S. exchanges in terms of the number of equity securities listed, with the NYSE and Nasdaq serving as the listing market for 3,262 and 2,691 securities, respectively, as of February 4, 2013.547 U.S. exchanges face competition from other U.S. exchanges and from non-U.S. exchanges. Competition for listings may be limited by many factors.
With respect to the limitations of competitive forces in the market for listing services, first, while a company can be listed on a certain exchange, trading does not necessarily occur on that exchange. In fact, the majority of trading occurs away from the listing exchange in today’s U.S. equities markets.548 Second, there are switching costs associated with moving a listing from one exchange to another, which may cause issuers to remain at their current exchange, even in response to the occurrence of some SCI events. Third, certain exchanges also may be considered more ‘‘prestigious’’ than others and, to this extent, they may wield market power over other exchanges when competing for issuers. As a result, these exchanges may not be properly incentivized to provide the level of service they otherwise might if they were subject to greater competition. Members and participants of SCI entities that serve as underwriters to issuers would be important recipients of information disseminated by SCI entities about dissemination SCI events, particularly if they share such information with issuers making listing decisions.
547 See NASDAQ Company List, available at: https://www.nasdaq.com/screening/companylist.aspx, for the list of companies listed on NYSE and NASDAQ.
548 See BATS Market Volume Summary, available at: https://www.batstrading.com/market_summary/ (displaying the dispersion of trading in equity securities, which indicates that trading occurs away from listing exchanges).
c. Market for Regulation and Surveillance Services
Regulation and surveillance are required by statutes and rules and, therefore, all regulated market participants (e.g., exchanges or ATSs) have a demand for regulation and surveillance services. Suppliers in this market may be in-house or third parties, and potentially include all of the exchanges and FINRA. Because of regulatory services agreements (‘‘RSAs’’) between FINRA and several national securities exchanges, as of February 2011, FINRA’s Market Regulation Department was responsible for surveillance of 80 percent of the trading volume in U.S. equity markets and 35 percent of the volume in U.S. options markets.549 Also, in 2011, BATS and BATS–Y entered into RSAs with CBOE as the supplier.550 On the other hand, some exchanges have not entered into RSAs. There are other regulatory services arrangements in addition to RSAs. For example, in 2008, the Commission declared effective a plan for allocating regulatory responsibilities pursuant to Rule 17d–2,551 which among other things, allocated regulatory responsibility for the surveillance, investigation, and enforcement of Common Rules 552 over Common NYSE Members,553 with respect to NYSE–listed stocks and NYSE Arca–listed stocks, to NYSE and over Common FINRA Members,554 with respect to NASDAQ–listed stocks, Amex–listed stocks, and any CHX solely–listed stock, to FINRA.555
With respect to limitations of competition that are specific to the market for regulatory and surveillance services, if investors, issuers, or other market participants become aware of SCI events by virtue of the members or participants of SCI entities sharing information they have received about dissemination SCI events, and such information suggests that an SRO has low-quality regulation and surveillance, they may avoid such venues since they may feel that their interests are not being adequately protected. In the case of an RSA, there is competition among providers of such services because the user of the service can enter into a contract with a different provider. An SRO that purchases regulatory and surveillance services pursuant to an RSA retains the ultimate responsibility and liability for its self-regulatory obligations, and has an interest in seeking a service provider that would provide a high level of regulatory and surveillance services.556 Since the purchaser of these services could face Commission sanctions and experience damages to their reputation for violations resulting from inadequate regulation and surveillance, providers of these services may have the incentive to ensure that they provide a high level of service. A factor that limits competition in this market is that it is highly concentrated. As noted above, FINRA accounts for the surveillance of 80 percent of trading volume in U.S. equity markets and, although any SRO could potentially be a provider of such services, not all choose to do so, and thus there may not be many alternatives for RSAs. With respect to the market for Rule 17d–2 plans, the Commission recognizes that the level of competition may be limited, as Rule 17d–2 was intended to address regulatory duplication for broker-dealers that are members of more than one SRO, and one of which is usually FINRA.
549 See FINRA 2011 Annual Regulatory and Examination Priorities Letter (February 8, 2011), available at: https://www.finra.org/web/groups/industry/@ip/@reg/@guide/documents/industry/p122863.pdf.
550 See BATS Global Markets, Inc., Amendment No. 5 to Form S–1, dated March 21, 2012 (Registration No. 333–174166).
551 See Securities Exchange Act Release No. 58536 (September 12, 2008), 73 FR 54646 (September 22, 2008). See also 17 CFR 240.17d–2 (permitting SROs to propose joint plans for the allocation of regulatory responsibilities with respect to their common members).
552 Such rules include federal securities laws and rules promulgated by the Commission pertaining to insider trading, and the rules of the plan participants that are related to insider trading as provided on Exhibit A to a Rule 17d–2 Plan. See Agreement for the Allocation of Regulatory Responsibility of Surveillance, Investigation and Enforcement for Insider Trading pursuant to § 17(d) of the Securities Exchange Act of 1934, 15 U.S.C. § 78q(d), and Rule 17d–2 thereunder.
553 Common NYSE Members include those who are members of the NYSE and of at least one of the plan participants. See id.
554 Common FINRA Members include those who are members of FINRA and of at least one of the plan participants. See id.
555 Participants in this plan are: BATS, BATS–Y, CBOE, CHX, EDGA, EDGX, FINRA, Nasdaq OMX BX, Nasdaq OMX Phlx, Nasdaq, NSX, NYSE, NYSE Amex, and NYSE Arca. See id. In January 2011, this Rule 17d–2 plan was amended as a result of an agreement under which FINRA assumed the responsibility for performing the market surveillance and enforcement functions previously conducted by NYSE Regulation for its U.S. equities and options markets. Under the plan, FINRA charges participants a fee for the performance of regulatory responsibilities. See Securities Exchange Act Release No. 63750 (January 21, 2011), 76 FR 4948 (January 27, 2011). There are other types of Rule 17d–2 plans, including multilateral and bilateral plans. While other SROs perform some regulatory functions under the options-related market surveillance and Regulation NMS multiparty 17d–2 plans, FINRA provides the bulk of services under all other 17d–2 plans.
556 In contrast to an RSA, under Rule 17d–2(d) under the Exchange Act, ‘‘[u]pon the effectiveness of such a plan or part thereof, any self-regulatory organization which is a party to the plan shall be relieved of responsibility as to any person for whom such responsibility is allocated under the plan to another self-regulatory organization to the extent of such allocation.’’ 17 CFR 240.17d–2(d).
d. Market for Clearance and Settlement Services
Certain SCI entities are in the market for clearance and settlement services. There are seven registered clearing agencies with active operations—DTC, FICC, NSCC, OCC, ICE Clear Credit, ICE Clear Europe, and CME 557—as well as one exempt clearing agency.558 An SCI event in this market could have very disruptive and widespread effects on the financial markets. Because each clearing agency has a critical role in the operation of a particular product market, clearing agencies may already have heightened incentives to ensure that their systems have adequate levels of capacity, integrity, resiliency, availability, and security.559 At the same time, one of the major impediments to competition in this market is that it is highly concentrated in particular classes of securities (e.g., equities or options). This may limit incentives for clearing agencies to have levels of capacity, integrity, resiliency, availability, and security that are appropriate for their role in the securities market. Thus, for the market for clearance and settlement services, it is especially important for the Commission and clearing agency participants to have current and accurate information about SCI events to help ensure that the clearing agencies are properly incentivized to provide high-quality service.
e. Market for Market Data
Finally, certain SCI entities provide market data. There are two different types of market data, namely consolidated data and proprietary data.
As discussed above, when Congress mandated a national market system in 1975, it emphasized that the systems for collecting and distributing consolidated market data would ‘‘form the heart of the national market system.’’ 560 Moreover, the Commission has identified certain benefits of consolidated market data, including providing the public with access to a comprehensive, accurate, and reliable source of information for NMS stocks.561 One of the Commission’s primary concerns is that the market for consolidated data functions properly. Market data is a critical part of the investment and trading process.562 The data is needed for pre- and post-trade transparency and allows market participants to make well-informed investment and trading decisions.563 Indeed, based on Commission staff experience, the Commission understands that many trading algorithms make trading decisions based primarily on market data and rely on that data being current and accurate. An SCI event in connection with market data could significantly disrupt markets.564
557 As noted above, active registered clearing agencies are part of the current ARP Inspection Program. See supra note 95 and accompanying text.
558 As noted above, Omgeo is part of the current ARP Inspection Program. See supra notes 133–135 and accompanying text.
559 See generally 2003 Interagency White Paper, supra note 31.
560 See Concept Release on Equity Market Structure, supra note 42, at 3600 (quoting H.R. Rep. No. 94–229, 94th Cong., 1st Sess. 93 (1975)).
561 See supra note 187 and accompanying text.
562 See supra notes 187–189 and accompanying text.
The process of collecting and disseminating consolidated quotation and transaction data is governed by the SCI plans. For securities listed on Nasdaq, data distribution is governed by the Nasdaq UTP Plan. For securities listed on NYSE, NYSE Amex, and several other exchanges, data distribution is governed by the CTA Plan and the CQS Plan.
For options, data distribution is governed by the OPRA Plan. These SCI plans also oversee the collection of fees for access to the consolidated data network, and the allocation of the resulting revenue across the exchanges. Currently, there are two entities designated as plan processors by SCI plans—SIAC and Nasdaq.565 Due to the extreme concentration in the market segment for consolidated data, there is virtually no competition between SCI plan processors which could lead to little incentive in ensuring a high-quality product with minimal disruptions.
3. Proposed Regulation SCI and Its Impact on Current Practices
Proposed Regulation SCI would be a codification and enhancement of the current ARP Inspection Program. As discussed further below with respect to each of the proposed rules, proposed Regulation SCI would: (A) Be mandatory and codify many aspects of the ARP policy statements; (B) expand the scope of the ARP policy statements to other types of systems and event types; and (C) expand the scope of the ARP Inspection Program to other types of entities.
563 See id.
564 For example, on January 3, 2013, Nasdaq reported that its securities information processor (which is the plan processor of the CQS Plan, an SCI plan) experienced ‘‘an issue with stale data,’’ which lasted approximately 10 to 15 minutes. See https://www.nasdaq.com/article/update-tradersreport-technical-issue-involving-nasdaq-listedsecurities-20130103-01046#.URutFaVEHmd. See also https://www.reuters.com/article/2013/01/03/exchanges-data-outage-idUSL1E9C3DQL20130103. As a result, last sale and quotation data was not available for Nasdaq-listed (‘‘Tape C’’) securities during that time. See id. Although proprietary data feeds were available, only subscribers receiving such feeds could continue trading with current market data during the outage. Market centers EDGA and EDGX temporarily suspended trading in all Tape C securities in response to the outage. See id.
565 See supra note 131.
With respect to different types of systems, as discussed in more detail above, the ARP policy statements are focused on automated systems.566 Specifically, entities that participate in the ARP Inspection Program follow the ARP policy statements with respect to systems that directly support trading, clearance and settlement, order routing, and market data.567 Proposed Regulation SCI, on the other hand, would apply to more types of systems than the ARP policy statements. As discussed above, in addition to the systems covered by the ARP Inspection Program, the proposed definition of ‘‘SCI systems’’ would also include systems that directly support regulation and surveillance that are not currently part of the ARP Inspection Program. Further, the provisions of proposed Regulation SCI relating to security standards and systems intrusions would also apply to ‘‘SCI security systems,’’ which would be defined to mean any systems that share network resources with SCI systems that, if breached, would be reasonably likely to pose a security threat to SCI systems. Additionally, while the ARP Inspection Program and proposed Regulation SCI both cover certain types of systems disruptions 568 and systems intrusions,569 proposed Regulation SCI also would cover systems compliance issues. Finally, the ARP Inspection Program includes 29 participants that are SCI entities, consisting of 17 registered national securities exchanges, seven registered clearing agencies, FINRA, two plan processors, one ATS, and one exempt clearing agency.
566 See supra Section I.A for more discussion of the ARP policy statements and the ARP Inspection Program. According to ARP I, the term ‘‘automated systems’’ or ‘‘automated trading systems’’ means computer systems for listed and OTC equities, as well as options, that electronically route orders to applicable market makers and systems that electronically route and execute orders, including the data networks that feed the systems. The term ‘‘automated systems’’ also encompasses systems that disseminate transaction and quotation information and conduct trade comparisons prior to settlement, including the associated communication networks. Moreover, ARP I states that because lack of adequate communications capacity can be as damaging to the overall performance of an exchange during peak periods as poorly designed order processing, capacity tests of the data networks that feed the computer systems also should be conducted. See ARP I, supra note 1, at n.21.
567 While generally only trading, clearance and settlement, order routing, and market data systems follow the guidelines in the ARP policy statements, ARP staff inspects all the categories of systems that are included in the proposed definition of ‘‘SCI systems.’’ However, ARP staff generally inspects systems that do not directly support trading, clearance and settlement, order routing, or market data only if staff detects red flags.
568 See 2001 Staff ARP Interpretive Letter, supra note 35. See also supra Section III.B.3.a for a discussion of the differences between the definition of ‘‘significant system outage’’ as used currently in the ARP Inspection Program and the proposed definition of ‘‘systems disruption.’’
569 See ARP I, supra note 1, at 48707 (referring to instances where unauthorized persons gained or attempted to gain access to systems). Proposed Rule 1000(a) would define ‘‘systems intrusion’’ to mean any unauthorized entry into the SCI systems or SCI security systems of the SCI entity.
Because no ATSs currently satisfy the thresholds in Rule 306(b)(6)(i) of Regulation ATS, no ATSs currently are subject to the systems safeguard requirements of Regulation ATS 570 although, as noted above, one ATS voluntarily participates in the ARP Inspection Program. Proposed Regulation SCI would include all of the entities currently under the ARP Inspection Program. With respect to ATSs, proposed Regulation SCI would include an estimated 10 SCI ATSs in NMS stocks, an estimated two SCI ATSs in non-NMS stocks, an estimated three SCI ATSs in municipal securities and corporate debt securities, and one SRO (i.e., the MSRB). Proposed Rules 1000(b)(4) and (b)(5) would require, respectively, that all SCI events be reported to the Commission, and that information relating to dissemination SCI events be disseminated to members or participants of an SCI entity. Proposed Rule 1000(a) would define a dissemination SCI event to mean an SCI event that is a: (1) Systems compliance issue; (2) systems intrusion; or (3) systems disruption that results, or the SCI entity reasonably estimates would result, in significant harm or loss to market participants. Under the ARP Inspection Program, only ‘‘significant’’ outages should be reported to the Commission, and there are no quantitative standards to define ‘‘significant’’ outage. Similarly, proposed Regulation SCI would not specify a quantitative standard for immediate notification SCI events or dissemination SCI events. Instead, immediate notification SCI events would include any systems disruption that the SCI entity reasonably estimates would have a material impact on its operations or on market participants, any systems compliance issue, and any systems intrusion. With respect to dissemination SCI events, certain information about all systems compliance issues and systems intrusions would be required to be disseminated to members or participants, although information about systems intrusions in some cases could be delayed. 
Systems disruptions would also be dissemination SCI events, however, only if they result, or the SCI entity reasonably estimates would result, in significant harm or loss to market participants.
570 See 17 CFR 242.301(b)(6).
Proposed Rule 1000(b)(1) (Capacity, Integrity, Resiliency, Availability, and Security) addresses the capacity, integrity, resiliency, availability, and security of the systems of SCI entities. Rule 1000(b)(1) would require an SCI entity to establish, maintain, and enforce written policies and procedures reasonably designed to ensure that its SCI systems and, for purposes of security standards, SCI security systems, have levels of capacity, integrity, resiliency, availability, and security, adequate to maintain the SCI entity’s operational capability and promote the maintenance of fair and orderly markets. Proposed Rule 1000(b)(1)(i) would further require that an SCI entity’s policies and procedures include the establishment of reasonable current and future capacity planning estimates, periodic capacity stress tests, a program to review and keep current systems development and testing methodology, regular reviews and testing of such systems, including backup systems, business continuity and disaster recovery plans, and standards that result in systems that facilitate the successful collection, processing, and dissemination of market data.
The items in proposed Rule 1000(b)(1)(i)(A)–(E) are the same as those in the ARP Inspection Program and Rule 301(b)(6) of Regulation ATS.571 Proposed Rule 1000(b)(1)(ii) would further provide that an SCI entity’s policies and procedures would be deemed to be reasonably designed if they are consistent with current SCI industry standards.572 The Commission preliminarily believes that SCI entities would be familiar with such standards because they would be required to be widely available for free to information technology professionals in the financial sector, and must be issued by an authoritative body that is a U.S. governmental entity or agency, association of U.S. governmental entities or agencies, or widely recognized organization.573 As noted above, compliance with the identified SCI industry standards would not be the exclusive means to comply with the requirements of proposed Rule 1000(b)(1).
571 See supra Section III.C.1 for a detailed discussion of proposed Rule 1000(b)(1), including comparisons to the provisions of the ARP Inspection Program.
572 See proposed Rule 1000(b)(1)(ii).
573 See infra text commencing at note 630, discussing examples of SCI industry standards that may originate from NIST publications and/or other publications listed in Table A, and the potential costs they may impose on SCI entities.
Proposed Rule 1000(b)(2)(i) (Systems Compliance) is not currently part of the ARP Inspection program and would require each SCI entity to establish, maintain, and enforce written policies and procedures reasonably designed to ensure that its SCI systems operate in the manner intended, including in a manner that complies with the federal securities laws and rules and regulations thereunder and the entity’s rules and governing documents, as applicable.574 Proposed Rule 1000(b)(3) (Corrective Action) would require that, upon any responsible SCI personnel becoming aware of an SCI event, an SCI entity begin to take appropriate corrective action. The Commission understands that market participants already take steps to address systems issues should they occur, but preliminarily believes that proposed Rule 1000(b)(3) may result in SCI entities incurring additional information technology costs, primarily because proposed Rule 1000(b)(3) requires each SCI entity, upon any responsible SCI personnel becoming aware of an SCI event, to begin to take appropriate corrective action. Thus, SCI entities would not be able to delay the start of taking corrective action, which in turn could result in some SCI entities potentially seeking to, for example, update their systems with newer technology earlier than they might have otherwise. As these increased costs would likely occur primarily as a result of SCI entities making usual and customary investments sooner than they would otherwise, these costs are difficult to quantify. Proposed Rule 1000(b)(4) (Commission Notification) would require that an SCI entity notify the Commission of all SCI events. 
Proposed Rule 1000(b)(4) would apply to more entities, systems, and types of systems issues than the ARP policy statements (or the 2001 Staff ARP Interpretive Letter) and also require more detailed reporting to the Commission.575

Proposed Rule 1000(b)(5) (Dissemination of Information to Members or Participants) would require an SCI entity to disseminate information relating to dissemination SCI events to members or participants. Proposed Rule 1000(b)(5) would impose a new requirement that is not currently part of the ARP Inspection Program. As noted above in Section V.B.1.a, some entities provide their members or participants with notices of outages currently. However, although proposed Rule 1000(b)(5) would permit information regarding some systems intrusions to be delayed,576 the Commission expects that dissemination of information to members or participants about dissemination SCI events would increase significantly.

574 However, as noted above in Section V.B.1.b, SCI entities are already required to comply with relevant laws and rules.
575 See discussion of proposed Rule 1000(b)(4) in supra Section III.C.4. In addition, proposed Rule 1000(d) would require, with limited exception, that any written notification, review, description, analysis, or report to the Commission be submitted electronically on Form SCI.

With respect to proposed Rule 1000(b)(6) (Material Systems Changes), while entities may voluntarily submit similar material systems change notifications to the Commission under the ARP Inspection Program, proposed Regulation SCI would set forth more detailed requirements.577 Proposed Rule 1000(b)(6) would require an SCI entity to notify the Commission of planned material systems changes on proposed Form SCI at least 30 calendar days in advance of such change, unless exigent circumstances exist or information previously provided to the Commission regarding a planned material systems change has become materially inaccurate, necessitating notice regarding a material systems change with less than 30 calendar days’ notice.

Proposed Rule 1000(b)(7) (SCI Review) would require an SCI entity to conduct an SCI review of its compliance with Regulation SCI at least annually, and submit a report of the SCI review to senior management of the SCI entity for review no more than 30 calendar days after completion of the SCI review. Because systems reviews have always been part of the ARP Inspection Program, the Commission believes that most SCI entities currently undertake annual systems reviews, reports of which the Commission understands are reviewed by senior management. The Commission believes, however, that the scope of the systems review undertaken by ARP entities, and senior management involvement in such reviews, varies among ARP entities. The Commission expects that proposed Regulation SCI, which defines the parameters of an SCI review, would foster greater consistency in the approach that SCI entities take with respect to systems reviews.

Proposed Rule 1000(b)(8) (Reports) would require an SCI entity to submit various reports to the Commission. Specifically, proposed Rule 1000(b)(8)(i) would require an SCI entity to submit a report of the SCI review required by proposed Rule 1000(b)(7), together with any response by senior management, within 60 calendar days after its submission to senior management of the SCI entity. Proposed Rule 1000(b)(8)(ii) would require an SCI entity to submit a report, within 30 calendar days after the end of June and December of each year, containing a summary description of the progress of any material systems change during the six-month period ending on June 30 or December 31, as the case may be, and the date, or expected date, of completion of implementation of such changes. Such reports to be filed with the Commission pursuant to proposed Rule 1000(b)(8) would be required to be filed electronically on Form SCI. Proposed Rule 1000(b)(8) would codify current practice under the ARP Inspection Program, in which ARP entities submit reports of systems reviews and report progress on material systems changes to ARP staff. However, proposed Rule 1000(b)(8) would specify a more detailed process for submission of such reports.

Proposed Rule 1000(b)(9) (SCI Entity Business Continuity and Disaster Recovery Plans Testing Requirements for Members or Participants) is not part of the current ARP Inspection Program and would require an SCI entity, with respect to its business continuity and disaster recovery plans, including its backup systems, to require participation by designated members or participants in scheduled functional and performance testing of the operation of such plans, in the manner and frequency as specified by the SCI entity, at least once every 12 months.

576 See proposed Rule 1000(b)(5)(ii).
577 See supra Sections III.C.4 and III.E.2 discussing the reporting requirements in proposed Rule 1000(b)(6).

In addition, the proposed rule would require an SCI entity to coordinate such testing on an industry- or sector-wide basis with other SCI entities.578 Further, the proposed rule would require each SCI entity to designate those members or participants it deems necessary, for the maintenance of fair and orderly markets in the event of the activation of its business continuity and disaster recovery plans, to participate in the testing of such plans. Each SCI entity would be required to notify the Commission of such designations and its standards for designation, and promptly update such notification after any changes to its designations or standards. Although nothing prevents SCI entities from doing so, the Commission currently does not mandate that members or participants of SCI entities test the business continuity and disaster recovery plans, including backup systems, of SCI entities. This proposed rule would allow greater oversight by the Commission over the business continuity and disaster recovery capabilities of SCI entities. While the Commission believes that many SCI entities currently provide the opportunity for their members or participants to test their business continuity and disaster recovery plans, the Commission believes that few require participation by all or designated members or participants in such testing.579 In addition, the Commission understands that, to the extent such participation occurs, it may in many cases be limited in nature (e.g., testing for connectivity to backup systems).

578 See supra note 269 and accompanying text.

Finally, while the securities industry does coordinate certain testing, the Commission believes that the two-day closure of the equities and options markets in the wake of Superstorm Sandy has shown that more significant testing and better coordination of such testing could benefit market participants.580

Proposed Rules 1000(c) and (e) relate to the recordkeeping requirements under proposed Regulation SCI. As discussed above, SCI SROs already are subject to recordkeeping requirements that would apply to all documents relating to their compliance with proposed Regulation SCI.581 Further, entities that participate in the ARP Inspection Program currently keep records related to the ARP Inspection Program, and the Commission recognizes that all SCI entities are subject to some recordkeeping requirement. Nevertheless, with respect to SCI entities other than SCI SROs, proposed Rules 1000(c) and (e) would impose specific recordkeeping requirements with respect to documents related to compliance with Regulation SCI and thus would impose a burden on such entities.

Lastly, proposed Rule 1000(f) would require SCI entities to provide Commission representatives reasonable access to its SCI systems and SCI security systems to allow Commission representatives to assess the entity’s compliance with proposed Regulation SCI. As discussed above, although the Commission believes that Section 17(b) of the Exchange Act already provides the Commission with authority to access the systems of SCI entities, the Commission is proposing Rule 1000(f) to highlight such authority and help ensure that Commission representatives have ready access to systems of SCI entities.582

C. Consideration of Costs and Benefits, and the Effect on Efficiency, Competition, and Capital Formation

Section 3(f) of the Exchange Act requires the Commission, whenever it engages in rulemaking pursuant to the Exchange Act and is required to consider or determine whether an action is necessary or appropriate in the public interest, to consider, in addition to the protection of investors, whether the action would promote efficiency, competition, and capital formation.583 In addition, Section 23(a)(2) of the Exchange Act requires the Commission, when making rules under the Exchange Act, to consider the impact such rules would have on competition.584 Exchange Act Section 23(a)(2) prohibits the Commission from adopting any rule that would impose a burden on competition not necessary or appropriate in furtherance of the purposes of the Exchange Act.585 In considering these matters, the Commission has been mindful of the history and background discussed above and has considered the impact proposed Regulation SCI would have on competition, and preliminarily believes that proposed Regulation SCI would promote efficiency, competition, and capital formation, and would not impose a burden on competition not necessary or appropriate in furtherance of the purposes of the Exchange Act.

1. Summary of Benefits, Costs and Quantification

While the current practices of some SCI entities already satisfy some of the requirements of proposed Regulation SCI, the Commission preliminarily believes proposed Regulation SCI could benefit the U.S. financial markets in several ways. The Commission preliminarily believes that Regulation SCI should result in fewer systems disruptions, systems compliance issues, and systems intrusions. It should also increase the information available to the Commission regarding any systems disruptions, systems compliance issues, and systems intrusions that do occur.
In addition, it should increase the information available to members or participants of SCI entities regarding dissemination SCI events. As explained further below, such disseminations of information could promote the ability of market participants to assess the operation of markets because events would be more transparent. The changes also could reduce market participants’ search costs, ultimately improving the ability of competition to discourage SCI events and potentially improving the allocative efficiency of capital. To the extent that Regulation SCI promotes the allocation of capital to its most efficient uses, the Commission preliminarily believes that Regulation SCI may promote capital formation.586

The potential economic costs of proposed Regulation SCI include compliance costs, which the Commission attempts to quantify, and other costs. Such other costs include costs associated with the increase in costs and time needed to make systems changes to comply with new and amended rules and regulations, the impact on innovation, and barriers to entry.587

The Commission discusses below a number of costs and benefits that are related to proposed Regulation SCI. Many of these costs and benefits are difficult to quantify with any degree of certainty, especially as the practices of market participants are expected to evolve and appropriately adapt to changes in technology and market developments. In addition, the extent to which the proposed rule’s standards and the ability to enforce such standards will help reduce the frequency and severity of SCI events is unknown. Therefore, much of the discussion is qualitative in nature but, where possible, the Commission quantifies the costs.

579 See infra note 641.
580 See supra Section I.D.
581 See supra Section III.D.1.
582 See supra Section III.D.3.
583 15 U.S.C. 78c(f).
584 15 U.S.C. 78w(a)(2).
585 15 U.S.C. 78w(a)(2).

Many, but not all, of the costs of the proposed rules involve a collection of information, and these costs and burdens are discussed in the Paperwork Reduction Act Section above.588 When monetized, those estimated burdens and costs for SCI entities total approximately $44 million in initial costs and approximately $37 million in annual ongoing costs. In addition, in the Economic Cost Section below,589 the Commission has quantified other costs for SCI entities that total between approximately $17.6 million 590 and $132 million 591 in initial costs and between $11.7 million 592 and $88 million 593 in annual ongoing costs. When aggregated, the total quantified costs for SCI entities are estimated as between approximately $61.6 million 594 and $176 million 595 in initial costs and between $48.7 million 596 and $125 million 597 in annual ongoing costs.

In addition to the costs to SCI entities, the Commission also preliminarily estimates the total costs to members or participants of SCI entities to participate in the business continuity and disaster recovery plans testing specified by proposed Rule 1000(b)(9) to be $66 million annually.598 Thus, the total quantified costs for SCI entities and members or participants of SCI entities are estimated as between approximately $127.6 million 599 and $242 million 600 in initial costs and between $114.7 million 601 and $191 million 602 in annual ongoing costs. A detailed discussion of other potential economic costs of the proposal, such as potential costs to the Commission and potential burdens on competition, is provided below.

586 The Commission notes, however, that whether there is ultimately an effect on capital formation will depend, in part, on the degree of the potential effects on allocative efficiency.
587 See infra Section V.C.3.b.
588 See supra Section IV.
589 See infra Section V.C.4.a (estimating the cost for: (i) complying with the substantive requirements that are the subject of the policies and procedures required by proposed Rules 1000(b)(1) and (2), including consistency with SCI industry standards (which, solely for purposes of this Economic Analysis, would be the proposed SCI industry standards contained in the publications identified in Table A); (ii) establishing and maintaining a methodology for ensuring that the SCI entity is prepared for the corrective action requirement under proposed Rule 1000(b)(3); and (iii) establishing and maintaining a methodology for determining whether an SCI event is an immediate notification SCI event or a dissemination SCI event).
590 See infra note 634 (estimating cost for complying with the substantive requirements underlying policies and procedures required by proposed Rules 1000(b)(1) and (2)).
591 See infra note 635 (estimating cost for complying with the substantive requirements underlying policies and procedures required by proposed Rules 1000(b)(1) and (2)).
592 See infra note 639 (estimating cost for complying with the substantive requirements underlying policies and procedures required by proposed Rules 1000(b)(1) and (2)).
593 See infra note 640 (estimating cost for complying with the substantive requirements underlying policies and procedures required by proposed Rules 1000(b)(1) and (2)).
594 $61.6 million = $44 million (PRA cost) + $17.6 million (other costs for SCI entities).
595 $176 million = $44 million (PRA cost) + $132 million (other costs for SCI entities).
596 $48.7 million = $37 million (PRA cost) + $11.7 million (other costs for SCI entities).
597 $125 million = $37 million (PRA cost) + $88 million (other costs for SCI entities).
598 See infra note 643 and accompanying text.
599 $127.6 million = $44 million (PRA cost) + $17.6 million (other costs for SCI entities) + $66 million (costs for members or participants of SCI entities).
600 $242 million = $44 million (PRA cost) + $132 million (other costs for SCI entities) + $66 million (costs for members or participants of SCI entities).
601 $114.7 million = $37 million (PRA cost) + $11.7 million (other costs for SCI entities) + $66 million (costs for members or participants of SCI entities).
602 $191 million = $37 million (PRA cost) + $88 million (other costs for SCI entities) + $66 million (costs for members or participants of SCI entities).

2. Economic Benefits

Broadly, although the current practices of some SCI entities already satisfy some of the requirements of proposed Regulation SCI, the Commission preliminarily believes that proposed Regulation SCI would bring several overarching benefits to the securities markets.

First and most significantly, the Commission preliminarily believes that proposed Regulation SCI would promote more robust systems and hence fewer systems disruptions and market-wide closures, systems compliance issues, and systems intrusions. As a result, the Commission expects fewer interruptions to SCI systems, including systems that directly support execution facilities, matching engines, and the dissemination of market data, and fewer errors with the pricing of securities, which should promote price efficiency. The Commission also expects fewer interruptions to other SCI systems, including systems that directly support regulatory systems and surveillance systems, which should help ensure compliance with relevant laws and rules. In addition, the Commission would expect fewer interruptions to SCI security systems, which should help prevent problems that could lead to disruption of an SCI entity’s general operations and, ultimately, its market-related activities.603

Second, the Commission preliminarily believes that proposed Regulation SCI would enhance the availability of relevant information to members or participants of SCI entities and promote dissemination of information to persons (i.e., members or participants of SCI entities) who are most directly affected by dissemination SCI events and who would most naturally need, want, and be able to act on the information. The increased availability of information regarding SCI events should reduce the costs to members or participants of SCI entities when evaluating SCI entities and improve their ability to make more informed decisions about whether or not to avoid dealing with entities that experience significant systems issues. This enhanced information, as well as the improved price efficiency, should lead to greater allocative efficiency of capital. Moreover, it is expected that the increased awareness of dissemination SCI events would enhance competition among SCI entities with respect to the maintenance of robust systems.

Third, the Commission preliminarily believes that fewer market-wide, unscheduled shutdowns would have many of the same benefits as avoidance of temporary shutdowns, but on a greater scale.

Fourth, the Commission preliminarily believes that its own ability to monitor the markets and ensure their smooth functioning would be significantly enhanced by proposed Regulation SCI. These potential benefits are discussed in more detail below in relation to each of the proposed rules.

a. Rule 1000(a) Definitions

In general, the definitions in Rule 1000(a) either clarify a provision or circumscribe the scope of a provision in proposed Regulation SCI. Therefore, many of the costs and benefits associated with the impacts of the definitions are incorporated in the discussion below on the costs and benefits of the substantive provisions where the definitions are used. This section contains a discussion of the benefits of the expansion in scope that are not discussed above. In summary, the Commission preliminarily believes that the proposed definitions of “SCI entity” and “SCI event,” although they would broaden the scope of Regulation SCI beyond the scope of the ARP Inspection Program, are essential parts of proposed Regulation SCI.

i. SCI Entities

As explained above, the difference between the entities that currently participate in the ARP Inspection Program and the entities covered by proposed Regulation SCI is the inclusion of additional ATSs and the MSRB. Because no ATSs currently meet the thresholds specified in Rule 301(b)(6) of Regulation ATS, other than the one ATS that currently participates in the ARP Inspection Program, none are subject to the systems safeguard requirements under that rule even though they comprise a significant portion of consolidated volume.604 The Commission preliminarily believes that the inclusion of SCI ATSs under proposed Regulation SCI would help ensure that ATSs, which serve as markets to bring buyers and sellers together in the national market system, are subject to rules regarding systems capacity, integrity, resiliency, availability, security, and compliance, including those rules that could help prevent SCI events and that require Commission reporting and the dissemination of information to members or participants of SCI entities.605 The Commission preliminarily believes that the inclusion of the MSRB in proposed Regulation SCI would provide benefits to the market because, as noted above, the MSRB is the only SRO relating to municipal securities and the sole provider of consolidated market data for the municipal securities market.606

ii. Systems and SCI Events

As stated above, proposed Regulation SCI would expand on current practice, would apply to a broader range of systems, and would include more event types. Specifically, entities that participate in the ARP Inspection Program follow the ARP policy statements with respect to systems that directly support trading, clearance and settlement, order routing, and market data. The proposed definition of “SCI systems” would include the foregoing systems as well as those that directly support regulation and surveillance. The Commission preliminarily believes that including regulation and surveillance systems could help ensure the SCI entity’s ability to monitor its compliance with relevant laws, rules, and its own rules, and detect any violations of such laws or rules. Further, the provisions of proposed Regulation SCI regarding systems security and intrusions also would apply to “SCI security systems.” 607 Because SCI security systems may present potentially vulnerable entry points to an SCI entity’s network, the Commission also preliminarily believes that it is important for proposed Regulation SCI to include those systems with respect to security standards and systems intrusions.608

By defining SCI events to include systems disruptions, systems compliance issues, and systems intrusions, proposed Regulation SCI would further assist the Commission in its oversight of SCI entities. As stated above, SCI entities already follow practices similar to parts of proposed Regulation SCI for certain systems disruptions and systems intrusions. The inclusion of systems compliance issues should help the Commission and market participants to become better informed of the efforts of the SCI entities to comply with relevant laws and rules, and their own rules as applicable, and could enhance the enforcement of such laws and rules.

603 See supra Section III.B.2, discussing the Commission’s proposed definitions of SCI systems and SCI security systems.
604 As noted above, one ATS voluntarily participates in the ARP Inspection Program. See supra note 25.
605 Proposed Regulation SCI would not expand the types of securities currently covered by the ARP Inspection Program and Rule 301(b)(6) of Regulation ATS. The Commission recognizes that although currently no ATSs are subject to the systems safeguard requirements under Rule 301(b)(6) because they do not satisfy the thresholds in that rule, the Commission estimates that approximately 15 ATSs would be subject to proposed Regulation SCI.
606 As discussed above, in 2008, the Commission amended Rule 15c2–12 to designate the MSRB as the single centralized disclosure repository for continuing municipal securities disclosure. In 2009, the MSRB established EMMA, which serves as the official repository of municipal securities disclosure, providing the public with free access to relevant municipal securities data, and is the central database for information about municipal securities offerings, issuers, and obligors. Additionally, the MSRB’s RTRS, with limited exceptions, requires municipal bond dealers to submit transaction data to the MSRB within 15 minutes of trade execution, and such near real-time post-trade transaction data can be accessed through the MSRB’s EMMA Web site. See supra note 96.
607 See supra Section III.B.2, discussing the Commission’s proposed definitions of SCI systems and SCI security systems.

Further, by defining a dissemination SCI event to include a subset of SCI events (i.e., a systems compliance issue, systems intrusion, or systems disruption that would result, or the SCI entity reasonably estimates would result in significant harm or loss to market participants), proposed Regulation SCI would further assist SCI entity members or participants in their decisions regarding whether or not to utilize the systems of a given SCI entity.

608 See id.

b. Rule 1000(b)(1)–(10) Requirements for SCI Entities

The development and growth of automated electronic trading have allowed increasing volumes of securities transactions across the multitude of trading centers that constitute the U.S. national market system. These securities transactions take place within an interconnected market where systems disruptions, systems compliance issues, and systems intrusions at one market center can impact or harm trading throughout the entire national market system. Thus, there is a need for operators of significant market systems, such as SCI entities, to have in place robust systems to prevent systems issues or, in the event that systems issues occur, to recover quickly.

Proposed Rule 1000(b)(1)–(2) would set forth requirements relating to written policies and procedures that SCI entities would be required to establish, maintain, and enforce. Proposed Rule 1000(b)(1) would require an SCI entity to establish, maintain, and enforce written policies and procedures reasonably designed to ensure that its SCI systems and, for purposes of security standards, SCI security systems, have levels of capacity, integrity, resiliency, availability, and security, adequate to maintain the SCI entity’s operational capability and promote the maintenance of fair and orderly markets.
The rule would further provide that an SCI entity’s policies and procedures must include the establishment of reasonable current and future capacity planning estimates, periodic capacity stress tests, a program to review and keep current systems development and testing methodology of such systems, regular reviews and testing of such systems, including backup systems, business continuity and disaster recovery plans, and standards that result in such systems facilitating the successful collection, processing, and dissemination of market data.609 As discussed above, the Commission regards SCI entities as part of the critical infrastructure of the U.S. securities markets and therefore, although proposed Rule 1000(b)(1)(i)(A)–(E) would codify certain provisions of the ARP policy statements, the Commission preliminarily believes that specifically setting forth these requirements in a Commission rule would benefit the securities markets by helping to diminish the risks and incidences of systems intrusions, systems compliance issues, and systems disruptions. Such policies and procedures should also assist in speedy recoveries from systems intrusions, systems compliance issues, and systems disruptions. Proposed Rule 1000(b)(1)(i)(F) does not have precedent in Regulation ATS or the ARP policy statements, and would require SCI entities to have standards that result in such systems being designed, developed, tested, maintained, operated, and surveilled in a manner that facilitates the successful collection, processing, and dissemination of market data. The Commission preliminarily believes that this proposal should help to ensure that timely and accurate market data is available to all market participants. 
Proposed Rule 1000(b)(1)(ii) would deem an SCI entity’s policies and procedures required by proposed Rule 1000(b)(1) to be reasonably designed if they are consistent with current SCI industry standards.610 Thus, the SCI industry standards would provide flexibility to allow each SCI entity to determine how to best meet the requirements in proposed Rule 1000(b)(1), taking into account, for example, its nature, size, technology, business model, and other aspects of its business, because compliance with SCI industry standards would not be the exclusive means by which an SCI entity could satisfy the requirements of proposed Rule 1000(b)(1).

Proposed Rule 1000(b)(2)(i), which would require written policies and procedures reasonably designed to ensure that an SCI entity’s SCI systems operate in the manner intended, should help to minimize instances where systems do not operate in compliance with the federal securities laws and rules and regulations thereunder and, as applicable, the entity’s rules and governing documents.

609 See proposed Rule 1000(b)(1)(i)(A)–(F), discussed in supra Section III.C.1.a.
610 Proposed SCI industry standards are contained in the publications that are set forth in Table A. See supra Section III.C.1.b.

In particular, the elements of the safe harbor for SCI entities in proposed Rule 1000(b)(2)(ii)(A) relating to policies and procedures on testing and monitoring also should help to ensure, on an ongoing basis, that an SCI entity’s SCI systems operate in the manner intended, including in a manner that complies with the federal securities laws and rules and regulations thereunder and, as applicable, the entity’s rules and governing documents, thus minimizing systems compliance issues and consequently the total time needed to bring a system back into compliance.611 In addition, the elements of the safe harbor in proposed Rule 1000(b)(2)(ii)(A) relating to policies and procedures for systems compliance assessments by personnel familiar with applicable laws and rules and systems reviews by regulatory personnel should help ensure the performance of effective compliance audits and reviews, and should help provide assurance that SCI entities are operating in compliance with applicable laws and rules.

Proposed Rule 1000(b)(3), which would require an SCI entity to begin taking appropriate corrective action upon any responsible SCI personnel becoming aware of an SCI event, should further help ensure that SCI entities invest sufficient resources as soon as reasonably practicable to address systems intrusions, systems compliance issues, and systems disruptions.612

Moreover, proposed Rules 1000(b)(1)–(3) should improve price efficiency by reducing the likelihood and duration of systems issues, thereby helping to avoid the price inefficiencies that occur during times when systems disruptions, systems compliance issues, or systems intrusions can make systems unavailable or unreliable. Specifically, systems issues that could impact the accuracy or the timeliness, and thus the reliability, of market data could lead to inaccuracies in pricing and slow-down pricing, and make data less reliable. Therefore, to the extent that proposed Rules 1000(b)(1)–(3) could reduce the likelihood or duration of systems issues, they may lead to more reliable market data (because there would be fewer inaccuracies and the market data would be more timely), which could help improve the quality of market data. This, in turn, could enhance price efficiency in the market for market data, which then could promote allocative efficiency of capital and capital formation.

Proposed Regulation SCI is intended, in part, to facilitate the Commission’s ability to monitor the impact on the securities markets by SCI entities’ systems that support the performance of the entities’ activities. The Commission preliminarily believes that proposed Rules 1000(b)(1)–(3), as well as 1000(b)(4), would provide for more effective Commission oversight of the operation of the systems of SCI entities. Specifically, while entities that participate in the ARP Inspection Program already notify Commission staff of certain systems issues, the Commission preliminarily believes that proposed Rule 1000(b)(4), relating to Commission notification of SCI events, should further enhance the effectiveness of Commission oversight of the operation of SCI entities. Under the proposed rule, upon any responsible SCI personnel becoming aware of an immediate notification SCI event,613 an SCI entity would be required to notify the Commission of the SCI event. Within 24 hours of any responsible SCI personnel becoming aware of an SCI event, an SCI entity would be required to submit a written notification pertaining to such SCI event on Form SCI.

611 As noted above, the Commission recognizes that SCI entities are already required to comply with federal securities laws, rules and regulations thereunder, and their own rules.
612 As noted above, the Commission believes that SCI entities already take corrective actions in response to systems issues.

Until such time as the SCI event is resolved, the SCI entity would be required to provide updates regularly, or at such frequency as requested by an authorized representative of the Commission. Although this process would represent costs to an SCI entity,614 the documentation of SCI events will help prevent such systems failures from being dismissed or ignored as glitches or momentary issues because it would focus the SCI entity’s attention on the issue and encourage allocation of SCI entity resources to resolve the issue as soon as reasonably practicable.
613 See supra Section III.C.3.b.
614 See supra Section IV.D.2.a.
As noted above, the Commission is concerned that members or participants of SCI entities may be unaware of the occurrence of some SCI events, and therefore may make decisions without all relevant information. Proposed Rule 1000(b)(5) would require an SCI entity, upon any responsible SCI personnel becoming aware of a dissemination SCI event other than a systems intrusion, to disseminate certain information regarding the dissemination SCI event to its members or participants.615 Such information would include the systems affected by the event and a summary description of the event. When known, the SCI entity would be required to further disseminate to its members or participants: a detailed description of the SCI event; its current assessment of the types and number of market participants potentially affected by the SCI event; and a description of the progress of its corrective action for the SCI event and when the SCI event has been or is expected to be resolved. An SCI entity also would be required to provide regular updates to members or participants regarding the disseminated information.
The Commission preliminarily believes that proposed Rule 1000(b)(5) would help market participants—specifically the members or participants of SCI entities—to better evaluate the operations of SCI entities based on more readily available information. As discussed above,616 the Commission believes that the existing competition among the markets has not sufficiently mitigated the occurrence of certain systems problems, and thus preliminarily believes that requiring the dissemination of information about certain SCI events, as described above, to members or participants could potentially further incentivize SCI entities to create more robust systems. In addition, targeting this set of market participants (i.e., an SCI entity’s members or participants) to receive information about dissemination SCI events has the benefit of providing the information to those that are most likely to need, want, and act on the information, without imposing the additional costs associated with requiring broader public dissemination. Moreover, another benefit of increased dissemination of information about dissemination SCI events to SCI entity members or participants would be the resultant reduction in search costs for market participants when they are gathering information to make a determination with respect to the use of an entity’s services. Also, proposed Rule 1000(b)(5) would require SCI entities to disseminate specified information for dissemination SCI events, which would allow market participants to more easily compare the available information from all SCI entities for which they are members or participants. The foregoing benefits would be further enhanced to the extent information relating to dissemination SCI events is shared by members or participants of SCI entities with other market participants. Lastly, because an SCI entity would be permitted to delay dissemination of information regarding a systems intrusion to members or participants if it determines that such information would likely compromise the security of its SCI systems or SCI security systems, or an investigation of the systems intrusion, proposed Rule 1000(b)(5) would not undermine the need to maintain the non-public nature of certain systems intrusions for a temporary period (until the SCI entity determines that dissemination of such information would not likely compromise the security of the SCI entity’s SCI systems or SCI security systems, or an investigation of the systems intrusion).
615 For a dissemination SCI event that is a systems intrusion, an SCI entity must disseminate to members or participants a summary description of the systems intrusion, including a description of the corrective action taken by the SCI entity and when the systems intrusion has been or is expected to be resolved, unless it determines that dissemination of such information would likely compromise the security of the SCI entity’s SCI systems or SCI security systems, or an investigation of the systems intrusion.
616 See supra Section V.B.2.
In summary, because proposed Regulation SCI would, among other things, require SCI entities to provide members and participants with more information regarding their operations, the Commission preliminarily believes that SCI entities would have additional incentives to establish and maintain more robust automated systems to minimize the occurrence of SCI events. Fewer systems issues could improve pricing efficiency which, in turn, could promote allocative efficiency of capital and thus, capital formation.
In addition to the Commission notification requirements under proposed Rule 1000(b)(4), the Commission preliminarily believes that proposed Rule 1000(b)(6) would enhance the Commission’s oversight of the operation of SCI entities, even though entities participating in the ARP Inspection Program may already provide these types of notifications to Commission staff. Proposed Rule 1000(b)(6) would require an SCI entity to notify the Commission on Form SCI of material systems changes at least 30 calendar days before the implementation of any planned material systems change. In the case of exigent circumstances, or if the information previously provided regarding a planned material systems change becomes materially inaccurate, proposed Rule 1000(b)(6) would require oral or written notification as early as reasonably practicable. Any oral notification of planned material systems change must be memorialized within 24 hours by a written notification on Form SCI. The Commission preliminarily believes that this provision would provide the Commission and its staff advance notice and time to evaluate planned material systems changes by SCI entities, thus improving the Commission’s ability to oversee SCI entities. Proposed Rule 1000(b)(7) would require an SCI entity to conduct an SCI review of its compliance with Regulation SCI not less than once each calendar year, and submit a report of the SCI review to senior management of the SCI entity for review no more than 30 calendar days after completion of such SCI review. The Commission preliminarily believes that the proposal to require SCI entities to conduct an objective assessment of their systems at least annually would result in SCI entities having an improved awareness of the relative strengths and weaknesses of their systems independent of the assessment of ARP staff, which should in turn improve the value and efficiency of an ARP inspection.
Proposed Rule 1000(b)(8) would require each SCI entity to submit certain periodic reports to the Commission through Form SCI, including annual reports on the SCI reviews of its compliance with Regulation SCI and semi-annual reports on the progress of material systems changes. These reports should keep the Commission informed, on an ongoing basis, by providing information with which the Commission could evaluate each SCI entity’s compliance with Regulation SCI and the progress of its material systems changes. The Commission preliminarily believes that proposed Rules 1000(b)(1)–(8), taken together, should result in actual systems improvements as well as enhanced availability of relevant information regarding SCI events to the Commission and members or participants of SCI entities. This, in turn, could facilitate better decisions by market participants, which could promote allocative efficiency of capital and capital formation, potentially providing an overall benefit to the securities markets and promoting the protection of investors and the public interest. Additionally, the means by which trading is conducted may be altered as a result of Regulation SCI. For example, if an SCI entity member or participant submits orders to a particular market for execution, and subsequently learns that the execution venue’s systems in use may be prone to failure, such member or participant may choose to favor another market in the future. This change would potentially enhance competition as SCI entity members or participants rely on information disseminated regarding dissemination SCI events to make more informed choices about the best venue for execution.
Proposed Rule 1000(b)(9)(i) would require an SCI entity, with respect to its business continuity and disaster recovery plans, including its backup systems, to require participation by designated members or participants in scheduled functional and performance testing of the operation of such plans, in the manner and frequency as specified by the SCI entity, at least once every 12 months. Proposed Rule 1000(b)(9)(ii) would further require an SCI entity to coordinate such testing on an industry- or sector-wide basis with other SCI entities. The Commission expects that this proposed requirement should help ensure that the securities markets will have improved backup infrastructure and fewer market-wide shutdowns, thus helping SCI entities and other market participants to avoid lost revenues and profits that would otherwise result from such shutdowns. Further, the notifications required by proposed Rule 1000(b)(9)(iii) should keep the Commission informed, on an ongoing basis, of an SCI entity’s current standards for designating members or participants and current list of designees.
c. Rule 1000(c)–(f)—Recordkeeping, Electronic Filing, and Access
While all SCI entities already are subject to some recordkeeping and access requirements, the Commission preliminarily believes the proposed recordkeeping and access requirements specifically related to proposed Regulation SCI would enhance the ability of the Commission to evaluate SCI entities’ compliance. Specifically, proposed Rule 1000(c) would require each SCI entity, other than an SCI SRO, to make, keep, and preserve at least one copy of all documents and records relating to its compliance with Regulation SCI for a period of not less than five years.617 Each SCI entity also would be required to furnish such documents to Commission representatives upon request. Further, according to proposed Rule 1000(e), if the records required to be filed or kept by an SCI entity under proposed Regulation SCI are prepared or maintained by a service bureau or other recordkeeping service on behalf of the SCI entity, the SCI entity must ensure that such records are available to review by the Commission and its representatives by submitting a written undertaking by such service bureau or recordkeeping service to that effect. The Commission preliminarily believes that these proposed rules should allow Commission staff to perform efficient inspections and examinations of SCI entities for their compliance with the proposed rules, and should increase the likelihood that Commission staff may identify conduct inconsistent with the proposed rules at earlier stages in the inspection and examination process.
617 As discussed above in Section III.D.1, Regulation SCI-related documents would already be included in SCI SROs’ comprehensive recordkeeping requirements under Rule 17a–1 under the Exchange Act.
Proposed Rule 1000(d) would require SCI entities to electronically submit all written information to the Commission through Form SCI (except any written notification submitted pursuant to proposed Rule 1000(b)(4)(i)). The Commission preliminarily believes that this provision would allow the Commission to receive information in a uniform electronic format with specified content, which would enhance Commission staff’s ability to review and analyze submitted information. Finally, proposed Rule 1000(f) would require each SCI entity to give Commission representatives reasonable access to its SCI systems and SCI security systems to allow Commission representatives to assess its compliance with proposed Regulation SCI.
The Commission preliminarily believes that this provision would enhance Commission oversight by specifically highlighting the Commission’s authority to have its representatives directly access and examine SCI entities’ systems to confirm their compliance with proposed Regulation SCI. The Commission preliminarily believes that these requirements would place the Commission in a stronger position to assess the risks relating to SCI entities’ systems and, thus, would provide the Commission with greater ability to protect investors. The Commission also preliminarily believes that its oversight should help ensure that SCI entities are reasonably equipped to handle market demand and provide liquidity, including during periods of market distress.
3. Economic Costs
a. Direct Compliance Costs
The Commission recognizes that proposed Regulation SCI would impose costs on SCI entities, as well as costs on certain members or participants of SCI entities. The Commission preliminarily believes that the majority of these costs would be direct compliance costs.
SCI entities would incur costs in establishing, maintaining, and enforcing policies and procedures related to systems capacity, integrity, resiliency, availability, security, and compliance.618 SCI entities also would incur costs in taking appropriate corrective actions upon any responsible SCI personnel becoming aware of an SCI event,619 notifying and updating the Commission with respect to the occurrence of SCI events,620 disseminating information to members or participants regarding dissemination SCI events,621 notifying the Commission of material systems changes,622 conducting SCI reviews,623 submitting to the Commission periodic reports,624 requiring designated members to participate in testing of business continuity and disaster recovery plans and coordinating such testing,625 and complying with recordkeeping and access requirements.626 As stated above in Section IV.D, proposed Regulation SCI would codify many of the ARP policy statement principles familiar and applicable to current participants in the ARP Inspection Program. The Commission recognizes, however, that the proposed rules would apply to entities that are not currently covered by the ARP Inspection Program, and would cover areas not currently within the scope of the ARP Inspection Program. Thus, those costs are incremental relative to the current compliance cost of the ARP Inspection Program. While proposed Regulation SCI would codify the provisions of the ARP policy statements, the proposed definitions of “SCI entity,” “SCI event,” “SCI systems,” and “SCI security systems” are broader than the entities, events, and systems covered by the ARP Inspection Program and, as stated above, will include more entities, events, and systems. Specifically, proposed Rule 1000(b)(1)(i) would codify aspects of the ARP policy statements 627 with the exception of Rule 1000(b)(1)(i)(F), which would require policies and procedures regarding standards that result in systems being designed, developed, tested, maintained, operated, and surveilled in a manner that facilitates the successful collection, processing, and dissemination of market data. In addition, because the ARP policy statements provide that SROs should promptly notify Commission staff of certain system outages and any instances in which unauthorized persons gained or attempted to gain access to their systems, proposed Rule 1000(b)(4), among other things, would codify parts of the ARP policy statements.628 Further, because the ARP policy statements provide that SROs should notify Commission staff of certain changes to their automated systems, proposed Rule 1000(b)(6) would codify a part of the ARP policy statements.629 Lastly, because the ARP policy statements provide that SROs should undertake reviews of their systems, proposed Rule 1000(b)(7), among other things, would reflect this part of the ARP policy statements.
618 See proposed Rules 1000(b)(1) and (2). These proposed rules would also impose costs for outside legal and/or consulting advice, as set forth in the Paperwork Reduction Act Section above. See supra Section IV.
619 See proposed Rule 1000(b)(3).
620 See proposed Rule 1000(b)(4).
621 See proposed Rule 1000(b)(5). This proposed rule would also impose costs for outside legal advice, as set forth in the Paperwork Reduction Act discussion above. See supra Section IV.
622 See proposed Rule 1000(b)(6).
623 See proposed Rule 1000(b)(7).
624 See proposed Rule 1000(b)(8).
625 See proposed Rule 1000(b)(9).
626 See proposed Rules 1000(c), (e), and (f).
With respect to the proposed requirements that are not currently covered by the ARP Inspection Program, they include: policies and procedures in addition to those required by proposed Rule 1000(b)(1)(i)(A)–(E) that would be necessary to achieve policies and procedures reasonably designed to ensure that systems of an SCI entity have levels of capacity, integrity, resiliency, availability, and security, adequate to maintain the SCI entity’s operational capability and promote the maintenance of fair and orderly markets; policies and procedures reasonably designed to ensure the operation of SCI systems in the manner intended; the initiation of appropriate corrective actions upon any responsible SCI personnel becoming aware of an SCI event; the dissemination of information to members or participants; requirements regarding member or participant testing; and recordkeeping and access with respect to Regulation SCI-related documents.
627 Rule 301(b)(6) of Regulation ATS also contains similar requirements for ATSs that meet the thresholds in that rule.
628 However, because of the proposed definition of “SCI event,” SCI entities must also report systems compliance issues to the Commission. Proposed Regulation SCI would also set forth detailed and specific requirements with respect to Commission notifications.
629 Again, proposed Regulation SCI would also set forth more detailed and specific requirements with respect to such Commission notifications.
Many of these incremental costs are calculated in detail in the Paperwork Reduction Act Section above, which estimates that the total one-time initial burden for all SCI entities to comply with Regulation SCI would be approximately 133,482 hours and $2.6 million, and that the total annual ongoing burden for all SCI entities to comply with Regulation SCI would be approximately 117,258 hours and $738,400. In addition to the direct cost estimates derived from the Paperwork Reduction Act burdens, the Commission preliminarily believes that SCI entities could incur costs when enforcing the policies and procedures required under proposed Rules 1000(b)(1) and (2), taking corrective action to mitigate the potential harm resulting from an SCI event under proposed Rule 1000(b)(3), and in determining whether an SCI event is an immediate notification SCI event or meets the definition of a dissemination SCI event under proposed Rule 1000(a). As discussed in detail in Section III.C.1 above, proposed Rule 1000(b)(1) would require SCI entities to establish, maintain, and enforce written policies and procedures reasonably designed to ensure that their SCI systems and, for purposes of security standards, SCI security systems, have levels of capacity, integrity, resiliency, availability, and security, adequate to maintain the SCI entity’s operational capability and promote the maintenance of fair and orderly markets. In addition to the burden of establishing and maintaining such policies and procedures as set forth in the Paperwork Reduction Act Section above, the Commission preliminarily believes that SCI entities would incur costs in enforcing the substantive requirements that are the subject of the policies and procedures. 
Further, as discussed in detail in Section III.C.2 above, proposed Rule 1000(b)(2) would require SCI entities to establish, maintain, and enforce written policies and procedures reasonably designed to ensure that their SCI systems operate in the manner intended, including in a manner that complies with federal securities laws and rules and regulations thereunder and the entity’s rules and governing documents, as applicable. In addition to the burden of establishing and maintaining such policies and procedures as set forth in the Paperwork Reduction Act Section above, the Commission preliminarily believes that SCI entities would incur costs in enforcing the substantive requirements that are the subject of the policies and procedures. As noted above,630 NIST is an agency within the U.S. Department of Commerce that has issued numerous special publications regarding information technology systems. For example, one of the publications listed in Table A is the NIST Draft Security and Privacy Controls for Federal Information Systems and Organizations (Special Publication 800–53 Rev. 4) (February 2012) (“NIST 800–53”).631 This publication is a security controls catalog providing guidance for selecting and specifying security controls for federal information systems and organizations. NIST 800–53 addresses how federal entities should achieve secure information systems, taking into account the fundamental elements of: (i) Multitiered risk management; (ii) the structure and organization of controls; (iii) security control baselines; (iv) the use of common controls and inheritance of security capabilities; (v) external environments and service providers; (vi) assurance and trustworthiness; and (vii) revisions and extensions to security controls and control baselines, among others.
Although NIST 800–53 sets forth standards for federal agencies, it is also intended to serve a diverse audience of information system and information security professionals, including those having information system, security, and/or risk management and oversight responsibilities, information system development responsibilities, information security implementation and operational responsibilities, information security assessment and monitoring responsibilities, as well as commercial companies producing information technology products, systems, security-related technologies, and security services.632
630 See supra Section III.C.1.b.
631 See NIST 800–53, available at: https://csrc.nist.gov/publications/drafts/800-53-rev4/sp800-53-rev4-ipd.pdf.
632 See id. at 3.
The Commission preliminarily believes that many SCI entities will choose to establish, maintain, and enforce policies and procedures that are consistent with the proposed SCI industry standards contained in the publications set forth in Table A for purposes of satisfying the requirements of proposed Rule 1000(b)(1). However, as noted above, compliance with the identified SCI industry standards would not be the exclusive means to comply with the requirements of proposed Rule 1000(b)(1). The Commission understands that the Table A publications, including NIST 800–53, are familiar to information technology personnel employed by many SCI entities, and that some SCI entities, particularly the SCI SROs and plan processors that participate in the ARP Inspection Program, currently adhere to all or at least some of the standards in NIST 800–53, or similar standards set forth in publications issued by other standards setting bodies, with some entities fully or nearly fully implementing such standards, while other entities may not have implemented such standards as broadly.
For SCI entities that are not part of the ARP Inspection Program, while such entities may be familiar with such publications and standards generally, the Commission is not certain as to the level of compliance with such standards, and believes that there may be some such entities that are fully or nearly fully compliant, while others may have little or no compliance with such standards. With respect to the substantive systems requirements resulting from adherence to SCI industry standards (which, solely for purposes of this Economic Analysis Section, the Commission assumes to be the proposed SCI industry standards contained in the publications identified in Table A, or publications setting forth substantially similar standards) underlying proposed Rule 1000(b)(1), as noted above, the Commission believes that certain entities that would satisfy the definition of SCI entity, particularly some that currently participate in the ARP Inspection Program, already comply with some of the requirements. On the other hand, the Commission believes that some SCI entities, including some that currently participate in the ARP Inspection Program, do not currently comply with some or all of the proposed requirements. Further, although the Commission believes that each SCI entity would incur costs in complying with these requirements, the Commission believes that some entities already comply with SCI industry standards with respect to some of their systems. Moreover, the Commission acknowledges that certain SCI entities are larger or more complex than others, and that proposed Rule 1000(b)(1) would impose higher costs on larger and more complex systems.
Because the Commission does not at this time have sufficient information to reasonably estimate each SCI entity’s current level of compliance with the proposed SCI industry standards contained in the publications set forth in Table A, the Commission estimates a range of average costs for each SCI entity to comply with such standards. The Commission acknowledges that some SCI entities would incur costs near the bottom of the range because their systems policies and procedures currently meet SCI industry standards (which, as noted above, solely for purposes of this Economic Analysis Section, the Commission assumes to be the proposed SCI industry standards contained in the publications identified in Table A or in substantially similar publications). On the other hand, some SCI entities would incur costs near the middle or top of the range because their systems policies and procedures do not currently meet such standards. Because the Commission lacks sufficient information regarding the current practices of all SCI entities, the Commission seeks comment on the extent to which SCI entities already have in place systems policies and procedures that would meet the proposed SCI industry standards (which, solely for purposes of this Economic Analysis Section, the Commission assumes to be the proposed SCI industry standards contained in the publications identified in Table A or in substantially similar publications). Further, unlike the Paperwork Reduction Act Section where the Commission estimates a fifty-percent baseline with respect to proposed Rule 1000(b)(1)(i)(A)–(E) for entities that currently participate in the ARP Inspection Program, the Commission preliminarily estimates the same cost range for all SCI entities for compliance with the proposed substantive requirements that are the subject of the policies and procedures.
On the one hand, the Commission believes that certain SCI entities (in particular, some entities that participate in the ARP Inspection Program) may already comply with some of the substantive requirements and thus would incur less incremental cost for complying with such requirements. On the other hand, the Commission believes that some SCI entities that currently participate in the ARP Inspection Program are larger and have more complex systems than those that do not participate in the ARP Inspection Program and, therefore, would incur more incremental cost for complying with the substantive requirements. As such, the Commission preliminarily believes it is unlikely that SCI entities that do not participate in the ARP Inspection Program would incur twice the cost as SCI entities that participate in the ARP Inspection Program to comply with the substantive systems requirements underlying the policies and procedures required by proposed Regulation SCI.
Based on discussion with industry participants, the Commission preliminarily estimates that, to comply with the substantive requirements that are the subject of the policies and procedures required by proposed Rules 1000(b)(1) and (2), including consistency with the SCI industry standards (which, solely for purposes of this Economic Analysis, the Commission assumes to be the proposed SCI industry standards contained in the publications identified in Table A or in substantially similar publications) in connection with proposed Rule 1000(b)(1), on average, each SCI entity would incur an initial cost of between approximately $400,000 and $3 million.633 Based on this average, the Commission preliminarily estimates that SCI entities would incur a total initial cost of between approximately $17.6 million 634 and $132 million.635 The Commission seeks comment on the estimated average initial cost range for SCI entities to comply with the substantive requirements underlying the policies and procedures required by proposed Rules 1000(b)(1) and (2). The preliminary cost estimates described above represent an estimated average cost range per SCI entity, and the Commission acknowledges that some of the costs to comply with the substantive requirements of proposed Rules 1000(b)(1) and (2) may be significantly higher than the estimated average for some SCI entities, while some of the costs may be significantly lower for other SCI entities. 
In particular, the Commission preliminarily believes that the costs associated with the requirement in proposed Rule 1000(b)(1)(i)(E) that an SCI entity have policies and procedures that include maintaining backup and recovery capabilities sufficiently resilient and geographically diverse to ensure next business day resumption of trading and two-hour resumption of clearance and settlement services following a wide-scale disruption is an area in which different SCI entities may encounter significantly different compliance costs. For example, among national securities exchanges, the Commission understands that many, though not all, national securities exchanges already have or soon expect to have backup facilities that do not rely on the same infrastructure components used by their primary facility.
633 The Commission preliminarily estimates a range of cost for complying with the substantive requirements that are the subject of the policies and procedures required by proposed Rules 1000(b)(1) and (2) because some SCI entities are already in compliance with some of these substantive requirements. For example, the Commission believes that many SCI SROs (e.g., certain national securities exchanges and registered clearing agencies) already have or have begun implementation of business continuity and disaster recovery plans that include maintaining backup and recovery capabilities sufficiently resilient and geographically diverse to ensure next business day resumption of trading and two-hour resumption of clearance and settlement services following a wide-scale disruption.
634 $17.6 million = ($400,000) × (44 SCI entities).
635 $132 million = ($3 million) × (44 SCI entities).
For those national securities exchanges that do not have such backup facilities, the cost to build and maintain such facilities may result in their compliance costs being significantly higher than those of national securities exchanges that already satisfy the proposed requirement.636 The application of the geographic diversity requirement to other entities, such as ATSs, under the proposed rule, would depend on the nature, size, technology, business model, and other aspects of their business. 218. The Commission requests commenters’ views on how many SCI entities would not currently satisfy the proposed requirement relating to geographic diversity of backup sites. The Commission requests commenters’ views on the costs of establishing backup sites to satisfy the proposed geographic diversity requirement, particularly for entities that currently would not satisfy the proposed requirement. In such a case, given the likely significant cost and time associated with building such backup sites, how long do commenters believe it would take for SCI entities to come into compliance with such a proposed requirement? Would it be appropriate for the Commission to allow an extended period prior to which compliance with this proposed requirement would be effective? Why or why not? If so, how long should such period be and why? Should such an extended period only be permitted for a subset of SCI entities? If so, how should such a subset be determined? Please describe.
As noted above, because the Commission does not at this time have sufficient information to reasonably estimate each SCI entity’s current level of compliance with the substantive requirements underlying the policies and procedures, the Commission preliminarily estimates a range of average initial costs for each SCI entity to comply with the substantive requirements underlying the policies and procedures required by proposed Rules 1000(b)(1) and (2). Based on the estimates of the initial costs, the Commission estimates a range of average ongoing cost for each SCI entity to comply with the requirements using two-thirds of the initial cost. The Commission preliminarily believes that a two-thirds estimate is appropriate because although proposed Rules 1000(b)(1) and (2) would require SCI entities to comply with certain systems requirements including, for example, establishing reasonable current and future capacity planning estimates on an ongoing basis, as well as conducting tests and reviews of their systems on an ongoing basis, the Commission preliminarily believes that SCI entities would incur an additional initial cost to, for example, revise the underlying software code of their systems to the extent needed to bring those systems into compliance with the requirements of the proposed rules.
636 As noted, solely for purposes of this Economic Analysis, the Commission has assumed that the SCI industry standards would be those contained in the publications identified in Table A or in substantially similar publications. However, as proposed Rule 1000(b)(1)(ii) makes clear, compliance with such current industry standards, including the geographic diversity requirements contained in the 2003 Interagency White Paper, supra note 31, is not the exclusive means to comply with the requirements of proposed Rule 1000(b)(1). See also supra note 182.
Therefore, the Commission preliminarily estimates that, to comply with the substantive requirements that are the subject of the policies and procedures required by proposed Rules 1000(b)(1) and (2), including consistency with SCI industry standards in connection with proposed Rule 1000(b)(1), on average, each SCI entity would incur an ongoing annual cost of between approximately $267,000 637 and $2 million.638 Based on this estimated range, the Commission preliminarily estimates that SCI entities would incur a total ongoing cost of between approximately $11.7 million 639 and $88 million.640 The Commission seeks comment on the estimated average ongoing cost range for SCI entities to comply with the substantive requirements underlying the policies and procedures required by proposed Rules 1000(b)(1) and (2). The mandatory testing of SCI entity business continuity and disaster recovery plans, including backup systems, as proposed to be required under proposed Rule 1000(b)(9), would place an additional burden on SCI entities. The Commission believes that some SCI entities require some or all of their members or participants to connect to their backup systems 641 and that most, if not all, SCI entities already offer their members or participants the opportunity to test such plans, although they do not currently mandate participation by all members or participants in such testing. In addition, market participants, including SCI entities, already coordinate certain business continuity plan testing to some extent.
637 $266,667 = $400,000 (estimated initial cost to comply with the substantive requirements) × (2⁄3).
638 $2 million = $3 million (estimated initial cost to comply with the substantive requirements) × (2⁄3).
639 $11.7 million = ($266,667) × (44 SCI entities).
640 $88 million = ($2 million) × (44 SCI entities).
Thus, the Commission preliminarily believes that additional costs of proposed Rule 1000(b)(9) to SCI entities would be minimal. However, for SCI entity members or participants, additional costs could be significant, and highly variable depending on the business continuity and disaster recovery plans being tested. However, based on discussions with market participants, the Commission preliminarily estimates the cost of the testing of such plans to range from immaterial administrative costs (for SCI entity members and participants that currently maintain connections to SCI entity backup systems) to a range of $24,000 to $60,000 per year per member or participant in connection with each SCI entity. Costs at the higher end of this range would accrue for members or participants who would need to invest in additional infrastructure and to maintain connectivity with an SCI entity’s backup systems in order to participate in testing.642 The Commission is unable at this time to provide a precise cost estimate for the total aggregate cost to SCI entity members and participants of the requirements relating to proposed Rule 1000(b)(9), as it does not know how each SCI entity will determine its standards for designating members or participants that it would require to participate in the testing required by proposed Rule 1000(b)(9)(i), and thus does not know the number of members or participants at each SCI entity that would be designated as required to participate in testing, and whether such designated members and participants are those that already maintain connections to SCI entity backup systems. However, the Commission preliminarily believes that an aggregate annual cost of approximately $66 million to designated members and participants is a reasonable estimate.643 The Commission requests comment on these estimates and the assumptions underlying them.
641 See, e.g., CBOE Rule 6.18 (requiring Trading Permit Holders to take appropriate actions as instructed by CBOE to accommodate CBOE’s ability to trade options via the back-up data center); CBOE Regulatory Circular RG12–163 (stating that Trading Permit Holders are required to maintain connectivity with the back-up data center and have the ability to operate in the back-up data center should circumstances arise that require it to be used); NYSE Rule 49(b)(2)(iii) (requiring NYSE members to have contingency plans to accommodate the use of the systems and facilities of NYSE Arca, NYSE’s designated backup facility). See also Securities Exchange Act Release No. 52446 (September 15, 2005), 70 FR 55435 (September 21, 2005) (approving a proposed rule change by each of DTC, FICC, and NSCC imposing fines on ‘‘top tier’’ members that fail to conduct required connectivity testing for business continuity purposes, as reflected, e.g., in NSCC Rules and Procedures, Addendum P, available at: https://www.dtcc.com/legal/rules_proc/nscc_rules.pdf). See also, e.g., BATS Rule 18.38, Nasdaq Options Rule 13, and BOX Rule 3180 (permitting each exchange to require members to participate in computer systems testing in the manner and frequency prescribed by such exchange).
642 Based on industry sources, the Commission understands that most of the larger members or participants of SCI entities already maintain connectivity with the backup systems of SCI entities while, among smaller members or participants of SCI entities, there is a lower incidence of members or participants maintaining such connectivity. The Commission requests comment on the accuracy of this understanding.
The Commission preliminarily believes that the corrective action to mitigate harm resulting from SCI events would impose modest incremental costs on SCI entities because in the usual course of business, SCI entities already take corrective actions in response to systems issues. Proposed Rule 1000(b)(3) supplements the existing incentives of SCI entities to correct an SCI event quickly by focusing on potential harm to investors and market integrity and by requiring SCI entities to devote adequate resources to begin to take corrective action as soon as reasonably practicable. Based on its experience with the ARP Inspection Program, the Commission believes that entities currently participating in the ARP Inspection Program already take corrective actions in response to a systems issue, and believes that other SCI entities also take corrective actions in response to a systems issue. Nevertheless, the Commission preliminarily believes that proposed Rule 1000(b)(3) could result in modestly increased costs for SCI entities per SCI event for corrective action relative to current practice for SCI entities, as a result of undertaking corrective action sooner than they might have otherwise and/or increasing investment in newer more updated systems earlier than they might have otherwise. If, however, proposed Regulation SCI reduces the frequency and severity of SCI events, the overall costs to SCI entities of corrective action may not increase significantly from the costs incurred without proposed Regulation SCI. However, the degree to which proposed Regulation SCI will reduce the frequency and severity of SCI events is unknown. Thus, the Commission is, at this time, unable to estimate the precise impact of proposed Regulation SCI due to an SCI entity’s corrective action. Thus, the Commission requests comment regarding the costs associated with proposed Regulation SCI’s corrective action requirements, including what such costs would be on an annualized basis.644 When an SCI event occurs, an SCI entity needs to determine whether the event is an immediate notification SCI event or dissemination SCI event because the proposed rule would impose different obligations on SCI entities for such events.
643 This estimate assumes that 44 SCI entities would each designate an average of 150 members or participants to participate in the necessary testing. Based on industry sources, the Commission understands that many SCI entities have between 200 and 400 members or participants, though some have more and some have fewer. In addition, the Commission preliminarily believes that it is reasonable to estimate that the members or participants of SCI entities that are most likely to be designated to be required to participate in testing are those that conduct a high level of activity with the SCI entity, or that play an important role for the SCI entity (such as market makers) and that such members or participants currently are likely to already maintain connectivity with an SCI entity’s backup systems. Therefore, the Commission estimates the average cost for each member or participant of an SCI entity to be $10,000, which takes into account the fact that the Commission preliminarily believes that many members or participants of SCI entities that would be required to participate in such testing would already have such connectivity, and thus have minimal cost. Based on these assumptions, the Commission estimates the total aggregate cost to all members or participants of all SCI entities to be approximately $66 million (44 SCI entities × 150 members or participants × $10,000 = $66 million).
Identifying these types of SCI events may impose one-time implementation costs on SCI entities associated with developing a process for ensuring that they are able to quickly and correctly make such determinations, as well as periodic costs in reviewing the adopted process.645 The Commission notes that proposed Rule 1000(d) would require that any written notification, review, description, analysis, or report to the Commission (except any written notification submitted pursuant to proposed Rule 1000(b)(4)(i)) be submitted electronically and contain an electronic signature. This proposed rule would require that every SCI entity have the ability to submit forms electronically with an electronic signature. The Commission believes that most, if not all, SCI entities currently have the ability to access and submit an electronic form such that the requirement to submit Form SCI electronically will not impose new implementation costs. The initial and ongoing costs associated with various electronic submissions of Form SCI are discussed in the Paperwork Reduction Act Section above.646 The Commission recognizes that some of the costs imposed by proposed Regulation SCI may ultimately be transferred to intermediaries, such as market participants that access national securities exchanges or clearing agencies, for example, in the form of higher fees.
644 See also supra Section IV.D.3 (estimating paperwork burdens associated with SCI entities developing a process for ensuring that they are prepared to take corrective action as required by proposed Rule 1000(b)(3), and reviewing that process on an ongoing basis).
645 The initial and ongoing burden associated with making these determinations are discussed in the Paperwork Reduction Act Section above. See supra Section IV.D.3 (estimating burdens resulting from SCI entities determining whether an SCI event is an immediate notification SCI event or dissemination SCI event).
The Commission recognizes that, if costs relating to compliance with proposed Regulation SCI are passed on in the form of increased prices to users of SCI entities, there may be a loss of efficiency as a result of the net increase in costs to SCI entity customers. The Commission also preliminarily believes that, for some SCI entities, the cost estimates may be lower than the actual costs to be incurred, such as for entities that are not currently part of the ARP Inspection Program or that have complex automated systems. However, on balance, the Commission preliminarily believes that the incremental direct cost estimates above are appropriate.
b. Other Costs
The Commission recognizes that proposed Regulation SCI could have other potential costs that cannot be quantified at this time. For example, entities covered by the proposed rule frequently make systems changes to comply with new and amended rules and regulations such as rules and regulations under federal securities laws and SRO rules. The Commission recognizes that, for entities that meet the definition of SCI entities, because they must continue to comply with proposed Regulation SCI when they make systems changes, proposed Regulation SCI could increase the costs and time needed to make systems changes to comply with new and amended rules and regulations. The Commission requests comment on the nature of such additional costs and time. The Commission also considered whether proposed Regulation SCI would impact innovation in ATSs or raise barriers to entry.
646 See supra Section IV.D.2 (estimating burdens resulting from notice, dissemination, and reporting requirements for SCI entities).
The Commission recognizes that, if proposed Regulation SCI were to cause SCI entities, including ATSs, to allocate resources towards ensuring they have robust systems and the personnel necessary to comply with proposed Regulation SCI’s requirements and away from new features for their systems, or investing in research and development, proposed Regulation SCI may have a negative impact on innovation among such entities and thus impact competition. Similarly, if the costs of proposed Regulation SCI were to be viewed by persons considering forming new ATSs to be so onerous so as to dissuade them from starting new ATSs, competition would also be negatively impacted. To balance any concern about discouraging innovation and raising barriers to entry against the need for regulation, the Commission proposes thresholds for SCI ATSs that are designed to include only the ATSs that are most likely to have a significant impact on markets due to an SCI event, and requests comment on the thresholds.647 The tradeoffs associated with these thresholds are discussed in more detail below. Finally, by specifying the timing, type, and format of information to be submitted to the Commission and by requiring electronic submission of Form SCI, Commission staff should be able to more efficiently review and analyze the information submitted. It is particularly important for the Commission to be able to review and analyze filings on Form SCI efficiently because proposed Regulation SCI would require all SCI events to be reported to the Commission. 
The Commission is not proposing at this time to require the data to be submitted in a tagged data format (e.g., XML, XBRL, or another structured data format that may be tagged), although it has requested specific comment as to whether it should, and the costs and benefits of doing so.648 The Commission recognizes that it could more readily analyze filings submitted in a tagged data format than in PDF format, and the subsequent potential benefits to investors may be greater. However, these benefits are balanced against the costs to the SCI entities of submitting filings in a tagged format.
c. Scaling
The Commission recognizes that the benefits of every provision of proposed Regulation SCI may not justify the costs of the provision if every requirement applied to every SCI entity and SCI event. In particular, the Commission recognizes that applying each requirement to every SCI entity and every SCI event could adversely affect competition and efficiency. Therefore, the Commission has proposed that not all SCI events be subject to the same requirements as immediate notification SCI events and dissemination SCI events and that ATSs that do not meet the definition of SCI ATS, and broker-dealers who are not ATSs, should not be subject to the same requirements as SCI entities. The discussion that follows lays out the tradeoffs associated with determining the appropriate cutoffs for determining which events are immediate notification SCI events or dissemination SCI events, and which ATSs are SCI ATSs. In sum, the Commission believes that the requirements balance the need for regulation against the potential efficiency, competition, and capital formation concerns of the regulation.
647 See supra Section III.B.1 and supra notes 100–123 and accompanying text.
648 See, e.g., request for comment in supra Section III.D.1.
In the Commission’s judgment, the cost of complying with the proposed rules would not be so large as to significantly raise barriers to entry or otherwise alter the competitive landscape of the entities involved. As defined in proposed Rule 1000(a), a dissemination SCI event is an SCI event that is a: systems compliance issue; systems intrusion; or system disruption that results, or the SCI entity reasonably estimates would result, in a significant harm or loss to market participants. If the criteria for dissemination SCI events is set too low, the member or participant dissemination requirements under proposed Regulation SCI could be very costly.649 Therefore, the Commission carefully considered tradeoffs in defining the term dissemination SCI event. On the one hand, the definition should ensure that SCI events that have significant impacts on the markets are captured as dissemination SCI events.650 On the other hand, not every SCI event should be included.
649 As noted above, an immediate notification SCI event includes any systems disruption that the SCI entity reasonably estimates would have a material impact on its operations or on market participants, any systems compliance issue, or any systems intrusion. See supra Section III.C.3.b. As with dissemination SCI events, if the criteria for immediate notification SCI events is set too low, SCI entities would incur additional costs in providing immediate notification to the Commission.
650 With respect to immediate Commission notification, the Commission should be immediately notified of any systems disruption that the SCI entity reasonably estimates would have a material impact on its operations or on market participants, any systems compliance issue, or any systems intrusion.
There are higher costs associated with dealing with dissemination SCI events as compared to SCI events that are not dissemination SCI events due to the additional requirements relating to dissemination of information to members or participants. Second, SCI entity members or participants may be provided with unnecessary information if information about too many SCI events that do not have significant impact on the markets is disseminated to members or participants. If there is excessive dissemination of insignificant events, truly important events may get hidden among others that do not have the same degree of significance or impact on the securities markets.651 SCI entity members or participants also may not pay attention to disseminated SCI events if an excessive number of insignificant events are disseminated and notifications about SCI events may become routine. The proposed definition of dissemination SCI event is an attempt to balance these concerns. Section III.B.1 discusses the definition of ‘‘SCI ATS’’ in proposed Rule 1000(a). The proposal would replace the threshold for NMS stocks of 20 percent or more of the average daily volume in any NMS stock. The proposal bases the definition of SCI ATS on average daily dollar volume and sets the threshold at five percent or more in any single NMS stock and one-quarter percent or more in all NMS stocks, or one percent or more in all NMS stocks. The proposal changes the threshold for non-NMS stocks to at least five percent of the aggregate average daily dollar volume from twenty percent of the average daily share volume. These proposed thresholds reflect developments in equities markets that resulted in a higher number of trading venues and less concentrated trading, and are designed to ensure that the proposed rule is applied to all ATSs that trade more than a limited amount of securities and for which SCI events may cause significant impact on the overall market.
The main benefit of the proposed thresholds is to bring more ATSs into the SCI ATS definition than currently subject to the systems safeguard provisions of Rule 301(b)(6) of Regulation ATS, which in turn would make them SCI entities. This would help ensure that SCI ATSs that trade a certain amount of securities are covered by the proposed regulation. The Commission recognizes the potential for a low threshold to discourage automation and innovation but, as noted below, the Commission has balanced the concerns regarding discouraging automation and innovation against the need for regulation, and preliminarily believes that innovation is unlikely to be hampered and automation is likely to continue to increase. To that extent, the proposed rule uses a two-prong approach for NMS stocks. The threshold is based on market share in individual stocks. However, it is also required that the ATS has a certain market share of the overall market in all NMS stocks to prevent an ATS from being subject to proposed Regulation SCI for meeting the five percent threshold in any single NMS stock for a micro-cap stock, but not having significant market share in all NMS stocks. As discussed above, the Commission believes that approximately 10 NMS stock ATSs and two non-NMS stock ATSs would fall within the definition of SCI ATS.652 For municipal and corporate debt securities, the proposal would lower the threshold from 20 percent or more to five percent or more. However, the proposal contemplates a two-prong approach considering either average daily dollar volume or average daily transaction volume, and exceeding the threshold in either one would qualify an ATS as an SCI ATS.
651 Similarly, immediate Commission notification of only immediate notification SCI events should help the Commission focus its attention on SCI events that may potentially impact an SCI entity’s operations or market participants.
The use of the two metrics is intended to take into account the fact that ATSs in the debt securities markets may handle primarily retail trades (i.e., large transaction volume but small dollar volume) or institutional-sized trades (i.e., large dollar volume but small transaction volume). The proposed thresholds for municipal and corporate debt securities are different from the proposed thresholds for NMS stocks. This difference reflects the fact that, in the debt securities markets (i.e., municipal securities and corporate debt securities), the degree of automation and electronic trading is much lower than in the markets for NMS stocks, which the Commission preliminarily believes may reduce the need for more stringent rules and regulations. In addition, the Commission preliminarily believes that the imposition of a threshold lower than five percent on the current debt securities markets could have the unintended effect of discouraging automation in these markets and discouraging new entrants into these markets. Also, due to the large number of issues outstanding in these debt securities markets, trading volume may be extremely low in a given issue, but also may fluctuate significantly from day to day and issue to issue. Therefore, the thresholds for debt securities consider aggregate volume instead of volume in an individual issue. As discussed above, the Commission preliminarily believes that three municipal securities and corporate debt securities ATSs would fall within the definition of SCI ATS.653
652 See supra Section III.B.1.
D. Request for Comment on Economic Analysis
219. The Commission is sensitive to the potential economic effects, including the costs and benefits, of proposed Regulation SCI.
The Commission has identified above certain costs and benefits associated with the proposal and requests comment on all aspects of its preliminary economic analysis.654 The Commission encourages commenters to identify, discuss, analyze, and supply relevant data, information, or statistics regarding any such costs or benefits. In particular, the Commission seeks comment on the following: 220. Do commenters agree that the release provides a fair representation of current practices and how those current practices would change under proposed Regulation SCI? Why or why not? Please be specific in your response regarding current practices and how they would change under proposed Regulation SCI. 221. Do commenters agree with the Commission’s characterization of the relevant markets in which SCI entities participate, as well as the market failures identified with respect to each of the relevant markets? Why or why not? Specifically, do commenters agree with the identified level of competition in each of the relevant markets? Why or why not? 222. What is a typical market participant’s general level of expectation of how well the market operates? Do market participants currently have all the information they need to make informed decisions that manage their exposure to SCI events? If not, would proposed Regulation SCI provide the needed information? Why or why not? 223. Do commenters agree with the Commission’s analysis of the costs and benefits of each provision of proposed Regulation SCI, including the definitions under proposed Rule 1000(a)? Why or why not? 224. Do commenters believe that there are additional benefits or costs that could be quantified or otherwise monetized?
653 See id.
654 The Commission has also considered the views expressed in comment letters submitted in connection with the Roundtable, as well as the views expressed by Roundtable participants. See supra Section I.C.
If so, please identify these categories and, if possible, provide specific estimates or data. 225. Are there any additional benefits that may arise from proposed Regulation SCI? Or are there benefits described above that would not likely result from proposed Regulation SCI? If so, please explain these benefits or lack of benefits in detail. 226. Are there any additional costs that may arise from proposed Regulation SCI? Are there any potential unintended consequences of proposed Regulation SCI? Or are there costs described above that would not likely result from proposed Regulation SCI? If so, please explain these costs or lack of costs in detail. 227. Do the types or extent of any anticipated benefits or costs from proposed Regulation SCI differ between the different types of SCI entities? For example, do potential benefits or costs differ with respect to SCI SROs as compared to SCI ATSs? Please explain. 228. Are there methods (including any suggested by Roundtable panelists or commenters) by which the Commission could reduce the costs imposed by Regulation SCI while still achieving the goals? Please explain. 229. Does the release appropriately describe the potential impacts of proposed Regulation SCI on the promotion of efficiency, competition, and capital formation? Why or why not? 230. To the extent that there are reasonable alternatives to any of the rules under proposed Regulation SCI, what are the potential costs and benefits of those reasonable alternatives relative to the proposed rules? What are the potential impacts on the promotion of efficiency, competition, and capital formation of those reasonable alternatives? For example, what would be the effect on the economic analysis of requiring SCI entities to conduct an SCI review that requires penetration testing annually? What would be the effect on the economic analysis of requiring SCI entities to inform members and participants of all SCI events? 
What would be the effect on the economic analysis of requiring filing in a tagged data format (e.g., XML, XBRL, or another structured data format that may be tagged)? What would be the effect on the economic analysis of including broker-dealers, or a subset thereof, in the definition of SCI entities?
231. In addition, as noted above, the proposed requirement that an SCI entity disseminate information relating to dissemination SCI events to its members or participants is focused on disseminating information to those who need, want, and can act on the information disseminated. The Commission also preliminarily believes that this proposed requirement could promote competition and capital formation. Are there alternative mechanisms for achieving the Commission’s goals while promoting competition and capital formation? Are there costs associated with this proposed approach that have not been considered? For example, would the requirement to disseminate information to members or participants about dissemination SCI events increase an SCI entity’s litigation costs, or cause an SCI entity to lose business (e.g., if market participants misjudge the meaning of information disseminated about dissemination SCI events)? Would the benefits of the proposed information dissemination outweigh the costs? Why or why not? Please explain.
232. The Commission also generally requests comment on the competitive or anticompetitive effects, as well as the efficiency and capital formation effects, of proposed Regulation SCI on market participants if the proposed rules are adopted as proposed. Commenters should provide analysis and empirical data to support their views on the competitive or anticompetitive effects, as well as the efficiency and capital formation effects, of proposed Regulation SCI.
233. Finally, as stated above, proposed Rule 1000(b)(1) would require SCI entities to establish, maintain, and enforce written policies and procedures, reasonably designed to ensure that their SCI systems and, for purposes of security standards, SCI security systems, have levels of capacity, integrity, resiliency, availability, and security, adequate to maintain the SCI entity’s operational capability and promote the maintenance of fair and orderly markets. As discussed above, the Commission is proposing that an SCI entity’s policies and procedures required by proposed Rule 1000(b)(1) be deemed to be reasonably designed if they are consistent with current SCI industry standards.655 However, the costs identified above may not fully incorporate all of the costs of adhering to initial or future SCI industry standards. For example, if a SCI industry standard is based on the standards of NIST (which issues a number of the publications listed in Table A), it could include additional requirements not otherwise required in proposed Regulation SCI such as establishment of assurance-related controls (including, for example, conduct of integrity checks on software and firmware components, or monitoring of established secure configuration settings). Any additional requirements would likely impose costs on SCI entities. Therefore, the Commission requests comment on what benefits or costs, quantifiable or otherwise, could potentially be imposed by the identification of SCI industry standards. What are market participants’ current level of compliance with the industry standards contained in the publications listed in Table A? What would be the costs to SCI entities (in addition to the cost of adhering to current practice) of the Commission identifying examples of industry standards? What would be the benefits? Please explain.
655 Proposed SCI industry standards are contained in the publications identified in Table A. See supra Section III.C.1.b.
VI. Consideration of Impact on the Economy
For purposes of the Small Business Regulatory Enforcement Fairness Act of 1996, or “SBREFA,” 656 the Commission must advise OMB as to whether proposed Regulation SCI constitutes a “major” rule. Under SBREFA, a rule is considered “major” where, if adopted, it results or is likely to result in: (1) An annual effect on the economy of $100 million or more (either in the form of an increase or decrease); (2) a major increase in costs or prices for consumers or individual industries; or (3) a significant adverse effect on competition, investment or innovation.
234. The Commission requests comment on the potential impact of proposed Regulation SCI on the economy on an annual basis, on the costs or prices for consumers or individual industries, and any potential effect on competition, investment, or innovation. Commenters are requested to provide empirical data and other factual support for their views to the extent possible.
VII. Regulatory Flexibility Act Certification
The Regulatory Flexibility Act (“RFA”) 657 requires Federal agencies, in promulgating rules, to consider the impact of those rules on small entities. Section 603(a) 658 of the Administrative Procedure Act,659 as amended by the RFA, generally requires the Commission to undertake a regulatory flexibility analysis of all proposed rules, or proposed rule amendments, to determine the impact of such rulemaking on “small entities.” 660 Section 605(b) of the RFA states that this requirement shall not apply to any proposed rule or proposed rule amendment, which if adopted, would not have significant economic impact on a substantial number of small entities.
656 Public Law 104–121, Title II, 110 Stat. 857 (1996) (codified in various sections of 5 U.S.C., 15 U.S.C. and as a note to 5 U.S.C. 601).
657 5 U.S.C. 601 et seq.
658 5 U.S.C. 603(a).
659 5 U.S.C. 551 et seq.
660 Although Section 601(b) of the RFA defines the term “small entity,” the statute permits agencies to formulate their own definitions. The Commission has adopted definitions for the term “small entity” for purposes of Commission rulemaking in accordance with the RFA. Those definitions, as relevant to this proposed rulemaking, are set forth in Rule 0–10, 17 CFR 240.0–10. See Securities Exchange Act Release No. 18451 (January 28, 1982), 47 FR 5215 (February 4, 1982) (File No. AS–305).
A. SCI Entities
Paragraph (a) of Rule 0–10 provides that for purposes of the RFA, a small entity when used with reference to a “person” other than an investment company means a person that, on the last day of its most recent fiscal year, had total assets of $5 million or less.661 With regard to broker-dealers, small entity means a broker or dealer that had total capital of less than $500,000 on the date in the prior fiscal year as of which its audited financial statements were prepared pursuant to Rule 17a–5(d) under the Exchange Act, or, if not required to file such statements, total capital of less than $500,000 on the last business day of the preceding fiscal year (or in the time that it has been in business, if shorter), and that is not affiliated with any person that is not a small business or small organization.662 With regard to clearing agencies, small entity means a clearing agency that compared, cleared, and settled less than $500 million in securities transactions during the preceding fiscal year (or in the time that it has been in business, if shorter), had less than $200 million of funds and securities in its custody or control at all times during the preceding fiscal year (or in the time that it has been in business, if shorter), and is not affiliated with any person (other than a natural person) that is not a small business or small organization.663 With regard to exchanges, a small entity is an exchange that has been exempt from the reporting requirements of Rule 601 under Regulation NMS, and is not affiliated with any person (other than a natural person) that is not a small business or small organization.664 With regard to securities information processors, a small entity is a securities information processor that had gross revenue of less than $10 million during the preceding year (or in the time it has been in business, if shorter), provided service to fewer than 100 interrogation devices or moving tickers at all times during the preceding fiscal year (or in the time it has been in business, if shorter), and is not affiliated with any person (that is not a natural person) that is not a small business or small organization.665
661 See 17 CFR 240.0–10(a).
662 See 17 CFR 240.0–10(c).
663 See 17 CFR 240.0–10(d).
664 See 17 CFR 240.0–10(e).
Under the standards adopted by the Small Business Administration (“SBA”), entities engaged in financial investments and related activities are considered small entities if they have $7 million or less in annual receipts.666
Based on the Commission’s existing information about the entities that will be subject to proposed Regulation SCI, the Commission preliminarily believes that SCI entities that are self-regulatory organizations (national securities exchanges, national securities associations, registered clearing agencies, and the MSRB) or exempt clearing agencies subject to ARP would not fall within the definition of “small entity” as described above.
With regard to plan processors, which are defined under Rule 600(b)(55) of Regulation NMS to mean a self-regulatory organization or securities information processor acting as an exclusive processor in connection with the development, implementation and/or operation of any facility contemplated by an effective NMS plan,667 the Commission’s definition of “small entity” as it relates to self-regulatory organizations and securities information processors would apply. The Commission preliminarily does not believe that any plan processor would be a “small entity” as defined above.
With regard to SCI ATSs, because they are registered as broker-dealers, the Commission’s definition of “small entity” as it relates to broker-dealers would apply.
As stated above, the Commission preliminarily believes that approximately 15 ATSs would satisfy the definition of SCI ATSs and would be impacted by proposed Regulation SCI.668 The Commission preliminarily does not believe that any of these 15 SCI ATSs would be a “small entity” as defined above.
665 See 17 CFR 240.0–10(g).
666 See SBA’s Table of Small Business Size Standards, Subsector 523 and 13 CFR 121.201. Such entities include firms engaged in investment banking and securities dealing, securities brokerage, commodity contracts dealing, commodity contracts brokerage, securities and commodity exchanges, miscellaneous intermediation, portfolio management, investment advice, trust, fiduciary and custody activities, and miscellaneous financial investment activities.
667 See 17 CFR 242.600(b)(55).
668 See supra Section III.B.1, discussing the proposed definition of SCI entity.
B. Certification
For the foregoing reasons, the Commission certifies that proposed Regulation SCI would not have a significant economic impact on a substantial number of small entities for the purposes of the RFA.
235. The Commission requests comment regarding this certification. The Commission requests that commenters describe the nature of any impact on small entities and provide empirical data to illustrate the extent of the impact.
VIII. Statutory Authority and Text of Proposed Amendments
Pursuant to the Exchange Act, 15 U.S.C. 78a et seq., and particularly, Sections 2, 3, 5, 6, 11A, 15, 15A, 17, 17A, and 23(a) thereof, 15 U.S.C. 78b, 78c, 78e, 78f, 78k–1, 78o, 78o–3, 78q, 78q–1, and 78w(a), the Commission proposes to adopt Regulation SCI under the Exchange Act and Form SCI under the Exchange Act, and to amend Regulation ATS under the Exchange Act.
List of Subjects in 17 CFR Parts 242 and 249
Securities, brokers, reporting and recordkeeping requirements.
For the reasons stated in the preamble, the Commission is proposing to amend title 17, chapter II of the Code of Federal Regulations as follows:
PART 242—REGULATIONS M, SHO, ATS, AC, NMS AND SCI AND CUSTOMER MARGIN REQUIREMENTS FOR SECURITY FUTURES
■ 1a. The authority citation for part 242 continues to read as follows:
Authority: 15 U.S.C. 77g, 77q(a), 77s(a), 78b, 78c, 78g(c)(2), 78i(a), 78j, 78k–1(c), 78l, 78m, 78n, 78o(b), 78o(c), 78o(g), 78q(a), 78q(b), 78q(h), 78w(a), 78dd–1, 78mm, 80a–23, 80a–29, and 80a–37.
■ 1b. The heading of part 242 is revised to read as set forth above.
§ 242.301—[Amended]
■ 2. In § 242.301, remove and reserve paragraph (b)(6).
■ 3. Add an undesignated center heading and § 242.1000 to read as follows:
Regulation SCI—Systems Compliance and Integrity
§ 242.1000 Definitions and requirements for SCI entities
(a) Definitions. For purposes of this section, the following definitions shall apply:
Dissemination SCI event means an SCI event that is a:
(1) Systems compliance issue;
(2) Systems intrusion; or
(3) Systems disruption that results, or the SCI entity reasonably estimates would result, in significant harm or loss to market participants.
Electronic signature has the meaning set forth in § 240.19b–4(j) of this chapter.
Exempt clearing agency subject to ARP means an entity that has received from the Commission an exemption from registration as a clearing agency under Section 17A of the Act, and whose exemption contains conditions that relate to the Commission’s Automation Review Policies (ARP), or any Commission regulation that supersedes or replaces such policies.
Material systems change means a change to one or more:
(1) SCI systems of an SCI entity that:
(i) Materially affects the existing capacity, integrity, resiliency, availability, or security of such systems;
(ii) Relies upon materially new or different technology;
(iii) Provides a new material service or material function; or
(iv) Otherwise materially affects the operations of the SCI entity; or
(2) SCI security systems of an SCI entity that materially affects the existing security of such systems.
Plan processor has the meaning set forth in § 242.600(b)(55).
Responsible SCI personnel means, for a particular SCI system or SCI security system impacted by an SCI event, any personnel, whether an employee or agent, of the SCI entity having responsibility for such system.
SCI alternative trading system or SCI ATS means an alternative trading system, as defined in § 242.300(a), which during at least four of the preceding six calendar months, had:
(1) With respect to NMS stocks:
(i) Five percent (5%) or more in any single NMS stock, and one-quarter percent (0.25%) or more in all NMS stocks, of the average daily dollar volume reported by an effective transaction reporting plan; or
(ii) One percent (1%) or more in all NMS stocks of the average daily dollar volume reported by an effective transaction reporting plan;
(2) With respect to equity securities that are not NMS stocks and for which transactions are reported to a self-regulatory organization, five percent (5%) or more of the average daily dollar volume as calculated by the self-regulatory organization to which such transactions are reported;
(3) With respect to municipal securities, five percent (5%) or more of either:
(i) The average daily dollar volume traded in the United States; or
(ii) The average daily transaction volume traded in the United States; or
(4) With respect to corporate debt securities, five percent (5%) or more of either:
(i) The average daily dollar volume traded in the United States; or
(ii) The average daily transaction volume traded in the United States.
SCI entity means an SCI self-regulatory organization, SCI alternative trading system, plan processor, or exempt clearing agency subject to ARP.
SCI event means an event at an SCI entity that constitutes:
(1) A systems disruption;
(2) A systems compliance issue; or
(3) A systems intrusion.
SCI review means a review, following established procedures and standards, that is performed by objective personnel having appropriate experience in conducting reviews of SCI systems and SCI security systems, and which review contains:
(1) A risk assessment with respect to such systems of an SCI entity; and
(2) An assessment of internal control design and effectiveness to include logical and physical security controls, development processes, and information technology governance, consistent with industry standards; provided however, that such review shall include penetration test reviews of the network, firewalls, development, testing, and production systems at a frequency of not less than once every three years.
SCI security systems means any systems that share network resources with SCI systems that, if breached, would be reasonably likely to pose a security threat to SCI systems.
SCI self-regulatory organization or SCI SRO means any national securities exchange, registered securities association, or registered clearing agency, or the Municipal Securities Rulemaking Board; provided however, that for purposes of this section, the term SCI self-regulatory organization shall not include an exchange that is notice registered with the Commission pursuant to 15 U.S.C. 78f(g) or a limited purpose national securities association registered with the Commission pursuant to 15 U.S.C. 78o–3(k).
SCI systems means all computer, network, electronic, technical, automated, or similar systems of, or operated by or on behalf of, an SCI entity, whether in production, development, or testing, that directly support trading, clearance and settlement, order routing, market data, regulation, or surveillance.
Systems compliance issue means an event at an SCI entity that has caused any SCI system of such entity to operate in a manner that does not comply with the federal securities laws and rules and regulations thereunder or the entity’s rules or governing documents, as applicable.
Systems disruption means an event in an SCI entity’s SCI systems that results in:
(1) A failure to maintain service level agreements or constraints;
(2) A disruption of normal operations, including switchover to back-up equipment with near-term recovery of primary hardware unlikely;
(3) A loss of use of any such system;
(4) A loss of transaction or clearance and settlement data;
(5) Significant back-ups or delays in processing;
(6) A significant diminution of ability to disseminate timely and accurate market data; or
(7) A queuing of data between system components or queuing of messages to or from customers of such duration that normal service delivery is affected.
Systems intrusion means any unauthorized entry into the SCI systems or SCI security systems of an SCI entity.
(b) Requirements for SCI entities. Each SCI entity shall:
(1) Capacity, Integrity, Resiliency, Availability, and Security. Establish, maintain, and enforce written policies and procedures reasonably designed to ensure that its SCI systems and, for purposes of security standards, SCI security systems, have levels of capacity, integrity, resiliency, availability, and security, adequate to maintain the SCI entity’s operational capability and promote the maintenance of fair and orderly markets.
(i) Such policies and procedures shall include, at a minimum:
(A) The establishment of reasonable current and future capacity planning estimates;
(B) Periodic capacity stress tests of such systems to determine their ability to process transactions in an accurate, timely, and efficient manner;
(C) A program to review and keep current systems development and testing methodology for such systems;
(D) Regular reviews and testing of such systems, including backup systems, to identify vulnerabilities pertaining to internal and external threats, physical hazards, and natural or manmade disasters;
(E) Business continuity and disaster recovery plans that include maintaining backup and recovery capabilities sufficiently resilient and geographically diverse to ensure next business day resumption of trading and two-hour resumption of clearance and settlement services following a wide-scale disruption; and
(F) Standards that result in such systems being designed, developed, tested, maintained, operated, and surveilled in a manner that facilitates the successful collection, processing, and dissemination of market data; and
(ii) For purposes of this paragraph (b)(1), such policies and procedures shall be deemed to be reasonably designed if they are consistent with current SCI industry standards, which shall be:
(A) Comprised of information technology practices that are widely available for free to information technology professionals in the financial sector; and
(B) Issued by an authoritative body that is a U.S. governmental entity or agency, association of U.S. governmental entities or agencies, or widely recognized organization. Compliance with such current SCI industry standards, however, shall not be the exclusive means to comply with the requirements of this paragraph (b)(1).
(2) Systems Compliance. (i) Establish, maintain, and enforce written policies and procedures reasonably designed to ensure that its SCI systems operate in the manner intended, including in a manner that complies with the federal securities laws and rules and regulations thereunder and the entity’s rules and governing documents, as applicable.
(ii) Safe harbor from liability for SCI entities. An SCI entity shall be deemed not to have violated paragraph (b)(2)(i) of this section if:
(A) The SCI entity has established and maintained policies and procedures reasonably designed to provide for:
(1) Testing of all such systems and any changes to such systems prior to implementation;
(2) Periodic testing of all such systems and any changes to such systems after their implementation;
(3) A system of internal controls over changes to such systems;
(4) Ongoing monitoring of the functionality of such systems to detect whether they are operating in the manner intended;
(5) Assessments of SCI systems compliance performed by personnel familiar with applicable federal securities laws and rules and regulations thereunder and the SCI entity’s rules and governing documents, as applicable; and
(6) Review by regulatory personnel of SCI systems design, changes, testing, and controls to prevent, detect, and address actions that do not comply with applicable federal securities laws and rules and regulations thereunder and the SCI entity’s rules and governing documents, as applicable;
(B) The SCI entity has established and maintained a system for applying such policies and procedures which would reasonably be expected to prevent and detect, insofar as practicable, any violations of such policies and procedures by the SCI entity or any person employed by the SCI entity, and
(C) The SCI entity:
(1) Has reasonably discharged the duties and obligations incumbent upon the SCI entity by such policies and procedures; and
(2) Was without reasonable cause to believe that such policies and procedures were not being complied with in any material respect.
(iii) Safe harbor from liability for individuals. A person employed by an SCI entity shall be deemed not to have aided, abetted, counseled, commanded, caused, induced, or procured the violation by any other person of paragraph (b)(2)(i) of this section if the person employed by the SCI entity:
(A) Has reasonably discharged the duties and obligations incumbent upon such person by such policies and procedures; and
(B) Was without reasonable cause to believe that such policies and procedures were not being complied with in any material respect.
(3) Corrective Action. Upon any responsible SCI personnel becoming aware of an SCI event, begin to take appropriate corrective action which shall include, at a minimum, mitigating potential harm to investors and market integrity resulting from the SCI event and devoting adequate resources to remedy the SCI event as soon as reasonably practicable.
(4) Commission Notification. (i) Upon any responsible SCI personnel becoming aware of a systems disruption that the SCI entity reasonably estimates would have a material impact on its operations or on market participants, any systems compliance issue, or any systems intrusion, notify the Commission of such SCI event.
(ii) Within 24 hours of any responsible SCI personnel becoming aware of any SCI event, submit a written notification pertaining to such SCI event to the Commission.
(iii) Until such time as the SCI event is resolved, submit written updates pertaining to such SCI event to the Commission on a regular basis, or at such frequency as reasonably requested by a representative of the Commission.
(iv) Any written notification to the Commission made pursuant to paragraphs (b)(4)(ii) or (b)(4)(iii) of this section shall be made electronically on Form SCI (§ 249.1900 of this chapter), and shall include all information as prescribed in Form SCI and the instructions thereto, including:
(A) For a notification made pursuant to paragraph (b)(4)(ii) of this section:
(1) All pertinent information known about an SCI event, including: a detailed description of the SCI event; the SCI entity’s current assessment of the types and number of market participants potentially affected by the SCI event; the potential impact of the SCI event on the market; and the SCI entity’s current assessment of the SCI event, including a discussion of the determination of whether the SCI event is a dissemination SCI event or not; and
(2) To the extent available as of the time of the notification: A description of the steps the SCI entity is taking, or plans to take, with respect to the SCI event; the time the SCI event was resolved or timeframe within which the SCI event is expected to be resolved; a description of the SCI entity’s rule(s) and/or governing document(s), as applicable, that relate to the SCI event; and an analysis of parties that may have experienced a loss, whether monetary or otherwise, due to the SCI event, the number of such parties, and an estimate of the aggregate amount of such loss.
(B) For a notification made pursuant to paragraph (b)(4)(iii) of this section, an update of any information previously provided regarding the SCI event, including any information required by paragraph (b)(4)(iv)(A)(2) of this section which was not available at the time of submission of the notification made pursuant to paragraph (b)(4)(ii) of this section. Subsequent updates shall update any information provided regarding the SCI event until the SCI event is resolved.
(C) For notifications made pursuant to paragraphs (b)(4)(ii) or (b)(4)(iii) of this section, attach a copy of any information disseminated to date regarding the SCI event to its members or participants or on the SCI entity’s publicly available Web site.
(5) Dissemination of information to members or participants. (i)(A) Promptly after any responsible SCI personnel becomes aware of a dissemination SCI event other than a systems intrusion, disseminate to its members or participants the following information about such SCI event:
(1) The systems affected by the SCI event; and
(2) A summary description of the SCI event; and
(B) When known, further disseminate to its members or participants:
(1) A detailed description of the SCI event;
(2) The SCI entity’s current assessment of the types and number of market participants potentially affected by the SCI event; and
(3) A description of the progress of its corrective action for the SCI event and when the SCI event has been or is expected to be resolved; and
(C) Provide regular updates to members or participants of any information required to be disseminated under paragraphs (b)(5)(i)(A) and (b)(5)(i)(B) of this section.
(ii) Promptly after any responsible SCI personnel becomes aware of a systems intrusion, disseminate to its members or participants a summary description of the systems intrusion, including a description of the corrective action taken by the SCI entity and when the systems intrusion has been or is expected to be resolved, unless the SCI entity determines that dissemination of such information would likely compromise the security of the SCI entity’s SCI systems or SCI security systems, or an investigation of the systems intrusion, and documents the reasons for such determination.
(6) Material Systems Changes.
(i) Absent exigent circumstances, notify the Commission in writing at least 30 calendar days before implementation of any planned material systems change, including a description of the planned material systems change as well as the expected dates of commencement and completion of implementation of such changes.
(ii) If exigent circumstances exist, or if the information previously provided to the Commission regarding any planned material systems change has become materially inaccurate, notify the Commission, either orally or in writing, with any oral notification to be memorialized within 24 hours after such oral notification by a written notification, as early as reasonably practicable.
(iii) A written notification to the Commission made pursuant to this paragraph (b)(6) shall be made electronically on Form SCI (§ 249.1900 of this chapter), and shall include all information as prescribed in Form SCI and the instructions thereto.
(7) SCI Review. Conduct an SCI review of the SCI entity’s compliance with Regulation SCI not less than once each calendar year, and submit a report of the SCI review to senior management of the SCI entity for review no more than 30 calendar days after completion of such SCI review.
(8) Reports.
Submit to the Commission:
(i) A report of the SCI review required by paragraph (b)(7) of this section, together with any response by senior management, within 60 calendar days after its submission to senior management of the SCI entity;
(ii) A report, within 30 calendar days after the end of June and December of each year, containing a summary description of the progress of any material systems change during the six-month period ending on June 30 or December 31, as the case may be, and the date, or expected date, of completion of implementation of such changes; and
(iii) Any reports to be filed with the Commission pursuant to this paragraph (b)(8) shall be filed electronically on Form SCI (§ 249.1900 of this chapter), and shall include all information as prescribed in Form SCI and the instructions thereto.
(9) SCI Entity Business Continuity and Disaster Recovery Plans Testing Requirements for Members or Participants. With respect to an SCI entity’s business continuity and disaster recovery plans, including its backup systems:
(i) Require participation by designated members or participants in scheduled functional and performance testing of the operation of such plans, in the manner and frequency as specified by the SCI entity, at least once every 12 months; and
(ii) Coordinate the testing of such plans on an industry- or sector-wide basis with other SCI entities.
(iii) Each SCI entity shall designate those members or participants it deems necessary, for the maintenance of fair and orderly markets in the event of the activation of its business continuity and disaster recovery plans, to participate in the testing of such plans pursuant to paragraph (i) of this section. Each SCI entity shall notify the Commission of such designations and its standards for designation, and promptly update such notification after any changes to its designations or standards.
A written notification made pursuant to this paragraph (b)(9)(iii) shall be made electronically on Form SCI (§ 249.1900 of this chapter), and shall include all information as prescribed in Form SCI and the instructions thereto.
(c) Recordkeeping Requirements Related to Compliance with Regulation SCI.
(1) An SCI SRO shall make, keep, and preserve all documents relating to its compliance with Regulation SCI as prescribed in § 240.17a–1 of this chapter.
(2) An SCI entity that is not an SCI SRO shall:
(i) Make, keep, and preserve at least one copy of all documents, including correspondence, memoranda, papers, books, notices, accounts, and other such records, relating to its compliance with Regulation SCI, including, but not limited to, records relating to any changes to its SCI systems and SCI security systems;
(ii) Keep all such documents for a period of not less than five years, the first two years in a place that is readily accessible to the Commission or its representatives for inspection and examination; and
(iii) Upon request of any representative of the Commission, promptly furnish to the possession of such representative copies of any documents required to be kept and preserved by it pursuant to paragraphs (c)(2)(i) and (c)(2)(ii) of this section.
(3) Upon or immediately prior to ceasing to do business or ceasing to be registered under the Securities Exchange Act of 1934, an SCI entity shall take all necessary action to ensure that the records required to be made, kept, and preserved by this section shall be accessible to the Commission and its representatives in the manner required by this section and for the remainder of the period required by this section.
(d) Electronic Submission.
(1) Except with respect to notifications to the Commission made pursuant to paragraph (b)(4)(i) of this section or oral notifications to the Commission made pursuant to paragraph (b)(6)(ii) of this section, any notification, review, description, analysis, or report to the Commission required under this rule shall be submitted electronically on Form SCI (§ 249.1900 of this chapter) and shall contain an electronic signature; and
(2) The signatory to an electronically submitted Form SCI shall manually sign a signature page or document, in the manner prescribed by Form SCI, authenticating, acknowledging, or otherwise adopting his or her signature that appears in typed form within the electronic filing. Such document shall be executed before or at the time Form SCI is electronically submitted and shall be retained by the SCI entity in accordance with paragraph (c) of this section.
(e) Requirements for Service Bureaus. If records required to be filed or kept by an SCI entity under this rule are prepared or maintained by a service bureau or other recordkeeping service on behalf of the SCI entity, the SCI entity shall ensure that the records are available for review by the Commission and its representatives by submitting a written undertaking, in a form acceptable to the Commission, by such service bureau or other recordkeeping service, signed by a duly authorized person at such service bureau or other recordkeeping service.
Such a written undertaking shall include an agreement by the service bureau to permit the Commission and its representatives to examine such records at any time or from time to time during business hours, and to promptly furnish to the Commission and its representatives true, correct, and current electronic files in a form acceptable to the Commission or its representatives or hard copies of any or all or any part of such records, upon request, periodically, or continuously and, in any case, within the same time periods as would apply to the SCI entity for such records. The preparation or maintenance of records by a service bureau or other recordkeeping service shall not relieve an SCI entity from its obligation to prepare, maintain, and provide the Commission and its representatives access to such records.
(f) Access. Each SCI entity shall provide Commission representatives reasonable access to its SCI systems and SCI security systems to allow Commission representatives to assess the SCI entity’s compliance with this rule.

PART 249—FORMS, SECURITIES EXCHANGE ACT OF 1934

■ 4. The general authority citation for part 249 continues to read in part as follows:

Authority: 15 U.S.C. 78a et seq. and 7201 et seq.; 12 U.S.C. 5461 et seq.; and 18 U.S.C. 1350, unless otherwise noted.

* * * * *

■ 5. Add subpart T, consisting of § 249.1900, to read as follows:

Subpart T—Form SCI, for filing notices and reports as required by Regulation SCI.

§ 249.1900 Form SCI, for filing notices and reports as required by Regulation SCI.

Form SCI shall be used to file notice and reports as required by § 242.1000 of this chapter.

Note: The text of Form SCI does not, and the amendments will not, appear in the Code of Federal Regulations.

General Instructions for Form SCI

A. Use of the Form

Except with respect to notifications to the Commission made pursuant to proposed Rule 1000(b)(4)(i) or oral notifications to the Commission made pursuant to proposed Rule 1000(b)(6)(ii), all notifications and reports required to be submitted pursuant to Rule 1000 of Regulation SCI under the Securities Exchange Act of 1934 (‘‘Act’’) shall be filed in an electronic format through an electronic form filing system (‘‘EFFS’’), a secure Web site operated by the Securities and Exchange Commission (‘‘Commission’’).

B. Need for Careful Preparation of the Completed Form, Including Exhibits

This form, including the exhibits, is intended to elicit information necessary for Commission staff to work with SCI self-regulatory organizations, SCI alternative trading systems, plan processors, and exempt clearing agencies subject to ARP (collectively, ‘‘SCI entities’’) to ensure the capacity, integrity, resiliency, availability, and security of their automated systems. An SCI entity must provide all the information required by the form, including the exhibits, and must present the information in a clear and comprehensible manner. Form SCI shall not be considered filed unless it complies with applicable requirements.

C. When To Use the Form

Form SCI is comprised of five distinct types of filings to the Commission required by Rule 1000(b). The first type of filings is ‘‘(b)(4)’’ filings for notifications regarding systems disruptions, systems compliance issues, or systems intrusions (collectively, ‘‘SCI events’’). The other four types of filings are: ‘‘(b)(6)’’ filings for notifications of planned material systems changes; ‘‘(b)(8)(i)’’ filings for reports of SCI reviews; ‘‘(b)(8)(ii)’’ filings for semiannual reports of material systems changes; and ‘‘(b)(9)(iii)’’ filings for notifications of designations and standards under Rule 1000(b)(9).
In filling out Form SCI, an SCI entity shall select the type of filing and provide all information required under Rule 1000(b) specific to that type of filing.

Notifications for SCI Events

For (b)(4) filings, an SCI entity must notify the Commission using Form SCI by selecting the appropriate box in Section 1 and filling out all information required by the form. Initial notifications of an SCI event require the inclusion of an Exhibit 1 and must be submitted no later than 24 hours after any responsible SCI personnel becomes aware of the SCI event. For the initial notification of an SCI event, the SCI entity must include the information required by each item under Part 1 of Exhibit 1. To the extent available as of the time of the initial notification, the SCI entity must also include the information listed under the items under Part 2 of Exhibit 1. If the SCI entity has not provided all the information required by Part 2 of Exhibit 1, any information required by Exhibit 1 requires updating, or the SCI event has not been resolved, the SCI entity must file one or more updates regarding the SCI event by attaching an Exhibit 2. Such updates must be submitted on a regular basis, or at such frequency as reasonably requested by a representative of the Commission. The notification to the Commission regarding an SCI event is not considered complete until all information required by Exhibit 1, including all information required by Part 2 of Exhibit 1, has been submitted to the Commission. For each SCI event, an SCI entity must also attach an Exhibit 3 (which may be included with an Exhibit 1 or Exhibit 2, as the case may be) for any information disseminated regarding the SCI event to its members or participants or on the SCI entity’s publicly available Web site.

Other Notifications and Reports

For (b)(6) filings, absent exigent circumstances, an SCI entity must notify the Commission using Form SCI at least 30 calendar days before implementation of any planned material systems change. If exigent circumstances exist, or if the information previously provided to the Commission regarding any planned material systems change has become materially inaccurate, an SCI entity must notify the Commission, either orally or in writing, with any oral notification to be memorialized within 24 hours after such oral notification by a written notification, as early as reasonably practicable. For (b)(6) filings, the SCI entity must select the appropriate box in Section 2 and fill out all information required by the form, including Exhibit 4. Exhibit 4 must include a description of the planned material systems change as well as the expected dates of commencement and completion of implementation of such change.
For (b)(8)(i) filings, an SCI entity must submit its report of its SCI review to the Commission using Form SCI. A (b)(8)(i) filing must be submitted to the Commission within 60 calendar days after the SCI review has been submitted to senior management of the SCI entity. The SCI entity must select the appropriate box in Section 2 and fill out all information required by the form, including Exhibit 5. Exhibit 5 must include the report of the SCI review, together with any response by senior management.
For (b)(8)(ii) filings, an SCI entity must submit its semi-annual report of material systems changes to the Commission using Form SCI. A (b)(8)(ii) filing must be submitted to the Commission within 30 calendar days after the end of June and December of each year. The SCI entity must select the appropriate box in Section 2 and fill out all information required by the form, including Exhibit 6.
Exhibit 6 must include a report with a summary description of the progress of any material systems change during the six-month period ending on June 30 or December 31, as the case may be, and the date, or expected date, of completion of implementation of such changes.
For (b)(9) filings, an SCI entity must notify the Commission of its designations and standards under Rule 1000(b)(9). The SCI entity must select the appropriate box in Section 2 and fill out all information required by the form, including Exhibit 7. Exhibit 7 must include the SCI entity’s standards for designating members or participants that it deems necessary, for the maintenance of fair and orderly markets in the event of activation of its business continuity and disaster recovery plans, to participate in the testing of such plans pursuant to Rule 1000(b)(9)(i), as well as the SCI entity’s list of designated members or participants. If an SCI entity changes its designations or standards, it must promptly notify the Commission of such changes on Exhibit 7.

D. Documents Comprising the Completed Form

The completed form filed with the Commission shall consist of Form SCI, responses to all applicable items, and any exhibits required in connection with the filing. Each filing shall be marked on Form SCI with the initials of the SCI entity, the four-digit year, and the number of the filing for the year.

E. Contact Information; Signature; and Filing of the Completed Form

Each time an SCI entity submits a filing to the Commission on Form SCI, the SCI entity must provide the contact information required by Section 4 of Form SCI. The contact information for systems personnel, regulatory personnel, and a senior officer is required. Space for additional contact information, if appropriate, is also provided.
All notifications and reports required to be submitted through Form SCI shall be filed through the EFFS.
In order to file Form SCI through the EFFS, SCI entities must request access to the Commission’s External Application Server by completing a request for an external account user ID and password. Initial requests will be received by contacting (202) 551–5777. An email will be sent to the requestor that will provide a link to a secure Web site where basic profile information will be requested.
A duly authorized individual of the SCI entity shall electronically sign the completed Form SCI as indicated in Section 5 of the form. In addition, a duly authorized individual of the SCI entity shall manually sign one copy of the completed Form SCI, and the manually signed signature page shall be preserved pursuant to the requirements of Rule 1000(c).

F. Paperwork Reduction Act Disclosure

This collection of information will be reviewed by the Office of Management and Budget in accordance with the clearance requirements of 44 U.S.C. 3507. An agency may not conduct or sponsor, and a person is not required to respond to, a collection of information unless it displays a currently valid control number. The Commission estimates that the average burden to respond to Form SCI will be between one and sixty hours depending upon the purpose for which the form is being filed. Any member of the public may direct to the Commission any comments concerning the accuracy of this burden estimate and any suggestions for reducing this burden.
Except with respect to notifications to the Commission made pursuant to proposed Rule 1000(b)(4)(i) or oral notifications to the Commission made pursuant to proposed Rule 1000(b)(6)(ii), it is mandatory that an SCI entity file all notifications, updates, and reports required by Regulation SCI using Form SCI. The Commission will treat as confidential all information collected pursuant to Form SCI. Subject to the provisions of the Freedom of Information Act, 5 U.S.C.
522 (‘‘FOIA’’), and the Commission’s rules thereunder (17 CFR 200.80(b)(4)(iii)), the Commission does not generally publish or make available information contained in any reports, summaries, analyses, letters, or memoranda arising out of, in anticipation of, or in connection with an examination or inspection of the books and records of any person or any other investigation.

G. Exhibits

List of exhibits to be filed, as applicable:

Exhibit 1. Notification of SCI Event. The SCI entity shall include:
Part 1: All pertinent information known about the SCI event, including: (1) A detailed description of the SCI event; (2) the SCI entity’s current assessment of the types and number of market participants potentially affected by the SCI event; (3) the potential impact of the SCI event on the market; and (4) the SCI entity’s current assessment of the SCI event, including a discussion of the determination of whether the SCI event is a dissemination SCI event or not.
Part 2: To the extent available as of the time of the notification: (1) A description of the steps the SCI entity is taking, or plans to take, with respect to the SCI event; (2) the time the SCI event was resolved or timeframe within which the SCI event is expected to be resolved; (3) a description of the SCI entity’s rule(s) and/or governing document(s), as applicable, that relate to the SCI event; and (4) an analysis of parties that may have experienced a loss, whether monetary or otherwise, due to the SCI event, the number of such parties, and an estimate of the aggregate amount of such loss.

Exhibit 2. Update Notification of SCI Event.
The SCI entity shall provide an update of any information previously provided regarding an SCI event on Exhibit 1, including any information under Part 2 of Exhibit 1 which was not available at the time of submission of Exhibit 1. Subsequent updates shall update any information provided regarding the SCI event until the SCI event is resolved.

Exhibit 3. Information Disseminated. The SCI entity shall attach a copy in pdf or html format of any information disseminated to date regarding the SCI event to its members or participants or on the SCI entity’s publicly available Web site.

Exhibit 4. Notification of Planned Material Systems Change. The SCI entity shall, absent exigent circumstances, notify the Commission in writing at least 30 calendar days before implementation of any planned material systems change, including a description of the planned material systems change as well as the expected dates of commencement and completion of implementation of such changes. If exigent circumstances exist, or if the information previously provided to the Commission regarding any planned material systems change has become materially inaccurate, the SCI entity shall notify the Commission, either orally or in writing, with any oral notification to be memorialized within 24 hours after such oral notification by a written notification on Form SCI, as early as reasonably practicable.

Exhibit 5. Report of SCI Review. Within 60 calendar days after its submission to senior management of the SCI entity, the SCI entity shall attach the report of the SCI review of the SCI entity’s compliance with Regulation SCI, together with any response by senior management.

Exhibit 6. Semi-Annual Report of Material Systems Changes.
Within 30 calendar days after the end of June and December of each year, the SCI entity shall attach the report containing a summary description of the progress of any material systems change during the six-month period ending on June 30 or December 31, as the case may be, and the date, or expected date, of completion of implementation of such changes.

Exhibit 7. Notification of Designations and Standards under Rule 1000(b)(9). The SCI entity shall attach: (1) Its standards for designating members or participants it deems necessary, for the maintenance of fair and orderly markets in the event of the activation of its business continuity and disaster recovery plans, to participate in the testing of such plans pursuant to Rule 1000(b)(9)(i); and (2) a list of the designated members or participants, including the name and address of such members or participants.

H. Explanation of Terms

Dissemination SCI Event means an SCI event that is a: (1) Systems compliance issue; (2) systems intrusion; or (3) systems disruption that results, or the SCI entity reasonably estimates would result, in significant harm or loss to market participants.
Material Systems Change means a change to one or more: (1) SCI systems of an SCI entity that: (i) Materially affects the existing capacity, integrity, resiliency, availability, or security of such systems; (ii) relies upon materially new or different technology; (iii) provides a new material service or material function; or (iv) otherwise materially affects the operations of the SCI entity; or (2) SCI security systems of an SCI entity that materially affects the existing security of such systems.
Responsible SCI personnel means, for a particular SCI system or SCI security system impacted by an SCI event, any personnel, whether an employee or agent, of the SCI entity having responsibility for such system.
SCI entity means an SCI self-regulatory organization, SCI alternative trading system, plan processor, or exempt clearing agency subject to ARP.
SCI event means an event at an SCI entity that constitutes: (1) A systems disruption; (2) a systems compliance issue; or (3) a systems intrusion.
Systems Compliance Issue means an event at an SCI entity that has caused any SCI system of such entity to operate in a manner that does not comply with the federal securities laws and rules and regulations thereunder or the entity’s rules or governing documents, as applicable.
Systems Disruption means an event in an SCI entity’s SCI systems or procedures that results in: (1) A failure to maintain service level agreements or constraints; (2) a disruption of normal operations, including switchover to back-up equipment with near-term recovery of primary hardware unlikely; (3) a loss of use of any such system; (4) a loss of transaction or clearance and settlement data; (5) significant backups or delays in processing; (6) a significant diminution of ability to disseminate timely and accurate market data; or (7) a queuing of data between system components or queuing of messages to or from customers of such duration that normal service delivery is affected.
Systems Intrusion means any unauthorized entry into the SCI systems or SCI security systems of the SCI entity.

[See attachment—proposed Form SCI]

[Images of proposed Form SCI, pages 18183–18185, omitted.]

Dated: March 8, 2013.
By the Commission.
Kevin M. O’Neill,
Deputy Secretary.
[FR Doc. 2013–05888 Filed 3–22–13; 8:45 am]

[Federal Register Volume 78, Number 57 (Monday, March 25, 2013)]
[Proposed Rules]
[Pages 18083-18186]
From the Federal Register Online via the Government Printing Office [www.gpo.gov]
[FR Doc No: 2013-05888]



[[Page 18083]]

Vol. 78, No. 57

Monday, March 25, 2013

Part III

Securities and Exchange Commission

-----------------------------------------------------------------------

17 CFR Parts 242 and 249

Regulation Systems Compliance and Integrity; Proposed Rule

[[Page 18084]]

-----------------------------------------------------------------------

SECURITIES AND EXCHANGE COMMISSION

17 CFR Parts 242 and 249

[Release No. 34-69077; File No. S7-01-13]
RIN 3235-AL43


Regulation Systems Compliance and Integrity

AGENCY: Securities and Exchange Commission.

ACTION: Proposed rule and form; proposed rule amendment.

-----------------------------------------------------------------------

SUMMARY: The Securities and Exchange Commission (``Commission'') is 
proposing Regulation Systems Compliance and Integrity (``Regulation 
SCI'') under the Securities Exchange Act of 1934 (``Exchange Act'') and 
conforming amendments to Regulation ATS under the Exchange Act. 
Proposed Regulation SCI would apply to certain self-regulatory 
organizations (including registered clearing agencies), alternative 
trading systems (``ATSs''), plan processors, and exempt clearing 
agencies subject to the Commission's Automation Review Policy 
(collectively, ``SCI entities''), and would require these SCI entities 
to comply with requirements with respect to their automated systems 
that support the performance of their regulated activities.

DATES: Comments should be submitted on or before May 24, 2013.

ADDRESSES: Interested persons should submit comments by any of the 
following methods:

Electronic Comments

    - Use the Commission's Internet comment form (https://www.sec.gov/rules/proposed.shtml); or
    - Send an email to rule-comments@sec.gov. Please include File 
Number S7-01-13 on the subject line; or
    - Use the Federal eRulemaking Portal (https://www.regulations.gov). Follow the instructions for submitting comments.

Paper Comments

    - Send paper comments in triplicate to Elizabeth M. Murphy, 
Secretary, Securities and Exchange Commission, 100 F Street NE., 
Washington, DC 20549-1090.

All comment letters should refer to File No. S7-01-13. This file number 
should be included on the subject line if email is used. To help us 
process and review your comments more efficiently, please use only one 
method. The Commission will post all comments on the Commission's 
Internet Web site (https://www.sec.gov/rules/proposed.shtml). Comments 
are also available for public inspection and copying in the 
Commission's Public Reference Room, 100 F Street NE., Washington, DC 
20549 on official business days between the hours of 10 a.m. and 3 p.m. 
All comments received will be posted without change; we do not edit 
personal information from submissions. You should submit only 
information that you wish to make publicly available.

FOR FURTHER INFORMATION CONTACT: Heidi Pilpel, Special Counsel, Office 
of Market Supervision, at (202) 551-5666, Sara Hawkins, Special 
Counsel, Office of Market Supervision, at (202) 551-5523, Jonathan 
Balcom, Special Counsel, Office of Market Supervision, at (202) 551-
5737, Yue Ding, Attorney, Office of Market Supervision, at (202) 551-
5842, Dhawal Sharma, Attorney, Office of Market Supervision, at (202) 
551-5779, Elizabeth C. Badawy, Senior Accountant, Office of Market 
Supervision, at (202) 551-5612, and Gordon Fuller, Senior Special 
Counsel, Office of Market Operations, at (202) 551-5686, Division of 
Trading and Markets, Securities and Exchange Commission, 100 F Street 
NE., Washington, DC 20549-7010.

SUPPLEMENTARY INFORMATION: Proposed Regulation SCI would supersede and 
replace the Commission's current Automation Review Policy (``ARP''), 
established by the Commission's two policy statements, each titled 
``Automated Systems of Self-Regulatory Organizations,'' issued in 1989 
and 1991.\1\ Regulation SCI also would supersede and replace aspects of 
those policy statements codified in Rule 301(b)(6) under the Exchange 
Act,\2\ applicable to significant-volume ATSs.\3\ Proposed Regulation 
SCI would require SCI entities to establish written policies and 
procedures reasonably designed to ensure that their systems have levels 
of capacity, integrity, resiliency, availability, and security adequate 
to maintain their operational capability and promote the maintenance of 
fair and orderly markets, and that they operate in the manner intended. 
It would also require SCI entities to mandate participation by 
designated members or participants in scheduled testing of the 
operation of their business continuity and disaster recovery plans, 
including backup systems, and to coordinate such testing on an 
industry- or sector-wide basis with other SCI entities. In addition, 
proposed Regulation SCI would require notices and reports to be 
provided to the Commission on a new proposed Form SCI regarding, among 
other things, SCI events and material systems changes, and would 
require SCI entities to take corrective action upon any responsible SCI 
personnel becoming aware of SCI events. SCI events would be defined to 
include systems disruptions, systems compliance issues, and systems 
intrusions. The proposed regulation would further require that 
information regarding certain types of SCI events be disseminated to 
members or participants of SCI entities. In addition, proposed 
Regulation SCI would require SCI entities to conduct a review of their 
systems by objective personnel at least annually, and would require SCI 
entities to maintain certain books and records. The Commission also is 
proposing to modify the volume thresholds in Regulation ATS \4\ for 
significant-volume ATSs, apply them to SCI ATSs (as defined below), and 
move this standard from Regulation ATS to proposed Regulation SCI.
---------------------------------------------------------------------------

    \1\ See Securities Exchange Act Release Nos. 27445 (November 16, 
1989), 54 FR 48703 (November 24, 1989) (``ARP I Release'' or ``ARP 
I'') and 29185 (May 9, 1991), 56 FR 22490 (May 15, 1991) (``ARP II 
Release'' or ``ARP II'' and, together with ARP I, the ``ARP policy 
statements'').
    \2\ See 17 CFR 242.301(b)(6). See also Securities Exchange Act 
Release No. 40760 (December 8, 1998), 63 FR 70844 (December 22, 
1998) (``ATS Release'').
    \3\ See infra note 26.
    \4\ 17 CFR 242.300-303 (``Regulation ATS'').
---------------------------------------------------------------------------

Table of Contents

I. Background
    A. History and Evolution of the Automation Review Policy 
Inspection Program
    B. Evolution of the Markets Since the Inception of the ARP 
Inspection Program
    C. Successes and Limitations of the Current ARP Inspection 
Program
    D. Recent Events
II. Proposed Codification and Enhancement of ARP Inspection Program
III. Proposed Regulation SCI
    A. Overview
    B. Proposed Rule 1000(a): Definitions Establishing the Scope of 
Regulation SCI
    1. SCI Entities
    2. Definition of SCI Systems and SCI Security Systems
    3. SCI Events
    a. Systems Disruption
    b. Systems Compliance Issue
    c. Systems Intrusion
    d. Dissemination SCI events
    4. Material Systems Changes
    C. Proposed Rule 1000(b): Obligations of SCI Entities
    1. Policies and Procedures to Safeguard Capacity, Integrity, 
Resiliency, Availability, and Security
    a. Proposed Rule 1000(b)(1)(i)
    b. Proposed Rule 1000(b)(1)(ii)
    2. Systems Compliance
    3. SCI Events--Action required; Notification
    a. Corrective Action
    b. Commission Notification
    c. Dissemination of Information to Members or Participants
    4. Notification of Material Systems Changes
    5. Review of Systems
    6. Periodic Reports
    7. Proposed Rule 1000(b)(9): SCI Entity Business Continuity and 
Disaster Recovery Plans Testing Requirements for Members or 
Participants
    D. Proposed Rule 1000(c)-(f): Recordkeeping, Electronic Filing 
on Form SCI, and Access
    1. Recordkeeping Requirements
    2. Electronic Submission of Reports, Notifications, and Other 
Communications on Form SCI
    3. Access to the Systems of an SCI Entity
    E. New Proposed Form SCI
    1. Notice of SCI Events Pursuant to Proposed Rule 1000(b)(4)
    2. Notices of Material Changes Pursuant to Proposed Rule 
1000(b)(6)
    3. Reports Submitted Pursuant to Rule 1000(b)(8)
    4. Notifications of Member or Participant Designation Standards 
and List of Designees Pursuant to Proposed Rule 1000(b)(9)
    5. Other Information and Electronic Signature
    F. Request for Comment on Applying Proposed Regulation SCI to 
Security-Based Swap Data Repositories and Security-Based Swap 
Execution Facilities
    G. Solicitation of Comment Regarding Potential Inclusion of 
Broker-Dealers, Other than SCI ATSs, and Other Types of Entities
IV. Paperwork Reduction Act
V. Economic Analysis
    A. Background
    B. Economic Baseline
    C. Consideration of Costs and Benefits, and the Effect on 
Efficiency, Competition, and Capital Formation
    D. Request for Comment on Economic Analysis
VI. Consideration of Impact on the Economy
VII. Regulatory Flexibility Act Certification
VIII. Statutory Authority and Text of Proposed Amendments

I. Background

A. History and Evolution of the Automation Review Policy Inspection 
Program

    Section 11A(a)(2) of the Exchange Act,\5\ enacted as part of the 
Securities Acts Amendments of 1975 (``1975 Amendments''),\6\ directs 
the Commission, having due regard for the public interest, the 
protection of investors, and the maintenance of fair and orderly 
markets, to use its authority under the Exchange Act to facilitate the 
establishment of a national market system for securities in accordance 
with the Congressional findings and objectives set forth in Section 
11A(a)(1) of the Exchange Act.\7\ Among the findings and objectives in 
Section 11A(a)(1) is that ``[n]ew data processing and communications 
techniques create the opportunity for more efficient and effective 
market operations'' \8\ and ``[i]t is in the public interest and 
appropriate for the protection of investors and the maintenance of fair 
and orderly markets to assure * * * the economically efficient 
execution of securities transactions.'' \9\ In addition, Sections 6(b), 
15A, and 17A(b)(3) of the Exchange Act impose obligations on national 
securities exchanges, national securities associations, and clearing 
agencies, respectively, to be ``so organized'' and ``[have] the 
capacity to * * * carry out the purposes of [the Exchange Act].'' \10\
---------------------------------------------------------------------------

    \5\ 15 U.S.C. 78k-1(a)(2).
    \6\ Public Law 94-29, 89 Stat. 97 (1975).
    \7\ 15 U.S.C. 78k-1(a)(1).
    \8\ Section 11A(a)(1)(B) of the Exchange Act, 15 U.S.C. 78k-
1(a)(1)(B).
    \9\ Section 11A(a)(1)(C)(i) of the Exchange Act, 15 U.S.C. 
78k-1(a)(1)(C)(i). Further, the Senate Committee Report accompanying 
the 1975 Amendments states that a paramount objective of a 
national market system is ``the maintenance of stable and orderly 
markets with maximum capacity for absorbing trading imbalances 
without undue price movements.'' Senate Comm. On Banking, Housing 
and Urban Affairs, Report to accompany S. 249, Sen. Rep. 94-75, 94th 
Cong., 1st Sess. at 7 (1975).
    \10\ See Sections 6(b)(1), 15A(b)(2), and 17A(b)(3) of the 
Exchange Act, 15 U.S.C. 78f(b)(1), 78o-3(b)(2), 78q-1(b)(3), 
respectively. See also Section 2 of the Exchange Act, 15 U.S.C. 78b, 
and Section 19 of the Exchange Act, 15 U.S.C. 78s.
---------------------------------------------------------------------------

    For over two decades, Commission staff has worked with SROs to 
assess their automated systems under the Commission's ARP inspection 
program (``ARP Inspection Program''), a voluntary information 
technology review program created in response to the October 1987 
market break.\11\ In 1989, the Commission published ARP I, its first 
formal policy statement regarding steps that SROs should take in 
connection with their automated systems.\12\ In ARP I, the Commission 
discussed the development by SROs of automated execution, market 
information, and trade comparison systems to accommodate increased 
trading activity from the 1960s through the 1980s.\13\ The Commission 
acknowledged improvements in efficiency during that time period, but 
noted that the October 1987 market break had exposed that automated 
systems remained vulnerable to operational problems during extreme high 
volume periods. The Commission also expressed concern about the 
potential for systems failures to negatively impact public investors, 
broker-dealer risk exposure, and market efficiency.\14\ The Commission 
further stated in ARP I that market movements should be ``the result of 
market participants' changing expectations about the direction of the 
market for a particular security, or group of securities, and not the 
result of investor confusion or panic resulting from operational 
failures or delays in SRO automated trading or market information 
systems.'' \15\ The Commission issued ARP I as a result of these 
concerns, and stated that SROs should ``establish comprehensive 
planning and assessment programs to test systems capacity and 
vulnerability.'' \16\ In particular, the Commission recommended that 
each SRO should: (1) Establish current and future capacity estimates 
for its automated order routing and execution, market information, and 
trade comparison systems; (2) periodically conduct capacity stress 
tests to determine the behavior of automated systems under a variety of 
simulated conditions; and (3) contract with independent reviewers to 
assess annually whether these systems could perform adequately at their 
estimated current and future capacity levels and have adequate 
protection against physical threat.\17\ In addition, ARP I 
called for each SRO to have its automated systems reviewed annually by 
an ``independent reviewer.'' \18\
---------------------------------------------------------------------------

    \11\ See ARP I, supra note 1, 54 FR 48706.
    \12\ See ARP I, supra note 1, 54 FR 48705-48706, stating that 
SROs should ``take certain steps to ensure that their automated 
systems have the capacity to accommodate current and reasonably 
anticipated future trading volume levels and respond to localized 
emergency conditions.'' In ARP I, the Commission also defined the 
terms ``automated systems'' and ``automated trading systems'' to 
refer ``collectively to computer systems for listed and OTC 
equities, as well as options, that electronically route orders to 
applicable market makers and systems that electronically route and 
execute orders, including the data networks that feed the systems * 
* * [and encompass] systems that disseminate transaction and 
quotation information and conduct trade comparisons prior to 
settlement, including the associated communication networks.'' See 
id. at n. 21. See also id. at n. 26 (stating that the Commission may 
suggest expansion of the ARP I policy statement to cover ``other SRO 
computer-driven support systems for, among other things, clearance 
and settlement, and market surveillance, if the Commission finds it 
necessary to ensure the maintenance of fair and orderly markets'').
    \13\ See id. at 48705.
    \14\ See id. at 48705. The Commission noted that problems 
encountered by trading systems during the October 1987 market break 
included: (i) Inadequate computer capacity causing queues of 
unprocessed orders to develop that, in turn, resulted in significant 
delays in order execution; (ii) inadequate contingency plans to 
accommodate increased order traffic; (iii) delays in the 
transmission of transaction reports to both member firms and 
markets; and (iv) delays in order processing.
    \15\ See id. at 48705.
    \16\ See id. at 48705-48706.
    \17\ See id. at 48706-48707. With respect to capacity estimates 
and testing, the Commission urged SROs to institute procedures for 
stress testing using ``standards generally set by the computer 
industry,'' and report the results of stress testing to Commission 
staff. The Commission also requested comment on whether it should 
mandate specific standards for the SROs to follow, and if so, what 
those standards should be. See id. With respect to vulnerability of 
systems to external and internal threat, the Commission requested in 
ARP I that SROs assess the susceptibility of automated systems to 
computer viruses, unauthorized use, computer vandalism, and failures 
as a result of catastrophic events (such as fire, power outages, and 
earthquakes), and promptly notify Commission staff of any instances 
in which unauthorized persons gained or attempted to gain access to 
SRO systems, and follow up with a written report of the problem, its 
cause, and the steps taken to prevent a recurrence.
    \18\ See id.
---------------------------------------------------------------------------

    In 1991, the Commission published ARP II.\19\ In ARP II, the 
Commission further articulated its views on how SROs should conduct 
independent reviews.\20\ ARP II stated that such reviews and analysis 
should: ``(1) Cover significant elements of the operations of the 
automation process, including the capacity planning and testing 
process, contingency planning, systems development methodology and 
vulnerability assessment; (2) be performed on a cyclical basis by 
competent and independent audit personnel following established audit 
procedures and standards; and (3) result in the presentation of a 
report to senior SRO management on the recommendations and conclusions 
of the independent reviewer, which report should be made available to 
Commission staff for its review and comment.'' \21\
---------------------------------------------------------------------------

    \19\ See ARP II Release, 56 FR 22490, supra note 1.
    \20\ See id.
    \21\ See id. at 22491. In ARP II the Commission also explained 
that, in its view, ``a critical element to the success of the 
capacity planning and testing, security assessment and contingency 
planning processes for [automated] systems is obtaining an objective 
review of those planning processes by persons independent of the 
planning process to ensure that adequate controls and procedures 
have been developed and implemented.'' Id.
---------------------------------------------------------------------------

    In addition, ARP II addressed how SROs should notify the Commission 
of material systems changes and significant systems problems. 
Specifically, ARP II stated that SROs should notify Commission staff of 
significant additions, deletions, or other changes to their automated 
systems on an annual and an as-needed basis, as well as provide real-
time notification of unusual events, such as significant outages 
involving automated systems.\22\ Further, in ARP II, the Commission 
again suggested development of standards to meet the ARP policy 
statements, stating that ``the SROs, and other interested parties 
should begin the process of exploring the establishment of (1) 
standards for determining capacity levels for the SROs' automated 
trading systems; (2) generally accepted computer security standards 
that would be effective for SRO automated systems; and (3) additional 
standards regarding audits of computer systems.'' \23\
---------------------------------------------------------------------------

    \22\ See id. at 22491.
    \23\ See id.
---------------------------------------------------------------------------

    The current ARP Inspection Program was developed by Commission 
staff to implement the ARP policy statements,\24\ and has garnered 
participation by all active registered clearing agencies, all 
registered national securities exchanges, the Financial Industry 
Regulatory Authority (``FINRA''), the only registered national 
securities association, one exempt clearing agency, and one ATS.\25\ In 
1998, the Commission adopted Regulation ATS which, among other things, 
imposed by rule certain aspects of ARP I and ARP II on significant-
volume ATSs.\26\ Thereafter, administration of these aspects of 
Regulation ATS was incorporated into the ARP Inspection Program.
---------------------------------------------------------------------------

    \24\ While participation in the ARP Inspection Program is 
voluntary, the underpinnings of ARP I and ARP II are rooted in 
Exchange Act requirements. See supra notes 5-10 and accompanying 
text.
    \25\ See infra note 91 and accompanying text. One ATS currently 
complies voluntarily with the ARP Inspection Program. However, ARP 
staff has conducted ARP inspections of other ATSs over the course of 
the history of the ARP Inspection Program. See also infra notes 
134-135 and accompanying text.
    \26\ See Rule 301(b)(6) of Regulation ATS, 17 CFR 242.301(b)(6). 
With regard to systems that support order entry, order routing, 
order execution, transaction reporting, and trade comparison, 
Regulation ATS requires significant-volume ATSs to: establish 
reasonable current and future capacity estimates; conduct periodic 
capacity stress tests of critical systems to determine their ability 
to accurately, timely and efficiently process transactions; develop 
and implement reasonable procedures to review and keep current 
system development and testing methodology; review system and data 
center vulnerability to threats; establish adequate contingency and 
disaster recovery plans; perform annual independent reviews of 
systems to ensure compliance with the above listed requirements and 
perform review by senior management of reports containing the 
recommendations and conclusions of the independent review; and 
promptly notify the Commission of material systems outages and 
significant systems changes. See Rule 301(b)(6)(ii) of Regulation 
ATS, 17 CFR 242.301(b)(6)(ii). Regulation ATS defines significant-
volume ATSs as ATSs that, during at least 4 of the preceding 6 
calendar months, had: (i) with respect to any NMS stock, 20 percent 
or more of the average daily volume reported by an effective 
transaction reporting plan; (ii) with respect to equity securities 
that are not NMS stocks and for which transactions are reported to a 
self-regulatory organization, 20 percent or more of the average 
daily volume as calculated by the self-regulatory organization to 
which such transactions are reported; (iii) with respect to 
municipal securities, 20 percent or more of the average daily volume 
traded in the United States; or (iv) with respect to corporate debt 
securities, 20 percent or more of the average daily volume traded in 
the United States. See Rule 301(b)(6)(i) of Regulation ATS, 17 CFR 
242.301(b)(6)(i).
---------------------------------------------------------------------------

    Under the ARP Inspection Program, staff in the Commission's 
Division of Trading and Markets (``ARP staff'') conduct inspections of 
ARP entity systems, attend periodic technology briefings presented by 
ARP entity staff, monitor the progress of planned significant system 
changes, and respond to reports of system failures, disruptions, and 
other systems problems of ARP entities. An ARP inspection typically 
includes ARP staff review of information technology documentation, 
testing of selected controls, and interviews with information 
technology staff and management of the ARP entity.\27\
---------------------------------------------------------------------------

    \27\ ARP inspections are typically conducted independently from 
the inspections and examinations of SROs, ATSs, and broker-dealers 
conducted by staff in the Commission's Office of Compliance 
Inspections and Examinations (``OCIE'') for compliance with the 
federal securities laws and rules thereunder.
---------------------------------------------------------------------------

    Just as markets have become increasingly automated and information 
technology programs and practices at ARP entities have changed, ARP 
inspections also have evolved considerably over the past 20 years. 
Today, the ARP Inspection Program covers nine general inspection areas, 
or information technology ``domains:'' application controls; capacity 
planning; computer operations and production environment controls; 
contingency planning; information security and networking; audit; 
outsourcing; physical security; and systems development 
methodology.\28\ The goal of an ARP inspection is to evaluate whether 
an ARP entity's controls over its information technology resources in 
each domain are consistent with ARP and industry guidelines,\29\ as 
identified by ARP staff from a variety of information technology 
publications that ARP staff believes reflect industry standards for 
securities market participants.
---------------------------------------------------------------------------

    \28\ Each domain itself contains subcategories. For example, 
``contingency planning'' includes business continuity, disaster 
recovery, and pandemic planning, among other things.
    \29\ The domains covered during an ARP inspection depend in part 
upon whether the inspection is a regular inspection or a ``for-
cause'' inspection. Typically, however, to make the most efficient 
use of resources, a single ARP inspection will cover fewer than nine 
domains.
---------------------------------------------------------------------------

    Most recently, these publications have included, among others, 
publications issued by the Federal Financial Institutions Examination 
Council (``FFIEC'') and the National Institute of 
Standards and Technology (``NIST'').\30\ ARP staff has also relied on 
the 2003 Interagency White Paper on Sound Practices to Strengthen the 
Resiliency of the U.S. Financial System \31\ and the 2003 Policy 
Statement on Business Continuity Planning for Trading Markets.\32\ 
Since 2003, however, the Commission has not issued formal guidance on 
which publications establish the most appropriate guidelines for ARP 
entities. At the conclusion of an ARP inspection, ARP staff typically 
issues a report to the ARP entity with an assessment of its information 
technology program with respect to its critical systems, including any 
recommendations for improvement.
---------------------------------------------------------------------------

    \30\ Other examples of publications that ARP staff has referred 
to include those issued by the Center for Internet Security (https://benchmarks.cisecurity.org/en-us/?route=downloads.benchmarks); 
Information Systems Audit and Control Association (Control 
Objectives for Information Technology Framework, available at: 
https://www.isaca.org/Knowledge-Center/cobit/Pages/COBIT-Online.aspx); Defense Information Systems Agency, Security Technical 
Implementation Guides (available at https://iase.disa.mil/stigs/); and Government Accountability Office (Federal 
Information System Controls Audit Manual (February 2009), available 
at: https://www.gao.gov/assets/80/77142.pdf).
    \31\ See Securities Exchange Act Release No. 47638 (April 7, 
2003), 68 FR 17809 (April 11, 2003) (Interagency Paper on Sound 
Practices to Strengthen the Resilience of the U.S. Financial 
Systems) (``2003 Interagency White Paper'').
    \32\ See Securities Exchange Act Release No. 48545 (September 
25, 2003), 68 FR 56656 (October 1, 2003) (Policy Statement: Business 
Continuity Planning for Trading Markets) (``2003 Policy Statement on 
Business Continuity Planning for Trading Markets'').
---------------------------------------------------------------------------

    Another significant aspect of the ARP Inspection Program relates to 
the monitoring of planned significant systems changes and reports of 
systems problems at ARP entities. As noted above, ARP II stated that 
SROs should notify Commission staff of significant additions, 
deletions, or other changes to their automated systems on an annual and 
an as-needed basis, as well as provide real-time notification of 
unusual events, such as significant outages involving automated 
systems.\33\ Likewise, Regulation ATS requires significant-volume ATSs 
to promptly notify the Commission of material systems outages and 
significant systems changes.\34\
---------------------------------------------------------------------------

    \33\ See supra note 22 and accompanying text.
    \34\ See 17 CFR 242.301(b)(6)(ii)(G). See also supra note 26.
---------------------------------------------------------------------------

    In addition to the Commission's ARP policy statements and Rule 
301(b)(6) of Regulation ATS, Commission staff has provided guidance to 
ARP entities on how the staff believes they should report planned 
systems changes and systems issues to the Commission. For example, in 
2001, Commission staff sent a letter to the SROs and other participants 
in the ARP Inspection Program to clarify what should be considered a 
``significant system change'' and a ``significant system outage'' for 
purposes of reporting systems changes and problems to Commission 
staff.\35\ Further, in 2009, Commission staff sent a letter to the 
national securities exchanges and FINRA expressing the staff's view 
that SROs are obligated to ensure that their systems' operations comply 
with the federal securities laws and rules and the SRO's rules, and 
that failure to satisfy this obligation could lead to sanctions under 
Section 19(h)(1) of the Exchange Act.\36\ Unlike ARP I, ARP II, and 
Rule 301(b)(6) of Regulation ATS, the 2001 Staff ARP Interpretive 
Letter and 2009 Staff Systems Compliance Letter were not issued by the 
Commission and constitute only staff guidance. Proposed Regulation SCI, 
if adopted, would consolidate and supersede all such staff guidance, as 
well as the Commission's ARP policy statements and Rule 301(b)(6) of 
Regulation ATS.
---------------------------------------------------------------------------

    \35\ In June 2001, staff from the Division of Market Regulation 
sent a letter to the SROs and other participants in the ARP 
Inspection Program regarding Guidance for Systems Outage and System 
Change Notifications (``2001 Staff ARP Interpretive Letter''), 
advising them that the staff considers a significant system change 
to include: (i) Major systems architectural changes; (ii) 
reconfiguration of systems that cause a variance greater than five 
percent in throughput or storage; (iii) introduction of new business 
functions or services; (iv) material changes in systems; (v) changes 
to external interfaces; (vi) changes that could increase 
susceptibility to major outages; (vii) changes that could increase 
risks to data security; (viii) a change that was, or will be, 
reported or referred to the entity's board of directors or senior 
management; or (ix) changes that may require allocation or use of 
significant resources. The 2001 Staff ARP Interpretive Letter also 
advised that Commission staff considers a ``significant system 
outage'' to include an outage that results in: (i) Failure to 
maintain service level agreements or constraints; (ii) disruption of 
normal operations, including switchover to back-up equipment with no 
possibility of near-term recovery of primary hardware; (iii) loss of 
use of any system; (iv) loss of transactions; (v) excessive back-ups 
or delays in processing; (vi) loss of ability to disseminate vital 
information; (vii) communication of an outage situation to other 
external entities; (viii) a report or referral of an event to the 
entity's board of directors or senior management; (ix) a serious 
threat to systems operations even though systems operations are not 
disrupted; or (x) a queuing of data between system components or 
queuing of messages to or from customers of such duration that a 
customer's normal service delivery is affected. The 2001 Staff ARP 
Interpretive Letter is available at https://www.sec.gov/divisions/marketreg/sroautomation.shtml.
    \36\ In December 2009, staff from the Division of Trading and 
Markets and Office of Compliance Inspections and Examinations sent a 
letter (``2009 Staff Systems Compliance Letter'') to each national 
securities exchange and FINRA reminding each of its obligation to 
ensure that its systems' operations are consistent with the federal 
securities laws and rules and the SRO's rules, and clarifying the 
staff's expectations regarding SRO systems compliance. The 2009 
Staff Systems Compliance Letter also expressed the staff's view that 
SROs and other participants in the ARP Inspection Program should 
have effective written policies and procedures for systems 
development and maintenance that provide for adequate regulatory 
oversight, including testing of system changes, controls over system 
changes, and independent audits. The 2009 Staff Systems Compliance 
Letter also expressed the staff's expectation that, if an SRO 
becomes aware of a system function that could lead or has led to a 
failure to comply with the federal securities laws or rules, or the 
SRO's rules, the SRO should immediately take appropriate corrective 
action including, at a minimum, devoting adequate resources to 
remedy the issue as soon as possible, and notifying Commission staff 
and (if appropriate) the public of the compliance issue and efforts 
to rectify it. The 2009 Staff Systems Compliance Letter was sent to 
BATS, BATS-Y, CBOE, C2, CHX, EDGA, EDGX, FINRA, ISE, Nasdaq, Nasdaq 
OMX BX, Nasdaq OMX Phlx, NSX, NYSE, NYSE MKT (f/k/a NYSE Amex), and 
NYSE Arca. See infra notes 47 and 51.
---------------------------------------------------------------------------

    In addition, OCIE conducts inspections of SROs, as part of the 
Commission's oversight of them. Unlike ARP inspections, however, which 
focus on information technology controls, OCIE primarily conducts risk-
based examinations of securities exchanges, FINRA, and other SROs to 
evaluate whether they and their member firms are complying with the 
Exchange Act and the rules thereunder, as well as SRO rules. Examples 
of OCIE risk-based examination areas include: governance, regulatory 
funding, trading regulation, member firm examination programs, 
disciplinary programs for member firms, and exchange programs for 
listing compliance. In 2011, OCIE conducted baseline assessments of all 
of the national securities exchanges then operating. These assessments 
included these areas, among others, but did not include examinations of 
the exchanges' systems, as systems inspections are conducted under the 
ARP Inspection Program.\37\ As part of the Commission's oversight of 
the SROs, OCIE also reviews systems compliance issues reported to 
Commission staff. The information gained from OCIE's review of reported 
systems compliance issues helps to inform its examination risk-
assessments for SROs.
---------------------------------------------------------------------------

    \37\ See text accompanying notes 24-29.
---------------------------------------------------------------------------

B. Evolution of the Markets Since the Inception of the ARP Inspection 
Program

    Since the inception of the ARP Inspection Program more than two 
decades ago, the securities markets have experienced sweeping changes, 
evolving from a collection of relatively few, mostly manual markets, to 
a larger number and broader variety of trading centers that are almost 
completely automated, and dependent upon sophisticated technology and 
extremely fast and interconnected systems. Regulatory developments, such as 
Regulation NMS,\38\ decimalization,\39\ Regulation ATS,\40\ and the 
Order Handling Rules,\41\ also have impacted the structure of the 
markets by, among other things, mandating and providing incentives that 
encourage automation and speed. Although some markets today retain 
trading floors and accommodate some degree of manual interaction, these 
markets also have implemented electronic trading for their products. In 
stock markets, for example, in almost all cases, the volume of 
electronic trading dominates any residual manual activity.\42\ In 
addition, in recent years, the new trading systems developed by 
existing or new exchanges and ATSs rely almost exclusively on fully-
electronic, automated technology to execute trades.\43\ As a result, 
the overwhelming majority of securities transactions today are executed 
on such automated systems.\44\ A primary driver and catalyst of this 
transformation has been the continual evolution of technologies for 
generating, routing, and executing orders. These technologies have 
dramatically improved the speed, capacity, and sophistication of the 
trading functions that are available to market participants.\45\ The 
increased speed and capacity of automated systems in the current market 
structure have contributed to surging message traffic.\46\
---------------------------------------------------------------------------

    \38\ 17 CFR 242.600-612. See also Securities Exchange Act 
Release No. 51808 (June 9, 2005), 70 FR 37496 (June 29, 2005).
    \39\ See Securities Exchange Act Release No. 42360 (January 28, 
2000), 65 FR 5003 (February 2, 2000).
    \40\ 17 CFR 242.300-303. See also ATS Release, supra note 2.
    \41\ Securities Exchange Act Release No. (September 6, 1996), 61 
FR 48290 (September 12, 1996). See also Concept Release on Equity 
Market Structure, supra note 42, at 3594.
    \42\ See, e.g., Securities Exchange Act Release No. 61358 
(January 14, 2010), 75 FR 3594, 3594-95 (January 21, 2010) (Concept 
Release on Equity Market Structure). See also Securities Exchange 
Act Release No. 58845 (October 24, 2008), 73 FR 64379 (October 29, 
2008) (SR-NYSE-2008-46) (order approving NYSE's New Market Model, an 
electronic trading system with floor-based components).
    \43\ See, e.g., Securities Exchange Act Release Nos. 62716 
(August 13, 2010), 75 FR 51295 (August 19, 2010) (order approving 
the exchange registration application of BATS-Y Exchange, Inc.); 
61698 (March 12, 2010), 75 FR 13151 (March 18, 2010) (order 
approving the exchange registration applications of EDGA Exchange 
Inc. and EDGX Exchange Inc.); 57478 (March 12, 2008), 73 FR 14521 
(March 18, 2008) (order approving a proposed rule change, as 
amended, by the NASDAQ Stock Market LLC to establish rules governing 
the trading of options on the NASDAQ Options Market).
    \44\ For example, less than 30 percent of stock trading takes 
place on listing exchanges as orders are dispersed to more than 50 
competing venues, almost all of which are fully electronic. See, 
e.g., https://www.batstrading.com/market_summary. See also Concept 
Release on Equity Market Structure, supra note 42, for a more 
detailed discussion of equity market structure.
    \45\ For example, the speed of trading has increased to the 
point that the fastest traders now measure their latencies in 
microseconds. See Concept Release on Equity Market Structure, supra 
note 42, at 3598.
    \46\ See, e.g., ``Climbing Mount Message: How Exchanges are 
Managing Peaks,'' Markets Media (posted on June 29, 2012), available 
at: https://marketsmedia.com/climbing-mount-message-exchanges-managing-peaks/ (noting that message volumes across U.S. exchanges 
hit a daily peak of 4.47 million messages per second).
---------------------------------------------------------------------------

    In addition to these changes, there has been an increase in the 
number of trading venues, particularly for equities. No longer is 
trading in equities dominated by one or two trading venues. Today, 13 
national securities exchanges trade equities, with no single stock 
exchange having an overall market share of greater than twenty percent 
of consolidated volume for all NMS stocks,\47\ but each with a 
protected quotation \48\ that may not be traded through by other 
markets.\49\ ATSs, including electronic communications networks 
(``ECNs'') and dark pools, as well as broker-dealer internalizers, also 
execute substantial volumes of securities transactions.\50\ Each of 
these trading venues is connected with the others through a vast web of 
linkages, including those that provide connectivity, routing services, 
and market data. The number of venues trading options has likewise 
grown, with 11 national securities exchanges currently trading options, 
up from five as recently as 2004.\51\
---------------------------------------------------------------------------

    \47\ See, e.g., market volume statistics reported by BATS 
Exchange, Inc., available at: https://www.batstrading.com/market_summary (no single national securities exchange executed more than 
20 percent of volume in NMS stocks during the 5-day period ending 
February 7, 2013). The following national securities exchanges have 
equities trading platforms: (1) BATS Exchange, Inc. (``BATS''); (2) 
BATS Y-Exchange, Inc. (``BATS-Y''); (3) Chicago Board Options 
Exchange, Incorporated (``CBOE''); (4) Chicago Stock Exchange, Inc. 
(``CHX''); (5) EDGA Exchange, Inc. (``EDGA''); (6) EDGX Exchange, 
Inc. (``EDGX''); (7) NASDAQ OMX BX, Inc. (``Nasdaq OMX BX''); (8) 
NASDAQ OMX PHLX LLC (``Nasdaq OMX Phlx''); (9) NASDAQ Stock Market 
LLC (``Nasdaq''); (10) National Stock Exchange, Inc. (``NSX''); (11) 
New York Stock Exchange LLC (``NYSE''); (12) NYSE MKT LLC (``NYSE 
MKT''); and (13) NYSE Arca, Inc. (``NYSE Arca'').
    \48\ A ``protected quotation'' is defined by Regulation NMS as a 
quotation in an NMS stock that (i) is displayed by an automated 
trading center; (ii) is disseminated pursuant to an effective 
national market system plan; and (iii) is an automated quotation 
that is the best bid or best offer of a national securities 
exchange, the best bid or best offer of The Nasdaq Stock Market, 
Inc., or the best bid or best offer of a national securities 
association other than the best bid or best offer of The Nasdaq 
Stock Market, Inc. See Rule 600(b)(57)-(58) of Regulation NMS, 17 
CFR 242.600(b)(57)-(58).
    \49\ See Rule 611(a)(1) of Regulation NMS, 17 CFR 242.601(a)(1).
    \50\ See Concept Release on Equity Market Structure, supra note 
42.
    \51\ The following venues trade options today: (1) BATS Exchange 
Options Market; (2) Boston Options Exchange LLC (``BOX''); (3) C2 
Options Exchange, Incorporated (``C2''); (4) CBOE; (5) International 
Securities Exchange, LLC (``ISE''); (6) Miami International 
Securities Exchange, LLC (``MIAX''); (7) NASDAQ Options Market; (8) 
NASDAQ OMX BX Options; (9) Nasdaq OMX Phlx; (10) NYSE Amex Options; 
and (11) NYSE Arca.
---------------------------------------------------------------------------

    The increased number of trading venues, dispersal of trading 
volume, and the resulting reliance on a variety of automated systems 
and intermarket linkages have increased competition and thus investor 
choice, but have also increased the complexity of the markets and the 
challenges for market participants seeking to manage their information 
technology programs and to ensure compliance with Commission rules.\52\ 
These changes have also substantially heightened the potential for 
systems problems originating from any number of sources to broadly 
affect the market. Given the increased interconnectedness of the 
markets, a trading venue may not always recognize the true impact and 
cost of a problem that originates with one of its systems.
---------------------------------------------------------------------------

    \52\ For example, one important type of linkage in the current 
market structure was created to comply with legal obligations to 
protect against trade-throughs as required by Rule 611 of Regulation 
NMS under the Exchange Act, 17 CFR 242.611. A trade-through is the 
execution of a trade at a price inferior to a protected quotation 
for an NMS stock. Importantly, Rule 611 applies to all trading 
centers, not just those that display protected quotations. Trading 
center is defined broadly in Rule 600(b)(78) of Regulation NMS to 
include, among others, all exchanges, all ATSs (including ECNs and 
dark pools), all OTC market makers, and any other broker-dealer that 
executes orders internally, whether as agent or principal. See 
Concept Release on Equity Market Structure, supra note 42, at 3601.
---------------------------------------------------------------------------

C. Successes and Limitations of the Current ARP Inspection Program

    While the Commission generally considers the ARP Inspection Program 
to have been successful in improving the automated systems of the SROs 
and other entities participating in the program over the past 20 years, 
the Commission is mindful of its limitations. For example, because the 
ARP Inspection Program is established pursuant to Commission policy 
statements, rather than Commission rules,\53\ the Commission's ability 
to assure compliance with ARP standards with certainty or adequate 
thoroughness is limited. In particular, the Commission may not be able 
to fully address major or systemic market problems at all entities that 
would meet the proposed definition of SCI entity. Further, the 
Government Accountability Office

[[Page 18089]]

(``GAO'') has identified the voluntary nature of the ARP Inspection 
Program as a limitation of the program and recommended that the 
Commission make compliance with ARP guidelines mandatory.\54\
---------------------------------------------------------------------------

    \53\ As discussed in infra Section III.B.1, no ATS currently 
meets the volume thresholds in Rule 301(b)(6) of Regulation ATS.
    \54\ See GAO, Financial Market Preparedness: Improvements Made, 
but More Action Needed to Prepare for Wide-Scale Disasters, Report 
No. GAO-04-984 (September 27, 2004). GAO cited instances in which 
the GAO believed that entities participating in the ARP Inspection 
Program failed to adequately address or implement ARP staff 
recommendations as the reasoning behind its recommendation to make 
compliance with ARP guidelines mandatory. As noted in supra Section 
I.A, the obligations underlying the policy statements are 
statutorily mandated.
---------------------------------------------------------------------------

    The Commission believes that the continuing evolution of the 
securities markets to the current state, where they have become almost 
entirely electronic and highly dependent on sophisticated trading and 
other technology (including complex regulatory and surveillance 
systems, as well as systems relating to the provision of market data, 
intermarket routing and connectivity, and a variety of other member and 
issuer services), has posed challenges for the ARP Inspection Program. 
Accordingly, the Commission believes that the guidance in the ARP 
policy statements should be updated and formalized, and that clarity 
with respect to a variety of important matters, including regarding 
appropriate industry practices, notice to the Commission of all SCI 
events and to members or participants of SCI entities of certain 
systems problems, Commission access to systems, and procedures designed 
to better ensure that SRO systems comply with the SRO's own rules, 
would improve the Commission's oversight capabilities. Furthermore, 
given the importance of ensuring that an SRO's trading and other 
systems are operated in accordance with its rules, the Commission 
believes that improvements in SRO procedures could help to ensure that 
such systems are operating in compliance with relevant rules, and to 
promptly identify and address any instances of non-compliance.\55\
---------------------------------------------------------------------------

    \55\ Section 19(b)(1) of the Exchange Act requires each SRO to 
file with the Commission any proposed rule or any proposed change 
in, addition to, or deletion from the rules of such SRO (a 
``proposed rule change''), accompanied by a concise general 
statement of the basis and purpose of such proposed rule change, and 
provides that no proposed rule change shall take effect unless 
approved by the Commission or otherwise permitted in accordance with 
the provisions of this section. See 15 U.S.C. 78s(b)(1). An SRO's 
failure to file a proposed rule change when required would be a 
violation of Section 19(b)(1).
---------------------------------------------------------------------------

D. Recent Events

    In the Commission's view, recent events further highlight why 
rulemaking in this area may be warranted. On May 6, 2010, according to 
a report by the staffs of the Commission and the Commodity Futures 
Trading Commission (``CFTC''), the prices of many U.S.-based equity 
products experienced an extraordinarily rapid decline and recovery, 
with major equity indices in both the futures and securities markets, 
each already down over four percent from their prior day close, 
suddenly plummeting a further five to six percent in a matter of 
minutes before rebounding almost as quickly.\56\ According to the May 6 
Staff Report, many individual equity securities and exchange traded 
funds suffered similar price declines and reversals within a short 
period of time, falling 5, 10, or even 15 percent before recovering 
most, if not all, of their losses.\57\ The May 6 Staff Report stated 
that some equities experienced even more severe price moves, both up 
and down, with over 20,000 trades in more than 300 securities executed 
at prices more than 60 percent away from their values just moments 
before.\58\
---------------------------------------------------------------------------

    \56\ See Findings Regarding The Market Events Of May 6, 2010, 
Report Of The Staffs Of The CFTC And SEC To The Joint Advisory 
Committee On Emerging Regulatory Issues, September 30, 2010 (``May 6 
Staff Report'').
    \57\ See id.
    \58\ These trades subsequently were broken by the exchanges and 
FINRA. See id.
---------------------------------------------------------------------------

    Among the key findings in the May 6 Staff Report was that the 
interaction between automated execution programs and algorithmic 
trading strategies can quickly erode liquidity and result in disorderly 
markets, and that concerns about data integrity, especially those that 
involve the publication of trades and quotes to the consolidated tape, 
can contribute to pauses or halts in many automated trading systems and 
in turn lead to a reduction in general market liquidity.\59\ According 
to the May 6 Staff Report, the events of May 6, 2010 clearly 
demonstrate the importance of data in today's world of fully automated 
trading strategies and systems, and that fair and orderly markets 
require the maintenance of high standards for robust, accessible, and 
timely market data.\60\
---------------------------------------------------------------------------

    \59\ See id. at 78.
    \60\ See id. at 8.
---------------------------------------------------------------------------

    Both before and after the May 6, 2010 incident, individual markets 
have also experienced other systems-related issues. In February 2011, 
NASDAQ OMX Group, Inc. revealed that hackers had penetrated certain of 
its computer networks, though Nasdaq reported that at no point did this 
intrusion compromise Nasdaq's trading systems.\61\ In October 2011, the 
Commission sanctioned EDGX and EDGA, two national securities exchanges, 
and their affiliated broker, Direct Edge ECN LLC, for violations of 
federal securities laws arising from systems incidents.\62\ In the 
Direct Edge Order, the Commission noted that the ``violations occurred 
against the backdrop of weaknesses in Respondents' systems, processes, 
and controls.'' \63\
---------------------------------------------------------------------------

    \61\ See announcement by Nasdaq OMX (February 5, 2011), 
available at: https://www.nasdaq.com/includes/announcement-2-5-11.aspx (accessed May 20, 2011). See also Devlin Barrett, ``Hackers 
Penetrate NASDAQ Computers,'' Wall St. J., February 5, 2011, at A1; 
Devlin Barrett et al., ``NASDAQ Confirms Breach in Network,'' Wall 
St. J., February 7, 2011, at C1.
    \62\ See Securities Exchange Act Release No. 65556, In the 
Matter of EDGX Exchange, Inc., EDGA Exchange, Inc. and Direct Edge 
ECN LLC (settled action: October 13, 2011), available at: https://www.sec.gov/litigation/admin/2011/34-65556.pdf (``Direct Edge 
Order''); see also Commission News Release, 2011-208, ``SEC 
Sanctions Direct Edge Electronic Exchanges and Orders Remedial 
Measures to Strengthen Systems and Controls'' (October 13, 2011). 
EDGX, EDGA, and their affiliated routing broker, Direct Edge ECN LLC 
(dba DE Route), consented to an Order Instituting Administrative and 
Cease-and-Desist Proceedings Pursuant to Sections 19(h) and 21C of 
the Securities Exchange Act of 1934, Making Findings, and Imposing 
Remedial Sanctions and a Cease-and-Desist Order.
    \63\ See Direct Edge Order, supra note 62, at 3.
---------------------------------------------------------------------------

    More recently, in 2012, systems issues hampered the initial public 
offerings of BATS Global Markets, Inc. and Facebook, Inc.\64\ On March 
23, 2012, BATS announced that a ``software bug'' caused BATS to shut 
down the IPO of its own stock, BATS Global Markets, Inc.\65\ On May 18, 
2012, issues with Nasdaq's trading systems delayed the start of trading 
in the high-profile IPO of Facebook, Inc. and some market participants 
experienced delays in notifications over whether orders had been 
filled.\66\
---------------------------------------------------------------------------

    \64\ See also infra note 334 and accompanying text.
    \65\ See ``BATS BZX Exchange Post-Mortem'' by BATS, March 23, 
2012, available at: www.batstrading.com/alerts (accessed July 2, 
2012).
    \66\ See ``Post-Mortem for NASDAQ issues related to the Facebook 
Inc. (FB) IPO Cross on Friday, May 18, 2012'' by NASDAQ, May 18, 
2012, available at: https://www.nasdaqtrader.com/TraderNews.aspx?id=ETA2012-20 (accessed July 2, 2012).
---------------------------------------------------------------------------

    While these are illustrative high-profile examples, they are not 
the only instances of disruptions and other systems problems 
experienced by SROs and ATSs.\67\ Moreover, the risks

[[Page 18090]]

associated with cybersecurity, and how to protect against systems 
intrusions, are increasingly of concern to all types of entities, 
including public companies.\68\
---------------------------------------------------------------------------

    \67\ The Commission notes that outages have occurred on foreign 
markets recently as well. See, e.g., Kana Inagaki and Kosaku 
Narioka, ``Tokyo Tackles Trading Glitch,'' Wall St. J., February 2, 
2012; and Neil Shah and Carrick Mellenkamp, ``London Exchange 
Paralyzed by Glitch,'' Wall St. J., September 9, 2008, Europe 
Business News. See also discussion in infra Section III.C.1.b 
regarding business continuity planning during October 2012 due to 
Superstorm Sandy.
    \68\ See, e.g., CF Disclosure Guidance: Topic No. 2, 
Cybersecurity (October 13, 2011), available at: https://www.sec.gov/divisions/corpfin/guidance/cfguidance-topic2.htm (providing the 
Division of Corporation Finance's views regarding disclosure 
obligations relating to cybersecurity risks and cyber incidents).
---------------------------------------------------------------------------

    On October 2, 2012, the Commission conducted a roundtable entitled 
``Technology and Trading: Promoting Stability in Today's Markets'' 
(``Roundtable'').\69\ The Roundtable examined the relationship between 
the operational stability and integrity of the securities market and 
the ways in which market participants design, implement, and manage 
complex and interconnected trading technologies.\70\ Panelists offered 
their views on how market participants could prevent, or at least 
mitigate, technology errors as well as how error response could be 
improved.
---------------------------------------------------------------------------

    \69\ See Securities Exchange Act Release No. 67802 (September 7, 
2012), 77 FR 56697 (September 13, 2012) (File No. 4-652). A webcast 
of the Roundtable is available at: www.sec.gov/news/otherwebcasts/2012/ttr100212.shtml.
    \70\ See Securities Exchange Act Release No. 67725 (August 24, 
2012), 77 FR 52766 (August 30, 2012) (File No. 4-652). The 
Roundtable included panelists from academia, clearing agencies, 
national securities exchanges, broker-dealers, and other 
organizations. Panelists for the first panel were: Dr. Nancy 
Leveson, Professor of Aeronautics and Astronautics and Engineering 
Systems, MIT (``MIT''); Sudhanshu Arya, Managing Director, ITG 
(``ITG''); Chris Isaacson, Chief Operating Officer, BATS Exchange 
(``BATS''); Dave Lauer, Market Structure and HFT Consultant, Better 
Markets, Inc. (``Better Markets''); Jamil Nazarali, Head of Citadel 
Execution Services, Citadel (``Citadel''); Lou Pastina, Executive 
Vice President--NYSE Operations, NYSE (``NYSE''); Christopher Rigg, 
Partner--Financial Services Industry, IBM (``IBM''); and Jonathan 
Ross, Chief Technology Officer, GETCO LLC (``Getco'').
    Panelists for the second panel were: Dr. M. Lynne Markus, 
Professor of Information and Process Management, Bentley University 
(``Bentley''); David Bloom, Head of UBS Group Technology (``UBS''); 
Chad Cook, Chief Technology Officer, Lime Brokerage LLC (``Lime''); 
Anna Ewing, Executive Vice President and Chief Information Officer, 
Nasdaq; Albert Gambale, Managing Director and Chief Development 
Officer, Depository Trust and Clearing Corp. (``DTCC''); Saro 
Jahani, Chief Information Officer, Direct Edge (``DE''); and Lou 
Steinberg, Chief Technology Officer, TD Ameritrade (``TDA''). See 
Technology and Trading: Promoting Stability in Today's Markets 
Roundtable -- Participant Bios, available at: https://www.sec.gov/news/otherwebcasts/2012/ttr100212-bios.htm.
    The Roundtable was announced on August 3, 2012, following a 
report by Knight Capital Group, Inc. (``Knight'') that, on August 1, 
2012, it ``experienced a technology issue at the opening of trading 
at the NYSE * * * [which was] related to Knight's installation of 
trading software and resulted in Knight sending numerous erroneous 
orders in NYSE-listed securities into the market * * * Knight * * * 
traded out of its entire erroneous trade position, which * * * 
resulted in a realized pre-tax loss of approximately $440 million.'' 
See Knight Capital Group Provides Update Regarding August 1st 
Disruption To Routing In NYSE-listed Securities (August 2, 2012), 
available at: https://www.knight.com/investorRelations/pressReleases.asp?compid=105070&releaseID=1721599.
     Although the Knight incident highlights the importance of the 
integrity of broker-dealer systems, the focus of the Roundtable was 
not limited to broker-dealers. But see infra Section III.G, 
soliciting comment regarding the potential inclusion of broker-
dealers, other than SCI ATSs, in the proposed definition of SCI 
entity.
---------------------------------------------------------------------------

    Although the discussion was wide-ranging, several themes emerged, 
with panelists generally agreeing that areas of focus across the 
industry should be on adherence to best practices, improved quality 
assurance, more robust testing, increased pre-trade and post-trade risk 
controls, real-time monitoring of systems, and improved communications 
when systems problems occur. The panelists also discussed whether there 
should be regulatory or other mandates for quality standards and 
industry testing, and whether specific mechanisms, such as ``kill 
switches,'' \71\ would be useful to protect the markets from technology 
errors and to advance the goal of bolstering investor confidence in the 
markets.\72\ Several panelists also stated that, given the frequency of 
coding changes in the current market environment, testing of software 
changes should be far more robust.\73\
---------------------------------------------------------------------------

    \71\ The term ``kill switch'' is a shorthand expression used by 
market participants, including Roundtable participants and 
Roundtable commenters, to refer to mechanisms pursuant to which one 
or more limits on trading could be established by a trading venue 
for its participants that, if exceeded, would authorize the trading 
venue to stop accepting incoming orders from such participant. See 
also infra note 76 and accompanying text.
    \72\ With regard to quality assurance in particular, Roundtable 
panelists differed on the role of third parties in providing quality 
assurance, with some panelists believing that, given the difficulty 
for an outside party to understand the complex systems of trading 
firms and other market participants, such a role should be performed 
by internal staff who are better able to understand such systems, 
with other panelists opining that it was critical that 
independent parties provide quality assurance.
    \73\ Panelists urging greater testing in general and industry 
testing in particular included those from BATS, Better Markets, DE, 
ITG, Getco, Nasdaq, NYSE, and TDA.
---------------------------------------------------------------------------

    In addition to the Roundtable panels, the Commission solicited 
comment with respect to the Roundtable's topics, and received 
statements from some of the Roundtable panelists, as well as comment 
letters from the public.\74\ Many comment letters specifically 
recommended improved testing as a way to aid error prevention.\75\ In 
addition, several commenters expressed support for a ``kill-switch'' 
mechanism that would permit exchanges or other market centers to 
terminate a firm's trading activity if such activity was posing a 
threat to market integrity.\76\
---------------------------------------------------------------------------

    \74\ See https://www.sec.gov/comments/4-652/4-652.shtml, listing 
and publishing all comment letters received by the Commission with 
respect to the Roundtable. The letters received cover a broad array 
of topics, some of which are unrelated to proposed Regulation SCI. 
This proposing release discusses and references the following 
letters when relevant to the discussion of proposed Regulation SCI: 
Letter dated September 5, 2012, from James J. Angel, Ph.D., CFA, 
Georgetown University and the Wharton School, University of 
Pennsylvania (``Angel''); Letter dated September 27, 2012, from Eric 
Swanson, BATS Global Markets, Inc.; Letter dated October 2, 2012, 
from Dave Lauer, Market Structure and HFT Consultant, Better Markets 
(``Better Markets''); Letter dated October 1, 2012, from Jamil 
Nazarali, Citadel (``Citadel''); Letter dated October 23, 2012, from 
Scott Goebel, Senior Vice President and General Counsel, Fidelity 
Management & Research Company (``Fidelity''); Letter dated November 
1, 2012, from Arsalan Shahid, Program Director, Financial 
Information Forum (``FIF''); Letter dated October 19, 2012, from 
Courtney Doyle McGuinn, Operations Director, FIX Protocol Ltd. 
(``FIX''); Letter dated October 1, 2012, from Elizabeth K. King, 
Head of Regulatory Affairs, GETCO LLC (``Getco''); Letter dated 
October 18, 2012, from Adam Nunes, President, Hudson River Trading 
LLC (``Hudson''); Letter dated September 23, 2012, from Patrick J. 
Healy, CEO, Issuer Advisory Group LLC (``IAG''); Letter dated 
October 23, 2012, from Karrie McMillan, General Counsel, Investment 
Company Institute (``ICI''); Letter dated October 22, 2012, from 
James P. Selway III, Managing Director, Head of Liquidity 
Management, and Sudhanshu Arya, Managing Director, Head of 
Technology for Liquidity Management, ITG Inc. (``ITG''); Letter 
dated September 28, 2012, from Joseph M. Mecane, NYSE Euronext; 
Richard G. Ketchum, FINRA; Eric Noll, Nasdaq OMX, Inc.; Christopher 
A. Isaacson, BATS Global Markets, Inc.; Bryan Harkins, DirectEdge; 
David Herron, Chicago Stock Exchange; Murray Pozmanter, The 
Depository Trust & Clearing Corporation; Bank of America Merrill 
Lynch; Citadel LLC; Citigroup Global Markets Inc.; Deutsche Bank 
Securities Inc.; GETCO; Goldman, Sachs & Co/Goldman Sachs Execution 
and Clearing; IMC Chicago LLC; ITG, Inc.; Jane Street; J.P. Morgan 
Securities LLC; RBC Capital Markets, LLC; RGM Advisors, LLC; Two 
Sigma Securities; UBS Securities LLC; Virtu Financial; Wells Fargo 
Securities (``Industry Working Group''); Letter dated September 25, 
2012, from R. T. Leuchtkafer (``Leuchtkafer''); Letter dated August 
14, 2012, from Stuart J. Kaswell, Executive Vice President, Managing 
Director & General Counsel, Managed Funds Association (``MFA''); 
Letter dated October 1, 2012, from Richard Gorelick, RGM Advisors, 
Cameron Smith, Quantlab, and Peter Nabicht, Allston Trading 
(``RGM''); Letter dated September 28, 2012, from Nasser A. Sharara, 
Managing Director, Product Management, Raptor Trading Systems 
(``Raptor''); Letter dated October 1, 2012, from Lou Steinberg, 
Managing Director, Chief Technology Officer, TDA (``TDA''); Letter 
dated October 24, 2012, from David Weisberger, Executive Principal, 
Two Sigma Securities, LLC (``Two Sigma'').
    \75\ See, e.g., letters from Angel, BATS, Better Markets, 
Citadel, Fidelity, FIF, FIX, Getco, Hudson, IAG, ICI, ITG, Industry 
Working Group, Leuchtkafer, MFA, RGM, and Two Sigma, supra note 74. 
Some of these commenters specifically urged greater integration 
testing and stated that testing with exchanges and other market 
centers under simulated market conditions was necessary in today's 
extremely fast and interconnected markets. One commenter (Angel) 
suggested that exchanges operate completely from their backup data 
centers one day each year to test such systems and market 
participants' connectivity to them.
    \76\ See, e.g., letters from Angel, BATS, Citadel, FIF, Getco, 
IAG, Industry Working Group, MFA, RGM, and Raptor, supra note 74. 
See also letters from Fidelity, FIX, Hudson and ITG, supra note 74, 
submitted after the Roundtable, suggesting possible approaches for 
establishing kill switch criteria. See also supra note 71, 
describing the use of the term ``kill switch'' in this release.

---------------------------------------------------------------------------

[[Page 18091]]

    The Commission believes that the information presented at the 
Roundtable and received from commenters, as broadly outlined above, 
highlights that quality standards, testing, and improved error response 
mechanisms are among the issues needing very thoughtful and focused 
attention in today's securities markets.\77\ In formulating proposed 
Regulation SCI, the Commission has considered the information and views 
discussed at the Roundtable and received from commenters.
---------------------------------------------------------------------------

    \77\ The Commission notes that Roundtable panelists and 
commenters offering their views and suggestions generally did so in 
the context of discussing the market as a whole, rather than 
focusing on the roles and regulatory status of different types of 
market participants. However, some commented on the utility of the 
ARP Inspection Program and suggested that it could be expanded. See, 
e.g., letter from Leuchtkafer, supra note 74. In addition, the 
panelists from Getco, Nasdaq, and NYSE also suggested that ARP could 
be expanded, with the panelist from NYSE in particular advocating 
that the applicability of any new ARP-related regulations not be 
limited to SROs. One commenter suggested that the Commission update 
and formalize the ARP Inspection Program before extending it to 
other market participants. See letter from Fidelity, supra note 74. 
This commenter added further that, if the ARP program is extended to 
other market participants, it should not include a requirement that 
broker-dealers submit certain information, such as algorithmic code 
changes, for independent review. See also infra Section III.G, 
soliciting comment on whether the requirements of proposed 
Regulation SCI should apply, in whole or in part, to broker-dealers 
or a subset thereof.
---------------------------------------------------------------------------

    Most recently, the U.S. national securities exchanges closed for 
two business days in the wake of Superstorm Sandy, a major storm that 
hit the East Coast of the United States during October 2012, and which 
caused significant damage in lower Manhattan, among other places.\78\ 
Press reports stated that, while the markets planned to open on the 
first day of the storm (with the NYSE planning to operate under its 
contingency plan as an electronic-only venue),\79\ after consultation 
with market participants, including the Commission and its staff, and 
in light of concerns over the physical safety of personnel and the 
possibility of technical issues, the national securities exchanges 
jointly decided not to open for trading on October 29 and October 30, 
2012.\80\ The market closures occurred even though the securities 
industry's annual test of how trading firms, market operators and their 
utilities could operate through an emergency using backup sites, backup 
communications, and disaster recovery facilities occurred on October 
27, 2012, just two days before the storm.\81\ According to press 
reports, the test did not uncover issues that would preclude markets 
from opening two days later with backup systems, if they so chose.\82\ 
In addition, NYSE's contingency plan was tested seven months prior to 
the storm, though press reports indicate that a large number of NYSE 
members did not participate.\83\ The Commission also has considered the 
impact of Superstorm Sandy on the securities markets, particularly with 
respect to business continuity planning and testing, in formulating 
proposed Regulation SCI.
---------------------------------------------------------------------------

    \78\ See ``NYSE to Remain Open for Trading While Physical 
Trading Floor and New York Building Close in Accordance with Actions 
Taken by City and State Officials,'' (October 28, 2012) (``NYSE 
Floor Closure Statement''), available at: https://www.nyse.com/press/1351243407197.html; and ``NYSE Euronext Statement on Closure of U.S. 
Markets on Monday Oct. 29 and Pending Confirmation on Tuesday, Oct. 
30, 2012,'' (October 28, 2012) (``NYSE Closure Statement''), 
available at: https://www.nyse.com/press/1351243418010.html.
    \79\ The NYSE had initially planned to act pursuant to NYSE Rule 
49 (Emergency Powers), which permits a designated official of the 
NYSE, in the event of an emergency (as defined in Section 12(k)(7) 
of the Exchange Act), to designate NYSE Arca to receive and process 
bids and offers and to execute orders on behalf of the NYSE. See 
``NYSE Contingency Trading Plan in effect for Monday, October 29, 
2012,'' (October 28, 2012) (``Market Operations Update''), available 
at: https://markets.nyx.com/nyse/trader-updates/view/11503. The 
Commission approved NYSE Rule 49 on December 16, 2009. See 
Securities Exchange Act Release No. 61177 (December 16, 2009), 74 FR 
68643 (December 28, 2009) (SR-NYSE-2009-105) (approving proposed 
rule change by the NYSE relating to the designation of NYSE Arca as 
the NYSE's alternative trading facility in an emergency).
    \80\ See, e.g., ``A giant storm and the struggle over closing 
Wall Street,'' October 31, 2012, available at: https://www.reuters.com/article/2012/10/31/us-storm-sandy-nyse-insight-idUSBRE89T0F920121031. See also, e.g., NYSE Closure Statement, supra 
note 78.
    \81\ See, e.g., ``Storm Over Wall Street Going Dark,'' November 
12, 2012, available at: https://www.tradersmagazine.com/news/storm-over-wall-street-going-dark-110526-1.html.
    \82\ See id. See also https://www.sifma.org/services/bcp/industry-testing.
    \83\ See id. and NYSE Floor Closure Statement, supra note 78.
---------------------------------------------------------------------------

II. Proposed Codification and Enhancement of ARP Inspection Program

    In the Commission's view, the convergence of several developments--
the evolution of the markets to become significantly more dependent 
upon sophisticated automated systems, the limitations of the existing 
ARP Inspection Program, and the lessons of recent events--highlights the 
need to consider an updated and formalized regulatory framework for 
ensuring that the U.S. securities trading markets develop and maintain 
systems with adequate capacity, integrity, resiliency, availability, 
and security, and reinforce the requirement that such systems operate 
in compliance with the Exchange Act. The Commission is proposing new 
Regulation SCI because the Commission preliminarily believes that it 
would further the goals of the national market system and reinforce 
Exchange Act obligations to require entities important to the 
functioning of the U.S. securities markets to carefully design, 
develop, test, maintain, and surveil systems integral to their 
operations.
    Proposed Regulation SCI would replace the two ARP policy 
statements. Although proposed Regulation SCI would codify in a 
Commission rule many of the principles of the ARP policy statements 
with which SROs and other participants in the ARP Inspection Program 
are familiar, the proposed rule would apply to more entities than the 
current ARP Inspection Program and would place obligations not 
currently included in the ARP policy statements on entities subject to 
the rule. Specifically, proposed Regulation SCI would apply to ``SCI 
entities,'' a term that would include ``SCI SROs,'' ``SCI ATSs,'' 
``plan processors,'' and ``exempt clearing agencies subject to ARP.'' 
\84\
---------------------------------------------------------------------------

    \84\ Each of these terms is discussed in detail in Section 
III.B.1 below.
---------------------------------------------------------------------------

    Further, to help ensure that the proposed rule covers key systems 
of SCI entities, the proposed rule would define (for purposes of 
Regulation SCI) the term ``SCI systems'' to mean those systems of, or 
operated by or on behalf of, an SCI entity that directly support 
trading, clearance and settlement, order routing, market data, 
regulation, or surveillance. In addition, the term ``SCI security 
systems'' would include systems that share network resources with SCI 
systems that, if breached, would be reasonably likely to pose a 
security threat to such systems.\85\ The proposed rule also would 
define several other terms intended to specify what types of systems 
changes and problems (``SCI events'') the Commission considers to be 
most significant and, therefore, preliminarily believes should be 
covered by the proposed rule's requirements.
---------------------------------------------------------------------------

    \85\ See infra Section III.B.2 for a discussion of the proposed 
definitions of SCI systems and SCI security systems.
---------------------------------------------------------------------------

    In addition, proposed Regulation SCI would specify the obligations 
SCI entities would have with respect to covered systems and SCI events. 
Specifically, proposed Regulation SCI would require that each SCI 
entity: (1)

[[Page 18092]]

Establish, maintain, and enforce written policies and procedures 
reasonably designed to ensure that its SCI systems and, for purposes of 
security standards, SCI security systems, have levels of capacity, 
integrity, resiliency, availability, and security, adequate to maintain 
the SCI entity's operational capability and promote the maintenance of 
fair and orderly markets; (2) establish, maintain, and enforce written 
policies and procedures reasonably designed to ensure that its SCI 
systems operate in the manner intended; (3) respond to SCI events with 
appropriate corrective action; (4) report SCI events to the Commission 
and submit follow-up reports, as applicable; (5) disseminate 
information regarding certain SCI events to members or participants of 
the SCI entity; (6) report material systems changes to the Commission; 
(7) conduct an SCI review of its systems not less than once each 
calendar year; (8) submit certain periodic reports to the Commission, 
including a report of the SCI review, together with any response by 
senior management; (9) mandate participation by designated members or 
participants in scheduled testing of the operation of the SCI entity's 
business continuity and disaster recovery plans, including backup 
systems, and coordinate such testing on an industry- or sector-wide 
basis \86\ with other SCI entities; and (10) make, keep, and preserve 
records relating to the matters covered by Regulation SCI, and provide 
them to Commission representatives upon request. The proposal also 
would require that an SCI entity submit all required written 
notifications and reports to the Commission electronically using new 
proposed Form SCI.
---------------------------------------------------------------------------

    \86\ See infra Section III.C.7 for a discussion of the terms 
industry-wide and sector-wide.
---------------------------------------------------------------------------

III. Proposed Regulation SCI

A. Overview

    The purpose of proposed Regulation SCI is to enhance the 
Commission's regulatory supervision of SCI entities and thereby further 
the goals of the national market system by helping to ensure the 
capacity, integrity, resiliency, availability, and security, and 
enhance compliance with federal securities laws and regulations, of 
automated systems relating to the U.S. securities markets through the 
formalization of standards to which their automated systems would be 
held, and a regulatory framework for ensuring more effective Commission 
oversight of these systems. Proposed Rule 1000(a) sets forth several 
definitions designed to establish the scope of the new rule. Proposed 
Rule 1000(b) sets forth the obligations that would be imposed on SCI 
entities with respect to systems and systems issues. Proposed Rules 
1000(c)-(f) set forth recordkeeping and electronic filing requirements 
and address certain other related matters.

B. Proposed Rule 1000(a): Definitions Establishing the Scope of 
Regulation SCI

    A series of definitions set forth in proposed Rule 1000(a) relate 
to the scope of proposed Regulation SCI. These include the definitions 
for ``SCI entity,'' ``SCI systems,'' ``SCI security systems,'' ``SCI 
event,'' ``systems disruption,'' ``systems compliance issue,'' 
``systems intrusion,'' ``dissemination SCI event,'' and ``material 
systems change.''
1. SCI Entities
    Although the ARP policy statements are rooted in Exchange Act 
requirements, the ARP Inspection Program has developed without the 
promulgation of Commission rules applicable to SROs or plan processors. 
Under the ARP Inspection Program, Commission staff conducts inspections 
of SROs to assess the capacity, integrity, resiliency, availability, 
and security of their systems. These inspections also have historically 
included the systems of entities that process and disseminate quotation 
and transaction data on behalf of the Consolidated Tape Association 
System (``CTA Plan''), Consolidated Quotation System (``CQS Plan''), 
Joint Self-Regulatory Organization Plan Governing the Collection, 
Consolidation, and Dissemination of Quotation and Transaction 
Information for Nasdaq-Listed Securities Traded on Exchanges on an 
Unlisted Trading Privileges Basis (``Nasdaq UTP Plan''), and Options 
Price Reporting Authority (``OPRA Plan'').\87\ The ARP Inspection 
Program has also included one exempt clearing agency.\88\ Pursuant to 
Rule 301(b)(6) of Regulation ATS, certain aspects of the ARP policy 
statements apply mandatorily to significant-volume ATSs, as they are 
currently defined under Regulation ATS.\89\ However, because no ATSs 
currently meet the significant-volume thresholds specified in Rule 
301(b)(6) of Regulation ATS,\90\ compliance with the ARP Inspection 
Program is not mandatory at this time for any ATS.\91\ Proposed 
Regulation SCI would provide mandatory uniform requirements for ``SCI 
entities.'' Proposed Rule 1000(a) would define ``SCI entity'' as an 
``SCI self-regulatory organization, SCI alternative trading system, 
plan processor, or exempt clearing agency subject to ARP.'' The 
proposed rule also would define each of these terms for the purpose of 
designating specifically the entities that the Commission preliminarily 
believes should be subject to the rule.
---------------------------------------------------------------------------

    \87\ See ARP I Release, supra note 1, at n. 8 and n. 17. Each of 
the CTA Plan, CQS Plan, Nasdaq UTP Plan, and OPRA Plan, is a 
``national market system plan'' (``NMS Plan'') as defined under Rule 
600(a)(43) of Regulation NMS under the Exchange Act, 17 CFR 
242.600(a)(43). Rule 600(a)(55) of Regulation NMS under the Exchange 
Act, 17 CFR 242.600(a)(55), defines a ``plan processor'' as ``any 
self-regulatory organization or securities information processor 
acting as an exclusive processor in connection with the development, 
implementation and/or operation of any facility contemplated by an 
effective national market system plan.'' Section 3(a)(22)(B) of the 
Exchange Act, 15 U.S.C. 78c(22)(B), defines ``exclusive processor'' 
to mean ``any securities information processor or self-regulatory 
organization which, directly or indirectly, engages on an exclusive 
basis on behalf of any national securities exchange or registered 
securities association, or any national securities exchange or 
registered securities association which engages on an exclusive 
basis on its own behalf, in collecting, processing, or preparing for 
distribution or publication any information with respect to (i) 
transactions or quotations on or effected or made by means of any 
facility of such exchange or (ii) quotations distributed or 
published by means of any electronic system operated or controlled 
by such association.''
    As a processor involved in collecting, processing, and preparing 
for distribution transaction and quotation information, the 
processor of each of the CTA Plan, CQS Plan, Nasdaq UTP Plan, and 
OPRA Plan meets the definition of ``exclusive processor;'' and 
because each acts as an exclusive processor in connection with an 
NMS Plan, each also meets the definition of ``plan processor'' under 
Rule 600(a)(55) of Regulation NMS, as well as proposed Rule 1000(a) 
of Regulation SCI. For ease of reference, an NMS Plan having a 
current or future ``plan processor'' is referred to herein as an 
``SCI Plan.'' The Commission notes that not every processor of an 
NMS Plan would be a ``plan processor,'' as proposed to be defined in 
Rule 1000(a), and therefore not every processor of an NMS Plan would 
be an SCI entity subject to the requirements of proposed Regulation 
SCI. For example, the processor of the Symbol Reservation System 
associated with the National Market System Plan for the Selection 
and Reservation of Securities Symbols (File No. 4-533) would not be 
a ``plan processor'' subject to Regulation SCI because it does not 
meet the ``exclusive processor'' statutory definition, as it is not 
involved in collecting, processing, and preparing for distribution 
transaction and quotation information.
    \88\ See infra notes 133-135 and accompanying text.
    \89\ See 17 CFR 242.301(b)(6). See also supra note 26.
    \90\ 17 CFR 242.301(b)(6).
    \91\ One ATS currently participates voluntarily in the ARP 
Inspection Program, though, in the past, other ATSs have also 
participated in the ARP Inspection Program.
---------------------------------------------------------------------------

    Proposed Rule 1000(a) would define the term ``SCI self-regulatory 
organization.'' The definition of ``SCI self-regulatory organization,'' 
or ``SCI SRO,'' would be consistent with the definition of ``self-
regulatory organization'' set forth in Section 3(a)(26) of the Exchange 
Act,\92\ and

[[Page 18093]]

would cover all national securities exchanges registered under Section 
6(b) of the Exchange Act,\93\ registered securities associations,\94\ 
registered clearing agencies,\95\ and the Municipal Securities 
Rulemaking Board (``MSRB'').\96\ The definition would, however, exclude 
an exchange that lists or trades security futures products that is 
notice-registered with the Commission as a national securities exchange 
pursuant to Section 6(g) of the Exchange Act, as well as any limited 
purpose national securities association registered with the Commission 
pursuant to Exchange Act Section 15A(k).\97\ Accordingly, the 
definition of SCI SRO in proposed Rule 1000(a) would mandate that all 
national securities exchanges registered under Section 6(b) of the 
Exchange Act, all registered securities associations, all registered 
clearing agencies, and the MSRB, comply with Regulation SCI.\98\
---------------------------------------------------------------------------

    \92\ See 15 U.S.C. 78c(a)(26): ``The term `self-regulatory 
organization' means any national securities exchange, registered 
securities association, or registered clearing agency, or (solely 
for purposes of sections 19(b), 19(c), and 23(b) of this title) the 
Municipal Securities Rulemaking Board established by section 15B of 
this title.'' See infra note 96.
    \93\ Currently, these registered national securities exchanges 
are: (1) BATS; (2) BATS-Y; (3) BOX; (4) CBOE; (5) C2; (6) CHX; (7) 
EDGA; (8) EDGX; (9) ISE; (10) MIAX; (11) Nasdaq OMX BX; (12) Nasdaq 
OMX Phlx; (13) Nasdaq; (14) NSX; (15) NYSE; (16) NYSE MKT; and (17) 
NYSE Arca.
    \94\ FINRA is the only registered national securities 
association.
    \95\ Currently, there are seven clearing agencies (Depository 
Trust Company (``DTC''); Fixed Income Clearing Corporation 
(``FICC''); National Securities Clearing Corporation (``NSCC''); 
Options Clearing Corporation (``OCC''); ICE Clear Credit; ICE Clear 
Europe; and CME) with active operations that are registered with the 
Commission. See also infra notes 133-135 and accompanying text. The 
Commission notes that it recently adopted Rule 17Ad-22, which 
requires registered clearing agencies to have effective risk 
management policies and procedures in place. See Securities Exchange 
Act Release No. 68080 (October 22, 2012), 77 FR 66220 (November 2, 
2012). Among other things, Rule 17Ad-22(d)(4) requires that 
registered clearing agencies ``[i]dentify sources of operational 
risk and minimize them through the development of appropriate 
systems, controls, and procedures; implement systems that are 
reliable, resilient and secure, and have adequate, scalable 
capacity; and have business continuity plans that allow for timely 
recovery of operations and fulfillment of a clearing agency's 
obligations.'' In its adopting release, the Commission stated that 
Rule 17Ad-22(d)(4) ``* * * complements the existing guidance 
provided by the Commission in its Automation Review Policy 
Statements and the Interagency White Paper on Sound Practices to 
Strengthen the Resilience of the U.S. Financial System.'' Similarly, 
the Commission preliminarily believes that proposed Regulation SCI, 
to the extent it addresses areas of risk management similar to those 
addressed by Rule 17Ad-22(d)(4), complements Rule 17Ad-22(d)(4). See 
also infra note 203.
    \96\ 15 U.S.C. 78c(a)(26). See also supra note 92. Historically, 
the ARP Inspection Program has not included the MSRB, but instead 
has focused on entities having trading, quotation and transaction 
reporting, and clearance and settlement systems more closely 
connected to the equities and options markets. In considering the 
entities that should be subject to proposed Regulation SCI, the 
Commission preliminarily believes that it would be appropriate to 
apply proposed Regulation SCI to all SROs (subject to the exception 
noted in infra note 97), of which the MSRB is one, particularly 
given the fact that the MSRB is the only SRO relating to municipal 
securities and is the sole provider of consolidated market data for 
the municipal securities market. Specifically, in 2008, the 
Commission amended Rule 15c2-12 to designate the MSRB as the single 
centralized disclosure repository for continuing municipal 
securities disclosure. In 2009, the MSRB established the Electronic 
Municipal Market Access system (``EMMA''). EMMA now serves as the 
official repository of municipal securities disclosure, providing 
the public with free access to relevant municipal securities data, 
and is the central database for information about municipal 
securities offerings, issuers, and obligors. Additionally, the 
MSRB's Real-Time Transaction Reporting System (``RTRS''), with 
limited exceptions, requires municipal bond dealers to submit 
transaction data to the MSRB within 15 minutes of trade execution, 
and such near real-time post-trade transaction data can be accessed 
through the MSRB's EMMA Web site. While pre-trade price information 
is not as readily available in the municipal securities market, the 
Commission's Report on the Municipal Securities Market also 
recommends that the Commission and MSRB explore the feasibility of 
enhancing EMMA to collect best bids and offers from material ATSs 
and make them publicly available on fair and reasonable terms. See 
Report on the Municipal Securities Market (July 31, 2012), available 
at: https://www.sec.gov/news/studies/2012/munireport073112.pdf.
    \97\ See 15 U.S.C. 78f(g); 15 U.S.C. 78o-3(k). These entities 
are security futures exchanges and the National Futures Association, 
for which the CFTC serves as their primary regulator. The Commission 
preliminarily believes that it would be appropriate to defer to the 
CFTC regarding the systems integrity of these entities.
    \98\ For any SCI SRO that is a national securities exchange, any 
facility of such national securities exchange, as defined in Section 
3(a)(2) of the Exchange Act, 15 U.S.C. 78c(a)(2), also would be 
covered because such facilities are included within the definition 
of ``exchange'' in Section 3(a)(1) of the Exchange Act, 15 U.S.C. 
78c(a)(1).
---------------------------------------------------------------------------

    Proposed Rule 1000(a) would define the term ``SCI alternative 
trading system,'' or ``SCI ATS,'' as an alternative trading system, as 
defined in Sec.  242.300(a), which during at least four of the 
preceding six calendar months, had: (1) With respect to NMS stocks--(i) 
five percent or more in any single NMS stock, and 0.25 percent or more 
in all NMS stocks, of the average daily dollar volume reported by an 
effective transaction reporting plan, or (ii) one percent or more, in 
all NMS stocks, of the average daily dollar volume reported by an 
effective transaction reporting plan; (2) with respect to equity 
securities that are not NMS stocks and for which transactions are 
reported to a self-regulatory organization, five percent or more of the 
average daily dollar volume as calculated by the self-regulatory 
organization to which such transactions are reported; or (3) with 
respect to municipal securities or corporate debt securities, five 
percent or more of either--(i) the average daily dollar volume traded 
in the United States, or (ii) the average daily transaction volume 
traded in the United States.\99\
---------------------------------------------------------------------------

    \99\ Proposed Regulation SCI includes specific quantitative 
requirements, such as proposed Rule 1000(a), which would include 
numerical thresholds in the definition of SCI ATS. The Commission 
recognizes that the specificity of each such quantitative threshold 
could be read by some to imply a definitive conclusion based on 
quantitative analysis of that threshold and its alternatives. The 
numerical thresholds in the definition of SCI ATS have not been 
derived from econometric or mathematical models. Instead, they 
reflect a preliminary assessment by the Commission, based on 
qualitative and some quantitative analysis, of the likely economic 
consequences of the specific quantitative thresholds proposed to be 
included in the definition. There are a number of challenges 
presented in conducting such a quantitative analysis in a robust 
fashion as discussed in this section. Accordingly, the selection of 
the particular quantitative thresholds for the definition of SCI ATS 
reflects a qualitative and preliminary quantitative assessment by 
the Commission regarding the appropriate thresholds. In making such 
assessments and, in turn, selecting the proposed quantitative 
thresholds, the Commission has reviewed data from OATS and other 
sources. The Commission emphasizes that it invites comment, 
including relevant data and analysis, regarding all aspects of the 
various quantitative standards reflected in the proposed rules.
---------------------------------------------------------------------------

    As proposed, ATSs would be covered if they met the proposed 
thresholds for at least four of the preceding six months, which the 
Commission preliminarily believes is an appropriate time period over 
which to evaluate the trading volume of an ATS.\100\ The Commission 
preliminarily believes that this time period would help ensure that the 
standards are not so low as to capture ATSs whose volume would still be 
considered relatively low, but, for example, that may have had an 
anomalous increase in trading on a given day or small number of days.
---------------------------------------------------------------------------

    \100\ The proposed measurement period would remain unchanged 
from the period currently in Rule 301(b)(6) of Regulation ATS.
---------------------------------------------------------------------------

    The proposed definition would modify the thresholds currently 
appearing in Rule 301(b)(6) of Regulation ATS that apply to 
significant-volume ATSs.\101\ Specifically, the proposed definition 
would: Use average daily dollar volume thresholds, instead of an 
average daily share volume threshold, for ATSs that trade NMS stocks or 
equity securities that are not NMS stocks (``non-NMS stocks''); use 
alternative average daily dollar and transaction volume-based tests for 
ATSs that trade municipal securities or corporate debt securities; 
lower the volume thresholds applicable to ATSs for each category of 
asset class; and move the proposed thresholds to Rule 1000(a) of 
proposed Regulation SCI. In particular, with respect to NMS stocks, the 
Commission proposes to

[[Page 18094]]

change the volume threshold from 20 percent of average daily volume in 
any NMS stock such that an ATS that trades NMS stocks that meets either 
of the following two alternative threshold tests would be subject to 
the requirements of proposed Regulation SCI: (i) Five percent or more 
in any NMS stock, and 0.25 percent or more in all NMS stocks, of the 
average daily dollar volume reported by an effective transaction 
reporting plan; or (ii) one percent or more, in all NMS stocks, of the 
average daily dollar volume reported by an effective transaction 
reporting plan. This change is designed to ensure that proposed 
Regulation SCI is applied to an ATS that could have a significant 
impact on the NMS stock market as a whole, as well as an ATS that could 
have a significant impact on a single NMS stock and some impact on the 
NMS stock market as a whole at the same time.\102\ Specifically, by 
imposing both a single NMS stock threshold and an all NMS stocks 
threshold in (i) above, proposed Regulation SCI would not apply to an 
ATS that has a large volume in a small NMS stock and little volume in 
all other NMS stocks. Based on data collected from FINRA's Order Audit 
Trail System (``OATS data'') for one week of trading in May 2012,\103\ 
the Commission preliminarily believes that approximately 10 ATSs 
trading NMS stocks would exceed the proposed thresholds and fall within 
the definition of SCI entity, accounting for approximately 87 percent 
of the dollar volume market share of all ATSs trading NMS stocks.
---------------------------------------------------------------------------

    \101\ 17 CFR 242.301(b)(6). See also supra note 26.
    \102\ Under the proposed thresholds, inactive ATSs would not be 
included in the definition of SCI ATS.
    The Commission has considered barriers to entry and the 
promotion of competition in setting the threshold (see discussion at 
infra Section V.C.4.b) such that new ATSs trading NMS stocks would 
be able to commence operations without, at least initially, being 
required to comply with--and thereby not incurring the costs 
associated with--proposed Regulation SCI. If the proposed thresholds 
are adopted, a new ATS could engage in limited trading in any one 
NMS stock or all NMS stocks, until it reached an average daily 
dollar volume of five percent or more in any one NMS stock and 0.25 
percent or more in all NMS stocks, or one percent in all NMS stocks, 
over four of the preceding six months. Because a new ATS could begin 
trading in NMS stocks for at least three months (i.e., less than 
four of the preceding six months), and conduct such trading at any 
dollar volume level without being subject to proposed Regulation 
SCI, and would have to exceed the specified volume levels for the 
requisite period to become so subject, the Commission preliminarily 
believes that these proposed thresholds should not prevent a new ATS 
entrant from having the opportunity to initiate and develop its 
business.
    \103\ Commission staff analyzed OATS data for the week of May 7-
11, 2012, a week with average market activity and no holidays or 
shortened trading days, and thus intended to be a representative 
trading week. However, because the OATS data analysis does not 
consider trading volume over a six-month period and does not base 
the threshold test on four out of the preceding six calendar months 
as prescribed in proposed Rule 1000(a), it may overestimate the 
number of ATSs that would meet the proposed thresholds. For example, 
a large block trade during a single week could skew an ATS's numbers 
upward from what would be observed over the course of the four 
months with the highest volumes during a six-month period, 
particularly with respect to the proposed single-stock threshold. In 
addition, because the OATS data does not identify all ATSs and does 
not identify some ATSs uniquely, some ATSs may not be accounted for 
in the estimated number of ATSs that would meet the proposed 
threshold. Nevertheless, the Commission believes the analysis of 
OATS data offers useful insights.
---------------------------------------------------------------------------

    The Commission notes that its analysis of the OATS data does not 
reveal an obvious threshold level above which a particular subset of 
ATSs may be considered to have a significant impact on individual NMS 
stocks or the overall market, as compared to another subset of ATSs. 
The Commission preliminarily believes that inclusion of the proposed 
dual dollar volume threshold is appropriate to help prevent an ATS from 
avoiding the requirements of proposed Regulation SCI by circumventing 
one of the two threshold tests. The Commission also preliminarily 
believes that a threshold that accounts for 87 percent of the dollar 
volume market share of all ATSs trading NMS stocks is a reasonable 
level that would not exclude new entrants to the ATS market.\104\ 
Moreover, the Commission preliminarily believes the proposed thresholds 
would appropriately include ATSs having NMS stock dollar volume 
comparable to the NMS stock dollar volume of the equity exchanges that 
are SCI SROs and therefore covered by proposed Regulation SCI.\105\
---------------------------------------------------------------------------

    \104\ The Commission preliminarily believes that the remaining 
13 percent of the dollar volume of all ATSs trading NMS stocks is 
limited to trading conducted on small and new ATSs. See also supra 
note 102.
    \105\ For example, based on trade and quotation data published 
by NYSE Euronext for the period July 1, 2012 through December 31, 
2012, the national securities exchanges with the smallest market 
shares in NMS stocks (based on average daily dollar volume) had 
market shares slightly above and, in one case, below, the proposed 
0.25 percent threshold in all NMS stocks (the market shares of CBOE, 
NSX, and NYSE MKT were approximately 0.44 percent, 0.27 percent, and 
0.06 percent, respectively). Further, all national securities 
exchanges that trade NMS stocks had at least 5 percent or more of 
the average daily dollar volume in at least one NMS stock, with most 
exceeding such threshold for multiple NMS stocks.
---------------------------------------------------------------------------

    Since the time that the Commission originally adopted Regulation 
ATS, the equity markets have evolved significantly, resulting in an 
increase in the number of trading centers and a reduction in the 
concentration of trading activity.\106\ As such, even smaller trading 
centers, such as certain ATSs, now collectively represent a significant 
source of liquidity for NMS stocks and, by comparison, no single 
registered securities exchange executes more than 20 percent of volume 
in NMS stocks.\107\ Given these developments in market structure, the 
Commission preliminarily believes that setting the average daily dollar 
volume threshold for NMS stocks at five percent in any NMS stock and 
0.25 percent in all NMS stocks, or one percent in all NMS stocks, is 
appropriate to help ensure that entities that have determined to 
participate (in more than a limited manner) in the national market 
system as markets that bring buyers and sellers together, are subject 
to the requirements of proposed Regulation SCI. In addition, the 
Commission preliminarily believes that it is appropriate to propose 
average daily dollar volume thresholds for NMS stocks, rather than 
average daily share volume thresholds, because, by using dollar volume, 
the price level of a stock will not skew an ATS's inclusion or 
exclusion from the definition of SCI entity, as may be the case when 
using share volume, and the use of dollar thresholds may better reflect 
the economic impact of trading activity.\108\
---------------------------------------------------------------------------

    \106\ See supra notes 47-51 and accompanying text.
    \107\ See supra note 47.
    \108\ For example, if a threshold is based on the average daily 
share volume in all NMS stocks, an ATS that transacts in a stock 
that has recently been through a stock split could experience a 
significant increase in its share volume (or, for reverse stock 
splits, a decrease in its share volume), whereas the dollar value 
transacted would remain the same.
---------------------------------------------------------------------------

    In sum, the Commission preliminarily believes that the proposed 
dollar volume thresholds for NMS stocks would further the goals of the 
national market system by ensuring that ATSs that meet the thresholds 
are subject to the same baseline standards as other SCI entities for 
systems capacity, integrity, resiliency, availability, and security.
    With respect to non-NMS stocks, municipal securities, and corporate 
debt securities, the Commission is proposing to lower the current 
thresholds in Rule 301(b)(6) of Regulation ATS. Specifically, the 
Commission is proposing to reduce the standard from 20 percent to five 
percent for these types of securities,\109\ the same percentage 
threshold for such types of securities that triggers the fair access 
provisions of Rule 301(b)(5) of Regulation ATS.\110\ The Commission 
preliminarily believes that ATSs that trade non-NMS stocks, municipal 
securities, and corporate debt securities above the proposed 
thresholds are those that play a significant role in the market for 
such securities and thus preliminarily believes that the proposed 
thresholds are appropriately designed.
---------------------------------------------------------------------------

    \109\ See proposed Rule 1000(a). As discussed in this Section 
III.B.1, the thresholds in proposed Rule 1000(a) would be based on 
average daily dollar or transaction volume.
    \110\ See Rule 301(b)(5) of Regulation ATS under the Exchange 
Act. 17 CFR 242.301(b)(5).
---------------------------------------------------------------------------

    With respect to non-NMS stocks for which transactions are reported 
to a self-regulatory organization, the Commission proposes to lower the 
threshold to five percent or more of the average daily dollar volume as 
calculated by the self-regulatory organization to which such 
transactions are reported. Using data from the first six months of 
2012, the Commission believes that an ATS executing transactions in 
non-NMS stocks at a level exceeding five percent of the average daily 
dollar volume traded in the United States would be executing trades at 
a level exceeding $31 million daily.\111\ Based on data collected from 
Form ATS-R for the second quarter of 2012, the Commission estimates 
that two ATSs would exceed this threshold and fall within the 
definition of SCI entity. The Commission requests comment on the 
accuracy of these estimates.
---------------------------------------------------------------------------

    \111\ Source: Data provided by OTC Markets.
---------------------------------------------------------------------------

    With respect to municipal securities and corporate debt securities, 
the Commission proposes to lower the threshold to five percent or more 
of either: (i) The average daily dollar volume \112\ traded in the 
United States; or (ii) the average daily transaction volume traded in 
the United States. The Commission preliminarily believes that this two-
pronged threshold is appropriate for the debt market, as it should 
capture both ATSs that are focused on retail orders and facilitate a 
relatively greater number of trades with relatively lower dollar 
values, as well as those ATSs that are focused on institutional orders 
and facilitate a relatively lower number of trades with relatively 
greater dollar values. The Commission preliminarily believes that both 
of these thresholds are important in identifying ATSs that play a 
significant role in the debt markets for executing both retail- and 
institutional-sized trades.\113\
---------------------------------------------------------------------------

    \112\ As with the proposed measures for ATSs that trade NMS 
stocks or non-NMS stocks, the Commission is proposing to use average 
daily dollar volume for debt securities, which the Commission 
preliminarily believes is the measure most commonly used when 
analyzing daily trading volume in the debt markets.
    \113\ Most corporate and municipal bond trades are small (i.e., 
less than $100,000), but small trades do not account for most of the 
dollar volume in these markets. See, e.g., Edwards, Amy K., Harris, 
Lawrence and Piwowar, Michael S., Corporate Bond Market Transaction 
Costs and Transparency, Journal of Finance, Vol. 62, No. 3 (June 
2007) and Lawrence E. Harris and Michael S. Piwowar, Secondary 
Trading Costs in the Municipal Bond Market, Journal of Finance (June 2006). An 
ATS that specializes in large trades may account for a small portion 
of the trades but a large portion of the dollar volume. Likewise, an 
ATS that specializes in small trades may account for a small portion 
of the dollar volume but a large portion of the trades. Therefore, a 
systems disruption, systems compliance issue, or systems intrusion 
in either of these ATS types could potentially disrupt a large 
portion of the market.
    As the Commission stated in the ATS Release, ``many of the same 
concerns about the trading of equity securities on alternative 
trading systems apply equally to the trading of fixed income 
securities on alternative trading systems. Specifically, it is 
important that markets with significant portions of the volume in 
particular instruments have adequate systems capacity, integrity, 
and security, regardless of whether those instruments are equity 
securities or debt securities. Similarly, as electronic systems for 
debt grow, it will become increasingly important for the fair 
operation of our markets for market participants to have fair access 
to significant market centers in debt securities. One of the 
consequences of the growing role of alternative trading systems in 
the securities markets generally is that debt securities are 
increasingly being traded on these systems, similar to the way 
equity securities are traded.'' See ATS Release, supra note 2, at 
70862.
---------------------------------------------------------------------------

    Using data from the first six months of 2012, the Commission 
believes that an ATS executing transactions in municipal securities at 
a level exceeding five percent of the average daily dollar volume 
traded in the United States would be executing trades at a level of at 
least approximately $550 million daily,\114\ and that an ATS executing 
transactions in municipal securities at a level exceeding five percent 
of the average daily transaction volume traded in the United States 
would be executing an average of at least approximately 1,900 
transactions daily.\115\ Based on data collected from Form ATS-R for 
the second quarter of 2012, the Commission preliminarily believes that 
currently no ATSs executing transactions in municipal securities would 
exceed the proposed average daily dollar volume threshold and fall 
within the definition of SCI entity pursuant to that proposed prong. 
ATSs are not required to report transaction volume data for municipal 
securities on Form ATS-R. However, based on discussions with industry 
sources, the Commission preliminarily believes that three ATSs 
executing transactions in municipal securities would likely exceed the 
proposed average daily transaction volume threshold.\116\ The 
Commission requests comment on the accuracy of these estimates.
---------------------------------------------------------------------------

    \114\ For the period of January 1, 2012 to June 30, 2012, the 
average daily dollar volume of trades was over $11 billion. See 
https://emma.msrb.org/marketactivity/ViewStatistics.aspx (accessed 
January 30, 2013). Five percent of this amount is approximately $550 
million.
    \115\ For the period of January 1, 2012 to June 30, 2012, the 
average daily transaction volume was approximately 39,000. See 
https://emma.msrb.org/marketactivity/ViewStatistics.aspx (accessed 
January 30, 2013). Five percent of this amount is approximately 
1,900 trades.
    \116\ See, e.g., the Commission's Report on the Municipal 
Securities Market, supra note 96 at n.715. The Commission 
preliminarily believes that the three ATSs that would likely exceed 
the proposed average daily transaction volume threshold for 
municipal securities are the same three ATSs that would likely 
exceed the corresponding threshold for corporate debt securities. 
See infra note 119.
---------------------------------------------------------------------------

    Using data from the first six months of 2012, the Commission 
believes that an ATS executing transactions in corporate debt at a 
level exceeding five percent of the average daily dollar volume traded 
in the United States would be executing trades at a level of at least 
approximately $900 million daily,\117\ and that an ATS executing 
transactions in corporate debt at a level exceeding five percent of the 
average daily transaction volume traded in the United States would be 
executing an average of at least approximately 2,100 transactions 
daily.\118\ Based on data collected from Form ATS-R for the second 
quarter of 2012, the Commission preliminarily believes that currently 
no ATSs executing transactions in corporate debt would exceed the 
proposed average daily dollar volume threshold and fall within the 
definition of SCI entity pursuant to that proposed prong. ATSs are not 
required to report transaction volume data for corporate debt on Form 
ATS-R. However, based on discussions with industry sources, the 
Commission preliminarily believes that three ATSs executing 
transactions in corporate debt would likely exceed the proposed average 
daily transaction volume threshold.\119\ The Commission requests 
comment on the accuracy of these estimates.
---------------------------------------------------------------------------

    \117\ For the period of January to June 2012, the average daily 
dollar volume was approximately $18 billion. Five percent of this 
amount is approximately $900 million. See U.S. Bond Market Trading 
Volume, available at: https://www.sifma.org/research/statistics.aspx.
    \118\ Source: Corporate bond transactions reported to TRACE from 
January through June 2012, excluding instruments subject to Rule 
144A and April 6, 2012 (short trading day).
    \119\ As noted above, the Commission preliminarily believes that 
the three ATSs that would likely exceed the proposed average daily 
transaction volume threshold for corporate debt securities are the 
same three ATSs that would likely exceed the corresponding threshold 
for municipal securities. See supra note 116.
---------------------------------------------------------------------------

    The Commission is proposing these numerical thresholds as a 
preliminary best estimate of when a market is of sufficient 
significance to the trading of the relevant asset class (i.e., NMS 
stocks, non-NMS stocks, municipal securities, and corporate debt 
securities) as to warrant the protections and obligations of proposed 
Regulation SCI. As noted 
above,\120\ the numerical thresholds in the definition of SCI ATS have 
not been derived from econometric or mathematical models. Instead, they 
reflect a preliminary assessment by the Commission, based on 
qualitative and some quantitative analysis, of the likely economic 
consequences of the specific quantitative thresholds proposed to be 
included in the definition. The Commission recognizes that there may 
reasonably be differing views as to what the threshold levels for 
inclusion should be and thus the Commission solicits comment on the 
appropriateness of the proposed threshold levels.
---------------------------------------------------------------------------

    \120\ See supra note 99.
---------------------------------------------------------------------------

    The Commission recognizes that it is proposing numerically higher 
thresholds for non-NMS stocks, municipal securities, and corporate debt 
securities as compared to NMS stocks (five percent, as compared to one 
percent in all NMS stocks). While the Commission preliminarily believes 
that similar concerns about the trading of NMS stocks on ATSs apply to 
the trading of non-NMS stocks and debt securities on ATSs (namely, that 
markets with significant portions of the volume in particular 
instruments have adequate systems capacity, integrity, resiliency, 
availability, and security), the Commission notes that it has 
traditionally provided special safeguards with regard to NMS stocks in 
its rulemaking efforts relating to market structure.\121\
---------------------------------------------------------------------------

    \121\ See, e.g., Regulation NMS, 17 CFR 242.600-612; Securities 
Exchange Act Release No. 51808 (June 9, 2005), 70 FR 27496 (June 29, 
2005).
---------------------------------------------------------------------------

    Further, in part due to the greater availability of, and reliance 
on, electronic trading for NMS stocks, the trading of such securities 
is generally more accessible to a wider range of investors and has 
resulted in increases in electronic trading volumes relative to 15 
years ago, as compared to other markets, such as the debt markets, 
which still largely rely on manual trading. Because the degree of 
automation and electronic trading is generally lower in markets that 
trade non-NMS stocks and debt securities than in the markets that trade 
NMS stocks, the Commission preliminarily believes that a systems issue 
at an SCI entity that trades non-NMS stocks or debt securities would 
not have as significant an impact as readily as a systems issue at an 
SCI entity that trades NMS stocks. Therefore, the Commission 
preliminarily believes there is less need in the markets for those 
securities for more stringent thresholds that would trigger the 
requirements of proposed Regulation SCI.\122\ For example, the most 
recent widely publicized issues involving systems problems and 
disruptions in the securities markets have generally all been related 
to NMS stocks.\123\ The Commission also believes that imposition of a 
threshold that is set too low in markets that lack automation could 
have the unintended effects of discouraging automation in these markets 
and discouraging new entrants into these markets. For these reasons, 
the Commission preliminarily believes that it is appropriate at this 
time to apply a different threshold to ATSs trading NMS stocks than 
those ATSs trading non-NMS stocks, municipal securities, and corporate 
debt securities.
---------------------------------------------------------------------------

    \122\ See also discussion in infra Section V.C.3.c.
    \123\ See, e.g., supra notes 61-66 and accompanying text.
---------------------------------------------------------------------------

    Under Proposed Rule 1000(a), the term ``plan processor'' would have 
the meaning set forth in Rule 600(b)(55) of Regulation NMS, which 
defines ``plan processor'' as ``any self-regulatory organization or 
securities information processor acting as an exclusive processor in 
connection with the development, implementation and/or operation of any 
facility contemplated by an effective national market system plan.'' 
\124\ As noted above, the ARP Inspection Program has developed to 
include the systems of the plan processors of the four current SCI 
Plans.\125\ Any entity selected as the processor of an SCI Plan is 
responsible for operating and maintaining computer and communications 
facilities for the receipt, processing, validating, and dissemination 
of quotation and/or last sale price information generated by the 
members of such plan.\126\ Although an entity selected as the processor 
of an SCI Plan acts on behalf of a committee of SROs, such entity is 
not required to be an SRO, nor is it required to be owned or operated 
by an SRO.\127\ The Commission believes, however, that the systems of 
such entities, because they deal with key market data, form the ``heart 
of the national market system,'' \128\ and should be subject to the 
same systems standards as SCI SROs, and proposes to include ``plan 
processors'' in the definition of SCI entity.\129\
---------------------------------------------------------------------------

    \124\ See 17 CFR 242.600(b)(55).
    \125\ See supra note 87, defining the term ``SCI Plan'' and 
discussing plan processors.
    \126\ See, e.g., CTA Plan Section V(d) and CQS Plan Section 
V(d), available at: https://www.nyxdata.com/cta; see also OPRA Plan, 
Section V, available at: https://www.opradata.com/pdf/opra_plan.pdf; 
and Nasdaq UTP Plan Section IV, available at: https://www.utpplan.com.
    \127\ Pursuant to Section 11A of the Exchange Act (15 U.S.C. 
78k-1), and Rule 609 of Regulation NMS thereunder (17 CFR 242.609), 
such entities, as ``exclusive processors,'' are required to register 
with the Commission as securities information processors on Form 
SIP. See 17 CFR 249.1001 (Form SIP, application for registration as 
a securities information processor or to amend such an application 
or registration).
    \128\ See Concept Release on Equity Market Structure, supra note 
42, at 3600 (quoting H.R. Rep. No. 94-229, 94th Cong., 1st Sess. 93 
(1975)).
    \129\ See supra note 87.
---------------------------------------------------------------------------

    Pursuant to its terms, each SCI Plan is required to periodically 
review its selection of its processor, and may in the future select a 
different processor for the SCI Plan than its current processor.\130\ 
The proposed inclusion of ``plan processors'' in the definition of SCI 
entity is designed to ensure that the processor for an SCI Plan, 
regardless of its identity, is independently subject to the 
requirements of proposed Regulation SCI. Thus, the proposed definition 
would cover any entity selected as the processor for a current or 
future SCI Plan.\131\ The Commission preliminarily believes that it is 
important for such plan processors to be subject to the requirements of 
proposed Regulation SCI because of the important role they serve in the 
national market system: Operating and maintaining computer and 
communications facilities for the receipt, processing, validating, and 
dissemination of quotation and/or last sale price information generated 
by the members of the plan.\132\
---------------------------------------------------------------------------

    \130\ See CTA Plan Section V(d) and CQS Plan Section V(d), 
available at: https://www.nyxdata.com/cta; OPRA Plan Section V, 
available at: https://www.opradata.com/pdf/opra_plan.pdf; and Nasdaq 
UTP Plan Section V, available at: https://www.utpplan.com.
    \131\ Currently, the Securities Industry Automation Corporation 
(``SIAC'') is the processor for the CTA Plan, CQS Plan, and OPRA 
Plan and Nasdaq is the processor for the Nasdaq UTP Plan. SIAC is 
wholly owned by NYSE Euronext. Both SIAC and Nasdaq are registered 
with the Commission as securities information processors, as 
required by Section 11A(b)(1) of the Exchange Act, 15 U.S.C. 78k-
1(b)(1), and in accordance with Rule 609 of Regulation NMS 
thereunder, 17 CFR 242.609. The Commission preliminarily believes 
that the proposed definition of plan processor also would include 
any entity selected and acting as exclusive processor of a future 
NMS plan, such as that contemplated by the Commission's rules to 
create a consolidated audit trail. See Securities Exchange Act Release No. 
67457 (July 18, 2012), 77 FR 45722 (August 1, 2012) (``Consolidated 
Audit Trail Adopting Release'').
    \132\ See supra note 126 and accompanying text.
---------------------------------------------------------------------------

    Under proposed Rule 1000(a), the term ``exempt clearing agency 
subject to ARP'' would mean ``an entity that has received from the 
Commission an exemption from registration as a clearing agency under 
Section 17A of the Act, and whose exemption contains conditions that 
relate to the Commission's Automation Review Policies, or any 
Commission regulation that supersedes or replaces such policies.'' This 
proposed definition of 
``exempt clearing agency subject to ARP'' presently would apply to one 
entity, Global Joint Venture Matching Services--US, LLC 
(``Omgeo'').\133\
---------------------------------------------------------------------------

    \133\ On April 17, 2001, the Commission issued an order granting 
Omgeo an exemption from registration as a clearing agency subject to 
certain conditions and limitations in order that Omgeo might offer 
electronic trade confirmation and central matching services. See 
Global Joint Venture Matching Services--US, LLC; Order Granting 
Exemption from Registration as a Clearing Agency, Securities 
Exchange Act Release No. 44188 (April 17, 2001), 66 FR 20494 (April 
23, 2001) (File No. 600-32) (``Omgeo Exemption Order''). Because the 
Commission granted it an exemption from clearing agency 
registration, Omgeo is not a self-regulatory organization. See id. 
at 20498, n.41.
---------------------------------------------------------------------------

    Among the operational conditions required by the Commission in the 
Omgeo Exemption Order were several that directly related to the ARP 
policy statements.\134\ For the same reasons that it required Omgeo to 
abide by the conditions relating to the ARP policy statements set forth 
in the Omgeo Exemption Order, the Commission preliminarily believes it 
would be appropriate that Omgeo (or any similarly situated exempt 
clearing agency) should be subject to the requirements of proposed 
Regulation SCI, and thus is proposing to include any ``exempt clearing 
agency subject to ARP'' as explained above, within the definition of 
SCI entity.\135\
---------------------------------------------------------------------------

    \134\ These conditions required Omgeo to, among other things: 
Provide the Commission with an audit report addressing all areas 
discussed in the Commission ARP policy statements; provide annual 
reports prepared by competent, independent audit personnel in 
accordance with the annual risk assessment of the areas set forth in 
the ARP policy statements; report all significant systems outages to 
the Commission; provide advance notice of any material changes made 
to its electronic trade confirmation and central matching services; 
and respond and require its service providers to respond to requests 
from the Commission for additional information relating to its 
electronic trade confirmation and central matching services, and 
provide access to the Commission to conduct inspections of its 
facilities, records and personnel related to such services. See id.
    \135\ In the Omgeo Exemption Order, the Commission stated that, 
``[b]ecause these conditions are designed to promote 
interoperability, the Commission intends to require substantially 
the same conditions of other Central Matching Services that obtain 
an exemption from registration as a clearing agency.'' See id.
---------------------------------------------------------------------------

Request for Comment
    1. The Commission requests comment generally on the proposed 
definition of SCI entity and its constituent parts. Do commenters 
believe that entities of the type that would satisfy the proposed 
definition of SCI entity play significant roles in the U.S. securities 
markets such that they should be subject to proposed Regulation SCI? 
Why or why not?
    2. Do commenters believe the scope of the proposed definition of 
SCI SRO is appropriate? Does the proposed definition of SCI SRO include 
types of entities that should not be subject to the proposed 
requirements, or exclude types of entities that should be subject to 
the proposed requirements? If so, please identify such types of 
entities and explain why they should or should not be included in the 
definition of SCI entity or SCI SRO. Should the definition of ``SCI 
self-regulatory organization'' include exchanges notice-registered with 
the Commission pursuant to 15 U.S.C. 78f(g) or a limited purpose 
national securities association registered with the Commission pursuant 
to 15 U.S.C. 78o-3(k)? Do commenters believe that it is appropriate to 
defer to the CFTC regarding the systems compliance and integrity of 
such entities? Why or why not?
    3. Do commenters believe that the proposed definition of ``SCI 
alternative trading system'' is appropriate? Why or why not? Do 
commenters believe that the proposed volume thresholds for the 
different asset classes under the proposed definition of SCI ATS are 
appropriate? Specifically, are the proposed average daily dollar volume 
thresholds of five percent or more in any NMS stock and 0.25 percent or 
more in all NMS stocks, or one percent or more in all NMS stocks, 
appropriate? Would higher or lower daily dollar volume thresholds for 
NMS stocks be more appropriate? \136\ Please explain and provide data 
in support. Alternatively, would a different threshold measurement be 
more appropriate (e.g., transaction volume, share volume, etc.)? If so, 
which and at what threshold level? \137\ Please explain and provide 
data in support.
---------------------------------------------------------------------------

    \136\ For example, based on data from FINRA's Order Audit Trail 
System, if the threshold were instead to be set at five percent or 
more in any NMS stock and 0.5 percent or more in all NMS stocks, the 
Commission preliminarily estimates that approximately nine ATSs 
would satisfy the thresholds, accounting for approximately 84 
percent of the dollar-volume market share of all ATSs trading NMS 
stocks (i.e., not including NMS stocks traded on SROs). If the 
threshold were instead to be set at five percent or more in any NMS 
stock and one percent or more in all NMS stocks, the Commission 
preliminarily estimates that approximately three ATSs would satisfy 
the thresholds, accounting for approximately 38 percent of the 
market share. Further, if the threshold were instead to be set at 
0.25 percent in all NMS stocks, the Commission preliminarily 
estimates that approximately ten ATSs would satisfy the threshold. 
If the threshold were instead to be set at 0.5 percent in all NMS 
stocks, the Commission preliminarily estimates that approximately 
nine ATSs would satisfy the threshold.
    \137\ For example, based on data collected from Form ATS-R for 
the second quarter of 2012 and consolidated NMS stock share volume 
from the first six months of 2012, if the threshold were instead to 
be set at 0.25 percent of average daily NMS stock consolidated share 
volume, the Commission preliminarily estimates that approximately 15 
ATSs would satisfy the threshold, accounting for approximately 14 
percent of the total average daily consolidated share volume. If the 
threshold were instead to be set at 0.5 percent of average daily NMS 
stock consolidated share volume, the Commission preliminarily 
estimates that approximately 12 ATSs would satisfy the threshold, 
accounting for approximately 13 percent of the total average daily 
consolidated share volume. If the threshold were instead to be set 
at one percent of average daily NMS stock consolidated share volume, 
the Commission preliminarily estimates that approximately 6 ATSs 
would satisfy the threshold, accounting for approximately nine 
percent of the total average daily consolidated share volume. Based 
on consolidated NMS stock share volume from the first six months of 
2012, the Commission estimates that the equity securities exchanges 
with the smallest volume each account for approximately 0.2 percent 
to 0.4 percent of the total average daily consolidated share volume.
---------------------------------------------------------------------------

    4. The Commission notes that, unlike the threshold levels 
applicable to NMS stocks currently in Rule 301(b)(6) of Regulation ATS, 
the proposed thresholds for NMS stocks are based on average daily 
dollar volume in an individual NMS stock and/or all NMS stocks. Do 
commenters believe that these are appropriate standards? Why or why 
not? If not, what should be the appropriate standard, and why? Do 
commenters believe the proposed thresholds of five percent or more in 
any NMS stock and 0.25 percent or more in all NMS stocks would prevent 
a situation in which an ATS that has a large volume in one NMS stock 
and little volume in other NMS stocks would be covered by proposed 
Regulation SCI? How common is it for an ATS to trade illiquid NMS 
stocks without also trading more liquid NMS stocks? Please provide any 
data relevant to this question.
    5. Should the SCI ATS thresholds be triggered only with respect to 
certain NMS stocks, for example, only with respect to the most liquid 
NMS stocks? If so, how should the Commission define the ``most liquid'' 
NMS stocks? For example, should the thresholds be triggered only for 
the 500 most liquid NMS stocks? The 100 most liquid NMS stocks? Another 
amount? Why or why not? Please describe your reasoning. Further, what 
would be the appropriate threshold measurement (e.g., average daily 
share volume, average daily dollar volume, or another measurement)? 
Please explain.
    6. Is the proposed five percent threshold level appropriate for 
non-NMS stocks, municipal securities (approximately $550 million in 
daily dollar volume or 1,900 in daily transaction volume based on data 
from the first six months of 2012), and corporate debt securities 
(approximately $900 million in daily dollar volume or 2,100 in daily 
transaction volume based 
on data from the first six months of 2012)? Why or why not? Please 
explain and provide data in support. If not, what should be the 
appropriate thresholds and why?
    7. As with NMS stocks, the proposed five percent thresholds for 
non-NMS stocks are to be calculated by reference to daily dollar 
volume, though the proposed threshold would only be with reference to 
all such stocks (as opposed to average daily dollar volume in 
individual NMS stocks and/or all NMS stocks). Do commenters believe 
that this is the appropriate standard for non-NMS stocks? Why or why 
not?
    8. Do commenters agree with the Commission's assessment that there 
is less automation among markets that trade non-NMS stocks, municipal 
securities, and corporate debt securities as compared to markets that 
trade NMS stocks? Why or why not? What is the current level of 
automation in these markets?
    9. Do commenters believe that there should be different thresholds 
for NMS stocks than non-NMS stocks, municipal securities, and corporate 
debt securities? Why or why not? Do commenters believe that the 
proposed two-pronged thresholds are appropriate for municipal 
securities and corporate debt securities? Why or why not? Would the 
proposed two-pronged approach be relevant or appropriate for securities 
other than municipal and corporate debt securities? Why or why not?
    10. Do commenters believe that the Commission's estimates of the 
current number of ATSs that would meet the proposed thresholds are 
accurate? Why or why not? If not, please provide any data or estimates 
that commenters believe would more accurately reflect the number of 
ATSs that would meet the proposed thresholds.
    11. The Commission is also considering whether it should instead 
adopt a definition for SCI ATS that is based solely on a single type of 
threshold measurement (such as average daily dollar volume), which 
would be simpler and provide consistency across different asset 
classes, rather than the differing types of threshold tests for NMS 
stocks, non-NMS stocks, municipal securities, and corporate debt 
securities currently proposed. In particular, the Commission is 
considering whether it would be appropriate to solely use a threshold 
based on a percentage of average daily dollar volume for all asset 
classes. Would a threshold based on a percentage of average daily 
dollar volume be an appropriate single measure that the Commission 
should use for all asset classes (i.e., NMS stocks, non-NMS stocks, 
municipal securities, and corporate debt securities) within the 
definition of SCI ATS? Why or why not? If so, would it be appropriate 
for the Commission to adopt the same dollar volume threshold 
measurement that applies for all of the asset classes? Why or why not? 
Please explain. If so, what would be an appropriate threshold 
measurement? For example, would five percent of the asset class's total 
average daily dollar volume be appropriate? Should the measurement be 
higher or lower? Please be specific and explain. Or, rather than a 
threshold measurement that is based on a percentage of the asset 
class's total average daily dollar volume, would a fixed average daily 
dollar volume threshold, such as $500 million, be appropriate? If so, 
should such a threshold be higher or lower than $500 million? Why or 
why not? Should such a fixed dollar threshold be different for 
different asset classes? Why or why not? If so, what should such 
thresholds be for each asset class? Please be specific. What are the 
advantages and disadvantages of a percentage-based threshold versus a 
fixed dollar threshold? Please explain.
    12. Would it be appropriate for the Commission to adopt a single 
dollar volume threshold measurement that applies across all asset 
classes? For example, if an ATS trades both municipal securities and 
corporate debt securities, should its trading volume in both asset 
classes be aggregated to determine whether it exceeded the threshold 
measurement? Why or why not?
    13. The proposed SCI ATS thresholds are to be calculated by 
reference to executions ``during at least four of the preceding six 
calendar months,'' the measurement period and method that is currently 
used in Regulation ATS. Do commenters believe this is the appropriate 
time frame and method to be included in Regulation SCI? Why or why not? 
If not, is there a more appropriate approach? If so, what should it be 
and why?
    14. With respect to calculating the proposed thresholds for 
securities other than NMS stocks (i.e., non-NMS stocks, municipal 
securities, and corporate debt securities), would ATSs have available 
appropriate data with which to determine whether the proposed 
thresholds have been met? FINRA, through its OTC Reporting Facility and 
its Trade Reporting and Compliance Engine (``TRACE'') \138\ facility, 
collects data on transactions in non-NMS stocks and corporate debt 
securities, and the MSRB collects data on transactions in municipal 
securities. Do commenters believe that FINRA, the MSRB, or another 
appropriate entity should be required to disseminate data in a format 
and frequency sufficient to enable ATSs to determine if they have met 
the proposed thresholds? Is there another mechanism or structure that 
could provide data in a format and frequency sufficient to enable ATSs 
to determine whether the proposed thresholds have been met? Please 
explain.
---------------------------------------------------------------------------

    \138\ TRACE is an automated system that, among other things, 
accommodates reporting and dissemination of transaction reports for 
over-the-counter secondary market transactions in eligible fixed 
income securities, in accordance with the FINRA Rule 6700 series.
---------------------------------------------------------------------------

    15. Are there ATSs or types of ATSs that would satisfy the proposed 
definition of SCI ATS that commenters believe should not be subject to 
proposed Regulation SCI? If so, please explain. Are there ATSs or types 
of ATSs that would not satisfy the proposed definition of SCI ATS that 
commenters believe should be subject to proposed Regulation SCI? If so, 
please explain. For example, should ATSs that execute transactions in 
U.S. treasuries and/or repurchase agreements be subject to proposed 
Regulation SCI? Why or why not? If a parent company owns multiple ATSs 
for a given asset class (e.g., NMS stocks), should the trading volumes 
of these ATSs be aggregated for purposes of determining whether the 
ATSs exceed the proposed thresholds? Why or why not? If so, how should 
such aggregation work? What are the advantages or disadvantages of such 
an approach? Please explain.
    16. Do commenters believe that, for purposes of Regulation SCI, the 
proposed definition of plan processor is appropriate? Why or why not? 
Is it appropriate to limit the definition of plan processor to entities 
within the meaning of plan processor in Rule 600(b)(55) of Regulation 
NMS? Why or why not? Do commenters believe the proposed definition is 
sufficiently clear? Are there any other entities similar to the plan 
processors of SCI Plans that commenters believe should be made subject 
to the requirements of proposed Regulation SCI? If so, please describe 
and explain why.
    17. Do commenters believe that the proposed definition of ``exempt 
clearing agency subject to ARP'' is appropriate? Why or why not? Are 
there other exempt clearing agencies that should be included in the 
proposed definition of SCI entity? Why or why not? Is it appropriate to 
limit the definition of SCI entity with respect to exempt clearing 
agencies to those with exemptions that
contain conditions that relate to the Commission's Automation Review 
Policies or any Commission regulation that supersedes or replaces such 
policies? Why or why not?
    18. What are the current practices of the proposed SCI entities 
with respect to the subject matter covered by the ARP policy 
statements? How many of them have practices that are consistent with 
ARP? How do they differ? Please be specific.
2. Definition of SCI Systems and SCI Security Systems
    The Commission is proposing that Regulation SCI cover the systems 
of SCI entities, which would include both SCI systems and, where 
applicable, SCI security systems. Proposed Rule 1000(a) would define 
the term ``SCI systems'' to mean ``all computer, network, electronic, 
technical, automated, or similar systems of, or operated by or on 
behalf of, an SCI entity, whether in production, development, or 
testing, that directly support trading, clearance and settlement, order 
routing, market data, regulation, or surveillance,'' and the term ``SCI 
security systems'' to mean ``any systems that share network resources 
with SCI systems that, if breached, would be reasonably likely to pose 
a security threat to SCI systems.''
    Thus, for purposes of all of the provisions of proposed Regulation 
SCI, the proposed definition of SCI systems would cover all systems of 
an SCI entity that directly support trading, clearance and settlement, 
order routing, market data, regulation, and surveillance. In addition, 
the proposed definition of SCI security systems is designed to cover 
other types of systems if they share network resources with SCI systems 
and, if breached, would be reasonably likely to pose a security threat 
to SCI systems. Unlike SCI systems, only certain provisions of proposed 
Regulation SCI would apply to SCI security systems.\139\
---------------------------------------------------------------------------

    \139\ Specifically, under proposed Rule 1000(a), SCI security 
systems are included in the proposed definitions of ``material 
systems change,'' ``responsible SCI personnel,'' ``SCI review,'' and 
``systems intrusion.'' For purposes of security standards, proposed 
Rule 1000(b)(1) would also apply to SCI security systems. In 
addition, with respect to systems intrusions, proposed Rules 
1000(b)(3)-(5) would apply to SCI security systems. Further, because 
of the definitions of material systems change and SCI review, 
proposed Rules 1000(b)(6) and (7) would apply to SCI security 
systems. Finally, proposed Rules 1000(c) and (f), relating to 
recordkeeping and access, respectively, would apply to SCI security 
systems.
---------------------------------------------------------------------------

    The Commission preliminarily believes that the proposed definition 
of SCI systems would reach those systems traditionally considered to be 
core to the functioning of the U.S. securities markets, namely trading, 
clearance and settlement, order routing, market data, regulation, and 
surveillance systems.\140\ The proposed definition would also apply to, 
for example, such systems of exchange-affiliated routing brokers that 
are facilities of national securities exchanges or such systems 
operated on behalf of national securities exchanges. It would also 
apply to regulatory systems,\141\ including systems for the regulation 
of the over-the-counter market, systems used to carry out regulatory 
services agreements, and similar future systems, including the 
Consolidated Audit Trail repository.\142\ In addition, if an SCI entity 
contracts with a third party to operate its systems (such as those that 
use execution algorithms) on behalf of the SCI entity, such systems 
would also be covered by the proposed definition of SCI systems if they 
directly support trading, clearance and settlement, order routing, 
market data, regulation, or surveillance. Therefore, systems covered by 
the proposed definition of SCI systems would not be limited only to 
those owned by the SCI entity, but also could include those operated by 
or on behalf of the SCI entity.
---------------------------------------------------------------------------

    \140\ See ARP I, supra note 1.
    \141\ SCI entities that are obligated to comply with Section 31 
of the Exchange Act (15 U.S.C. 78ee), and Rule 31 thereunder (17 CFR 
240.31), employ various systems to generate, process, transmit, or 
store electronic messages related to securities transactions. Such 
systems may include matching engines, transaction data repositories, 
trade reporting systems, and clearing databases.
    \142\ See Consolidated Audit Trail Adopting Release, supra note 
131.
---------------------------------------------------------------------------

    Based on Commission staff's experience with the ARP Inspection 
Program, the Commission believes that some SCI systems of SCI entities 
may in some cases be highly interconnected with SCI security systems 
because the SCI systems and SCI security systems share network 
resources. As a result, the Commission is concerned that a security 
issue or systems intrusion with respect to SCI security systems would 
be reasonably likely to cause an SCI event with respect to SCI systems. 
Because certain SCI security systems of an SCI entity may present 
likely vulnerable entry points to an SCI entity's network, the 
Commission preliminarily believes that it is important that the 
provisions of proposed Regulation SCI relating to security standards 
and systems intrusions apply to SCI security systems.\143\
---------------------------------------------------------------------------

    \143\ See supra note 139.
---------------------------------------------------------------------------

    The proposed definition of SCI security systems does not identify 
the types of systems that would be covered, but rather describes them 
in terms of their connectivity and potential ability to undermine the 
integrity of SCI systems. However, examples of SCI security systems 
that could be highly interconnected with SCI systems and therefore be 
reasonably likely to pose a threat to SCI systems may include systems 
pertaining to corporate operations (e.g., systems that support web-
based services, administrative services, electronic filing, email 
capability and intranet sites, as well as financial and accounting 
systems) that are typically accessed by an array of users (e.g., 
employees or executives of the SCI entity) authorized to view non-
public information. In certain cases, such systems would likely offer 
insight into the vulnerabilities of an SCI entity if they were, for 
example, accessed by a hacker. The Commission is concerned that the 
breach of such systems would likely lead to disruption of an SCI 
entity's general operations and, ultimately, its market-related 
activities. Similarly, systems by which an SCI entity provides a 
service to issuers, participants, or clients (e.g., transaction 
services, infrastructure services, and data services) may be accessed 
by employees or other representatives of the issuer, participant, or 
client organization, and may, in some instances, provide a point of 
access (and thus share network resources) to an SCI entity's SCI 
systems. Accordingly, the Commission is proposing that the term SCI 
security systems include any systems that share network resources with 
SCI systems that, if breached, would be reasonably likely to pose a 
security threat to SCI systems, but only for the limited provisions of 
proposed Regulation SCI noted above.\144\
---------------------------------------------------------------------------

    \144\ See id.
---------------------------------------------------------------------------

    In light of the above concerns, the proposed definitions of SCI 
systems and SCI security systems together are intended to reach all of 
the systems that would be reasonably likely to impact an SCI entity's 
operational capability and the maintenance of fair and orderly markets, 
rather than reaching solely SCI systems. Because of the dependence of 
today's securities markets on highly sophisticated electronic trading 
and other technology, including complex regulatory and surveillance 
systems, as well as systems relating to clearance and settlement, the 
provision of market data, and order routing, the Commission 
preliminarily believes that the proposed definitions of SCI systems and 
SCI security systems are appropriate to help ensure the capacity, 
integrity, resiliency, availability, and security of an SCI entity's 
systems.
Request for Comment
    19. The Commission requests comment generally on the proposed 
definitions of SCI systems and SCI security systems.
    20. Do commenters believe that the proposed definitions 
appropriately capture the scope of systems of SCI entities that would 
be reasonably likely to impact the protection of investors and the 
maintenance of fair and orderly markets? Specifically, do the proposed 
definitions of SCI systems and SCI security systems capture the 
components of the critical systems infrastructure of SCI entities in a 
comprehensive manner? Are the proposed definitions sufficiently clear?
    21. Are there any systems of SCI entities that should be included 
but would not be captured by the proposed definitions? Please explain. 
Are there any systems of SCI entities that should be excluded from the 
proposed definitions? Please explain.
    22. By including in the proposed definition of ``SCI systems'' 
those systems operated ``on behalf of'' an SCI entity, systems operated 
by a third party under contract from an SCI entity and systems operated 
by affiliates of an SCI entity that are utilized by such SCI entity 
would also be included in the proposed definition of SCI systems. Do 
commenters agree that such systems should be included? Please explain. 
Should the requirements under proposed Regulation SCI apply differently 
to systems that are operated on behalf of an SCI entity? Why or why 
not? Please explain.
    23. Do commenters agree with the proposal to distinguish between 
SCI systems and SCI security systems for purposes of triggering the 
various provisions of proposed Regulation SCI? For example, are the 
requirements that would apply to SCI security systems appropriate? Why 
or why not? If not, which requirements of proposed Regulation SCI 
should apply to SCI security systems and why? Should the requirements 
under proposed Regulation SCI apply differently to different types of 
systems, as proposed? Or, should SCI security systems be subject to all 
of the requirements of proposed Regulation SCI? Why or why not?
    24. Alternatively, should SCI security systems be excluded entirely 
from the application of proposed Regulation SCI? Why or why not? The 
Commission is proposing its approach to distinguish between SCI systems 
and SCI security systems because it preliminarily believes that the 
interconnected nature of technology infrastructure today creates the 
potential for systems other than SCI systems to expose vulnerable 
points of entry that could lead to a security breach or intrusion into 
SCI systems. In light of this potential, the Commission is proposing, 
as discussed further below, that the following provisions of proposed 
Regulation SCI apply to the SCI security systems of an SCI entity: (1) 
For purposes only of the policies and procedures relating to systems 
security, proposed Rule 1000(b)(1) would apply to its SCI security 
systems; (2) proposed Rules 1000(b)(3)-(5) (relating to SCI events and 
taking corrective action, Commission notification, and dissemination of 
information to members or participants, respectively) would apply to 
SCI security systems only with respect to systems intrusions; and (3) 
proposed Rule 1000(b)(6) would require an SCI entity to report a 
material systems change in an SCI security system only to the extent 
that it materially affects the security of such system.\145\
---------------------------------------------------------------------------

    \145\ See infra Sections III.C.1, III.C.3, and III.C.4. In 
addition, the scope of the applicability of proposed Rules 
1000(b)(7), 1000(b)(8), and 1000(c)-(f) to SCI security systems 
would be determined by the provisions of the proposed Rules 
1000(b)(1), and (3)-(6). See infra Sections III.C.5, III.C.6, and D.
---------------------------------------------------------------------------

    25. The goal of this proposed approach is to ensure that SCI 
systems, as the core systems of an SCI entity, are adequately secure 
and protected from systems intrusions. However, the Commission 
recognizes that there may be alternative ways to achieve this goal, 
including those that do not extend the scope of the proposed rule 
beyond the core systems that are defined as ``SCI systems,'' and that 
focus the Commission's oversight on those systems. For example, one 
alternative would be to limit the scope of the proposed rule to SCI 
systems, but clarify that policies and procedures reasonably designed 
to ensure that SCI systems have adequate levels of security necessarily 
would require an assessment of security vulnerabilities created by 
other systems that share network resources with SCI systems, and 
appropriate steps to address those vulnerabilities. Specifically, under 
such an alternative, the defined term ``SCI security systems,'' and all 
references to them and any associated obligations, would be eliminated 
from the proposed rule text described herein, and clarifying guidance 
would be provided with respect to the security of SCI systems as noted 
above. With such an alternative, consideration also would need to be 
given to whether or not an SCI entity should notify the Commission (and 
potentially its members or participants) of a systems intrusion with 
respect to these non-SCI systems, or a systems change that materially 
impacts the security of such systems. Accordingly, the Commission 
solicits commenters' views on this or any other potential alternative 
approaches that would not include a definition of SCI security systems 
within the scope of the proposed rule.
    26. If the Commission were to determine to eliminate the proposed 
definition of SCI security systems from proposed Regulation SCI, what 
would be the likely effect of such elimination on the ability of 
proposed Regulation SCI to ensure that SCI systems are adequately 
secure and protected from systems intrusions? Please explain. 
Specifically, if the Commission eliminated the proposed definition of 
SCI security systems from proposed Regulation SCI, and its direct 
oversight of systems that share network resources with SCI systems, 
would the Commission's ability to assure adequate security for SCI 
systems be materially weakened? Why or why not? Would such an 
alternative reduce compliance burdens for SCI entities, and improve the 
efficiency of Commission oversight without materially undermining its 
effectiveness?
    27. If the Commission were to determine to eliminate the proposed 
definition of SCI security systems from proposed Regulation SCI, would 
it be appropriate, for example, for the Commission to interpret the 
requirement of proposed Rule 1000(b)(1) that would require an SCI 
entity to have ``policies and procedures reasonably designed to ensure 
that its SCI systems have levels of * * * security * * * adequate to 
maintain the SCI entity's operational capability and promote the 
maintenance of fair and orderly markets'' to require that an SCI 
entity's SCI systems be protected from security threats by other 
systems with which they share network resources? Why or why not? Please 
explain.
    28. If the Commission were to determine to eliminate the proposed 
definition of SCI security systems from proposed Regulation SCI, should 
the Commission still require an SCI entity to report to the Commission 
an intrusion into any system (and not just SCI systems) of an SCI 
entity? Why or why not? If the Commission were to determine to 
eliminate the proposed definition of SCI security systems from proposed 
Regulation SCI, should the Commission require an SCI entity to notify 
members and participants of an intrusion into any system of an SCI 
entity? Why or why not? If the Commission were to determine to 
eliminate the proposed definition of SCI
security systems from proposed Regulation SCI, are there any other 
changes to the rule that would be appropriate? What are they, and why 
would they be appropriate? Please describe in detail.
3. SCI Events
    Pursuant to the current ARP policy statements and Regulation ATS, a 
key element of the ARP Inspection Program has been to encourage ARP 
participants to notify Commission staff of significant systems 
disruptions so that the staff can work with the affected entity to help 
ensure that the disruption is addressed promptly and effectively, and 
that appropriate steps are taken to reduce the likelihood of future 
problems. Commission staff has previously sought to provide guidance 
and clarification on what should be considered a ``significant system 
outage'' for purposes of reports to Commission staff. Specifically, in 
the 2001 Staff ARP Interpretive Letter, Commission staff provided 
examples of situations for which an outage is deemed significant and 
thus should be reported.\146\ The examples listed in that letter 
included: (1) Outages resulting in a failure to maintain any service 
level agreements or constraints; (2) disruptions of normal operations, 
e.g., switchover to back-up equipment with zero hope of near-term 
recovery of primary hardware; (3) the loss of use of any system; (4) 
the loss of transactions; (5) outages resulting in excessive back-ups 
or delays in processing; (6) the loss of ability to disseminate vital 
information; (7) outage situations communicated to other external 
entities; (8) events that are (or will be) reported or referred to the 
entity's board of directors or senior management; (9) events that 
threaten systems operations even though systems operations are not 
disrupted; for example, events that cause the entity to implement a 
contingency plan; and (10) the queuing of data between system 
components or queuing of messages to or from customers of such duration 
that a customer's usual and customary service delivery is 
affected.\147\
---------------------------------------------------------------------------

    \146\ See 2001 Staff ARP Interpretive Letter, supra note 35.
    \147\ See id.
---------------------------------------------------------------------------

    The Commission believes that guidance in the 2001 Staff ARP 
Interpretive Letter regarding what constitutes a significant systems 
outage has been useful over the years to the entities that received the 
2001 Staff ARP Interpretive Letter, but understands that Commission 
action in this area would help SROs and other entities by providing 
definitive guidance through a formal rulemaking process that includes 
notice and comment. Furthermore, the Commission believes the term 
``significant systems outage'' in plain usage denotes a category of 
systems problems that is considerably narrower than those the 
Commission believes could pose risks to the securities markets and 
market participants. Therefore, the Commission proposes to specify the 
types of events that would be required to be reported to the Commission 
and the types of systems problems that would trigger notice 
requirements on the part of an SCI entity. Specifically, the Commission 
is proposing to define the term ``SCI event'' in Rule 1000(a) as ``an 
event at an SCI entity that constitutes: (1) A systems disruption; (2) 
a systems compliance issue; or (3) a systems intrusion.'' As discussed 
in detail below, the proposed rule would define each of these terms 
used in the proposed definition of SCI event.
a. Systems Disruption
    The Commission proposes that the term ``systems disruption'' be 
defined to mean ``an event in an SCI entity's SCI systems that results 
in: (1) A failure to maintain service level agreements or constraints; 
(2) a disruption of normal operations, including switchover to back-up 
equipment with near-term recovery of primary hardware unlikely; (3) a 
loss of use of any such system; (4) a loss of transaction or clearance 
and settlement data; (5) significant back-ups or delays in processing; 
(6) a significant diminution of ability to disseminate timely and 
accurate market data; or (7) a queuing of data between system 
components or queuing of messages to or from customers of such duration 
that normal service delivery is affected.'' The proposed definition is 
similar, but not identical, to the definition of ``significant systems 
outage'' in the 2001 Staff ARP Interpretive Letter.\148\
---------------------------------------------------------------------------

    \148\ See supra note 35. The Commission believes that the term 
``systems disruption'' is a more appropriate term to describe the 
types of events captured within the proposed definition and thus is 
proposing to use the term ``systems disruption,'' rather than the 
term ``systems outage,'' the term used in the ARP Inspection 
Program.
---------------------------------------------------------------------------

    As proposed, a systems disruption would be an event in an SCI 
entity's SCI systems that manifests itself as a problem measured by 
reference to one or more of seven elements. The first proposed element, 
a failure to maintain service level agreements or constraints, is 
unchanged from the 2001 Staff ARP Interpretive Letter. This would 
include, for example, a failure or inability of the SCI entity to honor 
its contractual obligations to provide a specified level or speed of 
service to users of its SCI systems. A trading market could, for 
example, contract to maintain its trading system without delays over a 
specific threshold, e.g., 100 milliseconds, and its failure to honor 
that obligation would thus be a systems disruption.
    The second proposed element, ``a disruption of normal operations, 
including switchover to back-up equipment with near-term recovery of 
primary hardware unlikely'' differs from the element in the 2001 Staff 
ARP Interpretive Letter (disruption of normal operations, e.g., 
switchover to back-up equipment with zero hope of near-term recovery of 
primary hardware). This modification is intended to convey that the 
Commission preliminarily believes that an SCI entity should be required 
to notify Commission staff of an SCI systems problem that involves a 
switchover to backup equipment, even if a determination that no 
recovery is possible has not been made because the probability that 
such switchover may continue indefinitely is significant. The 
Commission also intends that this proposed element, a ``disruption of 
normal operations,'' would capture problems with SCI systems such as 
programming errors, testing errors, systems failures, or if a system 
release is backed out after it is implemented in production.
    The third proposed element, ``a loss of use of any such system,'' 
is unchanged from the 2001 Staff ARP Interpretive Letter and would 
cover situations in which an SCI system is broken, offline, or 
otherwise out of commission. For example, the Commission intends that a 
failure of primary trading or clearance and settlement systems, even if 
immediately replaced by backup systems without any disruption to normal 
operations, would be covered under this third proposed element. The 
Commission preliminarily believes the language of the fourth proposed 
element, ``a loss of transaction or clearance and settlement data,'' is 
more precise than the language in the 2001 Staff ARP Interpretive 
Letter, which lists ``loss of transactions'' as an example of a systems 
outage.
    Similarly, the language of the fifth and sixth proposed elements is 
intended to be more precise than the comparable language in the fifth 
and sixth examples enumerated in the 2001 Staff ARP Interpretive 
Letter. The Commission is not at this time proposing to quantify what 
would constitute a ``significant back-up or delay in processing'' or a 
``significant diminution of ability to disseminate timely and accurate 
market data'' because it preliminarily believes that the varying 
circumstances that
could give rise to such events, and the range of SCI systems 
potentially impacted, make precise quantification impractical.\149\ 
These proposed elements are intended to include, for example, 
circumstances in which a problem with an SCI system results in a 
slowdown or disruption of operations that would adversely affect 
customers, impair quotation or price transparency, or impair accurate 
and timely regulatory reporting. Instances in which message traffic is 
throttled (i.e., slowed) by an SCI entity for any market participant, 
without a corresponding provision in the SCI entity's rules, user 
agreements, or governing documents, as applicable, would also be 
covered here.\150\ Further, the Commission preliminarily believes that 
if customers or systems users, for example, have complained or inquired 
about a slowdown or disruption of operations, including, for example, a 
slowdown or disruption in their receipt of market data, then such 
circumstance would be indicative of a problem at an SCI entity that 
results in ``significant back-ups or delays in processing'' or a 
``significant diminution of ability to disseminate timely and accurate 
market data,'' that should be considered a ``systems disruption.'' The 
fifth and sixth elements of the proposed definition of systems 
disruption are also intended to cover the entry, processing, or 
transmission of erroneous or inaccurate orders, trades, price-reports, 
other information in the securities markets or clearance and settlement 
systems, or any other significant deterioration in the transmission of 
market data in an accurate, timely, and efficient manner. For example, 
it is possible that an SCI system of an SCI entity that disseminates 
market data could, as a result of a programming or testing error in 
another system of the SCI entity, be overwhelmed with erroneous market 
data to such an extent that the SCI entity's SCI systems are no longer 
able to disseminate market data in a timely and accurate manner.
---------------------------------------------------------------------------

    \149\ The Commission is, however, soliciting comment on whether 
it would be appropriate to adopt quantitative criteria in connection 
with the definition of ``systems disruption.''
    \150\ However, if an SCI entity's rules or governing documents 
provided for such throttling in specified scenarios as a part of 
normal operations, such throttling would not be covered as such a 
situation would not represent an unexpected back-up or delay in 
processing but rather would be part of the SCI entity's normal 
operation.
---------------------------------------------------------------------------

    Finally, the seventh proposed element, ``a queuing of data between 
system components or queuing of messages to or from customers of such 
duration that normal service delivery is affected,'' is proposed to be 
included because the Commission preliminarily believes that queuing of 
data between system components of SCI systems is often a warning signal 
of significant disruption of normal system operations.
    Although the 2001 Staff ARP Interpretive Letter lists ``a report or 
referral of an event to the entity's board of directors or senior 
management'' and ``an outage situation communicated to other external 
entities'' as examples of a significant systems outage, the Commission 
is not proposing to include such reports or communications in the 
definition of systems disruption because it preliminarily believes 
these examples are more likely to be indicia of whether information 
about a systems disruption or other systems problem warrants 
dissemination to the SCI entity's members or participants.\151\ 
Further, although the 2001 Staff ARP Interpretive Letter lists ``a 
serious threat to systems operations even though systems operations are 
not disrupted'' as an example of a significant systems outage, the 
Commission has not included that example as an element in the proposed 
definition of systems disruption because it preliminarily believes that 
such a threat would more likely be indicative of a systems intrusion or 
systems compliance issue.\152\
---------------------------------------------------------------------------

    \151\ See infra Section III.B.4.d, discussing whether an SCI 
event is a ``dissemination SCI event.''
    \152\ See infra Sections III.B.3.b and III.B.3.c, discussing the 
proposed definition of systems compliance issue and systems 
intrusion, respectively.
---------------------------------------------------------------------------

Request for Comment
    29. The Commission requests comment generally on the proposed 
definition of ``systems disruption.'' Do commenters believe that it is 
appropriate to limit the proposed definition of ``systems disruption'' 
to SCI systems? Why or why not? Do commenters believe the proposed 
definition of ``systems disruption'' is too broad? Why or why not? 
Please explain.
    30. Do commenters believe that there should be minimum thresholds 
associated with the circumstances specified in any elements of the 
proposed definition of systems disruption--e.g., quantitative criteria 
describing when an event fitting the description of one of the elements 
of the proposed definition would meet the definition of SCI event? If 
so, what should such minimum thresholds be and to which elements of the 
definition of ``systems disruption'' should such minimum thresholds 
apply? Please explain. Should systems disruptions affecting different 
types of SCI systems be treated differently? For example, should 
trading systems have different quantitative criteria than systems 
dedicated to surveillance? Please be specific with respect to which 
categories of SCI systems might deserve different treatment, and what 
such quantitative criteria might be and why.
    31. Do commenters believe the term ``transaction or clearance and 
settlement data,'' as used in paragraph (4) of the proposed definition 
of ``systems disruption,'' is appropriate? Why or why not? Should other 
types of data be included, in addition to transaction and clearance and 
settlement data? For example, should customer account data, regulatory 
data, and/or audit trail data be included? Why or why not?
    32. Do commenters believe that there should be exceptions to the 
proposed definition of systems disruption? If so, what should such 
exceptions be and why? For example, should the proposed definition of 
systems disruption include a de minimis exception? If so, what types of 
systems problems should be considered de minimis and what criteria 
should be used to determine whether a systems problem is de minimis? 
Should the proposed definition of systems disruption include a 
materiality threshold? If so, what types of systems problems should be 
considered material and what criteria should be used to determine 
whether a systems problem is material? Should the definition of systems 
disruption exclude regular planned outages occurring during the normal 
course of business?
    33. Should the proposed definition be expanded, narrowed, or 
otherwise modified in any way? For example, should the proposed 
definition include quantitative criteria that establish a minimum 
deviation from normal performance levels, such as a tenfold increase or 
greater in latency for queuing of data, for an event to be considered 
an SCI event? Would a minimum deviation of 100 milliseconds from normal 
system performance levels be an appropriate indication of system 
degradation? Or, would a larger or smaller deviation be more 
appropriate? Why or why not? For example, would the choice of a 
specific threshold help to balance the tradeoff between the costs of 
over-reporting systems disruptions and the costs of failing to report 
systems disruptions that could lead to significant negative 
consequences? Should different quantitative criteria be used across 
different SCI systems? For example, a limited pause in the operations 
of a clearing system may not raise the same issues as a similar pause 
in the operation of a market data feed. If commenters believe that 
different criteria should be maintained, please be specific and provide 
examples of what
the appropriate minimum deviations should be for such systems.
    34. Are there other types of circumstances that should be included 
that are not part of the proposed definition? If so, please describe 
and explain. For example, if an SCI SRO or SCI ATS suspects a 
technology error originating from a third party (such as an SCI SRO's 
member firm or an SCI ATS's subscriber) that has the potential to 
disrupt the market, should that type of discovery be included in the 
definition of systems disruption? Why or why not? Is there additional 
guidance that commenters would find helpful to determine whether an 
event would meet the proposed definition of systems disruption?
    35. How often do SCI entities currently experience systems 
disruptions?
b. Systems Compliance Issue
    The Commission proposes that the term ``systems compliance issue'' 
be defined as ``an event at an SCI entity that has caused any SCI 
system of such entity to operate in a manner that does not comply with 
the federal securities laws and rules and regulations thereunder or the 
entity's rules or governing documents, as applicable.'' \153\ 
Circumstances covered by the proposed definition would include, for 
example, situations in which a lack of communication between an SCI 
SRO's information technology staff and its legal or regulatory staff 
regarding SCI systems design or requisite regulatory approvals resulted 
in one or more SCI systems operating in a manner not in compliance with 
the SCI SRO's rules and, thus, in a manner other than how the users of 
the SCI SRO's SCI systems, as well as market participants generally, 
have been informed that such systems would operate. Another example of 
a systems compliance issue could arise when a change to an SCI system 
is made by information technology staff that results in the system 
operating in a manner that fails to comply with the federal securities 
laws and rules thereunder.
---------------------------------------------------------------------------

    \153\ As discussed in infra Section III.C.2, one of the elements 
of the safe harbor in proposed Rule 1000(b)(2)(ii)(A) would require 
that an SCI entity establish policies and procedures that provide 
for ongoing monitoring of SCI systems functionality to detect 
whether SCI systems are operating in the manner intended. This 
element would require that each SCI entity establish parameters for 
detection of a systems compliance issue, and is not intended to 
suggest one set of parameters for all SCI entities.
---------------------------------------------------------------------------

    The phrase ``operate in a manner that does not comply with * * * 
the entity's rules or governing documents'' would mean that an SCI 
entity is operating in a manner that does not comply with the entity's 
applicable rules and other documents, whether or not filed with the 
Commission. Generally, such rules or other documents are made available 
to the public and/or to members, clients, users, and/or participants in 
the SCI entity.\154\ Specifically, for an SCI SRO, this phrase would 
include operating in a manner that does not comply with the SCI SRO's 
rules as defined in the Exchange Act and the rules thereunder.\155\ For 
a plan processor, this phrase would include operating in a manner that 
does not comply with an applicable effective national market system 
plan. For an SCI ATS or exempt clearing agency subject to ARP, this 
phrase would include operating in a manner that does not comply with 
documents such as subscriber agreements and any rules provided to 
subscribers and users and, for ATSs, described in their Form ATS 
filings with the Commission.\156\
---------------------------------------------------------------------------

    \154\ For example, each SCI SRO is required to publish its rules 
on its publicly available Web site. See 15 U.S.C. 78s(b)(2)(E). Each 
plan processor is also required to post amendments to its national 
market system plan on its Web site. See 17 CFR 242.608. Subscriber 
agreements and other similar documents that govern operations of SCI 
ATSs and exempt clearing agencies subject to ARP are generally not 
publicly available, but are provided to subscribers and users of 
such entities.
    \155\ The rules of an SCI SRO are defined in Sections 3(a)(27) 
and (28) of the Exchange Act to include, among other things, its 
constitution, articles of incorporation, and bylaws. See 15 U.S.C. 
78c(a)(27)-(28). See also Exchange Act Rule 19b-4(c), 17 CFR 
240.19b-4(c).
    \156\ See 17 CFR 242.301(b) for a description of the filing 
requirements for ATSs.
---------------------------------------------------------------------------

Request for Comment
    36. The Commission requests comment generally on the proposed 
definition of ``systems compliance issue.'' Do commenters believe it 
would be appropriate to define ``systems compliance issue'' to mean any 
instance in which an SCI system operates in a manner that does not 
comply with the federal securities laws and rules and regulations 
thereunder, or the entity's rules or governing documents, as 
applicable? Why or why not? If the proposed definition is not 
appropriate, what would be an appropriate definition? Do commenters 
believe that it is appropriate to limit the proposed definition of 
``systems compliance issue'' to SCI systems? Why or why not? Please 
explain.
    37. Do commenters believe that there should be exceptions to the 
proposed definition of systems compliance issue? If so, what should 
such exceptions be and why? For example, should the proposed definition 
of systems compliance issue include a de minimis exception? If so, what 
types of systems compliance issues should be considered de minimis and 
what criteria should be used to determine whether a systems compliance 
issue is de minimis? Should the proposed definition of systems 
compliance issue include a materiality threshold? If so, what types of 
systems compliance issues should be considered material and what 
criteria should be used to determine whether a systems compliance issue 
is material?
    38. Do commenters believe other types of documents or agreements 
should be included in the definition? If so, please specify the types 
of documents or agreements and explain why.
    39. How often do SCI entities currently experience systems 
compliance issues?
c. Systems Intrusion
    The Commission proposes that ``systems intrusion'' be defined as 
``any unauthorized entry into the SCI systems or SCI security systems 
of an SCI entity.'' The proposed definition is intended to cover all 
unauthorized entry into SCI systems or SCI security systems by 
outsiders, employees, or agents of the SCI entity, regardless of 
whether the intrusions were part of a cyber attack, potential criminal 
activity, or other unauthorized attempt to retrieve, manipulate or 
destroy data, or access or disrupt systems of SCI entities. The 
proposed definition of systems intrusion would cover the introduction 
of malware or other attempts to disrupt SCI systems or SCI security 
systems of SCI entities provided that such systems were actually 
breached. In addition, the proposed definition is intended to cover 
unauthorized access, whether intentional or inadvertent, by employees 
or agents of the SCI entity that result from weaknesses in the SCI 
entity's access controls and/or procedures. The proposed definition 
would not, however, cover unsuccessful attempts at unauthorized entry. 
An unsuccessful systems intrusion by definition is much less likely 
than a successful intrusion to disrupt the systems of an SCI entity. 
Moreover, because it is impossible to prevent attempted intrusions, the 
Commission preliminarily believes at this time that the focus of this 
aspect of proposed Regulation SCI should be on successful unauthorized 
entry.
Request for Comment
    40. The Commission requests comment generally on the proposed 
definition of ``systems intrusion.'' Is the proposed definition 
sufficiently clear? If not, why not? Do commenters believe that it is 
appropriate to apply the proposed definition of ``systems
intrusion'' to both SCI systems and SCI security systems? Why or why 
not? Please explain.
    41. Do commenters believe it is appropriate to exclude from the 
proposed definition of systems intrusion an attempted intrusion that 
did not breach systems or networks? Why or why not? Should significant, 
sophisticated, repeated, and/or attempted intrusions, even if 
unsuccessful, be included? Why or why not? If yes, please explain what 
categories of attempted intrusions should be covered by the proposed 
rule and why.
    42. Should the proposed definition of systems intrusion be expanded 
to include the unauthorized use or unintended release of information or 
data, for example, by an employee or agent of an SCI entity? Why or why 
not? If so, should the definition be limited to the unauthorized use of 
non-public or confidential information or should it apply to any 
unauthorized use of information or data? The Commission recognizes that 
including in the definition all instances of unauthorized use or 
unintended release of information or data may be broad and solicits 
comment generally on how the definition might be more narrowly defined 
to encompass those types of events that commenters believe would be 
appropriate to be included in proposed Regulation SCI.
    43. How often do SCI entities currently experience known systems 
intrusions or known attempted systems intrusions?
d. Dissemination SCI Events
    The Commission proposes that the term ``dissemination SCI event'' 
be defined as ``an SCI event that is a: (1) Systems compliance issue; 
(2) systems intrusion; or (3) systems disruption that results, or the 
SCI entity reasonably estimates would result, in significant harm or 
loss to market participants.'' \157\
---------------------------------------------------------------------------

    \157\ See proposed Rule 1000(a).
---------------------------------------------------------------------------

    As discussed below in Section III.C.3, proposed Rule 1000(b)(5) 
includes requirements for disseminating information regarding certain 
SCI events to members or participants.\158\ Specifically, only 
information relating to dissemination SCI events would be required to 
be disseminated to members or participants pursuant to proposed Rule 
1000(b)(5).\159\ The Commission recognizes that public disclosure of 
each and every systems issue (such as very brief outages or minor 
disruptions of normal systems operations where the effects on trading, 
market data, and clearance and settlement are immaterial) could be 
counterproductive, potentially overwhelming the public with 
information, masking significant issues that might arise, and thus 
preliminarily believes that requiring the dissemination of information 
about dissemination SCI events to members or participants would promote 
dissemination of information to persons who are most directly affected 
by such events and who would most naturally need, want, and be able to 
act on the information, without creating a separate regulatory standard 
governing when broader public disclosure should be made.
---------------------------------------------------------------------------

    \158\ Proposed Rule 1000(b)(5) would require the dissemination 
of specified information relating to dissemination SCI events and 
specify the nature and timing of such dissemination, with a delay in 
dissemination permitted for certain systems intrusions. See infra 
Section III.C.3.c.
    \159\ See infra note 235.
---------------------------------------------------------------------------

    In the case of a dissemination SCI event, the Commission 
preliminarily believes that dissemination to members or participants of 
the nature of the event and the steps being taken to remedy it would be 
necessary to help ensure that potentially impacted market participants, 
and others that might be evaluating whether to use the affected 
systems, have basic information about the event so that they might be 
able to better assess what, if any, next steps they might deem prudent 
to take in light of the event.\160\
---------------------------------------------------------------------------

    \160\ However, as discussed below, the Commission recognizes 
that, in the case of systems intrusions, there may be circumstances 
in which full prompt dissemination of information to members or 
participants of a systems intrusion could hinder an investigation 
into such an intrusion or an SCI entity's ability to mitigate it. As 
such, the Commission is proposing that dissemination of information 
for certain systems intrusions could be delayed in specified 
circumstances. Specifically, the Commission is proposing that an SCI 
entity disseminate information about a systems intrusion to its 
members or participants, unless the SCI entity determines that 
dissemination of such information would likely compromise the 
security of the SCI entity's SCI systems or SCI security systems, or 
an investigation of the systems intrusion, and documents the reasons 
for such determination. See proposed Rule 1000(b)(5)(ii) and text 
accompanying infra note 174. The Commission preliminarily believes, 
however, that an SCI entity should ultimately disseminate 
information regarding systems intrusions, and that the provisions of 
proposed Rule 1000(b)(5)(ii) permitting a delay in dissemination, if 
applicable, should only affect the timing of such dissemination.
    The Commission notes that some Roundtable panelists and 
commenters discussed the role that communications and disclosure 
should play in mitigation of risk from systems issues. For example, 
panelists from Citadel, DE, Nasdaq, Lime, and TDA, among others, 
spoke about the role of communications and management involvement in 
responding to errors. See discussion of Roundtable, supra Section 
I.D. See also text accompanying infra note 238.
---------------------------------------------------------------------------

    Proposed Rule 1000(a) specifies three categories of SCI events that 
would constitute a dissemination SCI event. First, any SCI event that 
is a systems compliance issue would be a dissemination SCI event.\161\ 
The Commission preliminarily believes that, if an SCI entity's SCI 
systems were operating in a manner not in compliance with the federal 
securities laws and rules and regulations thereunder, or the entity's 
rules or governing documents, as applicable, the SCI entity should be 
required to disseminate that information to all members or 
participants, i.e., the users of its SCI systems. In addition, because 
SCI entities that are SCI SROs or plan processors are required by the 
Exchange Act to comply with their rules, proposing to require 
dissemination of information about systems compliance issues to members 
or participants should help to reinforce this statutory obligation.
---------------------------------------------------------------------------

    \161\ See supra Section III.B.3.b, discussing the definition of 
``systems compliance issue.''
---------------------------------------------------------------------------

    Second, any SCI event that is a systems intrusion would also be a 
dissemination SCI event. The Commission preliminarily believes that a 
systems intrusion may represent a significant weakness in the security 
of an SCI entity's systems and thus warrant dissemination of 
information to an SCI entity's members or participants. However, 
because detailed information about a systems intrusion may expose an 
SCI entity's systems to further probing and attack, an SCI entity would 
only be required to provide a summary description of the systems 
intrusion, including a description of the corrective action taken by 
the SCI entity and when the systems intrusion has been or is expected 
to be resolved.\162\ In addition, because immediate dissemination of 
information about a systems intrusion may in some cases further 
compromise the security of the SCI entity's SCI systems or SCI security 
systems, or an investigation of the systems intrusion, an SCI entity in 
some cases may be permitted to delay the dissemination of information 
about such systems intrusion.\163\
---------------------------------------------------------------------------

    \162\ See infra Section III.C.3.c and proposed Rule 
1000(b)(5)(ii).
    \163\ See id.
---------------------------------------------------------------------------

    Finally, the Commission is proposing that any systems disruption 
that results, or the SCI entity reasonably estimates would result, in 
significant harm or loss to market participants would also be a 
dissemination SCI event. Some systems disruptions may have an 
immediate, obvious, and detrimental impact on market participants, 
hampering the ability of an SCI entity's members or participants to 
utilize the SCI entity's SCI systems and, in some cases, making
such systems unusable. At the same time, the Commission recognizes that 
disseminating information relating to a single systems disruption that 
results in harm or loss to one or a small number of market participants 
that is not significant may not warrant the cost of such dissemination. 
Furthermore, the Commission preliminarily believes that the proposed 
standard is appropriate in that it does not set a specific threshold or 
definition of ``significant harm or loss to market participants,'' and 
provides an SCI entity with reasonable discretion in estimating whether 
a given systems disruption has resulted, or would result, in 
significant harm or loss to market participants.\164\ Although the 
particular facts and circumstances will differ for each systems 
disruption, some systems disruptions would clearly result in 
significant harm or loss to market participants and warrant 
dissemination of information regarding such systems disruption to the 
SCI entity's members or participants, even if the harm or loss, or the 
potential harm or loss, is difficult to quantify. For example, if a 
market experiences a problem with a trading system such that order 
processing and execution in certain securities is halted and members 
are not able to confirm transactions in such securities, the Commission 
preliminarily believes that such a systems disruption would be a 
dissemination SCI event. In contrast, if a trading market or a clearing 
agency experienced a momentary power disruption causing a fail over to 
the backup data center with no customer, member, or participant impact, 
such SCI event would be a systems disruption requiring written notice 
to the Commission, but would not be a dissemination SCI event.
---------------------------------------------------------------------------

    \164\ The tradeoffs of setting thresholds are discussed in the 
Economic Analysis Section below. See infra Section V.B.
---------------------------------------------------------------------------

Request for Comment
    44. Do commenters believe the proposed definition of 
``dissemination SCI event'' is appropriate? Why or why not?
    45. Do commenters believe that a ``systems compliance issue'' 
should constitute a dissemination SCI event? Why or why not? Please 
explain.
    46. Do commenters believe that a ``systems intrusion'' should 
constitute a dissemination SCI event? Why or why not? Please explain.
    47. Do commenters believe that systems disruptions that meet the 
``significant harm or loss to market participants'' standard should be 
included as dissemination SCI events? Why or why not? If not, what 
would be an appropriate threshold, and how should it be measured? 
Should the term ``significant harm or loss to market participants'' be 
further clarified or defined in the rule? Why or why not? If so, what 
should such clarification or definition be and why?
    48. Would an alternative measurement, or group of alternative 
measurements, for systems disruptions, such as a 50 millisecond pause 
in service or some other nonmonetary measure (for example, out of 
memory situations, memory overloads, data loss due to an SCI system 
exceeding capacity limitations, excessive queuing or throttling), also 
be an appropriate and effective means to measure certain events about 
which an SCI entity should disseminate information to its members or 
participants? If so, what are they and why? Should any such 
measurements vary based on the type of SCI system involved? If so, how? 
Please be specific.
    49. Are there any other types of systems disruptions that should be 
required to be disseminated to members or participants? If so, please 
explain why. Should, for example, information relating to a systems 
disruption be required to be disseminated to members or participants 
if it affects a certain number of market participants? If so, how 
should such a level (number of market participants) be determined?
4. Material Systems Changes
    Rule 1000(a) of proposed Regulation SCI would define ``material 
systems change'' as ``a change to one or more: (1) SCI systems of an 
SCI entity that: (i) Materially affects the existing capacity, 
integrity, resiliency, availability, or security of such systems; (ii) 
relies upon materially new or different technology; (iii) provides a 
new material service or material function; or (iv) otherwise materially 
affects the operations of the SCI entity; or (2) SCI security systems 
of an SCI entity that materially affects the existing security of such 
systems.'' \165\ This proposed definition of ``material systems 
change'' is substantively similar to the definition of ``significant 
system change'' discussed in the ARP II Release.\166\
---------------------------------------------------------------------------

    \165\ See proposed Rule 1000(a). See also infra Sections III.C.4 
and III.C.6 discussing notices of material systems changes and 
reports of material systems changes, respectively.
    \166\ See ARP II Release, supra note 1, at 22592-93. See also 
2001 Staff ARP Interpretive Letter, supra note 35 (citing ARP II, 
supra note 1, at 22492-93: ``ARP II provides a non-exclusive list of 
factors that should be considered in determining whether a system 
change is significant and should be reported. The list includes a 
change that: (1) Affects existing capacity or security; (2) in 
itself raises capacity or security issues, even if it does not 
affect other existing systems; (3) relies upon substantially new or 
different technology; (4) is designed to provide a new service or 
function for SRO members or their customers; or (5) otherwise 
significantly affects the operations of the entity.'').
---------------------------------------------------------------------------

    Item (1)(i) of the proposed definition of material systems change 
differs from item (1) in the definition in the ARP II Release of 
``significant system change,'' as proposed item (1)(i) refers to 
changes to an SCI entity's SCI systems that affect not only capacity 
and security, but also integrity, resiliency, and availability.\167\ 
Items (1)(ii) and (1)(iii) in the proposed definition of material 
systems change are intended to be substantively identical to items (3) 
and (4) of the definition of significant system change in the 2001 
Staff ARP Interpretive Letter, generally covering changes to an SCI 
entity's SCI systems designed to advance systems development.\168\ 
Proposed item (1)(iv), covering a change to an SCI entity's SCI systems 
that ``otherwise materially affects the operations of the SCI entity,'' 
is intended to require notification of major systems changes to SCI 
systems that are not captured by other elements of paragraph (1) of the 
proposed definition. Proposed item (2), covering a change to an SCI 
entity's SCI security systems that ``materially affects the existing 
security of such systems,'' is intended to ensure that significant 
changes that would affect the security of an SCI entity's SCI security 
systems (i.e., systems that share network resources with SCI systems 
that, if breached, would be reasonably likely to pose a security threat 
to SCI systems) \169\ are reported to the Commission.
---------------------------------------------------------------------------

    \167\ Proposed item (1)(i) consolidates items (1) and (2) of the 
definition of material systems change in the 2001 Staff ARP 
Interpretive Letter. The Commission believes that the addition of 
integrity, resiliency, and availability aspects of SCI systems that 
are important in today's automated trading environments 
appropriately reflects the evolution of the types of systems issues 
since the 2001 Staff ARP Interpretive Letter.
    \168\ In addition, each of proposed items (1)(i) through 
(1)(iii) are changes that concern the adequacy of capacity 
estimates, testing, and security measures taken by an SCI entity, 
for which adequate procedures are required by proposed Rule 
1000(b)(1). See infra Section III.C.1.
    \169\ See supra Section III.B.2 (discussing definition of SCI 
security system).
---------------------------------------------------------------------------

    Examples that the Commission preliminarily believes could be 
included within the proposed definition of material systems change are: 
Major systems architecture changes; reconfigurations of systems that 
would cause a variance greater than five percent in throughput or 
storage; the introduction of new business functions or services; 
changes to external interfaces; changes that could increase 
susceptibility to major outages; changes that could increase risks to 
data

[[Page 18106]]

security; changes that were, or would be, reported to or referred to 
the entity's board of directors, a body performing a function similar 
to the board of directors, or senior management; and changes that could 
require allocation or use of significant resources. These examples are 
cited in the 2001 Staff ARP Interpretive Letter.\170\ Based on 
Commission staff's experience working with SROs that have relied on the 
guidance provided in the 2001 Staff ARP Interpretive Letter, the 
Commission preliminarily believes that such examples could continue to 
be relevant guidance to SCI SROs as well as to other SCI entities. In 
addition, the Commission preliminarily believes that any systems change 
occurring as a result of the discovery of an actual or potential 
systems compliance issue, as that term would be defined in proposed 
Rule 1000(a), would be material.
---------------------------------------------------------------------------

    \170\ See supra note 35.
---------------------------------------------------------------------------

    Based on its experience with SROs and other entities reporting 
significant systems changes in the context of the ARP Inspection 
Program, the Commission preliminarily believes that the proposed 
definition of material systems change is appropriate for all SCI 
entities. The Commission preliminarily believes that proposed items 
(1)(i)-(iv) and (2), which would cover changes affecting capacity 
estimates, security measures, the use of new technology and new 
functionality, could also highlight the need for SCI entities that are 
SROs, when applicable, to file a proposed rule change with the 
Commission under Section 19(b) of the Exchange Act and SCI entities 
that are SROs to file proposed amendments for SCI Plans under Rule 608 
of Regulation NMS.\171\ As the Commission noted in ARP II, the purpose 
of urging SROs to notify Commission staff of significant system changes 
was not to supplant or provide an alternative means for SROs to satisfy 
their obligations to file proposed rule changes as required by the 
Exchange Act.\172\ Rather, under ARP II, the Commission was primarily 
concerned with fulfilling its oversight responsibilities and was also 
interested in obtaining a full view and understanding of systems 
development at SROs.\173\ Likewise, the proposal to require an SCI 
entity to notify the Commission of material systems changes would not 
relieve an SCI SRO of any obligation it may have to file a proposed 
rule change, the participants of an SCI Plan to file a proposed 
amendment to such SCI Plan, or any other obligation any SCI entity may 
have under the Exchange Act or rules thereunder.\174\
---------------------------------------------------------------------------

    \171\ Section 19(b)(1) of the Exchange Act requires an SRO to 
file proposed rules and proposed rule changes with the Commission in 
accordance with rules prescribed by the Commission. See 15 U.S.C. 
78s(b)(1). Section 19(b)(1) further requires the Commission to 
solicit public comment on any proposed rule change filed by an SRO. 
See id. Rule 608(a)(1) of Regulation NMS under the Exchange Act, 17 
CFR 242.608(a)(1), permits ``self-regulatory organizations, acting 
jointly, [to] file a national market system plan or [to] propose an 
amendment to an effective national market system plan.'' Rule 608(b) 
of Regulation NMS, 17 CFR 242.608(b), requires the Commission to 
publish such proposed national market system plan or national market 
system plan amendment for notice and comment, and, in certain 
situations, approve such NMS plan or plan amendment before it may 
become effective.
    \172\ See ARP II, supra note 1, at 22493. ARP II explained that 
because the rule change process pursuant to Section 19(b) of the 
Exchange Act and Rule 19b-4 thereunder ``imposes shortened 
timeframes for action on proposed rule changes and because not all 
systems changes trigger the need for changes to rules of the SROs,'' 
the rule change process was not providing staff with timely and 
complete detail on various significant systems changes occurring at 
the SROs. The policy of urging SROs to provide timely and accurate 
information on systems changes was intended as an adjunct to, and 
not a substitution for the rule change process. See id.
    \173\ See id. at 22493-94, n. 20.
    \174\ See infra request for comment in Section III.C.1.b, 
wherein the Commission solicits comment on whether SCI SROs should 
be required to provide notice to their members of anticipated 
technology deployments prior to implementation and offer their 
members the opportunity to test anticipated technology deployments 
prior to implementation.
---------------------------------------------------------------------------

Request for Comment
    50. The Commission requests comment generally on the proposed 
definition of ``material systems change.'' Is the proposed definition 
of material systems change clear? Should the Commission provide 
additional guidance on, or further define what would constitute a 
``material systems change?'' Are there other factors that should be 
included? Please be specific and give examples of types of system 
changes that should be included in the proposed definition but 
currently are not.
    51. The Commission sets forth above examples of systems changes 
that it preliminarily believes could be included within the proposed 
definition of material systems change (i.e., major systems architecture 
changes; reconfigurations of systems that would cause a variance 
greater than five percent in throughput or storage; the introduction of 
new business functions or services; changes to external interfaces; 
changes that could increase susceptibility to major outages; changes 
that could increase risks to data security; changes that were, or would 
be, reported to or referred to the entity's board of directors, a body 
performing a function similar to the board of directors, or senior 
management; and changes that could require allocation or use of 
significant resources). Do commenters agree each of these examples 
could constitute material systems changes? Why or why not?
    52. Should any of the proposed factors be eliminated or refined? If 
so, please explain. Should material systems changes be defined to 
include cumulative systems changes over a specified period that might 
not otherwise qualify individually as a material systems change? For 
example, if systems changes (such as reconfigurations of systems that 
would cause a variance greater than five percent in throughput or 
storage) occurred that, on their own, each would not constitute a 
material systems change but, if grouped together with other similar or 
even identical changes (or, alternatively, that occurred repeatedly 
over a certain period of time such as a week or a month) could 
represent a material system change, should such changes together be 
considered a material systems change? If so, what would be the 
appropriate number of similar or identical systems changes that should 
be considered and/or what would be an appropriate time period to 
consider? Should all non-material systems changes count towards this 
threshold or should only non-material systems changes of the same or 
similar type count? Would cumulative changes over a week be an 
appropriate measurement period? Would a 30-day measurement period be 
appropriate? Should the period be longer or shorter? Please explain.
    53. Do commenters believe that a change to the SCI systems of an 
SCI entity that ``materially affects the existing capacity, integrity, 
resiliency, availability, or security of such systems'' should 
constitute a material systems change as proposed? Why or why not? 
Should a change with respect to any of the proposed characteristics of 
such systems (i.e., capacity, integrity, resiliency, availability, or 
security) be eliminated or modified? Should any be added? Please 
explain.
    54. Should a change to the SCI systems of an SCI entity that 
``relies upon materially new or different technology'' constitute a 
material systems change as proposed? Why or why not? Is the phrase 
``materially new or different'' sufficiently clear? If not, please 
explain.
    55. Should a change to an SCI entity's SCI systems that ``provides 
a new material service or material function'' constitute a material 
systems change as proposed? Why or why not? Is the phrase ``a new 
material service or

[[Page 18107]]

material function'' sufficiently clear? If not, please explain.
    56. Do commenters believe it is appropriate to include a change to 
an SCI entity's SCI systems that ``otherwise materially affects the 
operations of the SCI entity'' as proposed? Why or why not? Please 
explain.
    57. Do commenters believe that a change to the SCI security systems 
of an SCI entity that ``materially affects the existing security of 
such systems'' should constitute a material systems change as proposed? 
Why or why not? Please explain.
    58. Do commenters believe the rule should include quantitative 
criteria or other minimum thresholds for the effect of a change to an 
SCI entity's SCI systems or SCI security systems beyond which the 
Commission must be notified of the change? Why or why not? If so, what 
should such quantitative criteria or other minimum thresholds be and 
why?
    59. How often do SCI entities currently make material systems 
changes? How often do SCI SROs make material systems changes and what 
percentage of the time are such changes filed with the Commission as 
proposed rule changes under Section 19 of the Exchange Act?

C. Proposed Rule 1000(b): Obligations of SCI Entities

    Paragraph (b) of proposed Rule 1000 would set forth requirements 
that would apply to SCI entities relating to written policies and 
procedures, obligations with regard to corrective actions, reporting of 
SCI events to the Commission, dissemination of information relating to 
certain SCI events to members or participants, reporting of material 
systems changes, SCI reviews, and the participation of designated 
members or participants of SCI entities in testing the business 
continuity and disaster recovery plans of SCI entities.
1. Policies and Procedures To Safeguard Capacity, Integrity, 
Resiliency, Availability, and Security \175\
---------------------------------------------------------------------------

    \175\ See infra Sections IV.D.1.a and V.B for discussions 
related to current practices of SCI entities.
---------------------------------------------------------------------------

    Proposed Rule 1000(b)(1) would require each SCI entity to 
establish, maintain, and enforce written policies and procedures, 
reasonably designed to ensure that its SCI systems and, for purposes of 
security standards, SCI security systems, have levels of capacity, 
integrity, resiliency, availability, and security, adequate to maintain 
the SCI entity's operational capability and promote the maintenance of 
fair and orderly markets. Proposed Rule 1000(b)(1)(i) would further 
provide that such policies and procedures include, at a minimum: ``(A) 
The establishment of reasonable current and future capacity planning 
estimates; (B) periodic capacity stress tests of such systems to 
determine their ability to process transactions in an accurate, timely, 
and efficient manner; (C) a program to review and keep current systems 
development and testing methodology for such systems; (D) regular 
reviews and testing of such systems, including backup systems, to 
identify vulnerabilities pertaining to internal and external threats, 
physical hazards, and natural or manmade disasters; (E) business 
continuity and disaster recovery plans that include maintaining backup 
and recovery capabilities sufficiently resilient and geographically 
diverse to ensure next business day resumption of trading and two-hour 
resumption of clearance and settlement services following a wide-scale 
disruption; and (F) standards that result in such systems being 
designed, developed, tested, maintained, operated, and surveilled in a 
manner that facilitates the successful collection, processing, and 
dissemination of market data.'' \176\ Proposed Rule 1000(b)(1)(ii) 
would deem an SCI entity's policies and procedures required by proposed 
Rule 1000(b)(1) to be reasonably designed if they are consistent with 
SCI industry standards.\177\ In particular, for purposes of complying 
with proposed Rule 1000(b)(1), if an SCI entity has policies and 
procedures that are consistent with such SCI industry standards, as 
discussed further in Section III.C.1.b below, such policies and 
procedures would be deemed to be reasonably designed and thus the SCI 
entity would be in compliance with proposed Rule 1000(b)(1). In 
addition, under proposed Rule 1000(b)(1)(ii), compliance with the 
identified SCI industry standards would not be the exclusive means to 
comply with the requirements of proposed Rule 1000(b)(1).
---------------------------------------------------------------------------

    \176\ See proposed Rule 1000(b)(1)(i)(A)-(F).
    \177\ See infra Section III.C.1.b.
---------------------------------------------------------------------------

a. Proposed Rule 1000(b)(1)(i)
    Proposed Rule 1000(b)(1) would require that an SCI entity have 
policies and procedures that address items (i)(A)-(F) for its SCI 
systems and, for purposes of security standards, SCI security systems. 
Items (A)-(C) enumerated in proposed Rule 1000(b)(1)(i) are 
substantively the same as the requirements of Rule 301(b)(6)(ii)(A)-(C) 
of Regulation ATS, applicable to significant-volume alternative trading 
systems, and trace their origin to the ARP I Release.\178\ With respect 
to SCI systems and, as applicable, SCI security systems, proposed item 
(A), which would require an SCI entity to establish, maintain, and 
enforce policies and procedures for the establishment of reasonable 
current and future capacity planning estimates, and proposed item (B), 
which would require an SCI entity to establish, maintain, and enforce 
policies and procedures for periodic capacity stress tests of such 
systems, would help an SCI entity determine its systems' ability to 
process transactions in an accurate, timely, and efficient manner, and 
thereby help ensure market integrity. Proposed item (C), which would 
require an SCI entity to establish, maintain, and enforce policies and 
procedures that include a program to review and keep current systems 
development and testing methodology for such systems, would help ensure 
that the SCI entity continues to monitor and maintain systems capacity 
and availability.
---------------------------------------------------------------------------

    \178\ See 17 CFR 242.301(b)(6)(ii)(A)-(C); see also ARP I 
Release, supra note 1, at 48706-07.
---------------------------------------------------------------------------

    Proposed item (D), which would require an SCI entity to establish, 
maintain, and enforce policies and procedures to review and test 
regularly such systems, including backup systems, to identify 
vulnerabilities pertaining to internal and external threats, physical 
hazards, and natural or manmade disasters, would likewise assist an SCI 
entity in ascertaining whether its SCI systems and SCI security systems 
are and remain sufficiently secure and resilient. Unlike Rule 
301(b)(6)(ii)(D) of Regulation ATS, proposed item (D) includes 
``manmade disasters'' in the list of vulnerabilities an SCI entity 
would be required to consider and protect against. The Commission 
proposes to add ``manmade disasters'' to be clear that acts of 
terrorism and sabotage--threats that some SCI entities have faced in 
recent history \179\--are threats that an SCI entity must prepare for 
in reviewing and testing its systems and operations.
---------------------------------------------------------------------------

    \179\ See, e.g., supra note 61.
---------------------------------------------------------------------------

    Proposed items (B), (C), and (D) would each require, among other 
things, the establishment of policies and procedures relating to 
various aspects of systems testing, including capacity stress tests, 
testing methodology, and tests for systems vulnerabilities to internal 
and external threats, physical hazards, and natural or manmade 
disasters, respectively. The Commission preliminarily believes that, to 
help ensure an effective testing regime, such

[[Page 18108]]

policies and procedures would need to address when testing with 
members, participants, and other market participants would be 
appropriate.\180\
---------------------------------------------------------------------------

    \180\ See also the Commission's request for comment in infra 
Sections III.C.1.b and III.C.7, on whether proposed Regulation SCI 
should be more prescriptive regarding testing standards and 
requirements in light of comments on testing made by Roundtable 
panelists and commenters, and the closure of the national securities 
exchanges in the wake of Superstorm Sandy, as discussed in the text 
accompanying supra notes 78-83.
---------------------------------------------------------------------------

    Proposed item (E), which would require SCI entities to establish, 
maintain, and enforce policies and procedures for business continuity 
and disaster recovery plans, is substantially similar to a requirement 
in Rule 301(b)(6)(ii) of Regulation ATS and ARP I.\181\ However, 
proposed item (E) would further require SCI entities to have plans for 
maintaining backup and recovery capabilities sufficiently resilient and 
geographically diverse to ensure next business day resumption of 
trading and two-hour resumption of clearance and settlement services 
following a wide-scale disruption. The proposed resiliency and 
geographic diversity requirement is designed particularly to help 
ensure that an SCI entity would be able to continue operations from the 
backup site during a wide-scale disruption resulting from natural 
disasters, terrorist activity, or other significant events. For 
example, the Commission preliminarily believes that backup sites should 
not rely on the same infrastructure components (e.g., transportation, 
telecommunications, water supply, and electric power) used by the 
primary site.\182\ The proposed next business day trading resumption 
standard reflects the Commission's preliminary view that an SCI entity, 
being part of the critical infrastructure of the U.S. securities 
markets, should have plans to limit downtime caused by a wide-scale 
disruption to less than one business day.\183\ Likewise, the proposed 
two-hour resumption standard for clearance and settlement services, 
which traces its origin to the 2003 Interagency White Paper,\184\ 
reflects the Commission's preliminary view that an SCI entity that is a 
registered clearing agency or an ``exempt clearing agency subject to 
ARP'' should have contingency plans to avoid a scenario in which 
failure to settle transactions by the end of the day could present 
systemic risk to the markets.\185\
---------------------------------------------------------------------------

    \181\ See 17 CFR 242.301(b)(6)(ii)(E); ARP I Release, supra note 
1, at 48706.
    \182\ See 2003 Interagency White Paper, supra note 31.
     As discussed further below in Section III.C.1.b, proposed Rule 
1000(b)(1) would require an SCI entity to have policies and 
procedures that are ``reasonably designed'' and ``adequate to 
maintain [its] operational capability and promote the maintenance of 
fair and orderly markets.'' Proposed Rule 1000(b)(1)(i)(E) would 
require that such policies and procedures include ``business 
continuity and disaster recovery plans that include maintaining 
backup and recovery capabilities sufficiently resilient and 
geographically diverse,'' (emphasis added) to ensure next business 
day or two-hour resumption as applicable, following a wide-scale 
disruption. While ``sufficient'' geographic diversity would be a 
required element of reasonably designed business continuity and 
disaster recovery plans, the proposed rule does not specify any 
particular minimum distance or geographic location that would be 
necessary to achieve the requisite level of geographic diversity. 
Instead, the proposed rule focuses on the ability to achieve the 
goal of resuming business within the applicable time frame in the 
wake of a wide-scale disruption. As noted above, the Commission also 
preliminarily believes that an SCI entity should have a reasonable 
degree of flexibility to determine the precise nature and location 
of its backup site depending on the particular vulnerabilities 
associated with those sites, and the nature, size, technology, 
business model, and other aspects of its business.
    \183\ Standards with respect to resilient and geographically 
remote back-up sites and resumption of operations are discussed in 
the 2003 Interagency White Paper and the 2003 Policy Statement on 
Business Continuity Planning for Trading Markets, and these 
publications are proposed to be designated as industry standards in 
the context of contingency planning. See 2003 Interagency White 
Paper, supra note 31 and 2003 Policy Statement on Business 
Continuity Planning for Trading Markets, supra note 32.
     In addition, the 2003 Policy Statement on Business Continuity 
Planning for Trading Markets urged SRO markets and ECNs to ``have a 
business continuity plan that anticipates the resumption of trading 
* * * no later than the next business day following a wide-scale 
disruption.'' See supra note 32, at 56658.
    \184\ See supra note 31. See also infra note 195, discussing 
further the 2003 Interagency White Paper.
    \185\ The Commission believes that all clearing agencies that 
would be subject to proposed Regulation SCI (i.e., all of the 
registered clearing agencies and the current ``exempt clearing 
agency subject to ARP'') currently strive to adhere to this 
standard.
---------------------------------------------------------------------------

    Proposed item (F) would require SCI entities to have standards that 
result in systems being designed, developed, tested, maintained, 
operated, and surveilled in a manner that facilitates the successful 
collection, processing, and dissemination of market data. As the 
Commission previously noted, when Congress mandated a national market 
system in 1975, it emphasized that the systems for collecting and 
distributing consolidated market data would ``form the heart of the 
national market system.'' \186\ As a result of consolidated market 
data, the public has ready access to a comprehensive, accurate, and 
reliable source of information for the prices and volume of any NMS 
stock at any time during the trading day.\187\ This information helps 
to ensure that the public is aware of the best displayed prices for a 
stock, no matter where they may arise in the national market 
system.\188\ It also enables investors to monitor the prices at which 
their orders are executed and assess whether their orders received best 
execution.\189\ Further, as noted above, one of the findings of the May 
6 Staff Report is that ``fair and orderly markets require that the 
standards for robust, accessible, and timely market data be set quite 
high.'' \190\ The Commission believes that the accurate, timely and 
efficient processing of data is similarly important to the proper 
functioning of the securities markets. For example, if a clearing 
agency were not able to process data accurately, settlements could 
potentially be impacted. Similarly, if an exchange does not process 
trades accurately, erroneous executions could occur.
---------------------------------------------------------------------------

    \186\ See Concept Release on Equity Market Structure, supra note 
42, at 3600 (quoting H.R. Rep. No. 94-229, 94th Cong., 1st Sess. 93 
(1975)).
    \187\ See id.
    \188\ See id.
    \189\ See id. The benefits of consolidated market data discussed 
here are true for the options markets as well.
    \190\ See May 6 Staff Report, supra note 56, at 8.
---------------------------------------------------------------------------

    Consistent with these goals and Congress's statement, proposed item 
(F) would be a new requirement that has no precedent in either Rule 
301(b)(6) of Regulation ATS or the ARP policy statements and would 
require SCI entities to have ``standards that result in such systems 
being designed, developed, tested, maintained, operated, and surveilled 
in a manner that facilitates the successful collection, processing, and 
dissemination of market data.'' \191\ The Commission preliminarily 
believes that proposed item (F) would assist an SCI entity in ensuring 
that its market data systems are designed to maintain market integrity.
---------------------------------------------------------------------------

    \191\ This proposed requirement is consistent with Rule 603(a) 
of Regulation NMS, which states that any ``* * * broker or dealer 
with respect to information for which it is the exclusive source, 
that distributes information with respect to quotations for or 
transactions in an NMS stock to a securities information processor 
shall do so on terms that are fair and reasonable.'' In adopting 
Regulation NMS, the Commission stated that Rule 603(a) ``prohibits 
an SRO or broker-dealer from transmitting data to a vendor or user 
any sooner than it transmits the data to a Network processor.'' Rule 
603(a) by its terms applies only to NMS stocks. See supra note 121. 
See also 17 CFR 242.603(a).
---------------------------------------------------------------------------

b. Proposed Rule 1000(b)(1)(ii)
    Proposed Rule 1000(b)(1) would generally require that each SCI 
entity's policies and procedures be reasonably designed to ensure that 
its SCI systems and, for purposes of security standards, SCI security 
systems, ``have levels of capacity, integrity, resiliency, 
availability, and security, adequate to maintain the SCI entity's 
operational capability and promote the maintenance

[[Page 18109]]

of fair and orderly markets.'' As discussed above, proposed Rule 
1000(b)(1)(i) would also require that an SCI entity have policies and 
procedures that address items (A)-(F). The Commission notes that SCI 
entities that are ARP participants have been applying the ARP I 
principles underlying proposed Rule 1000(b)(1)(i)(A)-(F) for many 
years. However, while the items enumerated in proposed Rule 
1000(b)(1)(i)(A)-(F) identify the areas that would be required to be 
addressed by an SCI entity's policies and procedures, the Commission is 
not proposing to prescribe the specific policies and procedures an SCI 
entity must follow to comply with the requirements of proposed Rule 
1000(b)(1). Instead, the Commission intends to, and preliminarily 
believes that the proposed requirements as written would, provide SCI 
entities sufficient flexibility, based on the nature, size, technology, 
business model, and other aspects of their business, to identify 
appropriate policies and procedures that would meet the articulated 
standard, namely that they be reasonably designed to ensure that their 
systems have levels of capacity, integrity, resiliency, availability, 
and security adequate to maintain the SCI entity's operational 
capability and promote the maintenance of fair and orderly markets. 
However, the Commission also preliminarily believes that it would be 
helpful to SCI entities to provide additional guidance about one way in 
which they might elect to satisfy this general standard in proposed 
Rule 1000(b)(1). Therefore, the Commission is proposing Rule 
1000(b)(1)(ii), which would provide that, for purposes of complying 
with proposed Rule 1000(b)(1), an SCI entity's policies and procedures 
would be deemed to be reasonably designed, and thus satisfy the 
requirements of proposed Rule 1000(b)(1), if they are consistent with 
current SCI industry standards. Proposed Rule 1000(b)(1)(ii) further 
states that such SCI industry standards shall be: (A) comprised of 
information technology practices that are widely available for free to 
information technology professionals in the financial sector; and (B) 
issued by an authoritative body that is a U.S. governmental entity or 
agency, association of U.S. governmental entities or agencies, or 
widely recognized organization. Proposed Rule 1000(b)(1)(ii) would 
additionally provide that compliance with the SCI industry standards 
identified in the proposal would not be the exclusive means to comply 
with the requirements of paragraph (b)(1). As noted above, the 
Commission intends to, and preliminarily believes that the proposed 
requirements as written would, provide SCI entities sufficient 
flexibility, based on the nature, size, technology, business model, and 
other aspects of their business, to identify appropriate policies and 
procedures to comply with proposed Rule 1000(b)(1).
    The Commission is proposing this approach because it preliminarily 
believes that providing additional guidance on the types of industry 
standards that would satisfy the requirements of proposed Rule 
1000(b)(1) could assist an SCI entity in determining how to best 
allocate resources to maintain its systems' operational capability, and 
promote the maintenance of fair and orderly markets.\192\ The 
Commission acknowledges that current industry standards applicable to 
SCI entities have been developed in a number of areas to help ensure 
that systems have adequate capacity, integrity, resiliency, 
availability, and security. Accordingly, the current SCI industry 
standards that would be deemed to be reasonably designed for purposes 
of proposed Rule 1000(b)(1) are not limited to the SCI industry 
standards discussed and contained in the publications identified in 
Table A below, but rather may be found in a variety of publications, 
issued by a range of sources. The Commission acknowledges that an SCI 
entity's choice of a current SCI industry standard in a given domain or 
subcategory thereof may be different than those contained in the 
publications identified in Table A. Further, some of the identified 
standards may be more relevant for some SCI entities than others, based 
on the nature and amount of their respective activities. Thus, the 
Commission's proposed approach is designed to provide a non-exclusive 
method of compliance.
---------------------------------------------------------------------------

    \192\ See infra Sections V.B and V.C, discussing market failures 
and the anticipated economic benefits of proposed Regulation SCI. 
Each SCI entity, to the extent it seeks to rely on SCI industry 
standards in complying with proposed Rule 1000(b)(1), would have 
discretion to identify those industry standards that provide an 
appropriate way for it to comply with the requirements set forth in 
the rule, given its technology, business model, and other factors.
---------------------------------------------------------------------------

    The Commission preliminarily believes that the publications set 
forth in Table A below \193\ contain examples of SCI industry standards 
that an SCI entity may elect to look to in establishing its policies 
and procedures under proposed Rule 1000(b)(1). However, as proposed 
Rule 1000(b)(1)(ii) makes clear, compliance with such current SCI 
industry standards would not be the exclusive means to comply with the 
requirements of proposed Rule 1000(b)(1). Thus, as proposed, written 
policies and procedures that are consistent with the relevant examples 
of SCI industry standards contained in the publications identified in 
Table A, would be deemed to be ``reasonably designed'' for purposes of 
proposed Rule 1000(b)(1). The publications identified in Table A cover 
nine inspection areas, or ``domains,'' that have evolved over the past 
20 years of the ARP Inspection Program and that are relevant to SCI 
entities' systems capacity, integrity, resiliency, availability, and 
security, namely: Application controls; capacity planning; computer 
operations and production environment controls; contingency planning; 
information security and networking; audit; outsourcing; physical 
security; and systems development methodology.
---------------------------------------------------------------------------

    \193\ Each of these publications would meet the proposed 
criteria that they be: (i) Information technology practices that are 
widely available for free to information technology professionals in 
the financial sector; and (ii) issued by an authoritative body that 
is a U.S. governmental entity or agency, association of U.S. 
governmental entities or agencies, or widely recognized 
organization. See proposed Rule 1000(b)(1)(ii).
---------------------------------------------------------------------------

    The publications included in Table A set forth industry standards 
that the Commission understands are currently used by information 
technology and audit professionals in the financial and government 
sectors. These industry standards have been issued primarily by NIST 
and FFIEC. NIST, an agency within the U.S. Department of Commerce, has 
issued special publications regarding information technology systems. 
The FFIEC is a U.S. intergovernmental body that prescribes uniform 
principles and practices for the examination of certain financial 
institutions by U.S. regulators, and has issued publications on 
numerous topics, including development and acquisition of applications, 
computer operations, outsourcing technology, business continuity 
planning, information security, and internal audits.\194\ In addition 
to these standards issued by FFIEC and NIST, financial regulatory 
agencies, including the Commission, provided guidance on business 
continuity and disaster recovery plans 
in the 2003 Interagency White Paper \195\ and the 2003 Policy Statement 
on Business Continuity Planning for Trading Markets.\196\
---------------------------------------------------------------------------

    \194\ The federal agencies represented on the FFIEC are the 
Board of Governors of the Federal Reserve System, the Federal 
Deposit Insurance Corporation, the National Credit Union 
Administration, Office of the Comptroller of the Currency, and the 
Consumer Financial Protection Bureau.
    \195\ See 2003 Interagency White Paper, supra note 31. In the 
2003 Interagency White Paper, which was issued jointly by the 
Commission, the Board of Governors of the Federal Reserve System, 
and the Office of the Comptroller of the Currency, the agencies 
identified a broad consensus on three important business continuity 
objectives: (1) Rapid recovery and timely resumption of critical 
operations following a wide-scale disruption; (2) rapid recovery and 
timely resumption of critical operations following the loss or 
inaccessibility of staff in at least one major operating location; 
and (3) a high level of confidence, through ongoing use or robust 
testing, that critical internal and external continuity arrangements 
are effective and compatible. See id. at 17811.
    The agencies also identified sound practices for core clearing 
and settlement organizations and firms that play significant roles 
in critical financial markets. They stated that in this context, 
``core clearing and settlement organizations'' consist of market 
utilities that provide clearing and settlement services for critical 
financial markets or act as large-value payment system operators and 
present systemic risk to the markets should they be unable to 
perform. ``Firms that play significant roles in critical financial 
markets'' refers to organizations whose participation in one or more 
critical financial markets is significant enough that their failure 
to settle their own or their customers' material pending 
transactions by the end of the day could present systemic risk to 
the markets. The sound practices address the risks of a wide-scale 
disruption and strengthen the resilience of the financial system. 
They also reduce the potential that key market participants will 
present systemic risk to one or more critical markets because 
primary and back-up processing facilities and staffs are 
concentrated within the same geographic region.
    The sound practices are as follows. First, identify clearing and 
settlement activities in support of critical financial markets. 
These activities include the completion of pending large-value 
payments; clearance and settlement of material pending transactions; 
meeting material end-of-day funding and collateral obligations 
necessary to ensure the performance of pending large-value payments 
and transactions; and updating records of accounts. Second, 
determine appropriate recovery and resumption objectives for 
clearing and settlement activities in support of critical markets. 
In this regard, core clearing and settlement organizations are 
expected to develop the capacity to recover and resume clearing and 
settlement activities within the business day on which the 
disruption occurs with the overall recovery goal of two hours after 
an event. Third, maintain sufficient geographically dispersed 
resources to meet recovery and resumption objectives. The 2003 
Interagency White Paper states that back-up arrangements should be 
as far away from the primary site as necessary to avoid being 
subject to the same set of risks as the primary location and should 
not rely on the same infrastructure components used by the primary 
site. Fourth, routinely use or test recovery and resumption 
arrangements. This includes regular tests of internal recovery and 
resumption arrangements as well as cross-organization tests to 
ensure the effectiveness and compatibility of recovery and 
resumption strategies within and across critical markets. See id. at 
17811-13.
    \196\ See supra note 32. The Commission's policy statement 
applies more broadly to all ``SRO markets'' and ECNs, not just those 
that play ``significant roles in critical financial markets,'' as 
discussed in the 2003 Interagency White Paper. Each SRO market and 
ECN is expected to (1) have in place a business continuity plan that 
anticipates the resumption of trading in the securities traded by 
that market no later than the next business day following a wide-
scale disruption; (2) maintain appropriate geographic diversity 
between primary and back-up sites in order to assure resumption of 
trading activities by the next business day; (3) assure the full 
resilience of shared information streams, such as the consolidated 
market data stream generated for the equity and options markets; and 
(4) confirm the effectiveness of the back-up arrangements through 
testing. See id. at 56658.
---------------------------------------------------------------------------

    Also included in Table A is a publication issued by the Institute 
of Internal Auditors (``IIA''). The IIA is an international 
professional association that has developed and published guidance 
setting forth industry best practices in internal auditing for internal 
audit professionals. It has more than 175,000 members in 165 countries 
and territories around the world.\197\ IIA is also a credentialing 
organization, awarding the Certified Internal Auditor (CIA), Certified 
Government Auditing Professional (CGAP), Certified Financial Services 
Auditor (CFSA), Certification in Control Self-Assessment (CCSA), and 
Certification in Risk Management Assurance (CRMA) certifications to 
those who meet the requirements.\198\ The Commission preliminarily 
believes these factors support identification of IIA as an 
authoritative body that is a widely recognized organization.
---------------------------------------------------------------------------

    \197\ See IIA's 2011 Annual Report, available at: https://na.theiia.org/about-us/Pages/Annual-Reports.aspx.
    \198\ See id.
---------------------------------------------------------------------------

    In addition, one of the publications identified in Table A is 
issued by the Security Benchmarks division of the Center for Internet 
Security (``CIS''). The CIS is a not-for-profit organization focused on 
enhancing the cybersecurity readiness and response of public and 
private sector entities. The CIS Security Benchmarks division 
facilitates the development of industry best practices for security 
configuration, tools for measuring information security status, and 
resources to assist entities in making security investment 
decisions.\199\ Its members include commercial organizations, academic 
organizations, government agencies, and security service, consulting, 
and software organizations.\200\ According to the CIS, its benchmarks 
are regularly referred to by U.S. government agencies for compliance 
with information security rules and regulations.\201\ The Commission 
preliminarily believes these factors support a determination that CIS 
is an authoritative body that is a widely recognized organization.
---------------------------------------------------------------------------

    \199\ See https://benchmarks.cisecurity.org/en-us/?route=default.about.
    \200\ See https://benchmarks.cisecurity.org/en-us/?route=membership.
    \201\ The CIS states that its benchmarks are widely accepted by 
U.S. government agencies for compliance with the Federal Information 
Security Management Act (FISMA), Gramm-Leach-Bliley Act, Sarbanes-
Oxley Act, The Health Insurance Portability and Accountability Act 
of 1996 (HIPAA), and other regulatory requirements for 
information security. See https://benchmarks.cisecurity.org/en-us/?route=membership.
---------------------------------------------------------------------------

    Table A lists the publication(s) that the Commission has 
preliminarily identified as SCI industry standard(s) in each domain 
that an SCI entity, taking into account its nature, size, technology, 
business model, and other aspects of its business, could, but is not 
required to, use to establish, maintain, and enforce reasonably 
designed policies and procedures that satisfy the requirements of 
proposed Rule 1000(b)(1). Thus, the Commission is proposing that the 
industry standards contained in the publications identified in Table A 
be one example of ``current SCI industry standards'' for purposes of 
proposed Rule 1000(b)(1), and requests commenters' views on the 
appropriateness of each publication identified in Table A as a 
``current SCI industry standard.'' Each listed publication is 
identified with specificity, and includes the particular publication's 
date, volume number, and/or publication number, as the case may be. 
Thus, to the extent an SCI entity seeks to rely on SCI industry 
standards for purposes of complying with proposed Rule 1000(b)(1)(ii), 
the Commission intends SCI entities that establish policies and 
procedures based on the SCI industry standards contained in the 
publications set forth in Table A to enforce written policies and 
procedures, taking into account their nature, size, technology, 
business model, and other aspects of their business, consistent with 
relevant standards, even if the issuing organization were to 
subsequently update a given industry practice, until such time as the 
list of SCI industry standards were to be updated, as discussed 
below.\202\ Of course, SCI entities could elect to use standards 
contained in publications other than those identified in Table A to 
satisfy the requirements of proposed Rule 1000(b)(1).
---------------------------------------------------------------------------

    \202\ See discussion in this Section III.C.1.b following Table A 
below.
    \203\ The Commission recently adopted a similar contingency 
planning practice in Rule 17Ad-22(d)(4) that requires registered 
clearing agencies to have policies and procedures designed to 
identify sources of operational risk and minimize those risks 
through the development of appropriate systems controls and 
procedures. See Securities Exchange Act Release No. 68080 (October 
22, 2012), 77 FR 66220 (November 2, 2012). See also supra note 95.

[[Page 18111]]



                        Table A--Publications Relating to Industry Standards in 9 Domains
----------------------------------------------------------------------------------------------------------------
                              Domain                                             Industry standards
----------------------------------------------------------------------------------------------------------------
Application Controls.............................................  NIST DRAFT Security and Privacy Controls for
                                                                    Federal Information Systems and
                                                                    Organizations (Special Publication 800-53
                                                                    Rev. 4), available at: https://csrc.nist.gov/publications/drafts/800-53-rev4/sp800-53-rev4-ipd.pdf.
Capacity Planning................................................  FFIEC, Operations IT Examination Handbook
                                                                    (July 2004), available at: https://ithandbook.ffiec.gov/ITBooklets/FFIEC_ITBooklet_Operations.pdf.
Computer Operations and Production Environment Controls..........  NIST DRAFT Security and Privacy Controls for
                                                                    Federal Information Systems and
                                                                    Organizations (Special Publication 800-53
                                                                    Rev. 4), available at: https://csrc.nist.gov/publications/drafts/800-53-rev4/sp800-53-rev4-ipd.pdf.
Contingency Planning (BCP) \203\.................................  NIST Contingency Planning Guide for Federal
                                                                    Information Systems (Special Publication 800-
                                                                    34 Rev. 1), available at: https://csrc.nist.gov/publications/nistpubs/800-34-rev1/sp800-34-rev1_errata-Nov11-2010.pdf.
                                                                   2003 Interagency White Paper on Sound
                                                                    Practices to Strengthen the Resilience of
                                                                    the U.S. Financial System, Securities
                                                                    Exchange Act Release No. 47638 (April 8,
                                                                    2003), 68 FR 17809 (April 11, 2003),
                                                                    available at: https://www.sec.gov/news/studies/34-47638.htm.
                                                                   2003 Policy Statement on Business Continuity
                                                                    Planning for Trading Markets, Securities
                                                                    Exchange Act Release No. 48545 (September
                                                                    25, 2003), 68 FR 56656 (October 1, 2003),
                                                                    available at: https://www.sec.gov/rules/policy/34-48545.htm.
Information Security and Networking..............................  NIST DRAFT Security and Privacy Controls for
                                                                    Federal Information Systems and
                                                                    Organizations (Special Publication 800-53
                                                                    Rev. 4), available at: https://csrc.nist.gov/publications/drafts/800-53-rev4/sp800-53-rev4-ipd.pdf.
                                                                   NIST Guidelines on Security and Privacy in
                                                                    Public Cloud Computing (Special Publication
                                                                    800-144), available at: https://csrc.nist.gov/publications/nistpubs/800-144/SP800-144.pdf.
                                                                   The Center for Internet Security
                                                                    Configuration Benchmarks, available at:
                                                                    https://benchmarks.cisecurity.org/en-us/?route=downloads.benchmarks.
Audit............................................................  FFIEC, Audit IT Examination Handbook (August
                                                                    2003), available at: https://ithandbook.ffiec.gov/ITBooklets/FFIEC_ITBooklet_Audit.pdf.
                                                                   IIA, The Role of Internal Auditing in
                                                                    Enterprise-wide Risk Management, available
                                                                    at: https://www.theiia.org/iia and https://www.theiaa.org/index.
Outsourcing......................................................  FFIEC, Outsourcing Technology Services IT
                                                                    Examination Handbook (June 2004), available
                                                                    at: https://ithandbook.ffiec.gov/ITBooklets/FFIEC_ITBooklet_OutsourcingTechnologyServices.pdf.
Physical Security................................................  NIST DRAFT Security and Privacy Controls for
                                                                    Federal Information Systems and
                                                                    Organizations (Special Publication 800-53
                                                                    Rev. 4), available at: https://csrc.nist.gov/publications/drafts/800-53-rev4/sp800-53-rev4-ipd.pdf.
Systems Development Methodology..................................  NIST Security Considerations in the System
                                                                    Development Life Cycle (Special Publication
                                                                    800-64 Rev. 2), available at: https://csrc.nist.gov/publications/nistpubs/800-64-Rev2/SP800-64-Revision2.pdf.
----------------------------------------------------------------------------------------------------------------

    As noted above, each of the publications listed in Table A is 
intended to identify information technology practices that are widely 
available for free to information technology professionals in the 
financial sector and are issued by an authoritative body that is a U.S. 
governmental entity or agency, association of U.S. governmental 
entities or agencies, or widely recognized organization.
    Although the industry standards contained in the publications 
identified in Table A above are intended as an appropriate initial set 
of industry standards under proposed Regulation SCI, the Commission 
does not seek to foreclose the development, whether by the Commission 
or otherwise, of a set of industry standards that is more focused on 
the specific businesses and systems of SCI entities.\204\ In such a 
case, the Commission preliminarily believes that it would be 
appropriate to use the industry standards contained in the publications 
listed in Table A as a starting point for such development.
---------------------------------------------------------------------------

    \204\ Standards issued by the Commission itself would meet the 
proposed criteria in that they would be: (i) Comprised of 
information technology practices that are widely available for free 
to information technology professionals in the financial sector; and 
(ii) issued by an authoritative body that is a U.S. governmental 
entity or agency, association of U.S. governmental entities or 
agencies, or widely recognized organization.
---------------------------------------------------------------------------

    Further, the Commission recognizes that systems and technologies 
are continually evolving. As such, the standards identified in this 
proposal would likely be updated from time to time by the organizations 
issuing them. However, the Commission also preliminarily believes that, 
following its initial identification of one set of SCI industry 
standards, it may be appropriate to update the identified set of 
standards from time to time through the periodic issuance of Commission 
staff guidance. Accordingly, the Commission preliminarily believes it 
would be appropriate for Commission staff, from time to time, to issue 
notices to update the previously identified set of SCI industry 
standards after receiving appropriate input from interested 
persons.\205\ The Commission preliminarily believes that this approach 
would provide the public, including SCI entities and other market 
participants, an opportunity to comment on newly proposed SCI industry 
standards. However, until such time as Commission staff were to update 
the identified set of SCI industry standards, the then-current set of 
SCI industry standards would be the standards referred to in proposed 
Rule 1000(b)(1)(ii) of Regulation SCI.
---------------------------------------------------------------------------

    \205\ As noted in the request for comment section below, the 
Commission solicits comment on the ways in which appropriate input 
from interested persons should be obtained for updating the SCI 
industry standards.
---------------------------------------------------------------------------

    As noted above, proposed Rule 1000(b)(1)(ii) would require that any 
SCI industry standards be: (i) Comprised of information technology 
practices that are widely available for free to information technology 
professionals in the financial sector; and (ii) issued by an 
authoritative body that is a U.S. governmental entity or agency, 
association of U.S. governmental entities or agencies, or a widely 
recognized organization.

[[Page 18112]]

Request for Comment
    60. The Commission requests comment generally on proposed Rule 
1000(b)(1). Do commenters believe the proposed scope of required 
policies and procedures is appropriate? Why or why not? Please explain.
    61. Do commenters believe that it is appropriate to apply the 
requirements of proposed Rule 1000(b)(1) to SCI systems and, for 
purposes of security standards, to SCI security systems? Why or why 
not? Please explain.
    62. Do commenters believe the enumeration of the items in proposed 
Rule 1000(b)(1)(i)(A)-(F) that are to be addressed in the required 
policies and procedures is appropriate? Why or why not? Specifically, 
is the proposal to require that such policies and procedures include 
the establishment of reasonable current and future capacity planning 
estimates, as provided in proposed Rule 1000(b)(1)(i)(A), appropriate? 
Why or why not?
    63. Should the Commission specify the interval (e.g., monthly or 
quarterly) at which SCI entities would be required to conduct periodic 
capacity stress tests of relevant systems, as provided in proposed Rule 
1000(b)(1)(i)(B)? Should such periodic tests be limited to a subset of 
systems? If so, for which systems should such tests be required and why 
would that limitation be appropriate?
    64. Should the Commission require SCI entities to have a program to 
review and keep current systems development and testing methodology, as 
proposed to be required in proposed Rule 1000(b)(1)(i)(C)? Why or why 
not?
    65. Should the Commission specify the interval at which SCI 
entities would be required to conduct reviews and tests of SCI systems 
and SCI security systems, including backup systems, to identify 
vulnerabilities pertaining to internal and external threats, physical 
hazards, and natural or manmade disasters, as provided in proposed Rule 
1000(b)(1)(i)(D)? Why or why not? And, if so, what would be appropriate 
intervals and why?
    66. The Commission notes that items (i)(B), (C), and (D) would each 
require the establishment of policies and procedures for: Testing of 
capacity, testing methodology, and testing for vulnerabilities, 
respectively. The Commission also notes that the need for improved 
testing was a recurring theme during the Roundtable and discussed in 
several comment letters.\206\ The Commission requests comment on 
whether the testing policies and procedures requirements in proposed 
Rule 1000(b)(1)(i)(B), (C), and (D) would be sufficiently comprehensive 
to foster development of the types of testing that Roundtable panelists 
and commenters recommended. Why or why not? Please be specific. Should 
the Commission require certain types of testing by SCI entities? Why or 
why not? Please be specific. If so, what specific types of testing 
should the Commission require in proposed Regulation SCI? Please 
describe in detail.
---------------------------------------------------------------------------

    \206\ See text accompanying supra note 72, discussing 
recommendations by Roundtable panelists and commenters to lower 
rates of error in software development by improving testing 
opportunities and participation in testing by member firms. See also 
text accompanying supra note 180.
---------------------------------------------------------------------------

    67. Should the Commission require SCI entities to have, and make 
available to their members or participants, certain infrastructure or 
mechanisms that would aid industry-wide testing or direct testing with 
an SCI entity, such as test facilities or test symbols? Why or why not? 
If so, please specify what types of infrastructures or mechanisms 
should be required.
    68. Should the Commission require industry-wide testing for certain 
types of anticipated technology deployments? \207\ Why or why not? If 
so, what should be the criteria for identifying anticipated technology 
deployments that warrant mandatory industry-wide testing and which 
market participants should be required to participate? Please explain 
in detail.
---------------------------------------------------------------------------

    \207\ See also infra Section III.C.7 (discussing, among other 
things, the requirement of proposed Rule 1000(b)(9)(ii) that an SCI 
entity coordinate the testing of the SCI entity's business 
continuity and disaster recovery plans, including its backup 
systems, with other SCI entities).
---------------------------------------------------------------------------

    69. Should the Commission require SCI entities to mandate that 
their members or participants participate in direct testing with such 
SCI entities for certain types of anticipated technology deployments by 
the members or participants? \208\ Why or why not? If so, what should 
be the criteria for identifying anticipated technology deployments that 
warrant mandatory testing with an SCI entity? Should the Commission 
identify such criteria, or should SCI entities identify such criteria? 
Please explain.
---------------------------------------------------------------------------

    \208\ See also infra Section III.C.7 (discussing, among other 
things, the requirement of proposed Rule 1000(b)(9)(i) that an SCI 
entity require participation by designated members or participants 
in scheduled functional and performance testing of the operation of 
the SCI entity's business continuity and disaster recovery plans, 
including its backup systems).
---------------------------------------------------------------------------

    70. Similarly, would proposed item (i)(E), regarding policies and 
procedures for business continuity and disaster recovery plans, be 
sufficiently comprehensive to foster the establishment of the types of 
contingency plans discussed by Roundtable panelists and Roundtable 
commenters, such as predetermined communication plans, escalation 
procedures, and/or kill switches? \209\ Why or why not? Should proposed 
Regulation SCI expressly require that an SCI entity's contingency plans 
include such details? \210\ Why or why not? Please explain. Should SCI 
entities' contingency plans and the testing of such plans be required 
to account for specific types of disaster or threat scenarios, such as 
an extreme volume surge, the failure of a major market participant, 
and/or a terrorist or cyber attack? Why or why not? Please explain. If 
so, what other types of scenarios should such plans take into account? 
Please be specific.
---------------------------------------------------------------------------

    \209\ See discussion of Roundtable in supra Section I.D. The 
Commission is not proposing at this time any requirements related to 
kill switches.
    \210\ See also infra Section III.C.3.a, discussing proposed Rule 
1000(b)(3), which would require an SCI entity, upon any responsible 
SCI personnel becoming aware of an SCI event, to begin to take 
appropriate corrective action, including, at a minimum, mitigating 
potential harm to investors and market integrity resulting from the 
SCI event and devoting adequate resources to remedy the SCI event as 
soon as reasonably practicable, and the associated request for 
comment.
---------------------------------------------------------------------------

    71. There was considerable discussion at the Roundtable about kill 
switches, with several panelists advocating the kill switch proposal 
outlined in the Industry Working Group comment letter,\211\ while 
others expressed concerns.\212\ The Commission is not proposing at this 
time any requirements related to kill switches. However, do commenters 
believe that the implementation of kill switches, as outlined in the 
Industry Working Group comment letter, would assist SCI entities in 
maintaining the integrity of their systems? Why or why not? If so, how, 
if at all, should the Commission foster the development of coordinated 
contingency plans among SCI SROs and SCI ATSs that would include such a 
kill switch mechanism?
---------------------------------------------------------------------------

    \211\ See letter from Industry Working Group, supra note 74 and 
accompanying text.
    \212\ See, e.g., letter from TDA, supra note 74.
---------------------------------------------------------------------------

    72. Should the Commission include the criterion of geographic 
diversity in the requirement relating to business continuity and 
disaster recovery plans in proposed Rule 1000(b)(1)(i)(E)? Why or why 
not? Please explain. Should the Commission specify minimum standards 
for ``geographically diverse'' in proposed Rule 1000(b)(1)(i)(E)? Why 
or why not? If so, what would be an appropriate standard?
    73. Is the next business day resumption of trading following a 
wide-scale disruption requirement in proposed Rule 1000(b)(1)(i)(E) 
appropriate? Why or why not? Is the two-hour resumption of clearance 
and settlement services following a wide-scale disruption an 
appropriate requirement for an SCI entity that is a registered 
clearing agency or ``exempt clearing agency subject to ARP''? Why or 
why not?
    74. As discussed above, the U.S. national securities exchanges 
closed for two business days in October 2012 in the wake of Superstorm 
Sandy, even though the securities industry's annual test of how trading 
firms, market operators, and their utilities could operate through an 
emergency using backup sites, backup communications, and disaster 
recovery facilities occurred without significant incident on October 
27, 2012, just two days before the storm.\213\ As discussed in greater 
detail below, proposed Rule 1000(b)(9) would require SCI entities to 
mandate participation by designated members or participants in 
scheduled testing of the operation of their business continuity and 
disaster recovery plans, including backup systems, and to coordinate 
such testing with other SCI entities.\214\ Are there other industry 
practices related to proposed Regulation SCI that should be considered 
further in light of the two-day closure of the U.S. securities markets 
during the storm? If so, what are they? For example, for SCI entities 
that are trading markets, should the Commission limit the extent to 
which an SCI entity's business continuity and disaster recovery plans 
may involve changing how trading may be conducted? For example, the 
NYSE, pursuant to its rules, initially proposed to conduct trading only 
electronically on October 29, 2012, using NYSE Arca systems, rather 
than conduct trading both electronically as well as on a physical 
trading floor, as it normally does.\215\ Should an SCI entity that is 
experiencing a wide-scale disruption be permitted to offer its members 
or participants an alternative that significantly differs from its 
usual method of operation? Please explain. What are the costs and 
benefits associated with each type of approach?
---------------------------------------------------------------------------

    \213\ See supra Section I.D.
    \214\ See infra Section III.C.7.
    \215\ See supra Section I.D.
---------------------------------------------------------------------------

    75. Should business continuity and disaster recovery plans 
involving backup data centers be required to be tested in a live 
``production'' environment on a periodic basis (e.g., annually, or at 
some other frequency)? Why or why not? Please explain.
    76. The Commission understands that certain entities that would be 
defined as SCI entities (such as registered clearing agencies) are 
already effectively operating under business resumption requirements of 
less than one business day. Should the Commission consider revising the 
proposed next business day resumption requirement for trading to a 
shorter or longer period, for example, a specific number of hours less 
or more than one business day or within the business day for certain 
entities that play a significant role within the securities markets? 
Why or why not? Similarly, should the proposed two-hour resumption 
standard for clearance and settlement services be shortened or 
lengthened? Why or why not?
    77. Following a systems disruption (including, for example, 
activation of an SCI entity's business continuity plan), should the 
Commission require user testing and certification prior to resuming 
operation of the affected systems? Why or why not? If so, what should 
the testing requirements be? Should they vary depending on the type of 
system(s) affected? To whom should an SCI entity certify that an 
affected system or group of systems is ready to resume operation?
    78. Is the requirement in proposed Rule 1000(b)(1)(i)(F) for 
``standards that result in such systems being designed, developed, 
tested, maintained, operated, and surveilled in a manner that 
facilitates the successful collection, processing, and dissemination of 
market data'' appropriate? Are there other factors that the Commission 
should consider in determining whether standards to process data are 
adequate? Or, should some of the proposed standards be eliminated or 
modified? If so, please explain how and why.
    79. Do commenters believe there are specific internal controls or 
other mechanisms that would reinforce the effectiveness of an SCI 
entity's reasonably designed policies and procedures under proposed 
Rule 1000(b)(1)? Why or why not? Please explain. How do SCI entities 
presently use specific internal controls or other mechanisms to 
maintain the SCI entity's operational capability and promote the 
maintenance of fair and orderly markets? How do commenters generally 
view the advantages and disadvantages of specific internal controls or 
other mechanisms? The Commission is not proposing to prescribe specific 
internal controls under proposed Rule 1000(b)(1). Should the Commission 
propose that any particular internal controls or other mechanisms be 
required (for example, that a senior officer be designated to be 
responsible for the SCI entity's compliance with proposed Regulation 
SCI, or that personnel of the SCI entity certify that the SCI entity's 
policies and procedures are reasonably designed)?
    80. Would any of the Commission's proposed requirements under 
proposed Rule 1000(b)(1) create inappropriate barriers to entry for new 
entities seeking to register with the Commission as an SRO, ATS, or 
plan processor? Would any of the proposed requirements inappropriately 
limit the growth or expansion of entities currently registered with the 
Commission as an SRO, ATS, or plan processor? Why or why not?
    81. As noted above, the Commission proposes that policies and 
procedures would be deemed to be reasonably designed for purposes of 
proposed Rule 1000(b)(1) if they are consistent with current SCI 
industry standards. Do commenters agree with this approach? Why or why 
not? What are the advantages or disadvantages of such an approach?
    82. Do commenters believe that the publications listed in Table A 
represent publications that are suitable for purposes of proposed Rule 
1000(b)(1)(ii) and that should be the ``current SCI industry 
standards'' for purposes of proposed Rule 1000(b)(1)(ii)? Why or why 
not? If not, what publications would be appropriate? Do commenters 
believe that SCI entities currently follow the industry standards 
contained in the publications listed in Table A?
    83. Are there areas within one of the nine identified domains that 
these publications do not cover? For example, should the Commission 
identify additional publications that provide industry standards for 
specific areas such as personnel security or information security risk 
management? If so, please identify any such publications that would be 
appropriate for the Commission to apply to SCI entities. Are there 
other areas that commenters believe are not covered at all by the 
publications listed in Table A that should be included? If so, what 
publications would be appropriate for such areas? Are there any areas 
within one of the nine identified domains that commenters believe 
should not be included? If so, why not?
    84. Should any of the publications listed in Table A be eliminated? 
If so, which ones and why? Are there any publications that should be 
added? If so, which ones and why? Are there industry practices that 
apply to, or are developed by, entities related to the securities 
markets that should be considered? If so, what are they and why? Are 
there any types of SCI entities for which the proposed publications 
would not be appropriate? If so, which types of entities and why? How 
should any such possible concerns be 
addressed? The Commission notes that many of the publications in Table 
A have been issued by either NIST or FFIEC. Do commenters believe that 
SCI entities generally currently follow the industry standards issued 
by one of these organizations more frequently than the other? If so, 
which one and why? Is one organization's publications more appropriate 
or preferable for SCI entities? If so, please explain. What are the 
advantages and/or disadvantages of the publications issued by each 
organization?
    85. The Commission seeks comment on whether commenters believe that 
the identified publications, and the industry standards within, are 
adequate in terms of the detail, specificity and scope. Are there areas 
in which the industry standards listed in the publications in Table A 
should be modified to provide adequate guidance to SCI entities? If so, 
please explain in detail. For example, the Commission understands that 
many businesses, including SCI entities, now utilize cloud computing as 
part of their operations, and the Commission has identified industry 
standards with respect to cloud computing among the publications listed 
in Table A. However, do commenters believe that these industry 
standards provide an adequate level of specificity to allow an SCI 
entity to ascertain how to comply with such standards? Further, do the 
industry standards contained in the publications in Table A cover all 
of the relevant areas related to a particular subject area (such as 
cloud computing)? Similarly, the Commission notes that it has 
identified publications with respect to capacity planning, but that the 
industry standards in such publications focus primarily on continuity 
of operations. As such, the Commission seeks comment on whether 
commenters believe that the identified publications with respect to 
capacity planning are adequate in terms of the detail, specificity, and 
scope. Specifically, do these publications provide an adequate level of 
specificity to allow an SCI entity to ascertain how to comply with such 
standards, and do the industry standards cover all of the necessary 
areas related to a particular subject area such as capacity planning? 
Why or why not? As noted above, compliance with the industry standards 
contained in the publications on Table A would not be the exclusive 
means to comply with the requirements of proposed Rule 1000(b)(1).
    86. Do commenters agree with the Commission's proposed policies and 
procedures approach to the requirements of proposed Rule 1000(b)(1)? 
Why or why not? If not, is there another approach that is more 
appropriate? If so, please describe and explain. Do commenters agree 
with the Commission's proposed approach to deem an SCI entity's 
policies and procedures to be reasonably designed if they are 
consistent with current SCI industry standards, as provided for in 
proposed Rule 1000(b)(1)(ii)? Why or why not? How do commenters believe 
the actions of SCI entities might differ if such a provision were not 
available? What are the costs and benefits of the Commission's 
approach? What would be the costs and benefits of other approaches? Please 
explain.
    87. Do commenters agree or disagree with the Commission's proposed 
criteria to evaluate publications suitable for inclusion on Table A as 
an SCI industry standard and to update such list? Do commenters agree 
with the proposed criteria that identified publications should be: (i) 
Comprised of information technology practices that are widely available 
for free to information technology professionals in the financial 
sector; and (ii) issued by an authoritative body that is a U.S. 
governmental entity or agency, association of U.S. governmental 
entities or agencies, or widely recognized organization? Why or why 
not? Are there other criteria that would be more appropriate? Should 
the proposed criteria allow for a publication that may be available for 
an incidental charge rather than being required to be available for 
free? Why or why not? How frequently should such list of publications 
be updated and revised and what should the process be to update and/or 
revise them?
    88. Are there SCI entities for which the proposed requirements in 
Rule 1000(b)(1) would be inappropriate (e.g., not cost effective)? If 
so, please identify such type of entity or entities, or the 
characteristics of such entity or entities, and explain which proposed 
requirements would be inappropriate and why. Would cost burden be an 
appropriate reason to omit an SCI entity or proposed requirement 
generally? Alternatively, would cost burden be an appropriate reason to 
omit an SCI entity or proposed requirement, on a case-by-case basis, as 
the Commission determined to be consistent with Exchange Act 
requirements?
    89. When the Commission adopts new rules, or when SCI SROs 
implement rule changes, SCI SROs and their members often need to make 
changes to their systems to comply with such new rules. Would the 
requirements of proposed Rule 1000(b)(1) add additional time to this 
process and would the requirements increase the amount of time SCI 
entities would need to adjust their systems for Commission or SCI SRO 
rule changes? If so, how much additional time would SCI SROs need to 
adjust their systems? If not, should proposed Regulation SCI or another 
Commission rule require SCI SROs to provide minimum advance notice to 
their members of anticipated technology deployments prior to the 
implementation of any associated new rule or rule change by the SCI 
SRO? Why or why not? If so, how much advance notice should be required 
(e.g., a few days, a week, 30 days, 60 days, some other period)? Along 
with any such advance notice, should SCI SROs be required to offer to 
their members the opportunity to test such change with the SCI SRO prior 
to deployment of the new technology and implementation of any 
associated new rule or rule change? Why or why not? Should there be a 
similar requirement for other types of SCI entities? Why or why not? If 
so, what types of entities and what sorts of requirements should be 
included?
    90. Do commenters believe the potential additional time SCI SROs 
allocate to this process would result in fewer SCI events by helping to 
ensure that SCI SROs properly implement systems changes? Why or why 
not? How would the benefits and costs of such potential additional time 
compare? Please be as specific as possible.
    91. The Commission generally solicits comments on its proposed 
process for updating current SCI industry standards. Do commenters 
believe that it would be appropriate that Commission staff, from time 
to time, issue notices to update the list of previously identified 
publications containing SCI industry standards after receiving 
appropriate input from interested persons? Is there a more appropriate 
method? If so, what would it be? If not, why not?
    92. Would such a process allow for Commission staff to receive 
sufficient input from the public, including experts, SCI entities, and 
other market participants regarding the appropriate standards it should 
update, and how to do so? Why or why not?
    93. Would it be useful, for example, to provide notice to the 
public that it was focusing on a given domain or standard and seek 
comment on a domain-by-domain, or standard-by-standard, basis? Would it 
be useful for the Commission to set up a committee to advise Commission 
staff on such standards? If so, which groups or types of market 
participants should be represented on such a committee and why? Is 
there any other process that the Commission or its staff should 
use to help it obtain useful input? Would it be appropriate to instead 
require SROs, for example, to submit an NMS plan under Rule 608 of 
Regulation NMS that contained standards? Why or why not?
    94. If the Commission, its staff, or another entity seeks to 
develop a set of standards that is more focused on the specific 
businesses and systems of SCI entities, do commenters agree that the 
industry standards contained in the publications listed in Table A 
would be appropriate to be used as a starting point for this effort? 
Why or why not? If not, what publication(s) should be used as a 
starting point? Please describe in detail and explain.
    95. Do commenters believe it would be feasible to establish 
industry standards through means other than identification through 
Table A? For example, should SCI entities take the lead in developing 
such standards? Why or why not? If so, how should the process be 
organized and what parameters should be put in place to facilitate the 
process? For example, should SCI entities jointly develop industry 
standards that apply to all SCI entities or should the various types of 
SCI entities (e.g., national securities exchanges, ATSs, plan 
processors, clearing agencies) work separately to develop their own 
standards? Should one or more industry organizations take the lead in 
developing such standards? If so, which ones, and why? Should any such 
standards identified by the SCI entities and/or industry organizations 
be formally approved or disapproved by the Commission as part of any 
such process?
2. Systems Compliance
    Proposed Rule 1000(b)(2)(i) would require each SCI entity to 
establish, maintain, and enforce written policies and procedures 
reasonably designed to ensure that its SCI systems operate in the 
manner intended, including in a manner that complies with the federal 
securities laws and rules and regulations thereunder and the entity's 
rules and governing documents, as applicable.\216\ Whereas proposed 
Rule 1000(b)(1) concerns the robustness of the SCI entity's SCI systems 
and SCI security systems--i.e., such systems' capacity and resiliency 
against failures and security threats--proposed Rule 1000(b)(2) 
concerns the SCI entity's establishment of policies and procedures 
reasonably designed to ensure the operational compliance of an SCI 
entity's SCI systems with applicable laws, rules, and the SCI entity's 
governing documents. Diligent discharge of this proposed obligation to 
establish, maintain, and enforce written policies and procedures would 
establish the organizational framework for an SCI entity to meet its 
other obligations under proposed Regulation SCI. In particular, with 
respect to SCI SROs, compliance with proposed Rule 1000(b)(2)(i) should 
help to ensure that SCI SROs comply with Section 19(b)(1) of the 
Exchange Act, which requires each SRO to file with the Commission 
copies of any proposed rule or any proposed change in, addition to, or 
deletion from the rules of the SRO.\217\ Therefore, compliance with 
this proposed requirement may help ensure not only that SCI SROs 
operate in compliance with the Exchange Act, but also help reinforce 
existing processes for filing SRO rule changes in order to better 
assist market participants and the public in understanding how the SCI 
systems of SCI SROs are intended to operate.\218\
---------------------------------------------------------------------------

    \216\ See supra Section III.B.3.b, discussing the definition of 
``systems compliance issue.''
    \217\ See 15 U.S.C. 78s(b)(1).
    \218\ SCI SROs would similarly be assisted in meeting their 
obligations to file plan amendments to SCI Plans under Rule 608 of 
Regulation NMS.
---------------------------------------------------------------------------

    Because of the complexity of SCI systems and the breadth of the 
federal securities laws and rules and regulations thereunder and the 
SCI entities' rules and governing documents, the Commission 
preliminarily believes that it would be appropriate to provide an 
explicit safe harbor for SCI entities and their employees in order to 
provide greater clarity as to how they can ensure that their conduct 
will comply with this provision. Therefore, the Commission is proposing 
Rules 1000(b)(2)(ii) and (iii), which would provide a safe harbor from 
liability under proposed Rule 1000(b)(2)(i) for SCI entities and 
persons employed by SCI entities, respectively, as further described 
below.
    Specifically, proposed Rule 1000(b)(2)(ii) would provide that an 
SCI entity would be deemed not to have violated proposed Rule 
1000(b)(2)(i) if: (A) the SCI entity has established and maintained 
policies and procedures reasonably designed to provide for: (1) Testing 
of all SCI systems and any changes to such systems prior to 
implementation; (2) periodic testing of all such systems and any 
changes to such systems after their implementation; (3) a system of 
internal controls over changes to such systems; (4) ongoing monitoring 
of the functionality of such systems to detect whether they are 
operating in the manner intended; (5) assessments of SCI systems 
compliance performed by personnel familiar with applicable federal 
securities laws and rules and regulations thereunder and the SCI 
entity's rules and governing documents, as applicable; and (6) review 
by regulatory personnel of SCI systems design, changes, testing, and 
controls to prevent, detect, and address actions that do not comply 
with applicable federal securities laws and rules and regulations 
thereunder and the SCI entity's rules and governing documents, as 
applicable; (B) the SCI entity has established and maintained a system 
for applying such policies and procedures which would reasonably be 
expected to prevent and detect, insofar as practicable, any violations 
of such policies and procedures by the SCI entity or any person 
employed by the SCI entity; and (C) the SCI entity: (1) has reasonably 
discharged the duties and obligations incumbent upon the SCI entity by 
such policies and procedures, and (2) was without reasonable cause to 
believe that such policies and procedures were not being complied with 
in any material respect.
    The Commission preliminarily believes that, if an SCI entity 
establishes and maintains policies and procedures reasonably designed 
to provide for the items in proposed Rule 1000(b)(2)(ii)(A)(1)-(6), 
such policies and procedures would meet the requirement articulated in 
proposed Rule 1000(b)(2)(i). Specifically, the Commission preliminarily 
believes that items (1) and (2), which, for purposes of qualifying for 
the safe harbor, would require SCI entities to have policies and 
procedures requiring the testing of SCI systems and changes to such 
systems before they are put into production and periodically 
thereafter, should help SCI entities to identify potential problems 
before such problems have the ability to impact markets and investors. 
Items (3) and (4), which, for purposes of qualifying for the safe 
harbor, would require a system of internal controls over changes to SCI 
systems and ongoing monitoring of the functionality of such systems, 
would provide a framework for SCI entities seeking to bring newer, 
faster, and more innovative SCI systems online. In conjunction with 
ongoing monitoring, the Commission preliminarily believes the policies 
and procedures proposed to be required in items (3) and (4) for 
purposes of qualifying for the safe harbor, would help prevent SCI 
systems becoming noncompliant resulting from, for example, inattention 
or failure to review compliance with established written policies and 
procedures.

    Further, the Commission preliminarily believes that item (5) 
(which, for purposes of qualifying for the safe harbor, would require 
that an SCI entity establish, maintain, and enforce written policies 
and procedures for assessments of SCI systems compliance by personnel 
familiar with applicable federal securities laws, rules and regulations 
thereunder, and the SCI entity's rules and governing documents), in 
conjunction with item (6) (which, for purposes of qualifying for the 
safe harbor, would require policies and procedures directing that 
regulatory personnel review SCI systems design, changes, testing, and 
controls), would help foster coordination between the information 
technology and regulatory staff of an SCI entity so that SCI events and 
other issues related to an SCI entity's SCI systems would be more 
likely to be addressed by a team of staff in possession of the 
requisite range of knowledge and skills to help ensure compliance with 
the SCI entity's obligations under proposed Regulation SCI.
    Insofar as an SCI entity follows them to qualify for the safe 
harbor, proposed items (5) and (6) also are intended to help to ensure 
that an SCI entity's business interests do not undermine regulatory, 
surveillance, and compliance functions and, more broadly, the 
requirements of the federal securities laws, during the development, 
testing, implementation, and operation processes for SCI systems. Thus, 
proposed items (1)-(6) together, insofar as SCI entities follow them to 
qualify for the safe harbor, are meant to promote the development and 
implementation of policies and procedures consistent with the 
functioning of SCI systems of SCI entities as planned and as described 
by the SCI entity's rules and governing documents, as well as in 
compliance with applicable federal securities laws and rules.\219\
---------------------------------------------------------------------------

    \219\ See supra notes 154-156 and accompanying text.
---------------------------------------------------------------------------

    In addition to establishing and maintaining the policies and 
procedures described in proposed Rule 1000(b)(2)(ii)(A)(1)-(6), to 
qualify for the safe harbor, an SCI entity would also be required to 
satisfy two additional requirements. First, under proposed Rule 
1000(b)(2)(ii)(B), it would be required to have established and 
maintained a system for applying such policies and procedures which 
would reasonably be expected to prevent and detect, insofar as 
practicable, any violations of such policies and procedures by the SCI 
entity or any person employed by the SCI entity. In addition, under 
proposed Rule 1000(b)(2)(ii)(C), the SCI entity would be required to: 
(1) Have reasonably discharged the duties and obligations incumbent 
upon it by such policies and procedures; and (2) have been without 
reasonable cause to believe that such policies and procedures were not 
being complied with in any material respect. To the extent an SCI 
entity seeks to qualify for the safe harbor, the elements of proposed 
Rules 1000(b)(2)(ii)(B) and (C) would require not only that its 
policies and procedures are reasonably designed to achieve SCI systems 
compliance, as described in items (A)(1)-(6) above, but also that, as 
part of such policies and procedures, the SCI entity establishes and 
maintains a system for applying those policies and procedures, and 
enforces its policies and procedures, in a manner that would reasonably 
allow it to prevent and detect violations of the policies and 
procedures. Proposed Rules 1000(b)(2)(ii)(B) and (C) are also designed 
to ensure that the SCI entity reasonably discharges duties and 
obligations incumbent upon it by such policies and procedures and is 
without reasonable cause to believe that such policies and procedures 
were not being complied with in any material respect.
    In addition, proposed Rule 1000(b)(2)(iii) would provide a safe 
harbor from liability for individuals. Specifically, proposed Rule 
1000(b)(2)(iii) would provide that a person employed by an SCI entity 
shall be deemed not to have aided, abetted, counseled, commanded, 
caused, induced, or procured the violation by any other person of 
proposed Rule 1000(b)(2)(i) if the person employed by the SCI entity 
has reasonably discharged the duties and obligations incumbent upon 
such person by such policies and procedures, and was without reasonable 
cause to believe that such policies and procedures were not being 
complied with in any material respect. The Commission preliminarily 
believes that the safe harbor for individuals under proposed Rule 
1000(b)(2)(iii) would appropriately provide protection from liability 
under Rule 1000(b)(2) to employees of SCI entities who reasonably 
conduct their assigned responsibilities under the SCI entity's policies 
and procedures and do not have reasonable cause to believe the policies 
and procedures were not being complied with in any material respect.
    In this regard, an SCI entity would not be deemed to violate 
proposed Rule 1000(b)(2)(i) merely because it experienced a systems 
compliance issue, and could take advantage of the safe harbor for SCI 
entities if it satisfied the elements enumerated in proposed Rule 
1000(b)(2)(ii).\220\ Likewise, an employee of an SCI entity, including 
an employee involved in the design or implementation of policies and 
procedures under the rule, would not be deemed to have aided, abetted, 
counseled, commanded, caused, induced, or procured the violation by any 
other person of proposed Rule 1000(b)(2)(i) merely because the SCI 
entity at which he or she worked experienced a systems compliance 
issue, whether or not the employee was able to take advantage of the 
safe harbor for individuals under proposed Rule 1000(b)(2)(iii).
---------------------------------------------------------------------------

    \220\ The language of proposed Rules 1000(b)(2)(ii)(B) and (C) 
is drawn in significant part from language in Section 15(b)(4)(E) of 
the Exchange Act, 15 U.S.C. 78o(b)(4)(E), which generally provides a 
safe harbor from liability for failure to supervise, with a view to 
preventing violations of the securities laws, another person who is 
subject to his or her supervision and who commits such a violation.
---------------------------------------------------------------------------

Request for Comment
    96. The Commission requests comment generally on all aspects of 
proposed Rule 1000(b)(2). Do commenters believe that it is appropriate 
to limit the application of the requirements of proposed Rule 
1000(b)(2)(i) to SCI systems? Why or why not? Please explain. Do 
commenters agree with the requirements of the proposed safe harbor for 
SCI entities? Why or why not? Specifically, with respect to proposed 
Rule 1000(b)(2)(ii)(A)(1), which would include in the safe harbor a 
requirement that each SCI entity establish and maintain written 
policies and procedures that provide for testing of all SCI systems and 
any changes to such systems prior to implementation, should certain 
types of SCI systems be excluded from the proposed requirement? If so, 
please specify which types and explain.
    97. Should the Commission specify the interval at which SCI 
entities would be required to conduct the periodic testing of all SCI 
systems contemplated by the safe harbor under proposed Rule 
1000(b)(2)(ii)(A)(2)? Why or why not? And if so, what would be an 
appropriate interval? Should certain types of SCI systems be tested on 
a more or less frequent basis? If so, please specify which types and 
explain.
    98. With respect to proposed Rule 1000(b)(2)(ii)(A)(3), which would 
include in the safe harbor a requirement that an SCI entity establish 
and maintain written policies and procedures that provide for a system 
of internal controls over changes to SCI systems, should the 
Commission specify minimum standards for internal 
controls? If so, please explain why, as well as what such standards 
should be.
    99. With respect to proposed Rule 1000(b)(2)(ii)(A)(4), which would 
include in the safe harbor a requirement that an SCI entity establish 
and maintain written policies and procedures that provide for ongoing 
monitoring of the functionality of SCI systems to detect whether they 
are operating in the manner intended, should the Commission specify the 
frequency with which the monitoring of such systems' functionality 
should occur? If so, please explain. Should the Commission require 
different monitoring frequencies depending on the type of SCI system? 
Why or why not? If so, what should they be? Please explain.
    100. For purposes of the safe harbor and proposed Rule 
1000(b)(2)(ii)(A)(5), do commenters believe the Commission should 
require that the assessments of SCI systems compliance be performed by 
persons having specified qualifications? Why or why not? If so, what 
would be appropriate and/or necessary qualifications for such 
personnel?
    101. Proposed Rule 1000(b)(2)(ii)(A)(6) would include in the safe 
harbor a requirement that each SCI entity establish and maintain 
policies and procedures that provide for review by regulatory personnel 
of SCI systems design, changes, testing, and controls to prevent, 
detect, and address actions that are not in compliance with applicable 
federal securities laws and rules and regulations thereunder and the 
SCI entity's rules and governing documents, as applicable. Do 
commenters believe, for purposes of qualifying for the safe harbor, the 
roles and allocations of responsibility for personnel in proposed Rules 
1000(b)(2)(ii)(A)(5) and (6) are appropriate? Why or why not?
    102. Do commenters agree that in order for an SCI entity to qualify 
for the safe harbor from liability under proposed Rule 1000(b)(2)(i), 
it should, in addition to establishing and maintaining the policies and 
procedures described in proposed Rule 1000(b)(2)(ii)(A)(1)-(6), be 
required to establish and maintain a system for applying such policies 
and procedures which would reasonably be expected to prevent and 
detect, insofar as practicable, any violations of such policies and 
procedures by the SCI entity or any person employed by the SCI entity? 
Why or why not? To qualify for the safe harbor from liability under 
proposed Rule 1000(b)(2)(i), should an SCI entity be further required 
to: have reasonably discharged the duties and obligations incumbent 
upon the SCI entity by such policies and procedures; and be without 
reasonable cause to believe that such policies and procedures were not 
being complied with in any material respect? Why or why not? Please 
explain.
    103. Do commenters agree with the requirements for the proposed 
safe harbor for individuals in proposed Rule 1000(b)(2)(iii), which 
would provide that a person employed by an SCI entity shall be deemed 
not to have aided, abetted, counseled, commanded, caused, induced, or 
procured the violation by any other person of proposed Rule 
1000(b)(2)(i) if the person employed by the SCI entity: has reasonably 
discharged the duties and obligations incumbent upon such person by 
such policies and procedures; and was without reasonable cause to 
believe that such policies and procedures were not being complied with 
in any material respect? Why or why not? Should a similar safe harbor 
be available to individuals other than persons employed by SCI 
entities? Why or why not? Please explain.
    104. Do commenters agree with the Commission's proposed policies 
and procedures approach to the requirements of proposed Rule 
1000(b)(2)? Why or why not? If not, is there another approach that is 
more appropriate? If so, please describe and explain. As discussed 
above, the Commission is proposing to include safe harbor provisions in 
proposed Rule 1000(b)(2) for SCI entities and employees of SCI 
entities. The Commission preliminarily believes that, in the context of 
proposed Regulation SCI, this approach may be appropriate to provide 
clarity and guidance to SCI entities and SCI entity employees on one 
method to comply with the proposed general standard in proposed Rule 
1000(b)(2)(i). The Commission solicits commenters' views on the 
Commission's proposed approach. Specifically, do commenters agree with 
the Commission's proposed approach to provide safe harbors for SCI 
entities and employees of SCI entities from liability under proposed 
Rule 1000(b)(2)(i)? Why or why not? How do commenters believe the 
actions of SCI entities or behavior of employees of SCI entities might 
differ if the safe harbors under proposed Rule 1000(b)(2) were not 
available? What are the costs and benefits of the Commission's approach 
to provide safe harbors? What would be the costs and benefits of other 
approaches? Please explain.
    105. Do commenters believe there are specific internal controls or 
other mechanisms that would reinforce the effectiveness of an SCI 
entity's reasonably designed policies and procedures under proposed 
Rule 1000(b)(2)? Why or why not? Please explain. How do SCI entities 
presently use specific internal controls or other mechanisms to ensure 
that their systems operate in a manner that complies with the federal 
securities laws and rules and regulations thereunder and their rules 
and governing documents, as applicable? How do commenters generally 
view the advantages and disadvantages of specific internal controls or 
other mechanisms? The Commission is not proposing to prescribe specific 
internal controls related to compliance with proposed Rule 1000(b)(2). 
Should the Commission propose that any particular internal controls or 
other mechanisms be required (for example, that a senior officer be 
designated to be responsible for the SCI entity's compliance with 
proposed Regulation SCI, or that personnel of the SCI entity certify 
that the SCI entity's policies and procedures are reasonably designed)?
3. SCI Events--Action Required; Notification
    Proposed Rule 1000(b)(3)-(5) would govern the actions an SCI entity 
must take upon any responsible SCI personnel becoming aware of an SCI 
event, whether it be a systems disruption, systems compliance issue, or 
systems intrusion.\221\
---------------------------------------------------------------------------

    \221\ See supra Section III.B.3 for a discussion of the proposed 
definition of systems disruption, systems compliance issue, and 
systems intrusion.
---------------------------------------------------------------------------

a. Corrective Action
    Proposed Rule 1000(b)(3) would require an SCI entity, upon any 
responsible SCI personnel becoming aware of an SCI event, to begin to 
take appropriate corrective action including, at a minimum, mitigating 
potential harm to investors and market integrity resulting from the SCI 
event and devoting adequate resources to remedy the SCI event as soon 
as reasonably practicable. The Commission is proposing this requirement 
to make clear that, upon learning of an SCI event, an SCI entity would 
be required to take the steps necessary to remedy the problem or 
problems causing the SCI event and mitigate the effects of the SCI 
event, if any, on customers, market participants and the securities 
markets.
    Proposed Rule 1000(a) would define ``responsible SCI personnel'' to 
mean, for a particular SCI system or SCI security system impacted by an 
SCI event, any personnel, whether an 
employee or agent, of an SCI entity having responsibility for such 
system. The proposed definition is intended to include any personnel 
used by the SCI entity that has responsibility for the specific 
system(s) impacted by a given SCI event. Thus, such personnel would 
include, for example, any technology, business, or operations staff 
with responsibility for such systems. With respect to systems 
compliance issues, such personnel would also include regulatory, legal, 
or compliance personnel with legal or compliance responsibility for 
such systems. In addition, such ``responsible SCI personnel'' would not 
be limited to managerial or senior-level employees of the SCI entity. 
For example, the proposed definition is intended to include a junior 
systems analyst responsible for monitoring the operations or testing of 
an SCI system or SCI security system. The proposed definition would 
also include not only applicable employees of the SCI entity, but 
applicable agents of the SCI entity as well. Thus, for example, if an 
SCI entity were to contract the monitoring of the operations of a given 
SCI system to an external firm, the proposed definition of 
``responsible SCI personnel'' would include the personnel of such firm 
that were responsible for the monitoring. The proposed definition, 
however, is not intended to include all personnel of an SCI entity. For 
example, personnel of the SCI entity who have no responsibility for any 
SCI system or SCI security system of an SCI entity are not intended to 
be included in the proposed definition.
b. Commission Notification
    Proposed Rule 1000(b)(4) would address the obligation of an SCI 
entity to notify the Commission upon any responsible SCI personnel 
becoming aware of an SCI event.\222\ Proposed Rule 1000(b)(4)(i) would 
require an SCI entity, upon any responsible SCI personnel \223\ 
becoming aware of a systems disruption that the SCI entity reasonably 
estimates would have a material impact on its operations or on market 
participants, any systems compliance issue, or any systems intrusion 
(``immediate notification SCI event''), to notify the Commission of 
such SCI event, which may be done orally or in writing (e.g., by 
email). Proposed Rule 1000(b)(4)(ii) would require an SCI entity to 
submit a written notification pertaining to any SCI event to the 
Commission within 24 hours of any responsible SCI personnel becoming 
aware of the SCI event. Proposed Rule 1000(b)(4)(iii) would require an 
SCI entity to submit to the Commission continuing written updates on a 
regular basis, or at such frequency as reasonably requested by a 
representative of the Commission, until such time as the SCI event is 
resolved.\224\
---------------------------------------------------------------------------

    \222\ Proposed Rule 1000(b)(5), addressed in Section III.C.3.c 
below, would address whether and when an SCI entity would be 
required to disseminate information regarding an SCI event to its 
members or participants.
    \223\ See supra III.C.3.a (discussing definition of 
``responsible SCI personnel'').
    \224\ See supra Section III.B.3.d, for a discussion of 
dissemination SCI events.
---------------------------------------------------------------------------

    Proposed Rule 1000(b)(4) also would require that any written 
notification to the Commission made pursuant to proposed Rules 
1000(b)(4)(ii) or 1000(b)(4)(iii) be made electronically on new 
proposed Form SCI (Sec.  249.1900), and include all information as 
prescribed in Form SCI and the instructions thereto.\225\ To help 
ensure that the Commission and its staff receive all information known 
by the SCI entity relevant to aiding the Commission's understanding of 
an SCI event, proposed Rule 1000(b)(4)(iv) would provide that a written 
notification under proposed Rule 1000(b)(4)(ii) must include all 
pertinent information known about an SCI event, including: (1) A 
detailed description of the SCI event; (2) the SCI entity's current 
assessment of the types and number of market participants potentially 
affected by the SCI event; (3) the potential impact of the SCI event on 
the market; and (4) the SCI entity's current assessment of the SCI 
event, including a discussion of the SCI entity's determination 
regarding whether the SCI event is a dissemination SCI event or 
not.\226\ In addition, to the extent available as of the time of the 
initial notification, Exhibit 1 would require inclusion of the 
following information: (1) A description of the steps the SCI entity is 
taking, or plans to take, with respect to the SCI event; (2) the time 
the SCI event was resolved or timeframe within which the SCI event is 
expected to be resolved; (3) a description of the SCI entity's rule(s) 
and/or governing documents, as applicable, that relate to the SCI 
event; and (4) an analysis of the parties that may have experienced a 
loss, whether monetary or otherwise, due to the SCI event, the number 
of such parties, and an estimate of the aggregate amount of such 
loss.\227\
---------------------------------------------------------------------------

    \225\ New proposed Form SCI is discussed in detail in Section 
III.E below.
    \226\ See proposed Rule 1000(b)(4)(iv)(A)(1).
    \227\ See proposed Rule 1000(b)(4)(iv)(A)(2).
---------------------------------------------------------------------------

    Proposed Rule 1000(b)(4)(iv)(B) would require an SCI entity to 
update any of the pertinent information contained in previous written 
notifications, including any information required by proposed Rule 
1000(b)(4)(iv)(A)(2) that was not available at the time of initial 
submission. Subsequent notifications would be required to update any of 
the pertinent information previously provided until the SCI event is 
resolved.
    Proposed Rule 1000(b)(4)(iv)(C) would further require an SCI entity 
to provide a copy of any information disseminated to date regarding the 
SCI event to its members or participants or on the SCI entity's 
publicly available Web site.
    The Commission preliminarily believes an SCI entity's obligation to 
notify the Commission of significant SCI events should begin upon any 
responsible SCI personnel becoming aware of an SCI event. Thus, for all 
immediate notification SCI events, an SCI entity would be required to 
notify the Commission of the SCI event. Such notification could be made 
orally (e.g., by telephone) or in a written form (e.g., by email). The 
Commission preliminarily believes that, by not prescribing the precise 
method of communication for an initial notification of an immediate 
notification SCI event under proposed Rule 1000(b)(4)(i), SCI entities 
would have the needed flexibility to determine the most appropriate 
method.\228\ Further, if the responsible SCI personnel became aware of 
such an SCI event outside of normal business hours, the SCI entity 
would still be required to notify the Commission at that time rather 
than, for example, the start of the next business day. For all SCI 
events, including immediate notification SCI events, an SCI entity 
would be required to submit a written notification pertaining to such 
SCI event to the Commission on Form SCI, and follow up with regular 
written updates until the SCI event is resolved. Even if an SCI entity 
had notified the Commission of an immediate notification SCI event in 
writing as would be permitted under proposed Rule 1000(b)(4)(i), the 
SCI entity would still be required to submit a separate written 
notification on Form SCI pursuant to proposed Rule 1000(b)(4)(ii).\229\
---------------------------------------------------------------------------

    \228\ The Commission expects that it would establish a telephone 
hotline, designated email accounts, or similar arrangements, to 
enable receipt of notifications of immediate notification SCI 
events.
    \229\ See proposed Rule 1000(b)(4)(iv), which would require that 
written notifications under 1000(b)(4)(ii) be submitted on Form SCI, 
and which would not provide for the ability of SCI entities to 
submit a written notification of an immediate notification SCI event 
on Form SCI.

---------------------------------------------------------------------------

    The Commission preliminarily believes that the proposed 
notification requirement for immediate notification SCI events, the 
proposed 24-hour time frame for submission of written notices, and the 
proposed continuing update requirement, are appropriately tailored to 
help the Commission and its staff quickly assess the nature and scope 
of an SCI event, and help the SCI entity identify the appropriate 
response to the SCI event, including ways to mitigate the impact of the 
SCI event on investors and promote the maintenance of fair and orderly 
markets. These requirements would help to ensure not only that the 
Commission and its staff are kept apprised of such SCI events, 
including their causes and their effect on the markets, but also that 
the Commission is aware of the steps and resources necessary to correct 
such SCI events, mitigate their effects on other SCI entities and the 
market, and prevent recurrence to the extent possible. The Commission 
also preliminarily believes that the proposal to require an SCI entity 
to update the Commission regularly regarding an SCI event, or at such 
frequency as reasonably requested by a representative of the 
Commission, until the SCI event is resolved, provides appropriate 
flexibility to the Commission to request additional information as 
necessary, depending on the facts and circumstances of the SCI event 
and the SCI entity's progress in resolving it. At the same time, the 
Commission recognizes that the information required to be provided to 
it by an SCI entity about an immediate notification SCI event under 
proposed Rule 1000(b)(4)(i) would represent the SCI entity's initial 
assessment of the SCI event, and that even the written notification on 
Form SCI required under proposed Rule 1000(b)(4)(ii) may, in some 
cases, be a preliminary assessment of the SCI event for which the SCI 
entity may still be in the process of analyzing and assessing the 
precise facts and circumstances related to the SCI event. Thus, the 
Commission is proposing to only require that SCI entities provide 
certain key information for the written notification required under 
proposed Rule 1000(b)(4)(ii),\230\ and only provide certain additional 
details ``to the extent available as of the time of the notification.'' 
\231\ In addition, the Commission's proposal allows for the SCI entity 
to subsequently ``update any information previously provided regarding 
the SCI event, including any information required by paragraph 
(b)(4)(iv)(A)(2) which was not available at the time of the 
notification made pursuant to paragraph (b)(4)(ii).'' \232\
---------------------------------------------------------------------------

    \230\ See proposed Rule 1000(b)(4)(iv)(A)(1).
    \231\ See proposed Rule 1000(b)(4)(iv)(A)(2).
    \232\ See proposed Rule 1000(b)(4)(iv)(B).
---------------------------------------------------------------------------

    Comprehensive reporting of all SCI events would facilitate the 
Commission's regulatory oversight of the national securities markets. 
The proposed reporting requirements should provide the Commission with 
an aggregate and comprehensive set of data on SCI events, a significant 
improvement over the current state of administration, whereby SCI 
entities report events through multiple methods and with varying 
consistency.\233\ The aggregated data that would result from the 
reporting of SCI events would also permit the Commission to analyze 
such data, e.g., to examine the most common types of events and the 
types of systems most often affected. This ability to more efficiently 
analyze a comprehensive set of data would help the Commission to carry 
out its oversight responsibilities because it would help the Commission 
identify more effectively, for example, areas of persistent or 
recurring problems across the systems of all SCI entities.
---------------------------------------------------------------------------

    \233\ Currently, there is no Commission rule specifically 
requiring SCI entities to notify the Commission of systems problems 
in writing or in a specific format. Nevertheless, voluntary 
communications of systems problems to Commission staff occur in a 
variety of ways, including by telephone and email. The Commission 
notes that proposed Rule 1000(b)(4) would impose a new reporting 
requirement on SCI entities, regardless of whether they currently 
voluntarily notify the Commission of SCI events on an ad hoc basis. 
As such, the Commission preliminarily believes that a history of 
voluntarily reporting such events to the Commission would not lessen 
the future burden of reporting such events to the Commission on Form 
SCI as required under proposed Rule 1000(b)(4).
---------------------------------------------------------------------------

    As discussed in greater detail below, the Commission also 
preliminarily believes that submission of required notifications by SCI 
entities by filing Form SCI in an electronic format would be less 
burdensome and a more efficient filing process for SCI entities and the 
Commission than the submission of such notices in non-standardized ad 
hoc formats, as they are currently provided under the ARP Program.\234\
---------------------------------------------------------------------------

    \234\ See infra Section III.D.2 discussing proposed Rule 
1000(d), requiring electronic filings on new proposed Form SCI, and 
Section III.E, discussing information proposed to be required to be 
submitted on new Form SCI. See also infra note 235 and accompanying 
text.
---------------------------------------------------------------------------

c. Dissemination of Information to Members or Participants \235\
---------------------------------------------------------------------------

    \235\ The requirements relating to dissemination of information 
relating to dissemination SCI events to members or participants 
proposed to be included in Regulation SCI relate solely to 
Regulation SCI. Nothing in proposed Regulation SCI should be 
construed as superseding, altering, or affecting the reporting 
obligations of SCI entities under other federal securities laws or 
regulations. Accordingly, in the case of an SCI event, SCI entities 
subject to the public company reporting requirements of Section 13 
or Section 15(d) of the Exchange Act would need to ensure compliance 
with their disclosure obligations pursuant to those provisions 
(including, for example, with respect to Regulation S-K and Forms 
10-K, 10-Q and 8-K) in addition to their disclosure and reporting 
obligations under Regulation SCI. See, e.g., CF Disclosure Guidance: 
Topic No. 2, Cybersecurity (October 13, 2011), available at: https://www.sec.gov/divisions/corpfin/guidance/cfguidance-topic2.htm. As an 
additional example, nothing in proposed Regulation SCI should be 
construed as superseding the obligations such SCI entities may have 
under Regulation FD.
---------------------------------------------------------------------------

    Proposed Rule 1000(b)(5) would require information relating to 
dissemination SCI events to be disseminated to members or participants, 
and specify the nature and timing of such disseminations, with a 
limited delay permitted for certain systems intrusions, as discussed 
further below.\236\ Proposed Rule 1000(b)(5)(i)(A) would require that 
an SCI entity, promptly after any responsible SCI personnel \237\ 
becomes aware of a dissemination SCI event other than a systems 
intrusion, disseminate to its members or participants the following 
information about such SCI event: (1) The systems affected by the SCI 
event; and (2) a summary description of the SCI event. In addition, 
proposed Rule 1000(b)(5)(i)(B) would require an SCI entity to further 
disseminate to its members or participants, when known: (1) A detailed 
description of the SCI event; (2) the SCI entity's current assessment 
of the types and number of market participants potentially affected by 
the SCI event; and (3) a description of the progress of its corrective 
action for the SCI event and when the SCI event has been or is expected 
to be resolved. Proposed Rule 1000(b)(5)(i)(C) would further require an 
SCI entity to provide regular updates to members or participants on any 
of the information required to be disseminated under proposed Rules 
1000(b)(5)(i)(A) and (i)(B).
---------------------------------------------------------------------------

    \236\ See supra Section III.B.3.d for a discussion of 
dissemination SCI events.
    \237\ See supra III.C.3.a (discussing definition of 
``responsible SCI personnel'').
---------------------------------------------------------------------------

    For the disseminations of information to members or participants to 
be meaningful, the Commission preliminarily believes it would be 
necessary for an SCI entity to describe the SCI event in sufficient 
detail to enable a member or participant to determine whether and how 
it was affected by the SCI event and make appropriate decisions based 
on that determination. For example, the Commission preliminarily 
believes that a general statement that a systems disruption occurred 
that impacted trading for a certain period of time would not be 
sufficient. The 
dissemination of information should, for example, specify with 
particularity such information as necessary to provide readers 
meaningful context with regard to the issue, which may include but is 
not limited to, details relating to, if applicable: the magnitude of 
the issue (such as estimates with respect to the number of shares 
affected, numbers of stocks affected, and total dollar volumes of the 
affected trades); the specific system(s) or part of the system(s) that 
caused the issue; the Commission and SCI entity rule(s) that relate 
most directly to the issue; the specific time periods in which the 
issue occurred, including whether the issue may be ongoing; and the 
specific names of the securities affected. The Commission preliminarily 
believes these proposed items, which concern the timing, nature, and 
foreseeable possible consequences of a systems problem, comprise the 
appropriate minimum detail that a member or participant would need to 
assess whether an SCI event affected or would potentially affect that 
member or participant, and would assist members and participants in 
making investment or business decisions based on disclosed facts rather 
than on speculation regarding, for example, the cause of a market 
disruption.\238\
---------------------------------------------------------------------------

    \238\ See supra note 160, referring to Roundtable panelists 
suggesting that communication and disclosure are important elements 
of risk mitigation.
---------------------------------------------------------------------------

    The Commission preliminarily believes that it is appropriate to 
require that the information specified by proposed Rule 
1000(b)(5)(i)(A) be disseminated by the SCI entity to its members or 
participants promptly after any responsible SCI personnel becomes aware 
of an applicable dissemination SCI event. The Commission also 
preliminarily believes that it is appropriate to require the further 
dissemination of information specified by proposed Rule 
1000(b)(5)(i)(B) ``when known'' by the SCI entity. These requirements 
reflect the Commission's preliminary view that, given the sensitivities 
of such dissemination of information, it is important that, before 
information is shared with the SCI entity's members or participants, 
the SCI entity be given a reasonable amount of time to gather, confirm, 
and preliminarily analyze facts regarding a dissemination SCI event. 
The Commission preliminarily believes that the value of dissemination 
of information to an SCI entity's members or participants in these 
circumstances is enhanced when the SCI entity has taken an appropriate 
amount of time to ensure that the information it is sharing with its 
members or participants is accurate, such that incorrect information 
does not cause or exacerbate market confusion. At the same time, the 
Commission preliminarily believes that it is important that basic 
information about dissemination SCI events, such as those items 
required by proposed Rule 1000(b)(5)(i)(A), be made available to 
members or participants promptly.
    The proposed requirement relating to dissemination of information 
to members or participants of dissemination SCI events, other than 
systems intrusions as specified in proposed Rule 1000(b)(5)(i), is 
intended to aid members or participants of SCI entities in determining 
whether their trading activity has been or might be impacted by the 
occurrence of an SCI event at an SCI entity, so that they could 
consider that information in making trading decisions, seeking 
corrective action or pursuing remedies, or taking other responsive 
action. Further, the requirement to disseminate information regarding 
dissemination SCI events could provide an incentive for SCI entities to 
devote more resources and attention to improving the integrity and 
compliance of their systems and preventing the occurrence of SCI 
events.
    Proposed Rule 1000(b)(5)(ii) would provide a limited exception to 
the proposed requirement of prompt dissemination of information to 
members or participants for certain systems intrusions.\239\ Proposed 
Rule 1000(b)(5)(ii) would require an SCI entity, promptly after any 
responsible SCI personnel becomes aware of a systems intrusion, to 
disseminate to its members or participants a summary description of the 
systems intrusion, including a description of the corrective action 
taken by the SCI entity and when the systems intrusion was resolved or 
an estimate of when the systems intrusion is expected to be resolved, 
unless the SCI entity determines that dissemination of such information 
would likely compromise the security of the SCI entity's SCI systems or 
SCI security systems, or an investigation of the systems intrusion, and 
documents the reasons for such determination.\240\ The Commission 
preliminarily believes that information relating to all dissemination 
SCI events, including systems intrusions, should be disseminated to 
members or participants, but that there may be circumstances in which 
such dissemination of information relating to a systems intrusion 
should be delayed, for example, to avoid compromising the investigation 
or resolution of a systems intrusion.\241\ If an SCI entity determines 
to delay the dissemination of information to members or participants 
relating to a systems intrusion, it would be required to make an 
affirmative determination and document the reasons for such 
determination that such dissemination would likely compromise the 
security of its SCI systems or SCI security systems, or an 
investigation of the systems intrusion. If it cannot make such a 
determination, or at whatever point in time such a determination no 
longer applies, information relating to the systems intrusion would be 
required to be disseminated to the SCI entity's members or 
participants.
---------------------------------------------------------------------------

    \239\ As noted in supra note 235, the requirements relating to 
information disseminations to members or participants proposed to be 
included in Regulation SCI, including the proposal to permit an SCI 
entity to delay such dissemination for certain systems intrusions, 
relate solely to Regulation SCI. Nothing in proposed Regulation SCI 
should be construed as superseding, altering, or affecting the 
reporting obligations of SCI entities under other federal securities 
laws or regulations.
    \240\ Unlike proposed Rule 1000(b)(5), proposed Rule 1000(b)(4) 
(relating to Commission notification), discussed above in Section 
III.C.3.b, would not provide for a delay in reporting any systems 
intrusions to the Commission.
    \241\ See supra note 239.
---------------------------------------------------------------------------

    The information required to be disseminated to members or 
participants for systems intrusions by proposed Rule 1000(b)(5)(ii) is 
not as extensive as that required to be disseminated to members or 
participants for other types of dissemination SCI events. The 
Commission is sensitive to the fact that dissemination of too much 
detailed information regarding a systems intrusion may provide hackers 
or others seeking unauthorized entry into the systems of an SCI entity 
with insights into the potential vulnerabilities of the SCI entity's 
systems. At the same time, the occurrence of a systems intrusion may 
reveal a weakness in the SCI systems or SCI security systems of the SCI 
entity that warrants dissemination of information about such event to 
the SCI entity's members or participants. Proposed Rule 1000(b)(5)(ii) 
is therefore intended to strike an appropriate balance by requiring 
dissemination to members or participants, which may be delayed when 
necessary, of key summary information about a given systems intrusion.
Request for Comment
    106. The Commission requests comment on all aspects of proposed 
Rules 1000(b)(3), (4), and (5).
    107. Do commenters believe the proposed definition of ``responsible 
SCI personnel'' in proposed Rule 1000(a) is appropriate? Why or why 
not? Please

[[Page 18121]]

explain. Is the proposed definition sufficiently clear? If not, why 
not? Should the proposed definition only apply to personnel of a given 
seniority, such as managerial personnel or officers of an SCI entity? 
Why or why not? Should the proposed definition include both employees 
and agents of an SCI entity? Why or why not?
    108. As proposed to be required by Rule 1000(b)(3), do commenters 
believe the Commission should require an SCI entity, upon any 
responsible SCI personnel becoming aware of an SCI event, to begin to 
take appropriate corrective action including, at a minimum, mitigating 
potential harm to investors and market integrity resulting from the SCI 
event and devoting adequate resources to remedy the SCI event as soon 
as reasonably practicable? If not, why not? Should the proposed 
requirement that an SCI entity take corrective action be triggered by 
something other than awareness of an SCI event? If so, what would be an 
appropriate trigger, and why?
    109. In addition to requiring an SCI entity to take appropriate 
corrective action, should the Commission also require an SCI entity to 
have written policies and procedures regarding how it should respond to 
SCI events, such as an incident response plan that, for example, would 
lay out in advance of any SCI event the courses of action, 
responsibilities of personnel, chains of command, or similar 
information regarding how the SCI entity and its personnel should 
respond to various SCI event scenarios? Why or why not? Would such a 
requirement be useful? What would be the potential costs and benefits 
of such a requirement? Would SCI entities be able to meet the 
requirements of proposed Rule 1000(b)(3) without developing such 
response plans? \242\ Why or why not? Do SCI entities have such plans 
in place today? If so, please describe.
---------------------------------------------------------------------------

    \242\ See also supra Section III.C.1.a (requesting comment on 
proposed Rule 1000(b)(1)(i)(E) regarding policies and procedures for 
development of business continuity plans and on whether the 
Commission and/or SCI SROs should propose rules governing how such 
plans are tested).
---------------------------------------------------------------------------

    110. With respect to proposed Rule 1000(b)(4), do commenters 
believe the proposal to require an SCI entity to report all SCI events 
to the Commission is appropriate?
    111. Are there SCI events that should not be required to be 
reported to the Commission? If so, what are they, and why should 
reporting of such SCI events not be required? Or, as an alternative, 
would it be appropriate for the Commission to require SCI entities to 
keep and preserve the documentation relating to certain types of SCI 
events without sending that documentation to the Commission? Why or why 
not? If so, how would commenters recommend the Commission distinguish 
between SCI events that should be reported to the Commission and those 
that should only be subject to a recordkeeping requirement? What do 
commenters believe might be the advantages or disadvantages of such an 
alternative approach? Do commenters believe proposed Rule 1000(b)(4) 
may require the reporting of types of issues or types of information 
that may not be critical to the goals of proposed Regulation SCI? 
Please be specific and describe such situations.
    112. What criteria do ARP participants currently use for reporting 
ARP events? How many SCI events would an SCI entity expect to report 
each year?
    113. For immediate notification SCI events, is the initial 
notification requirement in proposed Rule 1000(b)(4)(i) to the 
Commission appropriate? Why or why not? If so, should this requirement 
apply to such SCI events that occur outside normal business hours as 
well? If not, what should be the requirement? Should the Commission 
require a different notification procedure for immediate notifications 
that might occur outside normal business hours? What are the advantages 
and disadvantages of different methods of immediate notifications? 
Please describe. Do commenters agree that those systems disruptions 
that the SCI entity reasonably estimates would have a material impact 
on its operations or on market participants should be subject to the 
immediate notification requirement? Why or why not? Please explain. Do 
commenters agree that all systems compliance issues should be subject 
to the immediate notification requirement? Why or why not? Do 
commenters agree that all systems intrusions should be subject to the 
immediate notification requirement? Why or why not? Should additional 
types of SCI events be subject to the immediate notification 
requirement? If so, which types of SCI events? Please be specific.
    114. Do commenters agree with the proposed 24-hour written 
notification requirement for all SCI events?
    115. Do commenters believe it is appropriate to require that 
written updates be submitted regularly until an SCI event is resolved, 
or at such frequency as reasonably requested by a representative of the 
Commission?
    116. Do commenters believe the proposed required dissemination of 
information to an SCI entity's members or participants regarding 
dissemination SCI events set forth in proposed Rule 1000(b)(5) is 
appropriate? If not, why not? Do commenters believe that requiring the 
dissemination of information about dissemination SCI events to members 
or participants would promote dissemination of information to persons 
who are most directly affected by such events? Why or why not? With 
respect to proposed Rule 1000(b)(5), should any of the proposed 
requirements relating to dissemination of information to members or 
participants be eliminated or modified? \243\ Please explain. What 
other information, if any, should be required to be disseminated to 
members or participants? Please explain. Could these proposed 
requirements have any negative or unintended impact on the market or 
market participants? If so, please explain.
---------------------------------------------------------------------------

    \243\ See also infra Section III.E.1, discussing proposed 
Exhibit 3 to Form SCI, which would require that an SCI entity 
provide a copy of any information disseminated to date regarding an 
SCI event to its members or participants or on the SCI entity's 
publicly available Web site.
---------------------------------------------------------------------------

    117. Do commenters agree with the timing requirements contained in 
proposed Rule 1000(b)(5)? Do commenters agree that the initial 
dissemination of information to members or participants should be 
required promptly after an SCI entity's responsible SCI personnel 
becomes aware of a dissemination SCI event, as would be required by 
proposed Rule 1000(b)(5)(i)(A)? Do commenters believe that more 
specific timing requirements would be more appropriate? If so, what 
should such requirements be? Should there be a specific time period 
requirement with respect to subsequent updates on the status of the 
dissemination SCI event? Why or why not? For example, should there be a 
requirement that an SCI entity provide updates daily or weekly? If so, 
what additional specificity should be included?
    118. Do commenters believe it is appropriate to permit an SCI 
entity to delay the dissemination of information to members or 
participants for certain systems intrusions as proposed in Rule 
1000(b)(5)(ii)? Should an SCI entity be required to immediately 
disseminate information to members or participants regarding a systems 
intrusion, with delays permitted only when the Commission specifically 
authorizes the delay? Why or why not? Should the proposed rule impose a 
maximum period of time that an SCI entity may delay its dissemination 
of information to members or participants for certain systems 
intrusions? Why or why not? If

[[Page 18122]]

so, what should such a maximum period of time be and should the rule 
set forth a specific maximum time period applicable to all instances? 
Please explain.
    119. Are there types of dissemination SCI events that should not be 
required to be disseminated to members or participants? If so, what are 
they, and why should it not be required?
    120. Should dissemination of information to members or participants 
of any types of dissemination SCI events, other than those that are 
systems intrusions, be delayed? If so, please describe the types of SCI 
events and explain why. In addition, please describe the time period 
within which commenters believe such types of dissemination SCI events 
should be disseminated and why such time period would be appropriate.
    121. For any types of dissemination SCI events for which commenters 
believe information should either not be required to be disseminated to 
members or participants or be permitted to have a delay in 
dissemination in certain circumstances (such as for systems 
intrusions), what might be the impact of such non-dissemination or 
delay in dissemination with respect to different types of market 
participants?
    122. Are there SCI entities for which the proposed requirements in 
Rules 1000(b)(3), (b)(4), and (b)(5) would not be appropriate (e.g., 
not cost-effective)? If so, please identify such entity or entities, or 
the characteristics of such entity or entities, and explain which 
proposed requirements would be inappropriate and why. Is the fact that 
they might not be cost-effective an appropriate reason to omit them 
generally for those SCI entities, or on a case-by-case basis, as the 
Commission determined to be consistent with Exchange Act requirements?
    123. What are the current practices of SCI entities with respect to 
the dissemination of information about systems issues to members or 
participants? What type of information do SCI entities currently 
disseminate? Please describe.
4. Notification of Material Systems Changes
    Proposed Rule 1000(b)(6) addresses notification to the Commission 
regarding planned material systems changes,\244\ which the Commission 
believes is important to help ensure it has information about important 
changes at an SCI entity that may affect the SCI entity's ability to 
effectively oversee the operations of its systems. Proposed Rule 
1000(b)(6) would require an SCI entity, absent exigent circumstances, 
to notify the Commission in writing at least 30 calendar days before 
implementation of any planned material systems changes including a 
description of the planned material systems changes as well as the 
expected dates of commencement and completion of implementation of such 
changes. A written notification to the Commission made pursuant to 
paragraph (b)(6) would be required to be made electronically on Form 
SCI and include all information as prescribed in Form SCI and the 
instructions thereto.\245\
---------------------------------------------------------------------------

    \244\ See supra Section III.B.4 (discussing the proposed 
definition of material systems change).
    \245\ See infra Section III.E.2, discussing proposed new Form 
SCI and electronic submission of the notices required by proposed 
Rule 1000(b)(6).
---------------------------------------------------------------------------

    The Commission preliminarily believes that the proposed 30 calendar 
day requirement regarding pre-implementation written notification to 
the Commission of planned material systems changes would be an 
appropriate time period. The Commission has found through its 
experience with the current ARP Inspection Program that this amount of 
advance notice typically is needed to allow Commission staff to 
effectively monitor technology developments associated with a planned 
material systems change. A shorter timeframe might not provide 
sufficient time for Commission staff to understand the impact of the 
systems change; a longer time frame might unnecessarily interfere with 
SCI entities' flexibility in planning and implementing systems changes.
    If exigent circumstances existed, or if the information previously 
provided to the Commission regarding any planned material systems 
change has become materially inaccurate, the SCI entity would be 
required to notify the Commission, either orally or in writing, with 
any oral notification to be memorialized within 24 hours after such 
oral notification by a written notification, as early as reasonably 
practicable.\246\ The existence of exigent circumstances would be 
determined by the SCI entity and might exist where, for example, a 
systems compliance issue or systems intrusion were discovered that 
requires immediate corrective action to ensure compliance with the 
Exchange Act and the rules and regulations thereunder, and/or the SCI 
entity's own rules and procedures. In such cases, it would not be 
prudent or desirable to delay corrective action simply to permit the 30 
calendar days' advance notice required in non-exigent circumstances. In 
addition, there may be circumstances where the information previously 
provided to the Commission regarding a material systems change has 
become materially inaccurate. For example, if a material systems 
change's expected implementation completion date were to be 
substantially delayed because of an inability to procure systems 
components, or due to difficulties in systems programming, an update to 
reflect this development would enable the Commission to make further 
inquiry (as appropriate) in order to understand the potential 
consequences of the delay. Similarly, an update would be required if 
the SCI entity were to decide to significantly alter the scope of its 
planned material systems change.
---------------------------------------------------------------------------

    \246\ See proposed Rule 1000(b)(6)(ii).
---------------------------------------------------------------------------

    The Commission notes further that, in such cases, an SCI entity 
might separately be obligated to notify the Commission or its members 
or participants pursuant to proposed Rules 1000(b)(4) and (5), as 
discussed above.\247\
---------------------------------------------------------------------------

    \247\ See supra Section III.B.3.
---------------------------------------------------------------------------

Request for Comment
    124. The Commission requests comment generally on proposed Rule 
1000(b)(6). Is the proposed requirement to notify the Commission in 
advance of implementation of material systems changes appropriate?
    125. Should the Commission provide additional guidance on, or 
define, what constitutes ``exigent circumstances'' that would obviate 
the need for advance notification? If so, what information, 
clarification, or definition would be helpful, and why?
    126. Do commenters believe that an SCI entity should be required 
to provide updated information to the Commission regarding a planned 
material systems change if the information previously provided to the 
Commission regarding such change were to become materially inaccurate? 
Why or why not?
    127. Do commenters believe that the proposed notification 
requirements would discourage an SCI entity from making necessary 
systems changes? Why or why not?
    128. Is the proposed requirement that an SCI entity report all 
material systems changes too broad or too narrow? Why or why not? 
Should all material systems changes be reported to the Commission? If 
not, which systems changes should be excluded? Do commenters believe 
the proposed rule should specify quantitative criteria or other minimum 
thresholds for the effect of a change to an SCI entity's systems on the 
entity's capacity, security, and operations, beyond which the SCI 
entity would be

[[Page 18123]]

required to notify the Commission of the change?
    129. Do commenters believe it is appropriate for the Commission to 
require a standardized format for disclosing planned material systems 
changes on new proposed Form SCI? If not, why not? What would be a 
better approach?
    130. Are there SCI entities for which the proposed requirements in 
Rule 1000(b)(6) would not be appropriate (e.g., not cost-effective)? If so, 
please identify such entity or entities, or the characteristics of such 
entity or entities, and explain which proposed requirements would be 
inappropriate and why. If they are not cost-effective, would that be an 
appropriate reason to omit them generally for those SCI entities, or on 
a case-by-case basis, as the Commission determined to be consistent 
with Exchange Act requirements?
    131. How often do SCI entities make material systems changes?
5. Review of Systems
    Proposed Rule 1000(b)(7) would require an SCI entity to conduct an 
SCI review of the SCI entity's compliance with Regulation SCI not less 
than once each calendar year, and submit a report of the SCI review to 
senior management of the SCI entity no more than 30 calendar days after 
completion of such SCI review. Proposed Rule 1000(a) would define the 
term ``SCI review'' to mean a review, following established procedures 
and standards, that is performed by objective personnel having 
appropriate experience in conducting reviews of SCI systems and SCI 
security systems, and which review contains: (1) A risk assessment with 
respect to such systems of the SCI entity; and (2) an assessment of 
internal control design and effectiveness to include logical and 
physical security controls, development processes, and information 
technology governance, consistent with industry standards.\248\ In 
addition, such review would be required to include penetration test 
reviews of the SCI entity's network, firewalls, development, testing 
and production systems at a frequency of not less than once every three 
years.\249\ The proposed requirement for an annual SCI review would 
formalize a practice in place under the current ARP Inspection Program 
in which SROs conduct annual systems reviews following established 
audit procedures and standards that result in the presentation of a 
report to senior SRO management on the recommendations and conclusions 
of the review.\250\
---------------------------------------------------------------------------

    \248\ See infra discussion of proposed Rule 1000(b)(8). See also 
supra publications listed in Table A, Domain: Audit.
    \249\ See proposed Rule 1000(a).
    \250\ See supra notes 17-21 and accompanying text. Although ARP 
policy statements used the term ``independent,'' the Commission is 
using the term ``objective'' in proposed Regulation SCI to 
distinguish the meaning of ``objective'' from the meaning of 
``independent,'' which may be considered a term of art in the 
context of financial accounting audits.
---------------------------------------------------------------------------

    The risk assessment with respect to an SCI entity's systems and 
assessment of internal control design and effectiveness should help an 
SCI entity assess the effectiveness of its information technology 
practices and determine where to best devote resources, including 
identifying instances in which the SCI entity was not in compliance 
with the policies and procedures required by proposed Rules 1000(b)(1) 
and (2). The penetration test reviews of the SCI entity's network, 
firewalls, and development, testing and production systems should help 
an SCI entity evaluate the system's security and resiliency in the face 
of attempted and successful systems intrusions. In requiring a 
frequency of not less than once every three years for penetration test 
reviews, the Commission seeks to balance the frequency of such tests 
with the costs associated with performing the tests.\251\
---------------------------------------------------------------------------

    \251\ See infra Section IV.D.2.d (estimating, among other 
things, the cost of conducting SCI reviews, including penetration 
test reviews).
---------------------------------------------------------------------------

    For such assessments and reviews to be effective, the Commission 
preliminarily believes that it is important that they be conducted by 
objective personnel having appropriate experience performing such types 
of reviews. The Commission is not proposing a definition of the term 
``objective,'' but preliminarily believes that to satisfy the criterion 
that an SCI review be conducted by ``objective personnel,'' it should 
be performed by persons who have not been involved in the development, 
testing, or implementation of the systems being reviewed.\252\ The 
Commission preliminarily believes that persons who were not involved in 
the process for development, testing, or implementation of such systems 
would likely be in a better position to identify weaknesses and 
deficiencies that were not identified in the development, testing, and 
implementation stages. As proposed, the SCI review could be performed 
by personnel of the SCI entity (e.g., an SCI entity's internal audit 
department) or an external firm with objective personnel.
---------------------------------------------------------------------------

    \252\ See also supra ARP II note 1 at 22492 n.9.
---------------------------------------------------------------------------

    In addition, proposed Rule 1000(b)(7) would require an SCI entity 
to submit a report of the SCI review to senior management of the SCI 
entity no more than 30 calendar days after completion of such SCI 
review.\253\ The proposed 30-day time frame is based on the 
Commission's experience with the current ARP Inspection Program that an 
entity is able within 30 calendar days to consider the review and 
prepare a report for senior management consideration prior to 
submission to the Commission.
---------------------------------------------------------------------------

    \253\ This proposed requirement would formalize a recommendation 
under the current ARP Inspection Program. See supra note 21 and 
accompanying text.
---------------------------------------------------------------------------

Request for Comment
    132. The Commission requests comment on all aspects of proposed 
Rule 1000(b)(7). Is the proposed definition of ``SCI review'' 
appropriate? Why or why not? And, if not, what would be an appropriate 
definition?
    133. Is the proposed scope of the SCI review appropriate? Why or 
why not? Is it sufficiently clear? Why or why not? Should the SCI 
review include, as proposed in Rule 1000(a), an assessment of internal 
control design and effectiveness to include logical and physical 
security controls, development processes, and information technology 
governance, consistent with industry standards? Why or why not? Should 
it include, as proposed in Rule 1000(a), penetration test reviews of 
the SCI entity's network, firewalls, development, testing and 
production systems? Is the proposed frequency of such penetration test 
reviews (i.e., not less than once every three years) appropriate? Why 
or why not? Should it be more or less frequent? Why or why not?
    134. Do commenters agree with the proposed requirement that the 
review be performed by persons with appropriate experience conducting 
reviews of SCI systems and SCI security systems? Should the Commission 
define how it would evaluate whether a person or persons performing the 
review would satisfy the proposed requirement that they have 
appropriate systems review experience? Are there any credentials or 
specific qualifications that the Commission should require or specify 
as meeting the requirement? For example, should the Commission specify 
that a review be conducted by a person holding a Certified Information 
Systems Auditor (CISA) or GIAC Systems and Network Auditor (GSNA) 
certification? \254\
---------------------------------------------------------------------------

    \254\ For further information regarding these certifications, 
see, e.g., https://www.isaca.org/Certification/CISA-Certified-Information-Systems-Auditor/What-is-CISA/Pages/default.aspx and 
https://www.giac.org/certifications.

---------------------------------------------------------------------------

[[Page 18124]]

    135. Should the term ``objective personnel'' be defined or further 
clarified? If so, what should be such definition?
    136. Are there other elements that should be included in the scope 
of the SCI review? If so, which ones? For example, should the review 
include an assessment of the systems' compliance with the federal 
securities laws and rules and regulations thereunder or the entity's 
rules or governing documents as applicable? Why or why not?
    137. Under what circumstances do SCI entities presently use outside 
consultants or other third parties to review their systems and 
controls? When such outside reviews are conducted, what is the scope 
and the stated purpose? How do outside reviews compare to internal 
reviews by audit or other staff in terms of scope or other factors? 
What are the considerations used by SCI entities in determining whether 
and when to engage outside consultants? How do commenters generally 
view the advantages and disadvantages of internal v. external reviews? 
The Commission is not proposing at this time any requirements related 
to third party reviews. Should the Commission propose to require that 
SCI reviews be conducted by third parties?
    138. What are the current practices of SCI entities with respect to 
reviews of their SCI systems and SCI security systems? How often are 
such reviews conducted? Who conducts such reviews? What do such reviews 
entail? What types of assessments or tests are included in such 
reviews? Do such reviews include penetration test reviews? Please 
describe.
    139. Do commenters agree with the proposal to require an SCI entity 
to submit a report of the SCI review to senior management of the SCI 
entity no more than 30 calendar days after completion of such SCI 
review? Why or why not? Is the 30-day time frame reasonable? Would a 
shorter or longer time period be more appropriate, such as 20, 45, or 
60 days? If so, what should such a time period be and why? Please 
explain.
6. Periodic Reports
    Proposed Rule 1000(b)(8)(i) would require an SCI entity to submit 
to the Commission a report of the SCI review required by paragraph 
(b)(7), together with any response by senior management, within 60 
calendar days after its submission to senior management of the SCI 
entity.
    The proposed requirement to submit a report of the SCI review 
required by paragraph (b)(7), together with any response by senior 
management, within 60 calendar days after its submission to senior 
management of the SCI entity, is designed to ensure that the senior 
management of the SCI entity is aware of any issues with its systems 
and promptly establishes plans for resolving such issues. The 
Commission preliminarily believes that the report would also help 
ensure that the Commission and its staff receive the report and any 
management response in a timely manner,\255\ would help to ensure that 
the Commission is aware of areas that may warrant more focused 
attention during its inspections (i.e., which the SCI entity would 
already have identified for itself through its SCI review), and would 
allow the Commission to review the SCI entity's progress in resolving 
any systems issues. Further, the proposed requirement to submit the 
annual report within 60 calendar days after its submission to senior 
management is based on the Commission's experience with the current ARP 
Inspection Program that 60 calendar days after completion of an annual 
review or report is a sufficient period of time to enable senior 
management to consider such review or report before submitting it to 
the Commission.
---------------------------------------------------------------------------

    \255\ See infra Section III.E.3 and General Instructions to the 
Form, explaining that, ``within 60 calendar days after its 
submission to senior management of the SCI entity, the SCI entity 
shall attach [as Exhibit 5] the report of the SCI review of the SCI 
entity's compliance with Regulation SCI, together with any response 
by senior management.''
---------------------------------------------------------------------------

    In addition, proposed Rule 1000(b)(8)(ii) would require each SCI 
entity to submit a report within 30 calendar days after the end of June 
and December of each year containing a summary description of the 
progress of any material systems change during the six-month period 
ending on June 30 or December 31, as the case may be, and the date, or 
expected date, of completion of implementation of such changes. The 
proposed requirement to submit these semi-annual reports within 30 
calendar days of the end of each semi-annual period is designed to 
ensure that the Commission would have regularly updated information 
with respect to the status of ongoing material systems changes that 
were originally reported pursuant to proposed Rule 1000(b)(6).\256\ 
This proposed requirement would formalize a practice in place under the 
current ARP Inspection Program in which senior information technology, 
audit, and compliance staff of certain SROs prepare such reports in 
advance of meeting with Commission staff periodically throughout the 
year to present and discuss recently completed systems projects and 
proposed systems projects. Further, the proposed requirement to submit 
the semi-annual report within 30 calendar days after the end of the 
applicable semi-annual period is based on the Commission's experience 
with the current ARP Inspection Program that 30 calendar days after 
completion of a report is a sufficient time period to enable senior 
management to consider such report before submitting it to the 
Commission. The Commission is proposing to require these reports to be 
submitted to the Commission on a semi-annual basis because the proposal 
would separately require information relating to planned material 
systems changes to be submitted (absent exigent circumstances or when 
information regarding any planned material systems change becomes 
materially inaccurate) at least 30 calendar days before their 
implementation \257\ and thus requiring an ongoing summary report more 
frequently would not, in the Commission's preliminary view, be 
necessary. On the other hand, the Commission is concerned that a longer 
period of time (such as on an annual basis) would permit significant 
updates and milestones relating to systems changes to occur without 
notice to the Commission.
---------------------------------------------------------------------------

    \256\ As discussed above in supra Section III.C.4, proposed Rule 
1000(b)(6)(ii) would require SCI entities to provide the Commission 
with an update if the information it previously provided to the 
Commission regarding any planned material systems change had become 
materially inaccurate.
    \257\ See proposed Rule 1000(b)(6); see supra notes 244-247 and 
accompanying text.
---------------------------------------------------------------------------

    Pursuant to proposed Rule 1000(b)(8)(iii), the reports required to 
be submitted to the Commission by proposed Rule 1000(b)(8) would be 
required to be submitted electronically as prescribed in Form SCI and 
the instructions thereto.\258\
---------------------------------------------------------------------------

    \258\ See infra Section III.E discussing new proposed Form SCI 
and its contemplated use by SCI entities to submit reports and other 
required information to the Commission electronically in a 
standardized format with attachments when and as required.
---------------------------------------------------------------------------

Request for Comment
    140. Do commenters believe it would be appropriate to require SCI 
entities to submit a report of an SCI review to the Commission within 
60 calendar days of its submission to senior management of the SCI 
entity? Should the Commission lengthen or shorten the time period for 
submission? Why or why not? If so, what is an appropriate period?


    141. Is the proposed requirement to submit semi-annual reports on 
material systems changes necessary or appropriate? Do commenters 
believe it would be appropriate to require each SCI entity to submit a 
semi-annual report within 30 calendar days after the end of each semi-
annual period containing a description of the progress of any material 
systems change during the applicable semi-annual period and the date, 
or expected date, of completion of implementation? Should the 
Commission lengthen or shorten the 30-day period for submission? Is the 
semi-annual submission requirement appropriate or should these reports 
be required to be submitted more or less frequently? If so, please 
state what such frequency should be and why.
    142. Are there any other reports the Commission should require of 
SCI entities? If so, please explain.
    143. Are there SCI entities for which the proposed requirements in 
Rule 1000(b)(8) would not be cost-effective? If so, please identify 
such entity or entities, or the characteristics of such entity or 
entities. For proposed requirements that commenters believe would not 
be cost-effective, would that be an appropriate reason to omit them 
generally for those SCI entities, or on a case-by-case basis, as the 
Commission determines to be consistent with Exchange Act requirements?
7. Proposed Rule 1000(b)(9): SCI Entity Business Continuity and 
Disaster Recovery Plans Testing Requirements for Members or 
Participants
    The Commission is proposing Rule 1000(b)(9), which would address 
testing of SCI entity business continuity and disaster recovery plans, 
including backup systems, by SCI entity members or participants. 
Specifically, proposed Rule 1000(b)(9)(i) would require an SCI entity, 
with respect to its business continuity and disaster recovery plans, 
including its backup systems, to require participation by designated 
members or participants in scheduled functional and performance testing 
of the operation of such plans, in the manner and frequency as 
specified by the SCI entity, at least once every 12 months. Proposed 
Rule 1000(b)(9)(ii) would further require an SCI entity to coordinate 
such testing on an industry- or sector-wide basis with other SCI 
entities. Proposed Rule 1000(b)(9)(iii) would require each SCI entity 
to designate those members or participants it deems necessary, for the 
maintenance of fair and orderly markets in the event of the activation 
of its business continuity and disaster recovery plans, to participate 
in the testing of such plans. Proposed Rule 1000(b)(9)(iii) would also 
require each SCI entity to notify the Commission of such designations 
and its standards for designation on Form SCI and promptly update such 
notification after any changes to its designations or standards.\259\
---------------------------------------------------------------------------

    \259\ The proposed rule does not specify when the Commission 
would need to be notified about the designations and standards 
because SCI entities would be required to provide an initial 
notification at such point as when proposed Regulation SCI were 
effective, and subsequent updates only promptly after its 
designations and/or standards changed.
---------------------------------------------------------------------------

    The Commission preliminarily believes that the testing 
participation requirement in proposed Rule 1000(b)(9) would help an SCI 
entity to ensure that its efforts to develop effective business 
continuity and disaster recovery plans are not undermined by a lack of 
participation by its members or participants that the SCI entity 
believes would be necessary to the success of such plans if they were 
to be put into effect. The Commission further preliminarily believes 
that the appropriate standard for measuring whether business 
continuity and disaster recovery plans can be activated successfully is 
whether such activation would likely result in the maintenance of fair 
and orderly markets, a goal Congress found important in adopting 
Section 11A of the Exchange Act.\260\
---------------------------------------------------------------------------

    \260\ See Section 11A(a)(1)(C) and (a)(2), 15 U.S.C. 76k-
1(a)(1)(C) and (a)(2).
---------------------------------------------------------------------------

    The 2003 Interagency White Paper, which underlies the requirement 
in proposed Rule 1000(b)(1)(i)(E) pertaining to business continuity and 
disaster recovery plans,\261\ identifies three important business 
continuity objectives that would apply to SCI entities: (1) Rapid 
recovery and timely resumption of critical operations following a wide-
scale disruption; (2) rapid recovery and timely resumption of critical 
operations following the loss or inaccessibility of staff in at least 
one major operating location; and (3) a high level of confidence, 
through ongoing use or robust testing, that critical internal and 
external continuity arrangements are effective and compatible.\262\ The 
2003 Interagency White Paper also states that it is a ``sound 
practice'' for organizations to ``routinely use or test recovery and 
resumption arrangements.'' \263\ Further, the Commission's 2003 Policy 
Statement on Business Continuity Planning for Trading Markets states, 
among other things, that market centers, including SROs, are to: (1) 
Have in place a business continuity plan that anticipates the 
resumption of trading in the securities traded by that market no later 
than the next business day following a wide-scale disruption; (2) 
maintain appropriate geographic diversity between primary and back-up 
sites in order to assure resumption of trading activities by the next 
business day; and (3) confirm the effectiveness of the backup 
arrangements through testing.\264\ SCI entities that currently 
participate in the ARP Inspection Program are familiar with the 
standards identified in the 2003 Interagency White Paper and the 
Commission's 2003 Policy Statement on Business Continuity Planning for 
Trading Markets.
---------------------------------------------------------------------------

    \261\ The 2003 Interagency White Paper is included in Table A as 
a proposed SCI industry standard. See supra Section III.C.1.b.
    \262\ See supra note 195.
    \263\ See id.
    \264\ See supra notes 32 and 196.
---------------------------------------------------------------------------

    As noted above,\265\ the experience of the equities and options 
markets in the wake of Superstorm Sandy demonstrates the importance of 
not only an SCI entity itself being able to operate following an event 
that triggers its business continuity and disaster recovery plans, but 
also that the members or participants of the SCI entity be able to 
conduct business with such SCI entity when its business continuity and 
disaster recovery plans have been activated. The Commission 
preliminarily believes that, even if an SCI entity is able to operate 
following an event that triggers its business continuity and disaster 
recovery plans, unless there is effective participation by certain of 
its members or participants in the testing of such plans, the objective 
of ensuring resilient and available markets in general,\266\ and the 
maintenance of fair and orderly markets in particular, would not be 
achieved. Accordingly, the Commission preliminarily believes that it is 
appropriate to require SCI entities to designate members or 
participants they believe are necessary to the successful activation of 
their business continuity and disaster recovery plans, including backup 
systems, and require them to participate in the testing of such plans.
---------------------------------------------------------------------------

    \265\ See supra notes 78-83 and accompanying text.
    \266\ See proposed Rule 1000(b)(1) (requiring SCI entities to 
have policies and procedures relating to, among other things, 
resiliency and availability) and supra Section III.C.1.
---------------------------------------------------------------------------

    Under the proposed rule, each SCI entity would need to schedule, 
and require its designated members or participants to participate in, 
``functional and performance testing'' \267\ of the entity's business 
continuity and disaster recovery plans. Such functional and performance 
testing should 
include not only testing of connectivity, but also testing of an SCI 
entity's systems, such as order entry, execution, clearance and 
settlement, order routing, and the transmission and/or receipt of 
market data, as applicable, to determine if they can operate as 
contemplated by its business continuity and disaster recovery plans.
---------------------------------------------------------------------------

    \267\ As commonly understood, functional testing examines 
whether a system operates in accordance with its specifications, 
whereas performance testing examines whether a system is able to 
perform under a particular workload.
---------------------------------------------------------------------------

    Proposed Rule 1000(b)(9)(i) would require that testing of an SCI 
entity's business continuity and disaster recovery plans occur at least 
once every 12 months. This proposed requirement reflects the 
Commission's preliminary view that the testing of business continuity 
and disaster recovery plans, including backup systems, must occur 
regularly if such plans are to be effective when an actual disaster or 
disruption occurs. The Commission preliminarily believes that its 
proposed required testing frequency of at least once every 12 months is 
the minimum frequency that would be consistent with seeking to ensure 
that testing is meaningful and effective.\268\ However, the proposed 
rule would not prevent an SCI entity from conducting testing and 
requiring participation by members or participants in such testing more 
frequently than once every 12 months, if the SCI entity believes it is 
necessary or if, for example, it materially modifies its business 
continuity and disaster recovery plans.
---------------------------------------------------------------------------

    \268\ Consistent with the frequency of testing under proposed 
Rule 1000(b)(9), the Securities Industry and Financial Markets 
Association coordinates an industry-wide business continuity test 
each year in October. See https://www.sifma.org/services/bcp/industry-testing. See also supra notes 81-82 and accompanying text.
---------------------------------------------------------------------------

    Proposed Rule 1000(b)(9)(i) would also provide an SCI entity with 
discretion to determine the precise manner and content of the testing. 
Thus, for example, the SCI entity would have discretion to determine 
the duration of the testing, the sample size of transactions tested, 
the scenarios tested, and the scope of the test. 
The Commission preliminarily believes that SCI entities are in the best 
position to structure the details of the test in a way that would 
maximize its utility.
    Although proposed Rule 1000(b)(9)(i) would give SCI entities 
discretion to determine the precise manner and content of the testing, 
the Commission is also proposing Rule 1000(b)(9)(ii), which would 
require an SCI entity to coordinate its testing on an industry- or 
sector-wide basis with other SCI entities.\269\ The proposed 
coordination requirement is designed to enhance the value of testing by 
requiring SCI entities to work together to schedule and conduct the 
testing in as efficient and effective a manner as possible. Given that 
trading in the U.S. securities markets today is dispersed among a wide 
variety of exchanges, ATSs, and other trading venues, and is often 
conducted through sophisticated algorithmic trading strategies that 
access many trading platforms simultaneously, the Commission 
preliminarily believes that requiring SCI entities to coordinate 
testing is necessary to ensure the goal of achieving robust and 
effective business continuity and disaster recovery plans, because it 
would result in testing under more realistic market conditions. In 
addition, the Commission is cognizant that situations that trigger 
implementation of an SCI entity's business continuity and disaster 
recovery plans are often not limited in scope to a single SCI entity, 
but may affect multiple, or even all, SCI entities at the same time. 
Thus, proposed Rule 1000(b)(9)(ii)'s requirement is designed to foster 
better coordination and cooperation across the securities industry such 
that the markets, investors, and all market participants may benefit 
from more efficient and meaningful testing. Further, the Commission 
preliminarily believes that it would be more cost-effective for market 
participants to participate in the testing of the business continuity 
and disaster recovery plans of SCI entities on an industry- or sector-
wide basis because such coordination would likely reduce duplicative 
testing efforts.
---------------------------------------------------------------------------

    \269\ Thus, to satisfy the requirement of proposed Rule 
1000(b)(9)(ii), an SCI entity could coordinate its testing with all 
SCI entities, or an appropriate subset of them, such as by asset 
class(es) (NMS stocks, non-NMS stocks, municipal debt, corporate 
bonds, options) or type of SCI entity (national securities 
exchanges, clearing agencies, plan processors).
---------------------------------------------------------------------------

    While proposed Rule 1000(b)(9)(ii) would require SCI entities to 
coordinate testing on an industry- or sector-wide basis, it would 
provide discretion to SCI entities to determine how to best meet this 
requirement because the Commission preliminarily believes that SCI 
entities currently are best suited to find the most efficient and 
effective way to test. Of course, as noted above, each SCI entity may 
require its members or participants to participate in additional 
testing beyond the industry- or sector-wide testing under proposed Rule 
1000(b)(9)(ii).
    Proposed Rule 1000(b)(9)(iii) would require each SCI entity to 
designate those members or participants it deems necessary, for the 
maintenance of fair and orderly markets in the event of the activation 
of its business continuity and disaster recovery plans, to participate 
in the testing of such plans. In addition, proposed Rule 
1000(b)(9)(iii) would require each SCI entity to provide to the 
Commission on Form SCI its standards for determining which members or 
participants are necessary for the maintenance of fair and orderly 
markets in the event of the activation of its business continuity and 
disaster recovery plans and promptly update such notification following 
any changes to such standards. The Commission believes that the 
viability of an SCI entity's business continuity and disaster recovery 
plans, and the usefulness of its backup systems, depend upon the 
ability of such members or participants to be ready, able, and willing 
to use such systems during an actual disaster or disruption. The 
proposed requirement that designated members or participants be 
required to test such plans in advance reflects the Commission's 
preliminary view that the proposed testing would enhance the value of 
SCI entities' business continuity and disaster recovery plans, and 
thereby advance the goal of achieving resilient and available 
markets.\270\
---------------------------------------------------------------------------

    \270\ See supra note 266.
---------------------------------------------------------------------------

    For SCI SROs, proposed Rule 1000(b)(9)(iii) would require SRO rules 
pursuant to Section 19(b) of the Exchange Act, setting forth the 
standards for designation. For an SCI ATS or an exempt clearing agency 
subject to ARP, the requirement in proposed Rule 1000(b)(9)(iii) would 
be satisfied by setting forth such standards in its internal 
procedures, as well as any subscriber or similar agreement, as 
applicable. For an SCI entity that is a plan processor, proposed Rule 
1000(b)(9)(iii) would require an amendment to the applicable SCI Plan 
pursuant to Rule 608 of Regulation NMS, setting forth such standards. 
Further, proposed Rule 1000(b)(9)(iii) would require each SCI entity to 
provide to the Commission on Form SCI the list of designated members or 
participants and promptly update such notification following any 
changes to the designations.\271\
---------------------------------------------------------------------------

    \271\ As discussed in infra Section III.E, Form SCI would also 
require SCI entities to attach the relevant provision of their rules 
(for SCI SROs), SCI Plans (for plan processors) or subscriber or 
similar agreements (for SCI ATSs and exempt clearing agencies 
subject to ARP) that require designated members or participants to 
participate in the testing required by proposed Rule 1000(b)(9).
---------------------------------------------------------------------------

Request for Comment
    144. The Commission requests comment generally on proposed Rule 
1000(b)(9).


    145. Do commenters believe the proposal to require an SCI entity, 
with respect to its business continuity and disaster recovery plans, 
including its backup systems, to require participation by designated 
members or participants in scheduled functional and performance testing 
of the operation of such plans, in the manner and frequency as 
specified by the SCI entity, is appropriate? Why or why not? Is the 
proposed requirement that SCI entities require participation in 
``functional and performance testing'' appropriate? Why or why not? Is 
the term ``functional and performance testing'' clear? If not, why not 
and what would be a better description of the nature of the proposed 
required testing?
    146. Do commenters believe it is appropriate to require that such 
testing occur at least once every 12 months? Why or why not? Would 
another minimum interval for such testing, such as bi-annually, semi-
annually, or quarterly, be more appropriate? Please explain. Would it 
be appropriate to also require such testing to occur following a 
material change to the SCI entity's business continuity and disaster 
recovery plans? Why or why not? If yes, would it be appropriate to 
require such testing within 90 days of the material change? Why or why 
not? Would another time period be more appropriate? If so, what should 
such time period be?
    147. Should the Commission give SCI entities discretion in 
designating the members or participants that must participate in the 
testing of the business continuity and disaster recovery plans? Why or 
why not? Should the Commission instead specify standards for such 
designation? If so, what should the standards be based on? For example, 
should the standards be based on the size, volume traded or cleared, 
and/or geographic proximity of a member or participant to the SCI 
entity's backup systems? Why or why not? Should only members or 
participants that execute or clear transactions above a certain volume 
threshold and/or that account for a certain percentage of trading 
volume on the SCI entity be required to participate? Why or why not? If 
so, what should be such threshold or thresholds (e.g., 0.5 percent, 1 
percent, 5 percent)? Should an SCI entity be required to mandate 
participation in testing by some other subset of members or 
participants? For example, should such subset comprise members or 
participants that account for a certain percentage of trading in each 
or all of the equities, options, or fixed-income markets traded through 
the SCI entity? Why or why not? If so, what should be such threshold 
(e.g., 0.5 percent, 1 percent, 5 percent)? Or, should testing be 
mandated only for certain types of market participants (e.g., market 
makers, clearing broker-dealers, retail broker-dealers)? If so, for 
which types of market participants should testing be mandatory and why? 
Please explain. Alternatively, should all members or participants of an 
SCI entity (or certain types of SCI entities, e.g., plan processors) be 
required to participate in the testing of its business continuity and 
disaster recovery plans? Why or why not?
    148. Do commenters believe those members or participants that would 
likely be designated by SCI entities under proposed Rule 
1000(b)(9)(iii) currently have the ability, including the 
infrastructure, to participate in the required testing? Do commenters 
believe all members or participants of SCI entities currently have the 
ability, including the infrastructure, to participate in such testing? 
What would be the costs and benefits to a member or participant of an 
SCI entity to participate in such testing, including for such member or 
participant to establish and maintain connectivity to an SCI entity's 
backup systems? What would be the economic effect of this proposed 
rule, particularly with regard to a member or participant? Please 
describe in detail and provide data to support your views if possible.
    149. Should an SCI entity be required to notify the Commission on 
Form SCI of its standards for designating members or participants for 
testing and its list of designated members or participants? Why or why 
not? Should an SCI entity be required to promptly update such 
Commission notification if its standards for designation or list of 
designated members or participants change? Why or why not? Is there a 
more appropriate time period for updating Commission notifications 
(e.g., 7 days following a change, 30 days following a change, 
quarterly)? Please explain.
    150. Proposed Rule 1000(b)(9)(i) would require each SCI entity to 
mandate participation by designated members or participants in 
``functional and performance testing'' of its business continuity and 
disaster recovery plans, including its backup systems, but would leave 
to the discretion of the SCI entity the details regarding the manner of 
testing. Should the Commission be more prescriptive with respect to 
such testing? For example, should the Commission require that SCI 
entities periodically operate from their backup facilities during 
regular trading hours? Why or why not? Please explain. Are there other 
details that the Commission should prescribe in relation to the 
proposed rule? If so, please explain.
    151. Proposed Rule 1000(b)(9)(ii) would require SCI entities to 
coordinate testing on an industry- or sector-wide basis, but would not 
specify the manner or parameters of such coordination. Do commenters 
believe it is appropriate 
to leave such discretion to SCI entities? Why or why not? Are the terms 
``industry-wide'' and ``sector-wide'' clear? Should the Commission 
define these terms? If so, what would be appropriate definitions? Would 
such an approach foster the creation of meaningful, efficient testing 
of business continuity and disaster recovery plans across SCI entities 
and their members or participants? Why or why not? If not, what would 
be a more appropriate approach? Should the Commission require a minimum 
number of SCI entities needed to satisfy the coordination requirement 
of proposed Rule 1000(b)(9)(ii)? Or should that requirement only be 
satisfied if all SCI entities (or all SCI entities within a sector of 
the industry) participate? Why or why not? Should the Commission 
mandate a minimum list of actions that SCI entities must take to 
satisfy the requirement of proposed Rule 1000(b)(9)(ii)? If so, what 
actions should be required and why? If not, why not?
    152. Should the Commission require SCI entities to submit reports 
on the results of their testing of business continuity and disaster 
recovery plans or reports of any systems testing that was not 
successful? If not, why not? If so, should such reports be required to 
be submitted within a specified time frame or in a specified manner or 
format? Please explain. In addition, should the Commission require SCI 
entities to submit reports on systems testing opportunities required of 
or made available to members or subscribers and the extent to which 
such members or subscribers participate in such opportunities?
    153. Would proposed Rule 1000(b)(9) enhance investor confidence in 
the integrity of the U.S. securities markets? Why or why not? Please 
explain. What would be the costs associated with proposed Rule 
1000(b)(9)? What would be the benefits? Please be specific. What would 
be the potential competitive impacts of proposed Rule 1000(b)(9), 
including impacts on small members or small participants? To the extent 
possible, please provide data to support your views.
    154. To help ensure that the goals of an SCI entity's business 
continuity and disaster recovery plans are achieved, should the 
Commission impose other requirements (in addition to the mandatory 
testing participation 
requirement in proposed Rule 1000(b)(9)) on the members or participants 
of SCI entities? \272\ For example, proposed Rule 1000(b)(1)(i)(E) 
would require that an SCI entity's business continuity and disaster 
recovery plans allow for ``maintaining backup and recovery capabilities 
sufficiently resilient and geographically diverse to ensure next 
business day resumption of trading.'' Should the Commission require SCI 
entities to mandate that some or all of their members or participants 
be able to meet the next business day resumption of trading standards 
for SCI entities in proposed Rule 1000(b)(1)(i)(E)? Why or why not? If 
not all, which members or participants should be required to meet such 
resumption of trading standards? For example, should an SCI entity 
require members or participants that execute transactions above a 
certain volume threshold and/or that account for a certain percentage 
of trading on the SCI entity to meet such resumption of trading 
standards? Why or why not? If so, what should be such threshold or 
thresholds?
---------------------------------------------------------------------------

    \272\ See also infra Section III.G (soliciting comment on 
whether broker-dealers, other than SCI ATSs, should be subject to 
some or all of the additional system safeguard rules that are 
proposed for SCI entities).
---------------------------------------------------------------------------

    155. Are there other requirements that SCI entities should mandate 
for their members or participants to help SCI entities meet their 
obligations under proposed Regulation SCI? If so, what are they? Please 
describe. For example, should the Commission also require each SCI 
entity to mandate that its members or participants maintain continuous 
connectivity with the SCI entity's backup data centers? Why or why not? 
If not all, which members or participants should be required to 
maintain continuous connectivity with the SCI entity's backup data 
centers? For example, should an SCI entity require members or 
participants designated under proposed Rule 1000(b)(9)(iii), or that 
execute transactions above a certain volume threshold and/or that 
account for a certain percentage of trading on the SCI entity, to 
maintain such connectivity? Why or why not? If so, what should be such 
threshold or thresholds?

D. Proposed Rule 1000(c)-(f): Recordkeeping, Electronic Filing on Form 
SCI, and Access

1. Recordkeeping Requirements
    The Commission notes that many SCI entities are already subject to 
recordkeeping requirements,\273\ but that records relating to systems 
review and testing may not be specifically addressed in certain current 
recordkeeping rules. Accordingly, the Commission is proposing Rule 
1000(c) to specifically address recordkeeping requirements for SCI 
entities with respect to records relating to Regulation SCI compliance.
---------------------------------------------------------------------------

    \273\ See, e.g., 17 CFR 240.17a-1, applicable to SCI SROs; 17 
CFR 240.17a-3, 17a-4, applicable to broker-dealers; and 17 CFR 
242.301-303, applicable to ATSs.
     It has been the experience of the Commission that SCI entities 
presently subject to the ARP Inspection Program (nearly all of whom 
are SCI SROs that are also subject to the record keeping 
requirements of Rule 17a-1(a)) do generally keep and preserve the 
types of records that would be subject to the requirements of 
proposed Rule 1000(c). Nevertheless, the Commission preliminarily 
believes that Regulation SCI's codification of these preservation 
practices will support an accurate, timely, and efficient inspection 
and examination process and help ensure that all types of SCI 
entities keep and preserve such records.
---------------------------------------------------------------------------

    Proposed Rule 1000(c)(1) would require each SCI SRO to make, keep, 
and preserve all documents relating to its compliance with Regulation 
SCI, as prescribed by Rule 17a-1 under the Exchange Act.\274\ Rule 17a-
1(a) under the Exchange Act requires every national securities 
exchange, national securities association, registered clearing agency, 
and the MSRB to keep and preserve at least one copy of all documents, 
including all correspondence, memoranda, papers, books, notices, 
accounts, and other such records as shall be made and received by it in 
the course of its business as such and in the conduct of its self-
regulatory activity.\275\ In addition, Rule 17a-1(b) requires these 
entities to keep all such documents for a period of not less than five 
years, the first two years in an easily accessible place, subject to 
the destruction and disposition provisions of Rule 17a-6.\276\ Rule 
17a-1(c) requires these entities, upon request of any representative of 
the Commission, to promptly furnish to the possession of Commission 
representatives copies of any documents required to be kept and 
preserved by it pursuant to Rule 17a-1(a) and (b).\277\ The Commission 
believes that the breadth of Rule 17a-1 under the Exchange Act is such 
that it would require SCI SROs to make, keep, and preserve records 
relating to their compliance with proposed Regulation SCI should the 
Commission adopt Regulation SCI. Thus, the Commission proposes to 
cross-reference Rule 17a-1 in proposed Regulation SCI to be clear that 
it intends all SCI entities to be subject to the same recordkeeping 
requirements regarding compliance with proposed Regulation SCI.
---------------------------------------------------------------------------

    \274\ 17 CFR 240.17a-1.
    \275\ See 17 CFR 240.17a-1(a). Such records would, for example, 
include copies of incident reports and the results of systems 
testing.
    \276\ See 17 CFR 240.17a-1(b). Rule 17a-6(a) under the Exchange 
Act states: ``Any document kept by or on file with a national 
securities exchange, national securities association, registered 
clearing agency or the Municipal Securities Rulemaking Board 
pursuant to the Act or any rule or regulation thereunder may be 
destroyed or otherwise disposed of by such exchange, association, 
clearing agency or the Municipal Securities Rulemaking Board at the 
end of five years or at such earlier date as is specified in a plan 
for the destruction or disposition of any such documents if such 
plan has been filed with the Commission by such exchange, 
association, clearing agency or the Municipal Securities Rulemaking 
Board and has been declared effective by the Commission.'' 17 CFR 
240.17a-6(a).
    \277\ See 17 CFR 240.17a-1(c).
---------------------------------------------------------------------------

    For SCI entities that are not SCI SROs (i.e., SCI ATSs, plan 
processors, and exempt clearing agencies subject to ARP), the 
Commission is proposing broad recordkeeping requirements relating to 
compliance with proposed Regulation SCI that are consistent with those 
applicable to SROs under Rule 17a-1 under the Exchange Act. Thus, the 
Commission is proposing Rule 1000(c)(2), which would require SCI 
entities other than SCI SROs to: (i) Make, keep, and preserve at least 
one copy of all documents, including correspondence, memoranda, papers, 
books, notices, accounts, and other such records, relating to its 
compliance with Regulation SCI, including, but not limited to, records 
relating to any changes to its SCI systems and SCI security systems; 
(ii) keep all such documents for a period of not less than five years, 
the first two years in a place that is readily accessible to the 
Commission or its representatives for inspection and examination; \278\ 
and (iii) upon request of any representative of the Commission, 
promptly furnish to the possession of such representative copies of any 
documents required to be kept and preserved by it pursuant to (i) and 
(ii) above.
---------------------------------------------------------------------------

    \278\ The proposed five-year and two-year time frames would be 
the same as those applicable to SCI SROs pursuant to Rule 17a-1 
under the Exchange Act, and the Commission preliminarily believes it 
would be appropriate for all SCI entities to be subject to the same 
time frame requirements.
---------------------------------------------------------------------------

    Proposed Rule 1000(c)(3), applicable to all SCI entities, would 
require each SCI entity, upon or immediately prior to ceasing to do 
business or ceasing to be registered under the Exchange Act, to take 
all necessary action to ensure that records required to be made, kept, 
and preserved by proposed Rule 1000(c) would be accessible to the 
Commission or its representatives for the remainder of the period 
required by proposed Rule 1000(c). For example, an SCI entity could 
fulfill its obligations under proposed Rule 1000(c)(3) by delivering
such records, immediately prior to deregistration, to a repository or 
other similar entity and by making all necessary arrangements for such 
records to be readily accessible to the Commission or its 
representative, for inspection and examination for the duration of the 
requirement under proposed Rule 1000(c)(3).
    The Commission preliminarily believes that its ability to examine 
for and enforce compliance with proposed Regulation SCI could be 
hampered if an SCI entity were not required to adequately provide 
accessibility for the full proposed retention period. In addition, 
while many SCI events may occur, be discovered, and be resolved in a 
short time frame, there may be other SCI events that may not be 
discovered until months or years after their occurrences, or may take 
significant periods of time to fully resolve. In such cases, having an 
SCI entity's records available even after it has ceased to do business 
or be registered under the Exchange Act would be beneficial. Because 
SCI events have the potential to negatively impact investor decisions, 
risk exposure, and market efficiency, the Commission also preliminarily 
believes that its ability to oversee the securities markets could be 
undermined if it is unable to review records to determine the causes 
and consequences of one or more SCI events experienced by an SCI entity 
that deregisters or ceases to do business. This information would 
provide an additional tool to help the Commission reconstruct important 
market events and better understand how such events impacted investor 
decisions, risk exposure, and market efficiency.
    Proposed Rule 1000(e) would provide that, if the records required 
to be made or kept by an SCI entity under proposed Regulation SCI were 
prepared or maintained by a service bureau or other recordkeeping 
service on behalf of the SCI entity, the SCI entity would be required 
to ensure that the records are available for review by the Commission 
and its representatives by submitting a written undertaking, in a form 
acceptable to the Commission, by such service bureau or other 
recordkeeping service, signed by a duly authorized person at such 
service bureau or other recordkeeping service. The written undertaking 
would be required to include an agreement by the service bureau 
designed to permit the Commission and its representatives to examine 
such records at any time or from time to time during business hours, 
and to promptly furnish to the Commission and its representatives true, 
correct, and current electronic files in a form acceptable to the 
Commission or its representatives or hard copies of any, all, or any 
part of such records, upon request, periodically, or continuously and, 
in any case, within the same time periods as would apply to the SCI 
entity for such records. The preparation or maintenance of records by a 
service bureau or other recordkeeping service would not relieve an SCI 
entity from its obligation to prepare, maintain, and provide the 
Commission and its representatives with access to such records. 
Proposed Rule 1000(e) is substantively the same as the requirement 
applicable to broker-dealers under Rule 17a-4(i) of the Exchange 
Act.\279\
---------------------------------------------------------------------------

    \279\ 17 CFR 240.17a-4(i).
---------------------------------------------------------------------------

    The Commission is proposing this requirement for SCI entities to 
prevent the inability of the Commission to obtain required SCI entity 
records because they are held by a third party that may not otherwise 
have an obligation to make such records available to the Commission. In 
addition, the requirement that SCI entities obtain from such third 
parties a written undertaking would help ensure that such service 
bureau or other recordkeeping service is aware of this obligation with 
respect to records relating to proposed Regulation SCI. The Commission 
preliminarily believes that it is appropriate to include this 
requirement in proposed Regulation SCI to help ensure that the 
Commission would have prompt and efficient access to all required 
records, including those housed at a service bureau or any other 
recordkeeping service.\280\
---------------------------------------------------------------------------

    \280\ See 17 CFR 240.17a-4(i) (records preserved or maintained 
by a service bureau).
---------------------------------------------------------------------------

Request for Comment
    156. The Commission requests comment on all aspects of proposed 
Rule 1000(c). Specifically, do SCI entities currently make, keep, and 
preserve the types of records that would be required to be made, kept, 
and preserved by proposed Rule 1000(c)? Are there any records that 
could be important to make, keep, and preserve that would not be 
captured under proposed Rule 1000(c) or the existing recordkeeping 
requirements for SROs under Rule 17a-1? If so, please explain and 
identify the records. Should any of the records subject to proposed 
Rule 1000(c) not be required? If so, please explain and identify the 
records. Should the Commission require SCI entities to furnish records 
to Commission representatives electronically in a tagged data format 
(e.g., XML, XBRL, or similar structured data formats which may be 
tagged)? The Commission notes that a tagged data format would have the 
benefit of permitting records to be organized and searched more easily, 
and thereby enable more efficient analyses, but that there would also 
be costs associated with implementing a tagged data format requirement. 
Do commenters believe the benefits of using a tagged data format would 
justify the costs? Why or why not? Please explain. If so, should any 
particular electronic format be mandated? If so, please describe.
    157. Should the Commission lengthen or shorten the proposed periods 
for SCI entities to keep and preserve records? If so, by how much and 
why? Is it appropriate for an SCI entity, prior to ceasing to do 
business or ceasing to be regulated under the Exchange Act, to be 
required to ensure that its records are accessible in some way to the 
Commission and its representatives? Why or why not? What practical 
steps do commenters envision an SCI entity taking to comply with this 
proposed requirement?
    158. The Commission requests comment on all aspects of proposed 
Rule 1000(e). Specifically, would the written undertaking required by 
proposed Rule 1000(e) be sufficient to help ensure that the Commission 
and its representatives would be able to obtain and examine true, 
correct, and current records of SCI entities? Why or why not? Are the 
provisions of proposed Rule 1000(e) an appropriate means of addressing 
any potential problems with access to books and records at service 
bureaus? Why or why not? Are there alternatives that the Commission 
should consider with respect to recordkeeping requirements for SCI 
entities? If so, please explain your reasoning.
2. Electronic Submission of Reports, Notifications, and Other 
Communications on Form SCI
    Proposed Rule 1000(d) provides that, except with respect to 
notifications to the Commission under proposed Rule 1000(b)(4)(i) 
(Commission notification of certain SCI events), and oral notifications 
to the Commission under proposed Rule 1000(b)(6)(ii) (Commission 
notification of certain material systems changes), any notification, 
review, description, analysis, or report required to be submitted to 
the Commission under proposed Regulation SCI must be submitted 
electronically and contain an electronic signature. This proposed 
requirement is intended to provide a uniform manner in which the 
Commission would receive--and SCI entities would provide--written
notifications, reviews, descriptions, analyses, or reports made 
pursuant to proposed Regulation SCI. The Commission preliminarily 
believes that such standardization would guide SCI entities in 
completing such submissions and make it easier and more efficient for 
them to draft and submit such required reports. Additionally, the 
standardization would make it easier and more efficient for the 
Commission to promptly review, analyze, and respond, as necessary, to 
the information proposed to be provided.\281\ The electronic signature 
requirement is consistent with the intention of the Commission to 
receive documents that can be readily accessed and processed 
electronically.
---------------------------------------------------------------------------

    \281\ This proposed requirement is consistent with electronic-
reporting standards set forth in other Commission rules under the 
Exchange Act, such as Rule 17a-25 (Electronic Submission of 
Securities Transaction Information by Exchange Members, Brokers, and 
Dealers). See 17 CFR 240.17a-25.
---------------------------------------------------------------------------

    Proposed Rule 1000(d) also would require that submissions by SCI 
entities be filed electronically on new proposed Form SCI, in 
accordance with the instructions contained in Form SCI.\282\ The 
Commission's proposal contemplates the use of an online filing system, 
similar to the electronic form filing system (``EFFS'') currently used 
by SCI SROs to submit Form 19b-4 filings, through which an SCI entity 
would be able to file a completed Form SCI.\283\ Based on the 
widespread use and availability of the Internet, the Commission 
preliminarily believes that filing Form SCI in an electronic format 
would be less burdensome and a more efficient filing process for SCI 
entities and the Commission, as it is likely to be less expensive and 
cumbersome than mailing and filing paper forms to the Commission.
---------------------------------------------------------------------------

    \282\ See proposed Rule 1000(d) and infra Section III.E.
    \283\ See Securities Exchange Act Release No. 50486 (October 4, 
2004), 69 FR 60287 (October 8, 2004) (adopting the EFFS for use in 
filing Form 19b-4).
---------------------------------------------------------------------------

Request for Comment
    159. The Commission requests comment on all aspects of proposed 
Rule 1000(d). Do commenters believe that the electronic submission 
requirement of proposed Rule 1000(d) is appropriate? Alternatively, 
would the submission of a required notification, review, description, 
analysis, or report via electronic mail to one or more Commission email 
addresses be a more appropriate way for the Commission to implement the 
proposed requirement? Are there other alternative methods that would be 
preferable? If so, please describe. Should there be any additional 
security requirements for such communications (e.g., password 
protection or encryption)? If so, please describe. Should the 
submissions be made in a tagged data format, e.g., XML, XBRL, or 
similar structured data formats which may be tagged? The Commission 
notes that a tagged data format would have the benefit of permitting 
records to be organized and searched more easily, and thereby enable 
more efficient analyses, but that there would also be costs associated 
with implementing a tagged data format requirement. Do commenters 
believe the benefits of using a tagged data format would justify the 
costs? Why or why not? Please explain. If so, should any particular 
electronic format be mandated? If so, please describe.
3. Access to the Systems of an SCI Entity
    Proposed Rule 1000(f) would require SCI entities to provide 
Commission representatives reasonable access to their SCI systems and 
SCI security systems. Thus, the proposed rule would facilitate the 
access of representatives of the Commission to such systems of an SCI 
entity either remotely or on site.\284\ Proposed Rule 1000(f) is 
intended to be consistent with the Commission's current authority with 
respect to access to records generally \285\ and help ensure that 
Commission representatives have ready access to the SCI systems and SCI 
security systems of SCI entities in order to evaluate an SCI entity's 
practices with regard to the requirements of proposed Regulation 
SCI.\286\
---------------------------------------------------------------------------

    \284\ For example, with access to an SCI entity's SCI systems 
and SCI security systems, Commission representatives could test an 
SCI entity's firewalls and vulnerability to intrusions.
    \285\ See, e.g., Section 17(b) of the Exchange Act which states 
that all records of the entities listed in Section 17(a) ``are 
subject at any time, or from time to time, to such reasonable 
periodic, special, or other examinations by representatives of the 
Commission * * * as the Commission * * * deems necessary or 
appropriate in the public interest, for the protection of investors, 
or otherwise in furtherance of the purposes of [the Exchange Act].''
    \286\ See 15 U.S.C. 78q(b). The Commission believes proposed 
Rule 1000(f) also is authorized by Sections 11A, 6(b)(1), 15A(b)(2), 
and 17A(b)(3)(A) of the Exchange Act, among others. See supra notes 
9-11 and accompanying text.
---------------------------------------------------------------------------

Request for Comment
    160. The Commission requests comment generally on proposed Rule 
1000(f). Are there restrictions that should be placed on the proposed 
access that would still allow the Commission and its representatives to 
be able to evaluate an SCI entity's practices with regard to the 
requirements of proposed Regulation SCI? If so, what should such 
restrictions be and why? Please describe.

E. New Proposed Form SCI

    The Commission is proposing that the notices, reports, and other 
information required to be provided to the Commission pursuant to 
proposed Rules 1000(b)(4), (6), (8), and (10) of Regulation SCI be 
submitted electronically on new proposed Form SCI. Proposed Form SCI 
would solicit information through a series of questions designed to 
elicit short-form answers and also would require SCI entities to 
provide information and/or reports in narrative form by attaching 
specified exhibits. All filings on proposed Form SCI would require that 
an SCI entity identify itself and indicate the basis for submitting 
Form SCI, whether a: notification or update notification regarding an 
SCI event pursuant to proposed Rule 1000(b)(4); notice of a planned 
material systems change pursuant to proposed Rule 1000(b)(6); 
submission of a required report pursuant to proposed Rule 1000(b)(8); 
or notification of an SCI entity's standards for designation of members 
or participants to participate in required testing and the identity of 
such designated members or participants pursuant to proposed Rule 
1000(b)(9). A filing on Form SCI required by proposed Rules 1000(b)(4), 
(6), (8), or (9) would require that an SCI entity provide additional 
information on attached exhibits, as discussed below.
1. Notice of SCI Events Pursuant to Proposed Rule 1000(b)(4)
    As discussed above, proposed Rule 1000(b)(4)(i) would require an 
SCI entity, upon any responsible SCI personnel becoming aware of a 
systems disruption that the SCI entity reasonably estimates would have 
a material impact on its operations or on market participants, any 
systems compliance issue, or any systems intrusion, to notify the 
Commission of such SCI event. Proposed Rule 1000(b)(4)(ii) would 
require an SCI entity, upon any responsible SCI personnel becoming 
aware of any SCI event, to notify the Commission of the SCI event in 
writing within 24 hours. Proposed Rule 1000(b)(4)(iii) would require 
continuing written updates on a regular basis, or at such frequency as 
reasonably requested by a representative of the Commission, until such 
time as the SCI event is resolved. Proposed Rule 1000(b)(4)(iv) would 
direct an SCI entity to submit the required notifications on Form SCI. 
Further, proposed Rule 1000(b)(4)(iv) and new proposed Form SCI would 
specify the particular information an
SCI entity would be required to provide to the Commission to comply 
with the Commission notification requirements of proposed Rules 
1000(b)(4)(ii) and 1000(b)(4)(iii). As such, proposed Rule 1000(b)(4) 
would specify when and how notices would be required to be filed, and 
it and new proposed Form SCI would address the content of required 
notices.
    For a written notification to the Commission of an SCI event under 
proposed Rule 1000(b)(4)(ii), new proposed Form SCI would require that 
an SCI entity indicate that the filing is being made pursuant to 
proposed Rule 1000(b)(4)(ii) and provide the following information in a 
short, standardized format: (i) Whether the filing is a Rule 
1000(b)(4)(ii) notification or Rule 1000(b)(4)(iii) update of an SCI 
event; (ii) the SCI event type(s) (i.e., systems compliance issue, 
systems intrusion, and/or systems disruption); (iii) whether the event 
is a systems disruption that the SCI entity reasonably estimates would 
have a material impact on its operations or on market participants; 
(iv) if so, whether the Commission has been notified of the SCI event; 
(v) whether the SCI event has been resolved; (vi) the date/time the SCI 
event started; (vii) the duration of the SCI event; (viii) the date and 
time when responsible SCI personnel became aware of the SCI event; (ix) 
the estimated number of market participants impacted by the SCI event; 
(x) the type(s) of systems impacted; \287\ and (xi) if applicable, the 
type of systems disruption.\288\ In addition, proposed Form SCI would 
require attachment of Exhibit 1, providing a narrative description of 
the SCI event, including: (1) A detailed description of the SCI event; 
(2) the SCI entity's current assessment of the types and number of 
market participants potentially affected by the SCI event; (3) the 
potential impact of the SCI event on the market; and (4) the SCI 
entity's current assessment of the SCI event, including a discussion of 
the SCI entity's determination regarding whether the SCI event is a 
dissemination SCI event or not.\289\ In addition, to the extent 
available as of the time of the initial notification, Exhibit 1 would 
require inclusion of the following information: (1) A description of 
the steps the SCI entity is taking, or plans to take, with respect to 
the SCI event; (2) the time the SCI event was resolved or timeframe 
within which the SCI event is expected to be resolved; (3) a 
description of the SCI entity's rule(s) and/or governing documents, as 
applicable, that relate to the SCI event; and (4) an analysis of the 
parties that may have experienced a loss, whether monetary or 
otherwise, due to the SCI event, the number of such parties, and an 
estimate of the aggregate amount of such loss.\290\
---------------------------------------------------------------------------

    \287\ The types of systems listed on proposed Form SCI track the 
types of systems that make up the proposed definitions of ``SCI 
system'' and ``SCI security system'' in proposed Rule 1000(a).
    \288\ The types of systems disruptions listed on proposed Form 
SCI track the provisions of the proposed definition of ``system 
disruption'' in proposed Rule 1000(a) and include, with respect to 
SCI systems: (1) A failure to maintain service level agreements or 
constraints; (2) a disruption of normal operations, including 
switchover to back-up equipment with near-term recovery of primary 
hardware unlikely; (3) a loss of use of any such system; (4) a loss 
of transaction or clearance and settlement data; (5) significant 
back-ups or delays in processing; (6) a significant diminution of 
ability to disseminate timely and accurate market data; or (7) a 
queuing of data between system components or queuing of messages to 
or from customers of such duration that normal service delivery is 
affected.
    \289\ See proposed Rule 1000(b)(4)(iv)(A)(1).
    \290\ See proposed Rule 1000(b)(4)(iv)(A)(2).
---------------------------------------------------------------------------

    Proposed Rule 1000(b)(4)(iii) would require an SCI entity to 
provide continuing written updates regularly for each SCI event, or at 
such frequency as reasonably requested by a representative of the 
Commission, until such time as the SCI event is resolved.\291\ Proposed 
Form SCI would require that an SCI entity indicate that it is providing 
such written update pursuant to Rule 1000(b)(4)(iii) and attach such 
update as Exhibit 2 to Form SCI.
---------------------------------------------------------------------------

    \291\ See proposed Rule 1000(b)(4)(iv)(B).
---------------------------------------------------------------------------

    If any of the foregoing information is not available for inclusion 
on Exhibit 1 as of the date of the initial notification, the SCI entity 
would be required to provide such information when it becomes available 
on Exhibit 2. The information proposed to be required in narrative 
format in Exhibit 1, and if applicable, Exhibit 2, is intended to 
elicit a fuller description of the SCI event, and would require an SCI 
entity to provide detail and context not easily conveyed in short-form 
responses.
    Proposed Form SCI would further require attachment of Exhibit 3, 
providing a copy in pdf or html format of any information disseminated 
to date regarding the SCI event to its members or participants or on 
the SCI entity's publicly available Web site.\292\
---------------------------------------------------------------------------

    \292\ See proposed Rule 1000(b)(4)(iv)(C).
---------------------------------------------------------------------------

    The Commission preliminarily believes that the proposed items of 
information required to be disclosed by an SCI entity on Exhibit 1 
within 24 hours of any of its responsible SCI personnel becoming aware 
of an SCI event, or when available, on Exhibit 2, would help the 
Commission and its staff quickly assess the nature and scope of an SCI 
event, and help the SCI entity identify the appropriate response to the 
SCI event, including ways to mitigate the impact of the SCI event on 
investors and promote the maintenance of fair and orderly markets.
2. Notices of Material Changes Pursuant to Proposed Rule 1000(b)(6)
    Proposed Rule 1000(b)(6) would require an SCI entity to notify the 
Commission of planned material systems changes on proposed Form SCI 30 
calendar days in advance of such change, unless exigent circumstances 
exist or information previously provided regarding a material systems 
change has become materially inaccurate, necessitating notice regarding 
a material systems change with less than 30 calendar days' notice. To 
implement this requirement, proposed Form SCI would require an SCI 
entity to indicate on Form SCI that it is filing a planned material 
systems change notification, provide the date of the planned material 
systems change, indicate whether exigent circumstances exist or if the 
information previously provided to the Commission regarding any planned 
material systems change has become materially inaccurate, and, if so, 
whether the Commission has been notified orally, and attach as Exhibit 
4 a description of the planned material systems change as well as the 
expected dates of commencement and completion of implementation of such 
changes, or, if applicable, a material systems change that has already 
been made due to exigent circumstances.
3. Reports Submitted Pursuant to Rule 1000(b)(8)
    Proposed Rule 1000(b)(8) would require an SCI entity to submit to 
the Commission: (i) A report of the SCI review required by proposed 
Rule 1000(b)(7), together with any response by senior management, 
within 60 calendar days after submission of the SCI review to senior 
management; and (ii) a report within 30 calendar days after the end of 
June and December of each year containing a summary description of the 
progress of any material systems change during the six-month period 
ending on June 30 or December 31, as the case may be, and the date, or 
expected date, of completion of implementation of such changes. For 
filings of the reports of SCI reviews, proposed Form SCI would require 
an SCI entity to indicate on Form SCI that it is filing a report of SCI 
review, indicate the date of completion of the SCI review, and date of 
submission of the SCI review to senior management of the SCI entity. 
The report of the SCI review required by
proposed Rule 1000(b)(7), together with any response by senior 
management, would be required to be submitted as Exhibit 5 to proposed 
Form SCI. For filings of the semi-annual reports of material systems 
changes, proposed Form SCI would require an SCI entity to indicate on 
Form SCI that it is filing a semi-annual report of material systems 
changes, and attach the semi-annual report as Exhibit 6 to proposed 
Form SCI.
4. Notifications of Member or Participant Designation Standards and 
List of Designees Pursuant to Proposed Rule 1000(b)(9)
    Proposed Rule 1000(b)(9) would require an SCI entity to notify the 
Commission of its standards for designating members or participants it 
deems necessary, for the maintenance of fair and orderly markets in the 
event of the activation of the SCI entity's business continuity and 
disaster recovery plans, to participate in the testing of such plans as 
well as a list of members or participants designated in accordance with 
such standards, and prompt updates following any changes to such 
standards and designations. Form SCI would require such information to 
be submitted as Exhibit 7 to Form SCI. Thus, an SCI SRO would be 
required to attach any relevant provisions of its rules, an SCI ATS or 
exempt clearing agency subject to ARP would be required to attach its 
relevant internal processes or other documents, and a plan processor 
would be required to attach the relevant provisions of its SCI Plan.
    The Commission preliminarily believes that the proposed mechanism 
of submitting the reports, notices, and other information required by 
proposed Rules 1000(b)(4), (6), (8), and (10) by attaching them as 
exhibits to Form SCI would be an efficient manner for providing such 
information to the Commission and its staff, and that it would be more 
cost-effective for SCI entities as well as the Commission than 
requiring the submission in a paper format or using an electronic 
method that differs from that proposed.
5. Other Information and Electronic Signature
    In addition to the foregoing, proposed Form SCI would require an 
SCI entity to provide Commission staff with point of contact 
information for systems personnel and regulatory personnel responsible 
for addressing an SCI event, including the name, title, telephone 
number and email address of such persons. Proposed Form SCI would also 
require the SCI entity to designate on the form contact information for 
a senior officer of the SCI entity responsible for matters concerning 
the submission of such Form SCI. Finally, proposed Form SCI would 
require an electronic signature to help ensure the authenticity of the 
Form SCI submission. The Commission preliminarily believes these 
proposed requirements would expedite communications between Commission 
staff and an SCI entity and help to ensure that only personnel 
authorized by the SCI entity are submitting required filings and 
working with Commission staff to address an SCI event or systems issue 
promptly and efficiently.
    To the extent that the Commission receives confidential information 
pursuant to these reports and submissions, such information would be 
kept confidential, subject to the provisions of applicable law.\293\
---------------------------------------------------------------------------

    \293\ See, e.g., 5 U.S.C. 552 (Exemption 4 of the Freedom of 
Information Act provides an exemption for ``trade secrets and 
commercial or financial information obtained from a person and 
privileged or confidential.'' 5 U.S.C. 552(b)(4). Exemption 8 of the 
Freedom of Information Act provides an exemption for matters that 
are ``contained in or related to examination, operating, or 
condition reports prepared by, on behalf of, or for the use of an 
agency responsible for the regulation or supervision of financial 
institutions.'' 5 U.S.C. 552(b)(8)).
---------------------------------------------------------------------------

Request for Comment
    161. The Commission requests comment on all aspects of proposed 
Form SCI. Do commenters believe proposed Form SCI would capture the 
information necessary to assist the Commission in obtaining relevant 
information about SCI events to mitigate the effects of such events on 
investors and the public? Specifically, do commenters believe that the 
proposal to elicit the following information on Form SCI within 24 
hours of any responsible SCI personnel becoming aware of an SCI event 
is appropriate: (i) Whether the filing is a Rule 1000(b)(4)(ii) 
notification or Rule 1000(b)(4)(iii) update of an SCI event; (ii) the 
SCI event type(s) (i.e., systems compliance issue, systems intrusion, 
and/or systems disruption); (iii) whether the event is a systems 
disruption that the SCI entity reasonably estimates would have a 
material impact on its operations or on market participants; (iv) if 
so, whether the Commission has been notified of the SCI event; (v) 
whether the SCI event has been resolved; (vi) the date/time the SCI 
event started; (vii) the duration of the SCI event; (viii) the date and 
time when responsible SCI personnel became aware of the SCI event; (ix) 
the estimated number of market participants impacted by the SCI event; 
(x) the type(s) of systems impacted; and (xi) if applicable, the type 
of systems disruption?
    162. Do commenters believe that all relevant information relating 
to a systems disruption, systems compliance issue, or systems intrusion 
would be captured on proposed Form SCI? If not, what additional 
information should be included on proposed Form SCI? For example, 
should proposed Form SCI require that an SCI entity specifically 
identify market participants that may have been affected by the SCI 
event? Why or why not?
    163. Do commenters believe the proposed information required to be 
provided to the Commission regarding SCI events in the 24-hour 
notification on Exhibit 1 is appropriate? Do commenters believe that 
the proposal to require an update notification on Exhibit 2, and the 
information required to be provided for such updates, are appropriate? 
Why or why not?
    164. Commenters that believe the information proposed to be 
required on Form SCI, whether in short form or in narrative form on 
proposed Exhibits 1 and 2, is not appropriate should explain their 
reasoning and suggest alternatives, as appropriate. Should any 
information proposed to be required be eliminated? Should any other 
information be required? Please describe and explain.
    165. Do commenters believe the required contents of proposed 
Exhibit 3 are appropriate (i.e., a copy in pdf or html format of any 
information disseminated to an SCI entity's members or participants or 
on the SCI entity's publicly available Web site)? If not, why not?
    166. Do commenters believe submission of proposed Form SCI and 
attachment of Exhibits 4, 5, 6, and 7 regarding material systems 
changes, SCI reviews, and notifications of standards for designations 
and designees for the testing of an SCI entity's business continuity 
and disaster recovery plans, is an appropriate method for SCI entities 
to provide this information to the Commission? If not, why not? Should 
any information proposed to be required be eliminated? Should any other 
information be required? Please explain.
    167. Is the proposal to require contact information for systems, 
regulatory, and senior officer appropriate? Should any information 
proposed to be required be eliminated? Is there any other type of 
information that proposed Form SCI should require? Is the proposal to 
require an electronic signature appropriate? If not, why not?
    168. Would proposed Form SCI contain enough information so that the 
Commission and its staff would be able to accurately analyze SCI events, 
material changes to systems, and all 
other required filings?
    169. Upon receiving information submitted as part of an SCI 
entity's electronic filing, it is the Commission's objective that such 
information be easily analyzed, searched, and manipulated. The 
Commission has designed proposed Form SCI with this objective in mind, 
particularly with the uniform requirements on the front of the form. 
The Commission, however, is cognizant that certain information, 
particularly with respect to the information required on the various 
exhibits to the proposed form, may not be as easily analyzed, searched, 
or manipulated. The Commission seeks comment as to whether it should 
mandate that proposed Form SCI as a whole, including the proposed 
exhibits, employ a particular structured data format that would allow 
the Commission and its staff to analyze, search, and manipulate the 
form's information. At the same time, the Commission recognizes that 
employing a particular tagged data format may potentially reduce the 
flexibility afforded to such entities to collect and report data in a 
manner that is more efficient and cost effective for them. The 
Commission requests comments as to whether there may be tagged data 
formats that are sufficiently flexible and that are accepted and used 
throughout the industry, such as XML, XBRL, or another structured data 
format that could be used for proposed Form SCI. Are there different 
standard data formats currently in use depending on the type of SCI 
entity that would enable the Commission to achieve its goals? If so, 
what are they? Should the SCI entity have the flexibility to specify 
the acceptable data format for submitting information? Why or why not? 
Do commenters have concerns with proposed Regulation SCI requiring the 
use of a tagged data format, such as XML, XBRL, or some other 
structured data format that may be tagged, to report data? If so, what 
are they? Are there any licensing fees or other costs associated with 
the use of tagged data formats, such as XML, XBRL, or similar 
structured data formats that may be tagged? If so, what action should 
the Commission take, if any, to help ensure wide availability of a 
common data format by all participants?

F. Request for Comment on Applying Proposed Regulation SCI to Security-
Based Swap Data Repositories and Security-Based Swap Execution 
Facilities

    On July 21, 2010, the President signed the Dodd-Frank Act into 
law.\294\ The Dodd-Frank Act was enacted, among other things, to 
promote the financial stability of the United States by improving 
accountability and transparency of the nation's financial system.\295\ 
Title VII of the Dodd-Frank Act provides the Commission and the CFTC 
with the authority to regulate over-the-counter (``OTC'') derivatives.
---------------------------------------------------------------------------

    \294\ The Dodd-Frank Wall Street Reform and Consumer Protection 
Act (Pub. L. 111-203, H.R. 4173) (``Dodd-Frank Act'').
    \295\ See Public Law 111-203 Preamble.
---------------------------------------------------------------------------

1. Proposed System Safeguard Rules for SB SDRs and SB SEFs
    Section 763 of the Dodd-Frank Act amends the Exchange Act by adding 
various new statutory provisions to govern the regulation of various 
entities, including security-based swap data repositories and security-
based swap execution facilities.\296\ Under the authority of Section 
13(n) of the Exchange Act, applicable to SB SDRs, and Section 3D(d) of 
the Exchange Act, applicable to SB SEFs, the Commission recently 
proposed rules for these entities with regard to their automated 
systems' capacity, resiliency, and security.\297\ Specifically, in the 
SB SDR Proposing Release and the SB SEF Proposing Release, 
respectively, the Commission proposed Rule 13n-6 and Rule 822 under the 
Exchange Act, which would set forth the requirements for these entities 
with regard to their automated systems' capacity, resiliency, and 
security.\298\ In each release, the Commission stated that it was 
proposing standards comparable to the standards applicable to SROs, 
including exchanges and clearing agencies, and other registrants, 
pursuant to the Commission's ARP standards.\299\
---------------------------------------------------------------------------

    \296\ See Public Law 111-203, Section 763 (adding Sections 
13(n), 3C, and 3D of the Exchange Act). The Dodd-Frank Act also 
directs the Commission to harmonize to the extent possible 
Commission regulation of SB SDRs and SB SEFs with CFTC regulation of 
swap data repositories (``SDRs'') and swap execution facilities 
(``SEFs'') under the CFTC's jurisdiction, an endeavor that 
Commission staff is undertaking as it seeks to move the SB SDR and 
SB SEF proposals toward adoption. See Public Law 111-203, Section 
712, directing the Commission, before commencing any rulemaking with 
regard to SB SDRs or SB SEFs, to consult and coordinate with the 
CFTC for purposes of assuring regulatory consistency and 
comparability to the extent possible.
    \297\ See Securities Exchange Act Release Nos. 63347 (November 
19, 2010), 75 FR 77306 (December 10, 2010) (proposing new Rule 13n-6 
under the Exchange Act applicable to SB SDRs) (``SB SDR Proposing 
Release''); 63825 (February 2, 2011), 76 FR 10948 (February 28, 
2011) (proposing new Rule 822 under the Exchange Act applicable to 
SB SEFs) (``SB SEF Proposing Release,'' together with the SB SDR 
Proposing Release, the ``SBS Releases''). See also Public Law 111-
203, Section 761(a) (adding Section 3(a)(75) of the Exchange Act) 
(defining the term ``security-based swap data repository''), and 
Section 761(a) (adding Section 3(a)(77) of the Exchange Act) 
(defining the term ``security-based swap execution facility'').
    \298\ See SB SDR Proposing Release and SB SEF Proposing Release, 
supra note 297.
    \299\ See SB SDR Proposing Release, supra note 293, at 77332 and 
SB SEF Proposing Release, supra note 297, at 10987.
---------------------------------------------------------------------------

    Proposed Rules 13n-6 and 822, applicable to SB SDRs and SB SEFs, 
respectively, would require these entities, ``with respect to those 
systems that support or are integrally related to the performance of 
its activities'' to ``establish, maintain, and enforce written policies 
and procedures reasonably designed to ensure that its systems provide 
adequate levels of capacity, resiliency, and security.'' \300\ Under 
proposed Rules 13n-6 and 822, such policies and procedures, at a 
minimum, would require these SB SDRs and SB SEFs to: (i) Establish 
reasonable current and future capacity estimates; (ii) conduct periodic 
capacity stress tests of critical systems to determine such systems' 
ability to process transactions in an accurate, timely, and efficient 
manner; (iii) develop and implement reasonable procedures to review and 
keep current their system development and testing methodologies; (iv) 
review the vulnerability of their systems and data center computer 
operations to internal and external threats, physical hazards, and 
natural disasters; and (v) establish adequate contingency and disaster 
recovery plans.\301\ Proposed Rules 13n-6 and 822 would further require 
SB SDRs and SB SEFs to submit, on an annual basis, an ``objective 
review'' of their systems to the Commission within 30 calendar days of 
its completion; \302\ notify the Commission in writing of material 
systems outages; and notify the Commission in writing at least 30 
calendar days before implementation of any planned material systems 
changes.
---------------------------------------------------------------------------

    \300\ See SB SDR Proposing Release, 75 FR 77370 and SB SEF 
Proposing Release, 76 FR 11064, supra note 297.
    \301\ Id.
    \302\ Such review may be performed internally if an external 
firm reports on the objectivity, competency, and work performance 
with respect to the internal review.
---------------------------------------------------------------------------

    To date, the Commission has received two comment letters from one 
commenter in response to proposed Rule 13n-6 \303\ and four comment 
letters in response to proposed Rule 822.\304\ Both comment letters on 
proposed 
Rule 13n-6 expressed support for the proposed rule.\305\ Two commenters 
on proposed Rule 822 expressed support for the proposed rule.\306\ Two 
other commenters on proposed Rule 822 suggested modifications, 
including that the Commission (1) require SB SEFs to establish policies 
and procedures reasonably designed to prevent any provision in a valid 
swap transaction from being invalidated or modified through the 
utilization of, or execution on, a SB SEF; \307\ and (2) provide for 
the implementation of the system safeguards requirements on a staged 
basis.\308\
---------------------------------------------------------------------------

    \303\ See Letter from Larry E. Thompson, General Counsel, The 
Depository Trust & Clearing Corporation to Elizabeth M. Murphy, 
Secretary, Commission, dated January 24, 2011 (``DTCC SB SDR Letter 
1''); and Letter from Larry E. Thompson, General Counsel, Depository 
Trust & Clearing Corporation to Mary Schapiro, Chairman, Commission, 
dated June 3, 2011 (``DTCC SB SDR Letter 2'').
    \304\ See Letter from American Benefits Council to Elizabeth M. 
Murphy, Secretary, Commission, dated April 8, 2011 (``ABC SB SEF 
Letter''); Letter from Nancy C. Gardner, Executive Vice President & 
General Counsel, Markets Division, Thomson Reuters to Elizabeth M. 
Murphy, Secretary, Commission, dated April 4, 2011 (``Thomson SB SEF 
Letter''); Letter from Stephen Merkel, Chairman, Wholesale Markets 
Brokers' Association Americas to Elizabeth M. Murphy, Secretary, 
Commission, dated April 4, 2011 (``WMBAA SB SEF Letter''); and 
Letter from Robert Pickel, Executive Vice Chairman, International 
Swaps and Derivatives Association, and Kenneth E. Bentsen, Jr., 
Executive Vice President, Public Policy and Advocacy, Securities 
Industry and Financial Markets Association to Elizabeth M. Murphy, 
Secretary, Commission, dated April 4, 2011 (``ISDA SIFMA SB SEF 
Letter'').
    \305\ See DTCC SB SDR Letter 1, supra note 304, at 3; DTCC SB 
SDR Letter 2, supra note 304, at 4 (recommending that SB SDRs 
``maintain multiple levels of operational redundancy and data 
security'').
    \306\ See Thomson SB SEF Letter, supra note 304, at 8; WMBAA SB 
SEF Letter, supra note 304, at 24.
    \307\ See ABC SB SEF Letter, supra note 304, at 10.
    \308\ See ISDA SIFMA SB SEF Letter, supra note 304, at 12 
(noting that the system safeguard requirements would require time 
and systems expertise to implement fully).
---------------------------------------------------------------------------

2. Proposed System Safeguard Rules for SB SDRs and SB SEFs as Compared 
to Proposed Regulation SCI
    As noted above, proposed Regulation SCI is intended to build upon 
and update the Commission's ARP standards,\309\ which were the basis 
for proposed Rules 13n-6 and 822 for SB SDRs and SB SEFs, respectively. 
Although proposed Rules 13n-6 and 822 have much in common with proposed 
Regulation SCI, they differ in scope and detail from proposed 
Regulation SCI in a number of ways. Among the differences are certain 
provisions in proposed Regulation SCI that proposed Rules 13n-6 and 822 
do not include. Specifically, as discussed above, proposed Regulation 
SCI would: (i) Define the terms ``SCI systems'' and ``SCI security 
systems;'' \310\ (ii) specifically require the establishment, 
maintenance, and enforcement of written policies and procedures 
reasonably designed to ensure that SCI systems and, for purposes of 
security standards, SCI security systems, have levels of capacity, 
integrity, resiliency, availability, and security adequate to maintain 
an SCI entity's operational capability and promote the maintenance of 
fair and orderly markets; \311\ (iii) require SCI entities to establish 
policies and procedures regarding standards that result in systems 
designed, developed, tested, maintained, operated, and surveilled in a 
manner that facilitates the successful collection, processing, and 
dissemination of market data; (iv) require SCI entities to establish, 
maintain, and enforce reasonably designed written policies and 
procedures to ensure that SCI systems operate in the manner intended, 
including in a manner that complies with the federal securities laws 
and rules and regulations thereunder and, as applicable, the entity's 
rules and governing documents; (v) require SCI entities to take 
corrective action, including devoting adequate resources, to remedy an 
SCI event as soon as reasonably practicable; \312\ (vi) require SCI 
entities to have backup and recovery capabilities sufficiently 
resilient and geographically diverse to ensure next business day 
resumption of trading following a wide scale disruption; (vii) require 
an annual SCI review of the SCI entity's compliance with proposed 
Regulation SCI and the reporting of such review to the Commission; 
(viii) require an SCI entity, with respect to its business continuity 
and disaster recovery plans, including its backup systems, to require 
participation by designated members or participants in scheduled 
functional and performance testing of the operation of such plans at 
specified intervals, and to coordinate such required testing with other 
SCI entities; (ix) require all SCI events to be reported to the 
Commission, and certain types of SCI events to be disseminated to an 
SCI entity's members or participants; and (x) establish semi-annual 
reporting obligations for planned material systems changes. In 
addition, proposed Regulation SCI would establish a system for 
submitting required notices, reports, and other information to the 
Commission on proposed new Form SCI. Each of these proposed 
requirements goes beyond the explicit requirements in proposed Rules 
13n-6 and 822.
---------------------------------------------------------------------------

    \309\ See supra Sections I and II.
    \310\ See proposed Rule 1000(a), which would define ``SCI 
systems'' as ``all computer, network, electronic, technical, 
automated, or similar systems of, or operated by or on behalf of, an 
SCI entity, whether in production, development, or testing, that 
directly support trading, clearance and settlement, order routing, 
market data, regulation, or surveillance,'' and ``SCI security 
systems'' as ``any systems that share network resources with SCI 
systems that, if breached, would be reasonably likely to pose a 
security threat to SCI systems.''
    \311\ While proposed Rule 13n-6 did not specifically include 
such a requirement for SB SDRs, the SB SDR Proposing Release stated 
that ``[a]s a general matter, the Commission preliminarily believes 
that, if an SDR's policies and procedures satisfy industry best 
practices standards, then these policies and procedures would be 
adequate.'' See SB SDR Proposing Release, supra note 297, at 77333. 
See also SB SEF Proposing Release, supra note 297, at 10988.
    \312\ See proposed Rule 1000(a), defining ``SCI event'' as an 
event at an SCI entity that constitutes: (1) A systems disruption; 
(2) a systems compliance issue; or (3) a systems intrusion.
---------------------------------------------------------------------------

3. Consideration of Applying the Requirements of Proposed Regulation 
SCI to SB SDRs and/or SB SEFs
    If the Commission were to adopt Rules 13n-6 and 822 as proposed in 
the SBS Releases and also adopt Regulation SCI as proposed herein, 
there would be differences, as noted above, between the obligations 
imposed on SB SDRs and SB SEFs with respect to system safeguards on the 
one hand and the obligations imposed on SCI entities on the other. 
Therefore, the Commission solicits comment on whether it should propose 
to apply the requirements of proposed Regulation SCI, in whole or in 
part, to SB SDRs and/or SB SEFs. In providing views on whether the 
Commission should propose to apply proposed Regulation SCI to SB SDRs 
and/or SB SEFs, commenters are encouraged to consider the discussion 
regarding each provision of proposed Regulation SCI that is set forth 
in Sections III.B through III.E above. Should the Commission decide 
to propose to apply the requirements of proposed Regulation SCI to such 
entities, the Commission would issue a separate release discussing such 
a proposal.
    In enacting Title VII of the Dodd-Frank Act, Congress judged it 
important to increase the transparency and oversight of the OTC 
derivatives market. In addition, in proposing Regulation SB SEF, the 
Commission noted that SB SEFs are intended to ``lead to a more robust, 
transparent, and competitive environment for the market for security-
based swaps (``SBS'' or ``SB swaps'').'' \313\ Similarly, in proposing 
rules for SB SDRs, the Commission noted that ``SDRs may be especially 
critical during times of market 
turmoil, both by giving relevant authorities information to help limit 
systemic risk and by promoting stability through enhanced 
transparency'' and that, ``[b]y enhancing stability in the SBS market, 
SDRs may also indirectly enhance stability across markets, including 
equities and bond markets.'' \314\
---------------------------------------------------------------------------

    \313\ See SB SEF Proposing Release, supra note 297, at 11035.
    \314\ See SB SDR Proposing Release, supra note 297, at 77307.
---------------------------------------------------------------------------

    The Commission notes that it may or may not be appropriate to apply 
the requirements of proposed Regulation SCI to SB SDRs and SB SEFs. In 
particular, SB SDRs will play an important role in limiting systemic 
risk and promoting the stability of the SBS market. SB SDRs also would 
serve as information disseminators \315\ in a manner similar to plan 
processors in the equities and options markets that, under this 
proposal, would be subject to the requirements of proposed Regulation 
SCI. SB SEFs would function as trading markets, and in that respect 
could be viewed as analogous to national securities exchanges and SCI 
ATSs, both of which function as trading markets and are included in the 
proposed definition of SCI entity.\316\ The Commission preliminarily 
believes that the same types of concerns and issues that have resulted 
in the Commission previously publishing its ARP policy statements,\317\ 
developing its ARP Inspection Program,\318\ adopting certain aspects of 
the ARP policy statements under Regulation ATS,\319\ and, ultimately, 
proposing Regulation SCI,\320\ may similarly apply to SB SDRs and SB 
SEFs. In proposing Rule 13n-6, the Commission noted that systems 
failures can limit access to data, call into question the integrity of 
data, and prevent market participants from being able to report 
transaction data, and thereby have a large impact on market confidence, 
risk exposure, and market efficiency.\321\ Similarly, in proposing Rule 
822, the Commission noted that the proposed system safeguard 
requirements for SB SEFs are designed to prevent and minimize the 
impact of systems failures that might negatively impact the stability 
of the SB swaps market.\322\ At the same time, because the Commission 
recognizes that there may be differences between the markets for the 
types of securities that would be covered by proposed Regulation SCI 
and the SBS market, including differing levels of automation and stages 
of regulatory development, the Commission requests comment on whether 
it would be appropriate to propose to apply the requirements of 
proposed Regulation SCI to SB SDRs and/or SB SEFs. As discussed further 
below, the Commission also requests comment on whether, if commenters 
believe proposed Regulation SCI should apply to SB SDRs and/or SB SEFs, 
the system safeguard rules currently proposed for SB SDRs and SB SEFs 
in the SBS Releases should, if adopted, be replaced, at some point in 
the future, by the requirements proposed in this release and, if so, 
how.
---------------------------------------------------------------------------

    \315\ See Securities Exchange Act Release No. 63346 (November 
19, 2010), 75 FR 75208, 75227 (December 2, 2010) (proposing 
Regulation SBSR).
    \316\ See SB SEF Proposing Release, supra note 297, at 10987, 
n.246 (``Because SB SEFs would be an integral part of the market for 
SB swaps, and therefore an integral part of the national market 
system, the Commission believes that it is appropriate to model a SB 
SEF's rules on system safeguards on ARP.'').
    \317\ See supra notes 1 and 12-18 and accompanying text.
    \318\ See supra notes 25-26 and accompanying text.
    \319\ See supra note 26 and accompanying text.
    \320\ See supra Section I.B.
    \321\ See SB SDR Proposing Release, supra note 297, at 77332.
    \322\ See SB SEF Proposing Release, supra note 297, at 10987.
---------------------------------------------------------------------------

    170. Are the SBS markets sufficiently similar to the markets within 
which the proposed SCI entities operate such that it would be 
appropriate to apply the same system safeguard requirements to SB SDRs 
and/or SB SEFs that would be applicable to SCI entities? Why or why 
not? Do commenters believe that there are characteristics of the SBS 
markets that the Commission should consider to support its applying 
different system safeguard rules to SB SDRs and/or SB SEFs than to SCI 
entities? If so, what are those characteristics, and why should 
different rules apply to SB SDRs and/or SB SEFs? If not, why not?
    171. If the Commission were to propose to apply some or all of the 
provisions of proposed Regulation SCI to SB SDRs and/or SB SEFs, should 
the Commission propose to apply the provisions of proposed Regulation 
SCI differently to SB SDRs versus SB SEFs? For example, should the 
Commission propose to apply some or all of the provisions of proposed 
Regulation SCI to SB SDRs but not SB SEFs or vice versa? Why or why 
not?
    172. What effect, if any, would there be of having SB SDRs and/or 
SB SEFs subject to different system safeguard rules than those proposed 
for SCI entities? Would there be any short term and/or long term impact 
of SB SDRs and/or SB SEFs being subject to different system safeguard 
rules than those proposed for SCI entities? For example, if SB SEFs 
were subject to different system safeguard rules than those proposed 
for SCI entities, would there be an impact on competition between SB 
SEFs and national securities exchanges that trade SB swaps? Please 
describe any expected impact on competition. Are there any provisions 
in proposed Regulation SCI that, if applied to SB SEFs, would create 
barriers to entry that could preclude small SB SEFs (e.g., those that 
do not exceed a specified volume or liquidity threshold) from entering 
the SBS market?
    173. The Commission also requests comment on whether it should 
propose to apply all provisions of proposed Regulation SCI to SB SDRs 
and/or SB SEFs or just those provisions comparable to the proposed 
system safeguard rules for SB SDRs or SB SEFs.
    174. Should the Commission, if it were to propose to apply some or 
all of the provisions of proposed Regulation SCI to SB SDRs and/or SB 
SEFs, propose that SB SEFs and/or SB SDRs have written policies and 
procedures reasonably designed to ensure that their SCI systems and, 
for purposes of security standards, SCI security systems, have levels 
of capacity, integrity, resiliency, availability, and security, 
adequate to maintain their operational capability and promote the 
maintenance of fair and orderly markets? Why or why not? If the 
Commission were to propose such a requirement for SB SDRs and/or SB 
SEFs, should SCI industry standards for SB SDRs and/or SB SEFs be 
different from those proposed for SCI entities? If so, please explain 
why. What are the industry standards that should apply to SB SEFs and/
or SB SDRs? Please be as specific as possible and explain why a 
particular industry standard would be appropriate.
    175. Do the characteristics of the SBS market support a need for a 
mandatory requirement that SB SDRs and/or SB SEFs maintain backup and 
recovery capabilities sufficiently resilient and geographically diverse 
to ensure next business day resumption of trading (for SB SEFs) or data 
repository services (for SB SDRs) following a wide scale disruption? 
Why or why not?
    176. Should the Commission propose to require SB SEFs and/or SB 
SDRs to establish written policies and procedures regarding standards 
that result in systems designed, developed, tested, maintained, 
operated, and surveilled in a manner that facilitates the successful 
collection, processing, and dissemination of market data? Why or why 
not?
    177. Should the Commission propose to require SB SEFs and/or SB 
SDRs to establish, maintain, and enforce policies and procedures 
reasonably designed to ensure that their SCI systems operate in the 
manner intended, including in a manner that complies with federal 
securities laws and rules and 
regulations thereunder and, as applicable, the entity's rules and 
governing documents, as proposed for SCI entities in Rule 
1000(b)(2)(i)? Why or why not? Should the Commission propose a safe 
harbor from liability for SB SEFs and/or SB SDRs and their respective 
employees if they satisfy the elements of a safe harbor, similar to 
those for SCI entities in proposed Rules 1000(b)(2)(ii) and (iii)? Why 
or why not?
    178. Should the Commission propose to require SB SEFs and/or SB 
SDRs, with respect to their business continuity and disaster recovery 
plans, including their backup systems, to require participation by 
designated participants in scheduled functional and performance testing 
of the operation of such plans at specified intervals, and to 
coordinate such required testing with other SB SEFs and/or SB SDRs, as 
proposed for SCI entities in Rule 1000(b)(9)? Why or why not?
    179. With regard to the reporting and information dissemination 
requirements in proposed Rules 1000(b)(4) and 1000(b)(5) of 
Regulation SCI, would it be appropriate to propose that an SB SDR and/
or SB SEF be required to report all SCI events to the Commission, and 
disseminate information relating to dissemination SCI events to their 
participants? Why, or why not? If not, on what basis should SB SDRs 
and/or SB SEFs be distinguished from other SCI entities?
    180. Should SB SDRs and/or SB SEFs be required to provide notice 
of, and file semi-annual reports for, material systems changes with the 
Commission, as proposed for SCI entities in Rules 1000(b)(6) and 
(b)(8)? Why or why not?
    181. Should SB SDRs and/or SB SEFs be required to undertake an 
annual SCI review of systems and submit to the Commission a report of 
such review, together with any response of senior management, as 
proposed for SCI entities in Rule 1000(b)(7) and (8)? Why or why not?
    182. Should SB SDRs and/or SB SEFs be required to submit any 
required notices, reports, and other information to the Commission on 
proposed new Form SCI? Why, or why not?
    183. If the Commission were to determine that it would be 
appropriate to propose to apply some or all of the requirements of 
proposed Regulation SCI to SB SDRs and/or SB SEFs, should the 
Commission propose to apply such requirements of proposed Regulation 
SCI to all SB SDRs? To all SB SEFs? Are there distinctions that should 
be made between different types of SB SDRs (or SB SEFs) such that some 
requirements of proposed Regulation SCI might be appropriate for some 
SB SDRs (or SB SEFs) but not others? If so, what are those distinctions 
and what are those requirements? For example, should any requirements 
be based on criteria such as number of transactions or notional volume 
reported to a SB SDR or executed on a SB SEF? If so, what would be an 
appropriate threshold for any such criteria, and why?
    184. Alternatively, given the nascent stage of regulatory 
development of the SBS markets, would it be appropriate to create a 
category under proposed Regulation SCI such as ``new SB SCI entity'' 
that would, for example, be applicable to SB SDRs and/or SB SEFs for a 
certain period of time after such entities become registered with the 
Commission? If so, what period of time would be appropriate (e.g., one 
year, three years, or some other period)? Should there be other 
criteria for an SB SEF (or SB SDR) to be considered a new SB SCI 
entity? If so, what should be the criteria for inclusion? Would market 
share, number of transactions, and/or notional volume be appropriate 
criteria? If so, at what level should the criteria thresholds be set, 
and why? If not, why not? How should the requirements of proposed 
Regulation SCI differ for such ``new SB SCI entities?''
    185. The Commission notes that, if it were to adopt proposed 
Regulation SCI and proposed Rules 13n-6 and 822, the system safeguard 
rules applicable to SB SDRs and SB SEFs would diverge from those 
applicable to SCI entities, as well as from those the CFTC has adopted 
for SDRs and may adopt for SEFs.\323\ What negative effects, if any, do 
commenters believe would result from disparity in the: (1) Commission's 
system safeguard rules applicable to SB SDRs and/or SB SEFs; (2) 
requirements of Regulation SCI applicable to SCI entities; and (3) 
CFTC's system safeguard rules applicable to SDRs and SEFs?
---------------------------------------------------------------------------

    \323\ As noted above, SDRs and SEFs, entities similar to SB SDRs 
and SB SEFs, respectively, are subject to the CFTC's jurisdiction. 
The CFTC's system safeguards rules for SDRs, and those proposed for 
SEFs, differ from those rules that the Commission is proposing in 
Regulation SCI. See 76 FR 54538 (September 1, 2011) (adopting 17 CFR 
part 49, Swap Data Repositories: Registration Standards, Duties and 
Core Principles, Effective October 31, 2011); 76 FR 1214 (January 7, 
2011) (proposing 17 CFR part 37, Core Principles and Other 
Requirements for Swap Execution Facilities). For example, for SDRs, 
the CFTC requires same day recovery for ``critical SDRs'' whereas 
proposed Regulation SCI would require next business day recovery for 
trading services (and two-hour recovery for clearing and settlement 
services). See CFTC Rule 49.24.
---------------------------------------------------------------------------

    186. The Commission seeks commenters' views on all aspects of 
whether to propose to apply Regulation SCI to SB SDRs and/or SB SEFs, 
taking into account the possibility that any final Commission action on 
proposed Rules 13n-6 and 822 could occur prior to any final Commission 
action on proposed Regulation SCI. The Commission seeks commenters' 
views on whether a proposal to extend the requirements of proposed 
Regulation SCI to SB SDRs and/or SB SEFs would be beneficial to help to 
promote the integrity, capacity, resiliency, availability, and security 
of their systems. The Commission notes that having comparable system 
safeguard requirements may be appropriate for SB SDRs and/or SB SEFs 
if, as noted above, the same types of concerns and issues that have 
resulted in the Commission previously publishing its ARP policy 
statements, developing its ARP Inspection Program, adopting certain 
aspects of the ARP policy statements under Regulation ATS, and, 
ultimately, proposing Regulation SCI, also apply to SB SDRs and/or SB 
SEFs.
    187. The Commission is particularly interested in commenters' views 
on the different benefits and costs associated with applying proposed 
Regulation SCI to SB SDRs and/or SB SEFs versus the costs and benefits 
of applying proposed Rules 13n-6 and 822 to SB SDRs and SB SEFs, 
respectively. In the SBS Proposing Releases, the Commission provided 
aggregate estimates of the costs of its proposed rules governing SB 
SDRs and SB SEFs. The SB SDR Proposing Release provided an aggregate 
initial cost estimate of approximately $214,913,592 to be incurred by 
prospective SB SDRs and an aggregate ongoing annualized cost estimate 
of approximately $140,302,120, both of which estimates took account of 
proposed Rule 13n-6.\324\
Similarly, the SB SEF Proposing Release provided an aggregate initial 
cost estimate of approximately $41,692,900 and an aggregate ongoing 
annualized cost estimate of approximately $22,342,700 to be incurred by 
prospective SB SEFs, both of which estimates took account of proposed 
Rule 822.\325\
---------------------------------------------------------------------------

    \324\ See SB SDR Proposing Release, supra note 297, at 77364. In 
the SB SDR Proposing Release, the Commission estimated that the 
paperwork burden associated with proposed Rule 13n-6 would come from 
preparing and implementing policies associated with SB SDR duties, 
data collection and maintenance, automated systems and direct 
electronic access, and from preparing reports and reviews. See id. 
at 77345-46. The Commission estimated that there would be up to 10 
SB SDRs subject to the proposed SB SDR rules. See id. at 77355. 
Based on the information in the SB SDR Proposing Release, the 
Commission estimated that the aggregate burden on an estimated 10 SB 
SDRs to prepare and implement the policies and procedures under Rule 
13n-6 would be 2100 hours along with 500 hours of outside legal 
services at $400 an hour, and that the aggregate annual burden on 
such SB SDRs to maintain such policies would be an additional 600 
hours. See id. at 77349. Based on the information in the SB SDR 
Proposing Release, the Commission estimated that the annual 
aggregate burden on SB SDRs to promptly notify the Commission and 
submit a written description and analysis of outages and any 
remedial measures would be 154 hours and the aggregate annual burden 
on SB SDRs to notify the Commission of planned material system 
changes would be 1200 hours. See id. at 77349-50. The Commission 
estimated that the aggregate annual burden on SB SDRs to submit an 
objective review would be 8250 hours and $900,000. See id. at 77350.
    \325\ See SB SEF Proposing Release, supra note 297, at 11034. In 
the SB SEF Proposing Release, the Commission estimated that the 
paperwork burden associated with Rule 822 would come from rule 
writing requirements under Rule 822(a)(1), and from reporting 
requirements under Rules 822(a)(2), 822(a)(3), and 822(a)(4). See 
id. at 11017-19. The Commission also estimated that there would be 
up to 20 SB SEFs subject to the proposed SB SEF rules. See id. at 
11023. Based on the information in the SB SEF Proposing Release, the 
Commission estimated that the aggregate burden on an estimated 20 SB 
SEFs to draft rules to implement Rule 822 would be 200 hours, see 
id. at 11026, and that the aggregate annual burden on an estimated 
20 SB SEFs to comply with the reporting requirements under Rule 822 
would be 19,208 hours and $1,800,000. See id. at 11029.
---------------------------------------------------------------------------

    If the Commission were to propose to apply Regulation SCI to SB 
SDRs and/or SB SEFs, it preliminarily believes that the initial 
potential costs of such application could differ from the costs to be 
incurred by SCI entities that currently participate in the ARP 
Inspection Program on a per entity basis, as described in Sections IV 
and V below. This is because prospective SB SDRs and prospective SB 
SEFs, unlike those entities, are not now subject to the ARP Inspection 
Program and its standards.\326\ However, the Commission preliminarily 
believes that the initial potential costs of such application to SB 
SDRs and SB SEFs, on a per entity basis, could be equivalent to those 
costs estimated below in Sections IV and V with respect to SCI entities 
that currently do not participate in the ARP Inspection Program. 
Further, as noted above, the SBS Releases have accounted for potential 
costs to be incurred by SB SDRs and SB SEFs in implementing the 
proposed system safeguard requirements in Rules 13n-6 and 822, 
respectively, and, as discussed above, the requirements in proposed 
Regulation SCI could be incremental to those already proposed in Rules 
13n-6 and 822. The Commission therefore preliminarily believes that, if 
it were to decide to propose to apply some or all of the requirements 
of proposed Regulation SCI to SB SDRs and/or SB SEFs, the costs of 
applying proposed Regulation SCI to SB SDRs and/or SB SEFs would be 
incremental to the costs associated with proposed Rules 13n-6 and 822.
---------------------------------------------------------------------------

    \326\ As stated in the SB SDR Proposing Release, ``[t]he 
Commission believes that persons currently operating as SDRs may 
have developed and implemented aspects of the proposed rules 
already,'' and that ``the Commission does not believe that the one-
time cost of [enhancements to their information technology systems] 
will be significant.'' See supra note 297, at 77358.
---------------------------------------------------------------------------

    188. The Commission seeks commenters' views regarding the 
prospective costs, as well as the potential benefits, of proposed 
Regulation SCI to SB SDRs and/or SB SEFs. Commenters should quantify 
the costs of applying proposed Regulation SCI to SB SDRs and/or SB 
SEFs, to the extent possible. As noted above, commenters are urged to 
address specifically each requirement of proposed Regulation SCI and 
note whether it would be reasonable to propose to apply each such 
requirement to SB SDRs and/or SB SEFs and what the benefits and costs 
of such application would be.
4. Timing and Implementation Considerations
    As noted above, the Commission has proposed rules providing a 
regulatory framework for SB SDRs and SB SEFs, but has not yet adopted 
final rules governing these entities. To date, the Commission has not 
received any comments with respect to the timing of the implementation 
of proposed Rule 13n-6 \327\ but has received one comment in connection 
with the timing of the implementation of proposed Rule 822.\328\
---------------------------------------------------------------------------

    \327\ The Commission, however, has received comments that 
suggest a phase-in approach to the proposed SB SDR rules generally 
may be appropriate. These comments generally indicate that a phase-
in approach would be necessary to enable existing swap data 
repositories and other market participants to make the necessary 
changes to their operations. See, e.g., Letter in response to a 
joint public roundtable conducted by Commission and CFTC staff on 
implementation issues raised by Title VII of the Dodd-Frank Act on 
May 2 and 3, 2011, from The Financial Services Roundtable, available 
on the Commission's Web site at: https://www.sec.gov/comments/4-625/4625-1.pdf (stating that ``it may be prudent to have different 
portions of a single rulemaking proposal take effect at different 
times and with due consideration of steps that are preconditions to 
other steps,'' suggesting, as an example, that ``a requirement to 
designate a CCO should be implemented quickly, but that the CCO be 
given time to design, implement, and test the compliance system 
before any requirement to certify as to the compliance system 
becomes effective'' and supporting a phase-in approach ``that 
recognizes the varying levels of sophistication, resources and scale 
of operations within a particular category of market participant'').
    \328\ See ISDA SIFMA SB SEF Letter at 12 (``Many of the proposed 
rules will pose significant operational and administrative hurdles 
for market participants and SB SEFs. For example, the proposed rules 
have requirements for system safeguards that will require time and 
systems expertise to implement fully. We strongly suggest that SB 
SEFs be allowed to adopt the rules on a staged basis so that the 
basic functioning of the SB SEF and the market can be established 
before all requirements are imposed.''). As with the proposed SB SDR 
rules, the Commission has received general comments suggesting that 
a phase-in approach for all SB SEF Rules may be generally 
appropriate. See, e.g., Thomson SB SEF Letter at 8 (stating that 
``in order to ensure the proper operation of these markets, it may 
be necessary for the SEC to adopt a phased-in approach and we would 
urge avoiding over-hasty rulemaking which could result in unintended 
consequences for the markets and the broader economy'').
---------------------------------------------------------------------------

    Although the Commission has issued a policy statement regarding the 
anticipated sequencing of the compliance dates of final rules to be 
adopted by the Commission for certain provisions of Title VII of the 
Dodd-Frank Act,\329\ the precise timing for adoption of or compliance 
with any final rules relating to SB SDRs or SB SEFs, or for adoption of 
or compliance with proposed Regulation SCI, is not known at this time. 
In addition, as the Title VII Implementation Policy Statement notes, 
any final rules for SB SDRs and SB SEFs potentially would be considered 
by the Commission at different times.\330\ As such, the precise timing 
and ordering of the implementation of any requirements of proposed 
Regulation SCI, or Rules 13n-6 and 822, to SB SDRs and/or SB SEFs is 
difficult to predict, should the Commission determine to propose to 
apply some or all of the requirements of proposed Regulation SCI to SB 
SDRs and/or SB SEFs, or adopt Rules 13n-6 and 822 to SB SDRs and SB 
SEFs, respectively.
---------------------------------------------------------------------------

    \329\ See Securities Exchange Act Release No. 67177 (June 11, 
2012), 77 FR 35625 (June 14, 2012) (Statement of General Policy on 
the Sequencing of the Compliance Dates for Final Rules Applicable to 
Security-Based Swaps Adopted Pursuant to the Securities Exchange Act 
of 1934 and the Dodd-Frank Wall Street Reform and Consumer 
Protection Act) (``Title VII Implementation Policy Statement'').
    \330\ See id. at 35629 (noting that the rules pertaining to the 
registration and regulation of SB SDRs are in the second category of 
rules, whereas the rules pertaining to the registration and 
regulation of SB SEFs are in the fifth category of rules).
---------------------------------------------------------------------------

    189. Nonetheless, the Commission requests comment on what--if the 
Commission were to propose to apply some or all of the requirements of 
proposed Regulation SCI to SB SDRs and/or SB SEFs--would be the most 
appropriate way to implement such requirements for SB SDRs and/or SB 
SEFs. For example, should the Commission seek to implement such 
requirements for SB SDRs and/or SB SEFs within the same timeframe as 
those entities currently defined as SCI entities under the proposal? 
Alternatively, should the applicability of some or all of Regulation 
SCI to SB SDRs and/or SB SEFs be phased in over time? If so, what 
provisions of proposed Regulation SCI should be phased in and
what would be an appropriate phase-in period? Should there be different 
phase-in schedules for different SB SDRs and/or SB SEFs? Why or why 
not? If yes, how would the SB SDRs and/or SB SEFs be selected for 
different phase-in schedules? Please be specific.
    190. Do commenters believe that, because the Commission's actions 
to implement the regulatory framework for the SB swaps market are still 
in progress, the Commission should not propose to apply the 
requirements of Regulation SCI to SB SDRs and/or SB SEFs at the same 
time as SCI entities, but instead should adopt the system safeguard 
provisions of proposed Rules 13n-6 and 822 and reconsider such 
requirements in the future after the SB swaps market and the 
Commission's regulation of such market and its participants have 
developed further? Why or why not? What would be the impact of this 
approach for SB SDRs and/or SB SEFs?
    191. As discussed in the SBS Releases,\331\ the system safeguards 
requirements in proposed Rules 13n-6 and 822 have their origins in the 
Commission's ARP standards. Though they differ in scope and detail, the 
provisions of proposed Regulation SCI likewise trace their origin to 
the Commission's ARP standards.\332\ If the Commission were to adopt 
final rules for SB SDRs and/or SB SEFs before it were to adopt 
Regulation SCI, and if the Commission were to decide to propose to 
apply some or all of the requirements of proposed Regulation SCI to SB 
SDRs and/or SB SEFs, should the Commission require SB SDRs and/or SB 
SEFs to comply with the requirements of the system safeguards rules in 
proposed Rules 13n-6 and 822 \333\ first, and apply the requirements of 
Regulation SCI to SB SDRs and/or SB SEFs at a specific date in the 
future? If the Commission were to adopt Rules 13n-6 and 822 prior to 
adoption of proposed Regulation SCI, and if the Commission were to 
decide to propose to apply some or all of the requirements of proposed 
Regulation SCI to SB SDRs and/or SB SEFs, should the Commission delay 
implementation of Rules 13n-6 and 822 and instead request that SB SDRs 
and/or SB SEFs comply with the Commission's voluntary ARP Inspection 
Program until such time as the Commission were to propose and adopt 
Regulation SCI for SB SDRs and SB SEFs?
---------------------------------------------------------------------------

    \331\ See supra note 299 and accompanying text.
    \332\ See supra notes 310-312 and accompanying text.
    \333\ See supra notes 298-302 and accompanying text.
---------------------------------------------------------------------------

G. Solicitation of Comment Regarding Potential Inclusion of Broker-
Dealers, Other than SCI ATSs, and Other Types of Entities

1. Policy Considerations
    As discussed above, the requirements of proposed Regulation SCI 
would apply to national securities exchanges, registered securities 
associations, registered clearing agencies, the MSRB, SCI ATSs, plan 
processors, and exempt clearing agencies subject to ARP. They would not 
apply to other types of market participants, such as market makers or 
other broker-dealers. This proposed scope of the definition of SCI 
entity in part reflects the historical reach of the ARP policy 
statements (which apply, for example, to national securities exchanges) 
and existing Rule 301 of Regulation ATS (which applies systems 
safeguard requirements to certain ATSs).
    Recent events have highlighted the significance of systems 
integrity of a broader set of market participants than those proposed 
to be included within the definition of SCI entity.\334\ Also, some 
broker-dealers have grown in size and importance to the market in 
recent years. For example, many orders are internalized by OTC market 
makers, one subset of broker-dealers, who handle a large portion of 
order flow in the market.\335\ The Commission recognizes that systems 
disruptions, systems compliance issues, and systems intrusions at 
broker-dealers, including for example OTC market makers and clearing 
broker-dealers, could pose a significant risk to the market. Such an 
occurrence could impact all orders being handled by a broker-dealer, 
which can be significant for larger broker-dealers. If a given broker-
dealer handles a large portion of order flow and suddenly experiences a 
systems disruption or systems intrusion, the disruption or intrusion 
could cause ripple effects. For example, a systems issue at one broker-
dealer could result in confusion about whether orders are handled 
correctly or whether the systems issue at the broker-dealer could have 
caused capacity issues elsewhere.\336\
---------------------------------------------------------------------------

    \334\ For example, on August 1, 2012, Knight Capital Group, Inc. 
(``Knight'') reported that it ``experienced a technology issue at 
the opening of trading at the NYSE * * * [which was] related to 
Knight's installation of trading software and resulted in Knight 
sending numerous erroneous orders in NYSE-listed securities into the 
market * * *. Knight has traded out of its entire erroneous trade 
position, which has resulted in a realized pre-tax loss of 
approximately $440 million.'' See Knight Capital Group Provides 
Update Regarding August 1st Disruption To Routing In NYSE-listed 
Securities (August 2, 2012), available at: https://www.knight.com/investorRelations/pressReleases.asp?compid=105070&releaseID=1721599.
    Among other things, Knight provides market making services in 
U.S. equities and U.S. options; institutional sales and trading 
services; electronic execution services; and corporate and other 
services. See Knight Operating Subsidiaries, available at: https://www.knight.com/ourFirm/operatingSubsidiaries.asp. Knight also 
operates two registered ATSs, Knight Match and Knight BondPoint. 
See Knight Match, available at: https://www.knight.com/electronicExecutionServices/knightMatch.asp; Knight BondPoint, 
available at: https://www.knight.com/electronicExecutionServices/knightBondpoint.asp; and Alternative Trading Systems Active Filers 
as of April 30, 2012, available at: https://www.sec.gov/foia/ats/atslist0412.pdf.
    \335\ See Concept Release on Equity Market Structure, supra note 
42, at 3600 (stating: ``OTC market makers, for example, appear to 
handle a very large percentage of marketable (immediately 
executable) order flow of individual investors that is routed by 
retail brokerage firms. A review of the order routing disclosures 
required by Rule 606 of Regulation NMS of eight broker-dealers with 
significant retail customer accounts reveals that nearly 100% of 
their customer market orders are routed to OTC market makers.'').
    \336\ For example, if an e-market-maker handling 20 percent of 
message traffic experiences a systems issue, the order flow could be 
diverted elsewhere, including to entities that are unable to handle 
the increase in message traffic, resulting in a disruption to that 
entity's systems as well. Similarly, a broker-dealer accidentally 
could run a test during live trading and flood markets with message 
traffic such that those markets hit their capacity limits, resulting 
in a disruption.
---------------------------------------------------------------------------

    The Commission is not at this time proposing to include some 
classes of registered broker-dealers (other than SCI ATSs) in the 
definition of SCI entity. Were the Commission to decide to propose to 
apply the requirements of proposed Regulation SCI to such entities, the 
Commission would issue a separate release discussing such a proposal. 
Rule 15c3-5, requiring brokers or dealers with market access to 
implement risk management controls and supervisory procedures to limit 
risk, already seeks to address certain risks posed to the markets by 
broker-dealer systems. Specifically, in 2010 when the Commission 
adopted Rule 15c3-5 regarding risk management controls and supervisory 
procedures for brokers or dealers with market access,\337\ the 
Commission stated that
``broker-dealers, as the entities through which access to markets is 
obtained, should implement effective controls reasonably designed to 
prevent errors or other inappropriate conduct from potentially causing 
a significant disruption to the markets'' and that ``risk management 
controls and supervisory procedures that are not applied on a pre-trade 
basis or that, with certain limited exceptions, are not under the 
exclusive control of the broker-dealer, are inadequate to effectively 
address the risks of market access arrangements, and pose a 
particularly significant vulnerability in the U.S. national market 
system.'' \338\
---------------------------------------------------------------------------

    \337\ See Securities Exchange Act Release No. 63241 (November 3, 
2010), 75 FR 69792 (November 15, 2010) (``Market Access Release''). 
Rule 15c3-5(a)(1) defines ``market access'' to mean: (i) access to 
trading in securities on an exchange or ATS as a result of being a 
member or subscriber of the exchange or ATS, respectively; or (ii) 
access to trading in securities on an ATS provided by a broker-
dealer operator of an ATS to a non-broker-dealer. See 17 CFR 
240.15c3-5(a)(1). In adopting Rule 15c3-5(a)(1), the Commission 
stated that ``the risks associated with market access * * * are 
present whenever a broker-dealer trades as a member of an exchange 
or subscriber to an ATS, whether for its own proprietary account or 
as agent for its customers, including traditional agency brokerage 
and through direct market access or sponsored access arrangements.'' 
See Market Access Release at 69798. As such, the Commission stated 
that ``to effectively address these risks, Rule 15c3-5 must apply 
broadly to all access to trading on an Exchange or ATS.'' See id.
    \338\ Id. at 69794.
---------------------------------------------------------------------------

    Pursuant to Rule 15c3-5, a broker or dealer with market access, or 
that provides a customer or any other person with access to an exchange 
or ATS through use of its market participant identifier or otherwise, 
must establish, document, and maintain a system of risk management 
controls and supervisory procedures reasonably designed to manage the 
financial, regulatory, and other risks of this business activity.\339\ 
Rule 15c3-5 also specifies the baseline standards for financial and 
regulatory risk management controls and supervisory procedures.\340\ 
The financial risk management controls and supervisory procedures must 
be reasonably designed to systematically limit the financial exposure 
of the broker or dealer that could arise as a result of market 
access.\341\ The regulatory risk management controls and supervisory 
procedures must be reasonably designed to ensure compliance with all 
regulatory requirements.\342\
---------------------------------------------------------------------------

    \339\ See 17 CFR 240.15c3-5(b). Certain broker-dealers are 
exempt from some of the requirements under Rule 15c3-5. See id.
    \340\ See 17 CFR 240.15c3-5(c).
    \341\ See 17 CFR 240.15c3-5(c)(1). Such financial risk 
management controls and supervisory procedures must be reasonably 
designed to: (i) Prevent the entry of orders that exceed appropriate 
pre-set credit or capital thresholds in the aggregate for each 
customer and the broker or dealer, and where appropriate, more 
finely-tuned by sector, security or otherwise by rejecting orders if 
such orders would exceed the applicable credit or capital 
thresholds; and (ii) prevent the entry of erroneous orders, by 
rejecting orders that exceed appropriate price or size parameters, 
on an order-by-order basis or over a short period of time, or that 
indicate duplicative orders. See 17 CFR 240.15c3-5(c)(1).
    \342\ See 17 CFR 240.15c3-5(c)(2). Such regulatory risk 
management controls and supervisory procedures must be reasonably 
designed to: (i) Prevent the entry of orders unless there has been 
compliance with all regulatory requirements that must be satisfied 
on a pre-order entry basis; (ii) prevent the entry of orders for 
securities for a broker or dealer, customer, or other person if such 
person is restricted from trading those securities; (iii) restrict 
access to trading systems and technology that provide market access 
to persons and accounts pre-approved and authorized by the broker or 
dealer; and (iv) assure that appropriate surveillance personnel 
receive immediate post-trade execution reports that result from 
market access. See 17 CFR 240.15c3-5(c)(2).
---------------------------------------------------------------------------

    Under the approach set out by Rule 15c3-5, broker-dealers with 
market access are responsible in the first instance for establishing 
and maintaining appropriate risk management controls, including with 
respect to their systems. Although Rule 15c3-5 takes a different and 
more limited approach with broker-dealers than proposed Regulation SCI 
does with SCI entities, the requirements in Rule 15c3-5 are designed to 
address some of the same concerns regarding systems integrity discussed 
in this proposal. As an example of reasonable risk control under Rule 
15c3-5, the Commission stated, ``a system-driven, pre-trade control 
designed to reject orders that are not reasonably related to the quoted 
price of the security would prevent erroneously entered orders from 
reaching the securities markets, * * * should lead to fewer broken 
trades and thereby enhance the integrity of trading on the securities 
markets.'' \343\
---------------------------------------------------------------------------

    \343\ See Market Access Release, supra note 337, at 69794.
---------------------------------------------------------------------------

    In light of recent events, however, the Commission believes that it 
is appropriate to consider whether some types or categories of broker-
dealers other than SCI ATSs should also be subject to some or all of 
the additional system safeguard rules that are proposed for SCI 
entities. Such broker-dealers could include, for example, OTC market 
makers (either all or those that execute a significant volume of 
orders), exchange market makers (either all or those that trade a 
significant volume on exchanges), order entry firms that handle and 
route order flow for execution (either all or those that handle a 
significant volume of investor orders), clearing broker-dealers (either 
all or those that engage in a significant amount of clearing 
activities), and large multi-service broker-dealers that engage in a 
variety of order handling, trading, and clearing activities.
2. Request for Comment
    192. As noted above, at this time, the Commission is not proposing 
to apply Regulation SCI to broker-dealers other than SCI ATSs or to 
other types of entities that are not covered by the definition of SCI 
entity. Were the Commission to decide to propose to apply the 
requirements of Regulation SCI to such entities, the Commission would 
issue a separate release discussing such a proposal. Nevertheless, the 
Commission is soliciting comment generally on whether it should apply 
the requirements of proposed Regulation SCI, in whole or in part, to 
such entities. Specifically:
    193. What are the current practices of broker-dealers in relation 
to the requirements of proposed Regulation SCI? \344\ Would the current 
practices of broker-dealers that provide market access and comply with 
Rule 15c3-5 change if they were also subject to proposed Regulation 
SCI? Why or why not? If so, how? Are there broker-dealers who do not 
provide the services that would require compliance with Rule 15c3-5? If 
so, how do the practices of those broker-dealers compare to the 
requirements of proposed Regulation SCI?
---------------------------------------------------------------------------

    \344\ As noted above, one ATS currently voluntarily participates 
in the ARP Inspection Program. See supra note 91.
---------------------------------------------------------------------------

    194. In Section VI.B.2 below, the Commission discusses potential 
market failures that may explain why market solutions cannot solve the 
problems that proposed Regulation SCI is intended to address. Does the 
market for broker-dealer services, including client services, market 
maker services, or market access services, suffer from market failures 
that limit the ability of the market to solve the issues that proposed 
Regulation SCI is intended to address? For example, are broker-dealers' 
clients able to easily switch broker-dealers, and how often do clients 
use more than one broker-dealer simultaneously (e.g., for redundancy in 
case of a problem at a given broker-dealer)? Are broker-dealers subject 
to more market discipline than SCI entities? Please explain. 
Conversely, does a lack of transparency regarding events like SCI 
events limit this market discipline? Why or why not?
    195. Given the stated goals and purpose of proposed Regulation SCI 
and its various provisions,\345\ what are commenters' views on whether 
the scope of the proposed rules should be expanded to cover broker-
dealers, or certain categories of broker-dealers? For example, what are 
commenters' views on the impact to overall market integrity or the 
protection of investors if an OTC market maker was no longer able to 
operate due to a systems disruption, systems compliance issue, or a 
systems intrusion? Or an exchange market maker? Or a clearing broker-
dealer? What are commenters' views on the
importance of different categories of broker-dealers to the stability 
of the overall securities market infrastructure, in the context of 
requiring them to comply with the proposed rules, in light of the 
stated goals and purpose of Regulation SCI? What risks do the systems 
of broker-dealers pose to the securities markets?
---------------------------------------------------------------------------

    \345\ See supra Section III.
---------------------------------------------------------------------------

    196. If the Commission were to subsequently propose to apply some 
or all of the requirements of proposed Regulation SCI to some types or 
categories of broker-dealers (in addition to SCI ATSs), what types of 
broker-dealers should the requirements apply to and why? Are there 
distinctions that should be made between different types of broker-
dealers (e.g., OTC market makers, exchange market makers, order entry 
firms, clearing broker-dealers, and multi-service broker-dealers) for 
this purpose? If so, what are those distinctions and which requirements 
should apply?
    197. The Commission notes that Roundtable panelists generally did 
not distinguish between national securities exchanges, ATSs, and 
different types of broker-dealers when addressing how to improve error 
prevention and error response strategies. Rather, Roundtable panelists 
and commenters referred more generally to ``entities with market 
access'' and/or ``execution venues.'' \346\ In this regard, should the 
Commission consider expanding the application of Regulation SCI to all 
market centers, as that term is defined in Rule 600(b)(38) of 
Regulation NMS,\347\ which means any exchange market maker, OTC market 
maker, ATS, national securities exchange, or national securities 
association? \348\ Why or why not? Would an expansion of proposed 
Regulation SCI to include all market centers (i.e., execution venues) 
inappropriately exclude the broader category of entities having market 
access? Why or why not? Alternatively, should the Commission consider 
applying the requirements of proposed Regulation SCI to (a) any 
registered market maker or (b) any broker-dealer that offers market 
access that, in either case, with respect to any NMS stock, has a 
specified percentage of average daily dollar volume? If so, what should 
such a percentage be? Would the levels applicable to SCI ATSs that 
trade NMS stocks under proposed Rule 1000(a) of Regulation SCI be 
appropriate for registered market makers, broker-dealers that offer 
market access, or other broker-dealers? Why or why not? If not, what 
should such a threshold be?
---------------------------------------------------------------------------

    \346\ See, e.g., letter from Better Markets, supra note 74, 
arguing that regulators should encourage firms to adopt more robust 
software development practices and audit any firm with direct market 
access or require third-party certification and mandate minimum 
requirements for testing any application that has direct market 
access. In addition, the panelist from NYSE stated that common 
standards for technology deployment should apply across all 
execution venues.
    \347\ 17 CFR 242.600(b)(38).
    \348\ Rule 600(b)(24) defines exchange market maker to mean any 
member of a national securities exchange that is registered as a 
specialist or market maker pursuant to the rules of such exchange, 
and Rule 600(b)(52) defines OTC market maker to mean any dealer that 
holds itself out as being willing to buy from and sell to its 
customers, or others, in the U.S., an NMS stock for its own account 
on a regular or continuous basis otherwise than on a national 
securities exchange in amounts of less than block size. See 17 CFR 
242.600(b)(24) and 17 CFR 242.600(b)(52).
---------------------------------------------------------------------------

    198. If the Commission were to propose to expand the scope of 
proposed Regulation SCI to a subset of broker-dealers, what are 
commenters' views on whether, and if so, how, the various different 
proposed requirements of Regulation SCI should or should not apply to 
such entities?
    199. If the Commission were to propose to expand the scope of 
proposed Regulation SCI to include a subset of broker-dealers, should 
the Commission require such broker-dealers to have written policies and 
procedures reasonably designed to ensure that their systems have levels 
of capacity, integrity, resiliency, availability, and security adequate 
to maintain their operational capability, and promote the maintenance 
of fair and orderly markets, as proposed in Rule 1000(b)(1) for SCI 
entities? Why or why not? Should SCI industry standards for broker-
dealers be different from those proposed for SCI entities? If so, what 
are the standards that should apply to broker-dealers? Please be as 
specific as possible and explain why a particular standard would be 
appropriate.
    200. Should the Commission require such broker-dealers to 
establish, maintain, and enforce policies and procedures reasonably 
designed to ensure that their systems operate in the manner intended, 
including in a manner that complies with federal securities laws and 
rules and regulations thereunder, as proposed in Rule 1000(b)(2)(i) for 
SCI entities? Why or why not? Should the Commission establish a safe 
harbor from liability for such broker-dealers and their respective 
employees if they satisfy the elements of a safe harbor, similar to 
those in proposed Rules 1000(b)(2)(ii) and (iii) for SCI entities and 
their employees? Why or why not?
    201. Should the Commission require such broker-dealers, upon any of 
their responsible SCI personnel becoming aware of an SCI event, to 
begin to take appropriate corrective action including, at a minimum, 
mitigating potential harm to investors and market integrity resulting 
from the SCI event and devoting adequate resources to remedy the SCI 
event as soon as reasonably practicable, as proposed in Rule 1000(b)(3) 
for SCI entities? Why or why not? Should such broker-dealers' 
corrective action be triggered by something other than awareness of an 
SCI event? If so, what would be an appropriate trigger?
    202. With regard to the reporting and information dissemination 
requirements for SCI entities in proposed Rules 1000(b)(4) and 
1000(b)(5), would it be appropriate to require such broker-dealers to 
report all SCI events to the Commission, and disclose dissemination SCI 
events to their customers?
    203. Should such broker-dealers be required to notify the 
Commission of material systems changes, as proposed in Rule 1000(b)(6) 
for SCI entities? Why or why not?
    204. Should such broker-dealers be required to undertake an annual 
SCI review of their systems, as proposed in Rule 1000(b)(7) for SCI 
entities? Should such broker-dealers also be required to provide the 
Commission with reports regarding the SCI review and material systems 
changes, as proposed in Rule 1000(b)(8) for SCI entities? Why or why 
not?
    205. Should such broker-dealers be required to submit any required 
notices, reports, and other information to the Commission on proposed 
new Form SCI? Why or why not?
    206. Alternatively, should the Commission propose to require that 
each SCI SRO establish rules requiring that its members adopt written 
policies and procedures reasonably designed to ensure that their 
systems have levels of capacity, integrity, resiliency, availability, 
and security adequate to maintain their operational capability, and 
promote the maintenance of fair and orderly markets? Why or why not? 
Similarly, should the Commission propose to require that each SCI SRO 
establish rules requiring that its members adopt written policies and 
procedures reasonably designed to ensure that the systems of such 
members operate in the manner intended, including in a manner that 
complies with applicable federal securities laws and rules and 
regulations thereunder and the SCI SRO's rules? Why or why not? In 
either case, would such a proposal raise any competitive issues, such 
as between
national securities exchanges and ATSs? \349\
---------------------------------------------------------------------------

    \349\ The Commission notes that all broker-dealers are members 
of one or more SCI SROs (such as FINRA and/or a national securities 
exchange), while participants on ATSs may include non-broker-dealer 
market participants.
---------------------------------------------------------------------------

    207. In addition, should the Commission consider including other 
entities in the definition of SCI entity (e.g., transfer agents), thus 
subjecting them to some or all of the requirements under proposed 
Regulation SCI? If yes, to which entities should some or all of 
proposed Regulation SCI apply and why? If not, why not? If commenters 
believe other types of entities should be included in the definition of 
SCI entity, should the Commission include all entities of a given type 
in the definition? Why or why not? If not, how should the Commission 
distinguish those entities that should be included (e.g., size, volume, 
types of services performed, etc.)? Please describe and be as specific 
as possible.
    208. If the Commission were to subsequently propose and adopt a 
rule applying Regulation SCI to all or certain categories of broker-
dealers or other entities, what are commenters' views as to the type 
and scale of the costs of such application? Please explain. In 
addition, what are commenters' views as to the potential impact on 
efficiency, competition, and capital formation of such application? 
Please explain.

IV. Paperwork Reduction Act

    Certain provisions of the proposal contain ``collection of 
information'' requirements within the meaning of the Paperwork 
Reduction Act of 1995 (``PRA'') \350\ and the Commission will submit 
them to the Office of Management and Budget (``OMB'') for review in 
accordance with 44 U.S.C. 3507 and 5 CFR 1320.11. The title of the new 
collection of information is Regulation Systems Compliance and 
Integrity. An agency may not conduct or sponsor, and a person is not 
required to respond to, a collection of information unless it displays 
a currently valid OMB control number.
---------------------------------------------------------------------------

    \350\ 44 U.S.C. 3501 et seq.
---------------------------------------------------------------------------

A. Summary of Collection of Information

    Proposed Regulation SCI would include four categories of 
obligations that would require a collection of information within the 
meaning of the PRA. Specifically, an SCI entity would be required to: 
(1) Establish specified written policies and procedures, and mandate 
participation by designated members or participants in certain testing 
of the SCI entity's business continuity and disaster recovery plans; 
(2) provide certain notifications, disseminate certain information, and 
create reports; (3) take corrective actions, identify certain SCI 
events for which immediate Commission notification is required, and 
identify dissemination SCI events; and (4) comply with recordkeeping 
and access requirements relating to its compliance with proposed 
Regulation SCI.
1. Requirements To Establish Written Policies and Procedures and 
Mandate Participation in Certain Testing
    Proposed Rules 1000(b)(1) and (b)(2) would require SCI entities to 
establish policies and procedures with respect to various matters. 
Proposed Rule 1000(b)(1) would require each SCI entity to establish, 
maintain, and enforce written policies and procedures reasonably 
designed to ensure that its SCI systems and, for purposes of security 
standards, SCI security systems, have levels of capacity, integrity, 
resiliency, availability, and security, adequate to maintain the SCI 
entity's operational capability and promote the maintenance of fair and 
orderly markets. Proposed Rule 1000(b)(1)(i) specifies that such 
policies and procedures would be required to include, at a minimum: (A) 
The establishment of reasonable current and future capacity planning 
estimates; (B) periodic capacity stress tests of such systems to 
determine their ability to process transactions in an accurate, timely, 
and efficient manner; (C) a program to review and keep current systems 
development and testing methodology for such systems; (D) regular 
reviews and testing of such systems, including backup systems, to 
identify vulnerabilities pertaining to internal and external threats, 
physical hazards, and natural or manmade disasters; (E) business 
continuity and disaster recovery plans that include maintaining backup 
and recovery capabilities sufficiently resilient and geographically 
diverse to ensure next business day resumption of trading and two-hour 
resumption of clearance and settlement services following a wide-scale 
disruption; and (F) standards that result in such systems being 
designed, developed, tested, maintained, operated, and surveilled in a 
manner that facilitates the successful collection, processing, and 
dissemination of market data. Proposed Rule 1000(b)(1)(ii) states that 
such policies and procedures would be deemed to be reasonably designed 
if they are consistent with current SCI industry standards, which would 
be required to be: (A) Comprised of information technology practices 
that are widely available for free to information technology 
professionals in the financial sector; and (B) issued by an 
authoritative body that is a U.S. governmental entity or agency, 
association of U.S. governmental entities or agencies, or widely 
recognized organization. The proposed SCI industry standards contained 
in the publications identified on Table A are intended to serve as 
standards that SCI entities could use, if they so choose, to comply 
with the requirements of proposed Rule 1000(b)(1), though compliance 
with such SCI industry standards would not be the exclusive means to 
comply with the requirements of proposed Rule 1000(b)(1).
    Proposed Rule 1000(b)(2)(i) would require each SCI entity to 
establish, maintain, and enforce written policies and procedures 
reasonably designed to ensure that its SCI systems operate in the 
manner intended, including in a manner that complies with the federal 
securities laws and rules and regulations thereunder and the entity's 
rules and governing documents, as applicable. An SCI entity would be 
deemed not to have violated proposed Rule 1000(b)(2)(i) if: (A) It has 
established and maintained policies and procedures reasonably designed 
to provide for: (1) testing of all such systems and any changes to such 
systems prior to implementation; (2) periodic testing of all such 
systems and any changes to such systems after their implementation; (3) 
a system of internal controls over changes to such systems; (4) ongoing 
monitoring of the functionality of such systems to detect whether they 
are operating in the manner intended; (5) assessments of SCI systems 
compliance performed by personnel familiar with applicable federal 
securities laws and rules and regulations thereunder and the SCI 
entity's rules and governing documents, as applicable; and (6) review 
by regulatory personnel of SCI systems design, changes, testing, and 
controls to prevent, detect, and address actions that do not comply 
with applicable federal securities laws and rules and regulations 
thereunder and the SCI entity's rules and governing documents, as 
applicable; (B) the SCI entity has established and maintained a system 
for applying such policies and procedures which would reasonably be 
expected to prevent and detect, insofar as practicable, any violation 
of such policies and procedures by the SCI entity or any person 
employed by the SCI entity; and (C) the SCI entity: has reasonably 
discharged the duties and obligations incumbent upon it by such
policies and procedures; and was without reasonable cause to believe 
that such policies and procedures were not being complied with in any 
material respect. Further, pursuant to proposed Rule 1000(b)(2)(iii), a 
person employed by an SCI entity would be deemed not to have aided, 
abetted, counseled, commanded, caused, induced, or procured the 
violation by any other person of proposed Rule 1000(b)(2)(i) if the 
person employed by the SCI entity: (A) Has reasonably discharged the 
duties and obligations incumbent upon such person by such policies and 
procedures; and (B) was without reasonable cause to believe that such 
policies and procedures were not being complied with in any material 
respect.
    Proposed Rule 1000(b)(9)(i) would require an SCI entity, with 
respect to its business continuity and disaster recovery plans, 
including its backup systems, to require participation by designated 
members or participants in scheduled functional and performance testing 
of the operation of such plans in the manner and frequency as specified 
by the SCI entity, at least once every 12 months (e.g., for SCI SROs, 
by submitting proposed rule changes under Section 19(b) of the Exchange 
Act; for SCI ATSs, by revising membership or subscriber agreements and 
internal procedures; for plan processors, through an amendment to an 
SCI Plan under Rule 608 of Regulation NMS; and, for exempt clearing 
agencies subject to ARP, by revising participant agreements and 
internal procedures). Proposed Rule 1000(b)(9)(ii) would further 
require an SCI entity to coordinate such required testing on an 
industry- or sector-wide basis with other SCI entities. Proposed Rule 
1000(b)(9)(iii) would require an SCI entity to designate members or 
participants it deems necessary, for the maintenance of fair and 
orderly markets in the event of the activation of its business 
continuity and disaster recovery plans, to participate in the testing 
of such plans. It would also require the SCI entity to notify and 
update the Commission of its designations and standards for 
designation, and promptly update such notification after any changes to 
its designations or standards.
2. Notice, Dissemination, and Reporting Requirements for SCI Entities
    A number of proposed rules under Regulation SCI would require SCI 
entities to notify or report information to the Commission, or 
disseminate information to their members or participants. Proposed 
Rules 1000(b)(4), (b)(5), (b)(6), (b)(7), and (b)(8) each contain a 
notification, dissemination, or reporting requirement.
    Proposed Rule 1000(b)(4) would require notice of SCI events to the 
Commission. Proposed Rule 1000(b)(4)(i) would require an SCI entity to 
notify the Commission upon any responsible SCI personnel becoming aware 
of a systems disruption that the SCI entity reasonably estimates would 
have a material impact on its operations or on market participants, any 
systems compliance issue, or any systems intrusion.
    Proposed Rule 1000(b)(4)(ii) would require an SCI entity, within 24 
hours of any responsible SCI personnel becoming aware of any SCI event, 
to submit a written notification to the Commission on Form SCI 
pertaining to such SCI event.\351\ Proposed Rule 1000(b)(4)(iv)(A) 
would specify that, for a notification made pursuant to proposed Rule 
1000(b)(4)(ii), an SCI entity must include all pertinent information 
known about the SCI event, including: a detailed description of the SCI 
event; the SCI entity's current assessment of the types and number of 
market participants potentially affected by the SCI event; the 
potential impact of the SCI event on the market; and the SCI entity's 
current assessment of the SCI event, including a discussion of the 
determination of whether the SCI event is a dissemination SCI event or 
not. In addition, to the extent available as of the time of the initial 
notification, the notification would be required to include: a 
description of the steps the SCI entity is taking, or plans to take, 
with respect to the SCI event; the time the SCI event was resolved or 
timeframe within which the SCI event is expected to be resolved; a 
description of the SCI entity's rule(s) and/or governing document(s), 
as applicable, that relate to the SCI event; and an analysis of the 
parties that may have experienced a loss, whether monetary or 
otherwise, due to the SCI event, the number of such parties, and an 
estimate of the aggregate amount of such loss. Further, for a written 
notification to the Commission of an SCI event under proposed Rule 
1000(b)(4)(ii), an SCI entity would be required to attach a copy of any 
information disseminated to date regarding the SCI event to its members 
or participants or on the SCI entity's publicly available Web site.
---------------------------------------------------------------------------

    \351\ For a written notification to the Commission of an SCI 
event under proposed Rule 1000(b)(4)(ii), new proposed Form SCI 
would require that an SCI entity indicate that the filing is being 
made pursuant to Rule 1000(b)(4)(ii) and provide the following 
information in a short, standardized format: (i) Whether the filing 
is a Rule 1000(b)(4)(ii) notification or Rule 1000(b)(4)(iii) update 
of an SCI event; (ii) the SCI event type(s) (i.e., systems 
compliance issue, systems intrusion, and/or systems disruption); 
(iii) whether the event is a systems disruption that the SCI entity 
reasonably estimates would have a material impact on its operations 
or on market participants; (iv) if so, whether the Commission has 
been notified of the SCI event; (v) whether the SCI event has been 
resolved; (vi) the date/time the SCI event started; (vii) the 
duration of the SCI event; (viii) the date and time when responsible 
SCI personnel became aware of the SCI event; (ix) the estimated 
number of market participants impacted by the SCI event; (x) the 
type(s) of systems impacted; and (xi) if applicable, the type of 
systems disruption.
---------------------------------------------------------------------------

    Proposed Rule 1000(b)(4)(iii) would require an SCI entity to submit 
written updates on Form SCI pertaining to an SCI event to the 
Commission on a regular basis, or at such frequency as reasonably 
requested by a representative of the Commission, until such time as the 
SCI event is resolved. Proposed Rule 1000(b)(4)(iv)(B) specifies that, 
for a notification made pursuant to proposed Rule 1000(b)(4)(iii), the 
SCI entity would be required to update any information previously 
provided regarding an SCI event, including any information under 
proposed Rule 1000(b)(4)(iv)(A)(2) that was not available at the time 
of submission of a notification under proposed Rule 1000(b)(4)(ii). 
Further, for a written notification to the Commission of an SCI event 
under proposed Rule 1000(b)(4)(iii), an SCI entity would be required to 
attach a copy of any information disseminated to date regarding the SCI 
event to its members or participants or on the SCI entity's publicly 
available Web site.
    Proposed Rule 1000(b)(5) would require dissemination to members or 
participants of dissemination SCI events and specify the nature and 
timing of such required dissemination, with limited exceptions for 
dissemination SCI events that are systems intrusions, as discussed 
further below.\352\ Proposed Rule 1000(b)(5)(i)(A) would require that 
an SCI entity, promptly after any responsible SCI personnel becomes 
aware of a dissemination SCI event, disseminate to its members or 
participants the following information about such SCI event: (1) The 
systems affected by the SCI event; and (2) a summary description of the 
SCI event. In addition, proposed Rule 1000(b)(5)(i)(B) would require an 
SCI entity to, when known, further disseminate to its members or 
participants: (1) a detailed description of the SCI event; (2) the SCI 
entity's
current assessment of the types and number of market participants 
potentially affected by the SCI event; and (3) a description of the 
progress of its corrective action for the SCI event and when the SCI 
event has been or is expected to be resolved. Proposed Rule 
1000(b)(5)(i)(C) would further require that an SCI entity provide 
regular updates to members or participants on any of the information 
required to be disseminated under proposed Rules 1000(b)(5)(i)(A) and 
(i)(B).
---------------------------------------------------------------------------

    \352\ As discussed above, the Commission proposes that the term 
``dissemination SCI event'' be defined as ``an SCI event that is a: 
(1) Systems compliance issue; (2) systems intrusion; or (3) systems 
disruption that results, or the SCI entity reasonably estimates 
would result, in significant harm or loss to market participants.'' 
See supra Section III.B.4.d.
---------------------------------------------------------------------------

    Proposed Rule 1000(b)(5)(ii) would provide a limited exception to 
the proposed requirement of prompt dissemination to members or 
participants of information regarding dissemination SCI events for 
systems intrusion. Proposed Rule 1000(b)(5)(ii) would require an SCI 
entity, promptly after any responsible SCI personnel becomes aware of a 
systems intrusion, to disseminate to its members or participants a 
summary description of the systems intrusion, including a description 
of the corrective action taken by the SCI entity and when the systems 
intrusion has been or is expected to be resolved, unless the SCI entity 
determines that dissemination of such information would likely 
compromise the security of the SCI entity's SCI systems or SCI security 
systems, or an investigation of the systems intrusion, and documents 
the reasons for such determination.
    Proposed Rule 1000(b)(6) would require an SCI entity, absent 
exigent circumstances, to notify the Commission on Form SCI at least 30 
calendar days before implementation of any planned material systems 
change, including a description of the planned material systems change 
as well as the expected dates of commencement and completion of 
implementation of such change. If exigent circumstances exist, or if 
the information previously provided to the Commission regarding any 
material systems change has become materially inaccurate, an SCI entity 
would instead be required to notify the Commission, either orally or in 
writing on Form SCI, with any oral notification to be memorialized 
within 24 hours after such oral notification by a written notification, 
as early as reasonably practicable.\353\
---------------------------------------------------------------------------

    \353\ Form SCI would require an SCI entity to provide the date 
of the planned change. The SCI entity must also specify whether 
exigent circumstances exist, or if the information previously 
provided to the Commission regarding any material systems change has 
become materially inaccurate, and if so, whether the Commission has 
been orally notified. Further, the notification must include an 
Exhibit 4.
---------------------------------------------------------------------------

    Proposed Rule 1000(b)(7) would require an SCI entity to conduct an 
SCI review of the entity's compliance with Regulation SCI not less than 
once each calendar year, and to submit a report of the SCI review to 
senior management of the SCI entity for review no more than 30 calendar 
days after completion of such SCI review.
    Proposed Rule 1000(b)(8) contains two reporting requirements. 
Specifically, proposed Rule 1000(b)(8) would require an SCI entity to 
submit as an attachment to Form SCI: (i) A report of the SCI review 
required by proposed Rule 1000(b)(7), together with any response by 
senior management, within 60 calendar days after its submission to 
senior management of the SCI entity; \354\ and (ii) a report within 30 
calendar days after the end of June and December of each year, 
containing a summary description of the progress of any material 
systems change during the six-month period ending on June 30 or 
December 31, as the case may be, and the date or expected date of 
completion of implementation of such change.\355\
---------------------------------------------------------------------------

    \354\ This report would be required to be submitted as Exhibit 5 
to Form SCI.
    \355\ This report would be required to be submitted as Exhibit 6 
to Form SCI.
---------------------------------------------------------------------------

3. Requirements To Take Corrective Actions, Identify Immediate 
Notification SCI Events, and Identify Dissemination SCI Events
    Proposed Rule 1000(b)(3) would require an SCI entity, upon any 
responsible SCI personnel becoming aware of an SCI event, to begin to 
take appropriate corrective action which would be required to include, 
at a minimum, mitigating potential harm to investors and market 
integrity resulting from the SCI event and devoting adequate resources 
to remedy the SCI event as soon as reasonably practicable. Given these 
requirements of proposed Rule 1000(b)(3), SCI entities would likely 
work to develop a process for ensuring that they are prepared to comply 
with the corrective action requirement and would likely also 
periodically review this process.
    In addition, proposed Rule 1000(a) would define a ``dissemination 
SCI event'' to mean an SCI event that is a: (1) Systems compliance 
issue; (2) systems intrusion; or (3) systems disruption that results, 
or the SCI entity reasonably estimates would result, in significant 
harm or loss to market participants.
    Under the proposed Commission notification and member or 
participant dissemination requirements of proposed Rules 1000(b)(4) and 
(b)(5), when an SCI event occurs, an SCI entity must determine whether 
an SCI event is an immediate notification SCI event or a dissemination 
SCI event. As such, SCI entities would likely work to develop a process 
for ensuring that they are able to make determinations regarding the 
nature of the SCI event quickly and accurately, and periodically review 
this process.
4. Recordkeeping Requirements
    Proposed Rule 1000(c) would set forth recordkeeping requirements 
for SCI entities. Under proposed Rule 1000(c)(1), SCI SROs would be 
required to make, keep, and preserve all documents relating to their 
compliance with Regulation SCI as prescribed in Rule 17a-1 under the 
Exchange Act. Under proposed Rule 1000(c)(2), each SCI entity that is 
not an SCI SRO would be required to make, keep, and preserve at least 
one copy of all documents, including correspondence, memoranda, papers, 
books, notices, accounts, and other such records, relating to its 
compliance with Regulation SCI including, but not limited to, records 
relating to any changes to its SCI systems and SCI security systems, 
for a period of not less than five years, the first two years in a 
place that is readily accessible to the Commission or its 
representatives for inspection and examination. Upon request of any 
representative of the Commission, such SCI entities would be required 
to promptly furnish to the possession of such representative copies of 
any documents required to be kept and preserved by it under proposed 
Rule 1000(c)(2). Under proposed Rule 1000(c)(3), upon or immediately 
prior to ceasing to do business or ceasing to be registered under the 
Exchange Act, an SCI entity must take all necessary action to ensure 
that the records required to be made, kept, and preserved by this 
section will be accessible to the Commission and its representatives in 
the manner required by proposed Rule 1000(c) and for the remainder of 
the period required by proposed Rule 1000(c).
    In addition, proposed Rule 1000(e) would provide that, if the 
records required to be filed or kept by an SCI entity under proposed 
Regulation SCI are prepared or maintained by a service bureau or other 
recordkeeping service on behalf of the SCI entity, the SCI entity would 
be required to ensure that the records are available for review by the 
Commission and its representatives by submitting a written undertaking, 
in a form acceptable to the Commission, by such service bureau or other 
recordkeeping service and signed by a 
duly authorized person at such service bureau or other recordkeeping 
service.

B. Proposed Use of Information

1. Requirements To Establish Written Policies and Procedures and 
Mandate Participation in Certain Testing
    The proposed requirements that SCI entities establish certain 
written policies and procedures with respect to their systems, and that 
they require designated members or participants to participate in the 
testing of their business continuity and disaster recovery plans, would 
further the goals of the national market system and reinforce Exchange 
Act obligations by requiring entities important to the functioning of 
the U.S. securities markets to carefully design, develop, test, 
maintain, and surveil systems integral to their operations, and operate 
them in compliance with relevant federal securities laws and the rules 
and regulations thereunder, as well as their own rules and policies.
2. Notification, Dissemination, and Reporting Requirements for SCI 
Entities
    The information that would be collected pursuant to the proposed 
requirements for notifications, disseminations of information, and 
reports would assist the Commission in its oversight of SCI entities 
and the securities markets, help ensure the orderly operation of the 
U.S. securities markets, and help protect investors and the public 
interest. In particular, the proposed requirements that SCI entities 
notify the Commission of all SCI events, disseminate information to 
members or participants, undertake and submit to the Commission an SCI 
review not less than once each calendar year, and submit reports of 
material systems changes are designed to help ensure compliance with 
the other provisions of proposed Regulation SCI and accountability of 
SCI entities in the event of systems problems. Further, the Commission 
preliminarily believes that the member or participant information 
dissemination requirement for dissemination SCI events would make 
members or participants aware that their trading activity might have 
been or might be impacted by the occurrence of a dissemination SCI 
event, so that they could consider that information in making trading 
decisions, seeking corrective action, or pursuing remedies, among other 
things. The Commission also preliminarily believes that the prospect of 
disseminating information regarding dissemination SCI events to members 
or participants would provide an incentive for SCI entities to better 
focus on improving the integrity and compliance of their systems.
3. Requirements To Take Corrective Actions, Identify Immediate 
Notification Events, and Identify Dissemination SCI Events
    The proposed requirement that SCI entities begin to take 
appropriate corrective action upon any responsible SCI personnel 
becoming aware of an SCI event would help ensure that SCI entities 
dedicate adequate resources to timely address an SCI event and place an 
emphasis on mitigating potential harm to investors and market 
integrity. The proposed threshold for notification of certain SCI 
events to the Commission under proposed Rule 1000(b)(4)(i) would help 
ensure that the Commission is made aware of significant SCI events when 
any responsible SCI personnel becomes aware of such events. The 
proposed definition of dissemination SCI event would help ensure 
potentially impacted members or participants have basic information 
about SCI events so that they might be able to better assess whether 
they should use the services of an SCI entity.\356\
---------------------------------------------------------------------------

    \356\ See infra Section III.B.3.d (discussing the threshold for 
dissemination SCI events).
---------------------------------------------------------------------------

5. Recordkeeping Requirements
    The proposed recordkeeping requirements in Rules 1000(c) and (e) 
would assist Commission staff during an examination of an SCI entity to 
assess its compliance with the proposed rules. In addition, access to 
the records of SCI entities would help Commission staff to carry out 
its oversight responsibilities of SCI entities and the securities 
markets. Further, the proposed recordkeeping requirements would aid SCI 
entities and the Commission in documenting, reviewing, and correcting 
any SCI event, as well as in identifying market participants that may 
have been harmed by such an event.

C. Respondents

    The "collection of information" requirements contained in 
proposed Regulation SCI would apply to SCI entities, as described 
below. Currently, there are 26 entities that would satisfy the proposed 
definition of SCI SRO,\357\ 15 entities that would satisfy the proposed 
definition of SCI ATS,\358\ 2 entities that would satisfy the 
definition of plan processor,\359\ and 1 entity that would meet the 
definition of exempt clearing agency subject to ARP.\360\ Accordingly, 
the Commission estimates that there are currently 44 entities that 
would meet the definition of SCI entity and be subject to the 
collection of information requirements of proposed Regulation SCI.
---------------------------------------------------------------------------

    \357\ See supra notes 93-96 and accompanying text (listing 17 
registered national securities exchanges, 7 registered clearing 
agencies, FINRA, and the MSRB).
    \358\ See supra Section III.B.1.
    \359\ See supra note 565.
    \360\ See supra note 133 and accompanying text.
---------------------------------------------------------------------------

    The Commission requests comment on the accuracy of these estimated 
figures.

D. Total Initial and Annual Reporting and Recordkeeping Burdens

    As discussed above, all of the national securities exchanges, 
national securities associations, registered clearing agencies, and 
plan processors currently participate on a voluntary basis in the ARP 
Inspection Program.\361\ Under the ARP Inspection Program, Commission 
staff conducts on-site inspections and attends periodic technology 
briefings by staff of these entities, generally covering systems 
capacity and testing, review of systems vulnerability, review of 
planned systems development, and business continuity planning.\362\ In 
addition, Commission staff monitors systems failures and planned major 
systems changes at these entities.\363\
---------------------------------------------------------------------------

    \361\ See supra Section I.A.
    \362\ See id.
    \363\ See id.
---------------------------------------------------------------------------

    Under proposed Regulation SCI, many of the principles of the ARP 
policy statements with which SCI SROs are familiar would be codified. 
However, because the proposed regulation would have a broader scope 
than the current ARP Inspection Program and would impose mandatory 
recordkeeping obligations on entities subject to the rules,\364\ 
proposed Regulation SCI would impose paperwork burdens on all SCI 
entities. The Commission's total burden estimates reflect the total 
burdens on all SCI entities, taking into account the extent to which 
some SCI entities already comply with some of the proposed requirements 
of Regulation SCI. As discussed below, the Commission preliminarily 
believes that the extent of these burdens will vary for different types 
of SCI entities. The Commission notes that the hour figures set forth 
in this section are the Commission's preliminary best estimate of the 
paperwork burden for compliance with proposed Regulation SCI based on a 
variety of sources, including the 
Commission's experience with the current ARP Inspection Program and 
other similar estimated burdens for analogous rulemakings. However, the 
Commission recognizes that commenters may have other informed views of 
the actual burdens that would be imposed by these requirements and 
thus, the Commission solicits comment on the appropriateness and 
accuracy of each of the estimated burdens below.
---------------------------------------------------------------------------

    \364\ As discussed more fully in supra Section III.D and infra 
Section IV.D.4, SCI SROs are already subject to existing 
recordkeeping and retention requirements under Rule 17a-1 and thus 
the Commission believes that the proposed recordkeeping obligations 
would not impose any new burden on SCI SROs that is not already 
accounted for in the burden estimates for Rule 17a-1.
---------------------------------------------------------------------------

1. Requirements To Establish Written Policies and Procedures and 
Mandate Participation in Certain Testing
    The proposed rules that would require an SCI entity to establish 
policies and procedures and to mandate member or participant 
participation in business continuity and disaster recovery plans 
testing are discussed more fully in Section III.C above.
a. Policies and Procedures Required by Proposed Rule 1000(b)(1)
    The Commission preliminarily estimates that an SCI entity that has 
not previously participated in the ARP Inspection Program would require 
an average of 210 burden hours to develop and draft policies and 
procedures reasonably designed to ensure that its SCI systems and, for 
purposes of security standards, SCI security systems, have levels of 
capacity, integrity, resiliency, availability, and security adequate to 
maintain the SCI entity's operational capability and promote the 
maintenance of fair and orderly markets, as proposed to be required by 
Rule 1000(b)(1) of Regulation SCI (except for policies and procedures 
for standards that result in such systems being designed, developed, 
tested, maintained, operated, and surveilled in a manner that 
facilitates the successful collection, processing, and dissemination of 
market data, which are addressed separately).\365\ The estimated 210 
hours required for such entities would include the time expended to 
draft relevant policies and procedures and the time expended for review 
of the draft policies and procedures by the SCI entity's management. 
The Commission preliminarily believes that all SCI entities \366\ would 
conduct this work internally.\367\
---------------------------------------------------------------------------

    \365\ This estimate is based on the Commission's experience with 
the ARP Inspection Program and its preliminary estimate in the SB 
SDR Proposing Release for a similar requirement. See SB SDR 
Proposing Release, supra note 297, at 77349 (estimating the number 
of hours it would take to draft policies and procedures reasonably 
designed to ensure that the SDR's systems provide adequate levels of 
capacity, resiliency, and security). This estimate is for the number 
of hours an SCI entity would require over and above the usual and 
customary amount of time it would devote to developing policies and 
procedures designed to ensure its systems' capacity, integrity, 
resiliency, availability, and security. These estimated burdens may 
vary depending on an SCI entity's business and regulatory 
responsibilities.
    \366\ The Commission estimates that there are 44 SCI entities. 
Of these, 29 entities currently participate in the ARP Inspection 
Program and 15 do not. Because the MSRB is not currently a 
participant in the ARP Inspection Program, the estimated burden 
hours for the MSRB to develop policies and procedures as required by 
proposed Rule 1000(b)(1) (except for policies and procedures for 
standards that result in such systems being designed, developed, 
tested, maintained, operated, and surveilled in a manner that 
facilitates the successful collection, processing, and dissemination 
of market data) is 210 hours, which is higher than the number 
estimated for all other SCI SROs that currently participate in the 
ARP Inspection Program, as discussed below.
    \367\ But see infra Section IV.D.6, requesting comment on 
whether some SCI entities, particularly those that do not currently 
participate in the ARP Inspection Program, would seek to outsource 
this work and what the cost to outsource this work would be.
---------------------------------------------------------------------------

    For SCI entities that currently participate in the ARP Inspection 
Program (29 entities, nearly all of which are SCI SROs \368\), the 
Commission preliminarily believes that in developing their policies and 
procedures, these entities would be starting from a baseline of fifty 
percent, and therefore the average paperwork burden of developing the 
proposed policies and procedures would be 105 burden hours.\369\ The 
Commission preliminarily believes that a fifty percent baseline for SCI 
entities that participate in the ARP Inspection Program is appropriate 
because, although these entities already have substantial policies and 
procedures in place, proposed Rule 1000(b)(1) would require these 
entities to devote substantial time to reviewing and revising their 
existing policies and procedures to ensure that they are sufficiently 
robust in the context of a new and expanded regulatory regime. The 
Commission preliminarily believes that these entities would conduct 
this work internally.\370\
---------------------------------------------------------------------------

    \368\ 17 registered national securities exchanges + 7 registered 
clearing agencies + 1 national securities association + 2 plan 
processors + 1 exempt clearing agency subject to ARP + 1 ATS = 29 
entities.
    \369\ In establishing this baseline estimate, the Commission has 
considered what the entities do today; that is, in the absence of 
the proposed rule.
    \370\ But see infra Section IV.D.6, requesting comment on 
whether some SCI entities, particularly those that do not currently 
participate in the ARP Inspection Program, would seek to outsource 
this work and what the cost to outsource this work would be.
---------------------------------------------------------------------------

    With regard to the proposed requirement in Rule 1000(b)(1) that an 
SCI entity's policies and procedures include standards that result in 
such systems being designed, developed, tested, maintained, operated, 
and surveilled in a manner that facilitates the successful collection, 
processing, and dissemination of market data, the Commission 
preliminarily estimates that each SCI entity would spend an average of 
130 hours annually to comply with this requirement.\371\ As this 
proposed requirement is not currently addressed by the ARP Inspection 
Program, the Commission preliminarily estimates that the total initial 
and ongoing burden would be the same for all SCI entities and SCI 
entities would conduct this work internally.\372\
---------------------------------------------------------------------------

    \371\ This estimate is based on the Commission's experience with 
the ARP Inspection Program, and includes the time necessary to 
program systems to meet the proposed standard.
    \372\ But see infra Section IV.D.6, requesting comment on 
whether some SCI entities, particularly those that do not currently 
participate in the ARP Inspection Program, would seek to outsource 
this work and what the cost to outsource this work would be.
---------------------------------------------------------------------------

    As noted above, the Commission preliminarily believes that SCI 
entities would handle internally most of the work associated with 
establishing, maintaining, and enforcing written policies and 
procedures as proposed to be required by Rule 1000(b)(1). However, 
based on its experience with the ARP Inspection Program, the Commission 
preliminarily believes that SCI entities also would seek outside legal 
and/or consulting services in the initial preparation of such policies 
and procedures, and that the average cost of such outside legal and/or 
consulting advice would be $20,000 per respondent,\373\ for a total of 
$880,000 for all respondents.\374\
---------------------------------------------------------------------------

    \373\ This estimate is based on the Commission's experience with 
the ARP Inspection Program, as well as industry sources. In 
addition, the Commission has considered its estimate of the cost 
burden under Regulation SDR in connection with the establishment of 
certain policies and procedures. See SB SDR Proposing Release, supra 
note 297, at 77349 (preliminarily estimating that it would cost 
$100,000 to establish, maintain, and enforce five sets of written 
policies and procedures, one of which requires policies and 
procedures reasonably designed to ensure that the SDR's systems 
provide adequate levels of capacity, resiliency, and security).
    \374\ ($20,000 outside legal cost) x (44 SCI entities) = 
$880,000.
---------------------------------------------------------------------------

    As noted above, the Commission preliminarily estimates that the 
average initial number of burden hours per respondent to comply with 
proposed Rule 1000(b)(1) (except for policies and procedures for 
standards that result in such systems being designed, developed, 
tested, maintained, operated, and surveilled in a manner that 
facilitates the successful collection, processing, and dissemination of 
market data) would be 105 hours for SCI entities that are current ARP 
Inspection Program participants and 210 hours for SCI entities that are 
not current ARP 
Inspection Program participants, for a total of 6,195 hours.\375\ In 
addition, the Commission preliminarily estimates that the average 
initial number of burden hours per respondent to comply with the 
requirement for policies and procedures for standards that result in 
such systems being designed, developed, tested, maintained, operated, 
and surveilled in a manner that facilitates the successful collection, 
processing, and dissemination of market data would be 130 hours for a 
total of 5,720 hours for all respondents.\376\
---------------------------------------------------------------------------

    \375\ The Commission preliminarily believes that an Attorney and 
a Compliance Manager working in collaboration would develop and 
draft the required policies and procedures, assisted by, and in 
consultation with, Senior Systems Analysts and Operational 
Specialists. Thus, the Commission estimates: (Compliance Manager 
(including Senior Management Review) at 80 hours + Attorney at 80 
hours + Senior Systems Analyst at 25 hours + Operations Specialist 
at 25 hours) x (15 potential respondents) + (Compliance Manager 
(including Senior Management Review) at 40 hours + Attorney at 40 
hours + Senior Systems Analyst at 12.5 hours + Operations Specialist 
at 12.5 hours) x (29 potential respondents) = 6,195 burden hours.
    \376\ Based on its experience with the ARP Inspection Program, 
the Commission estimates: (Compliance Attorney at 30 hours + Senior 
Systems Analyst at 100 hours) x (44 potential respondents) = 5,720 
burden hours.
---------------------------------------------------------------------------

    The Commission preliminarily estimates that, once an SCI entity has 
drafted the policies and procedures proposed to be required by Rule 
1000(b)(1) (except for policies and procedures for standards that 
result in such systems being designed, developed, tested, maintained, 
operated, and surveilled in a manner that facilitates the successful 
collection, processing, and dissemination of market data), it would 
spend on average approximately 60 hours annually to review its written 
policies and procedures to ensure that they are up-to-date and to 
prepare any necessary new or amended policies and procedures.\377\ 
Using a fifty percent baseline for SCI entities that participate in the 
ARP Inspection Program and therefore currently review and revise 
policies and procedures from time to time, the Commission preliminarily 
estimates that the total annual ongoing burden to comply with proposed 
Rule 1000(b)(1) (except for policies and procedures for standards that 
result in such systems being designed, developed, tested, maintained, 
operated, and surveilled in a manner that facilitates the successful 
collection, processing, and dissemination of market data) would be 30 
hours per respondent for this group of respondents. The Commission 
therefore estimates the ongoing burden to comply with proposed Rule 
1000(b)(1) (except for policies and procedures for standards that 
result in such systems being designed, developed, tested, maintained, 
operated, and surveilled in a manner that facilitates the successful 
collection, processing, and dissemination of market data) to be 870 
hours \378\ for SCI entities that are current ARP Inspection Program 
participants and 900 hours \379\ for SCI entities that are not ARP 
Inspection Program participants, for a total of 1,770 hours for all 
respondents.\380\ As noted above, the Commission preliminarily 
estimates that the average ongoing number of burden hours per 
respondent to comply with the proposed requirement for policies and 
procedures for standards that result in such systems being designed, 
developed, tested, maintained, operated, and surveilled in a manner 
that facilitates the successful collection, processing, and 
dissemination of market data would be 130 hours for each respondent, 
for a total of 5,720 hours for all respondents.\381\ The Commission 
preliminarily believes that the work associated with updating the 
policies and procedures proposed to be required by proposed Rule 
1000(b)(1) would be done internally.\382\
---------------------------------------------------------------------------

    \377\ This estimate is based on the Commission's experience with 
the ARP Inspection Program. The Commission has also considered its 
preliminary estimate in the SB SDR Proposing Release for a similar 
requirement. See SB SDR Proposing Release, supra note 297, at 77349 
(estimating the ongoing burden associated with maintaining policies 
and procedures reasonably designed to ensure that the SDR's systems 
provide adequate levels of capacity, resiliency, and security). This 
estimate is for the number of hours an SCI entity would require over 
and above the usual and customary amount of time it would devote to 
maintaining policies and procedures designed to ensure its systems' 
capacity, integrity, resiliency, availability, and security.
    \378\ (Compliance Manager at 15 hours + Attorney at 15 hours) x 
(29 potential respondents currently participating in the ARP 
Inspection Program) = 870 hours.
    \379\ (Compliance Manager at 30 hours + Attorney at 30 hours) x 
(15 potential respondents not currently participating in the ARP 
Inspection Program) = 900 hours.
    \380\ 870 hours for SCI entities that are current ARP Inspection 
Program participants + 900 hours for SCI entities that are not 
current ARP Inspection Program participants = 1,770 burden hours.
    \381\ (Compliance Attorney at 30 hours + Senior Systems Analyst 
at 100 hours) x (44 potential respondents) = 5,720 burden hours.
    \382\ But see infra Section IV.D.6, requesting comment on 
whether some SCI entities, particularly those that do not currently 
participate in the ARP Inspection Program, would seek to outsource 
this work and what the cost to outsource this work would be.
---------------------------------------------------------------------------

b. Policies and Procedures Required by Proposed Rule 1000(b)(2)
    With regard to proposed Rule 1000(b)(2)(i), which would require 
each SCI entity to establish, maintain, and enforce written policies 
and procedures reasonably designed to ensure that its SCI systems 
operate in the manner intended, including in a manner that complies 
with the federal securities laws and rules and regulations thereunder 
and, as applicable, the entity's rules and governing documents, the 
Commission preliminarily believes that each SCI entity would elect to 
comply with the safe harbor provisions in proposed Rules 1000(b)(2)(ii) 
and (iii), and preliminarily estimates that each SCI entity would 
initially spend approximately 180 hours to design their policies and 
procedures accordingly. This estimate would include the time necessary 
to review and revise any existing policies and procedures to ensure 
that they satisfy the proposed safe harbor provisions, and the 
Commission preliminarily believes this estimate would be the same for 
all SCI entities.\383\ Therefore, the Commission preliminarily 
estimates that proposed Rule 1000(b)(2) would carry an initial one-time 
burden of 180 hours per respondent, for a total initial one-time burden 
of 7,920 hours for all respondents.\384\ The Commission also 
preliminarily estimates that each SCI entity that is an SRO would spend 
approximately 120 hours annually to review these written policies and 
procedures to ensure that they are up-to-date and to prepare any 
necessary new or amended policies and procedures, and that other types 
of SCI entities would spend approximately 60 hours to do this 
work.\385\ Therefore, the 
Commission preliminarily estimates that proposed Rule 1000(b)(2) would 
carry an ongoing annual burden of 120 hours per SRO respondent and 60 
hours per non-SRO respondent, for a total ongoing annual burden of 
4,200 hours for all respondents.\386\ These estimated burdens per 
respondent also would include the time expended for the review of the 
draft policies and procedures by the SCI entity's management.
---------------------------------------------------------------------------

    \383\ This estimate is based on the Commission's experience with 
the ARP Inspection Program and OCIE examinations, which review 
policies and procedures of registered entities in conjunction with 
examinations of such entities for compliance with the federal 
securities laws. Although not currently explicitly required under 
the existing ARP Inspection Program or other laws or regulations, 
the Commission expects that most, if not all, SCI entities already 
voluntarily have certain policies and procedures in place as part of 
good business management and oversight to ensure that their SCI 
systems operate in the manner intended. However, proposed Rule 
1000(b)(2)(i) would set forth specific new requirements with respect 
to such policies and procedures, and proposed Rules 1000(b)(2)(ii) 
and (iii) would specify how an SCI entity and its employees could 
satisfy the new requirement through safe harbors. Because proposed 
Rule 1000(b)(2)(i) has no analogue in the ARP Inspection Program and 
would create a new requirement for all SCI entities, for purposes of 
the PRA, the Commission preliminarily estimates that all SCI 
entities would elect to comply with the proposed safe harbor of 
proposed Rule 1000(b)(2)(ii) and be subject to the same initial 
burden to ensure that their policies and procedures satisfy the 
requirements of the proposed safe harbor.
    \384\ Based on its experience with OCIE examinations and the ARP 
Inspection Program, the Commission estimates: (Compliance Attorney 
at 30 hours + Senior Systems Analyst at 150 hours) x (44 potential 
respondents) = 7,920 burden hours.
    \385\ These estimates are based on the Commission's experience 
with the ARP Inspection Program and OCIE examinations. The 
Commission notes that its estimate of 120 hours for SCI SROs to 
annually review and update the written policies and procedures 
proposed to be required by Rule 1000(b)(2)(i), to satisfy the 
elements of the safe harbor provisions in proposed Rules 
1000(b)(2)(ii) and (iii), is higher than its estimate for SCI SROs 
to review and update the policies and procedures proposed to be 
required by Rule 1000(b)(1) and its estimate for SCI entities that 
are not SCI SROs to review and update the policies and procedures 
proposed to be required by Rule 1000(b)(2)(i), to satisfy the 
elements of the safe harbor provisions in proposed Rules 
1000(b)(2)(ii) and (iii). This higher estimate is based on the 
Commission's preliminary belief that the burden for SCI SROs would 
be greater because such entities generally change their rules with 
greater frequency. The Commission solicits comment on the 
accuracy of this information.
    \386\ Based on its experience with OCIE examinations and the ARP 
Inspection Program, the Commission estimates: (Compliance Attorney 
at 20 hours + Senior Systems Analyst at 100 hours) x (26 potential 
SCI SRO respondents) + (Compliance Attorney at 10 hours + Senior 
Systems Analyst at 50 hours) x (18 potential non-SCI SRO 
respondents) = 4,200 burden hours.
---------------------------------------------------------------------------

    As with proposed Rule 1000(b)(1), the Commission preliminarily 
believes that SCI entities would handle internally most of the work 
associated with establishing and maintaining written policies and 
procedures that are reasonably designed to ensure that their SCI 
systems operate in the manner intended, including in a manner that 
complies with the federal securities laws and rules and regulations 
thereunder and, as applicable, the entity's rules and governing 
documents, and that meet the requirements of the proposed safe harbor 
provisions of proposed Rule 1000(b)(2)(ii).\387\ However, based on its 
experience with the ARP Inspection Program, the Commission 
preliminarily believes that SCI entities also would seek outside legal 
and/or consulting advice in the initial preparation of such policies 
and procedures, and that the average cost of outside legal/consulting 
advice would be $20,000 per respondent, for a total of $880,000 for all 
respondents.\388\
---------------------------------------------------------------------------

    \387\ But see infra Section IV.D.6, requesting comment on 
whether some SCI entities, particularly those that do not currently 
participate in the ARP Inspection Program, would seek to outsource 
this work and what the cost to outsource this work would be.
    \388\ ($20,000 outside legal cost) x (44 entities) = $880,000.
---------------------------------------------------------------------------

c. Mandate Participation in Certain Testing
    Proposed Rule 1000(b)(9) would require each SCI entity, with 
respect to its business continuity and disaster recovery plans, 
including its backup systems, to require participation by designated 
members or participants in scheduled functional and performance testing 
of the operation of such plans at specified intervals, and coordinate 
such testing on an industry- or sector-wide basis with other SCI 
entities. The Commission preliminarily believes that all SCI entities 
would be subject to this proposed requirement, and that none of these 
entities currently require participation by members or participants in 
scheduled functional and performance testing of their business 
continuity and disaster recovery plans, as proposed Rule 1000(b)(9) 
would have them require.
    Although SCI entities may seek to implement the proposed 
requirements in different ways (e.g., for SCI SROs, by submitting 
proposed rule changes under Section 19(b) of the Exchange Act; for SCI 
ATSs, by revising membership or subscriber agreements and internal 
procedures; for plan processors, through an amendment to an SCI Plan 
under Rule 608 of Regulation NMS; and, for exempt clearing agencies 
subject to ARP, by revising participant agreements and internal 
procedures), the Commission preliminarily believes that the average 
paperwork burden associated with the proposed rule would be the same 
for all SCI entities because they would likely make similar changes to 
their rules, agreements, procedures, or SCI Plans, and would likely 
take similar actions to implement and coordinate mandatory testing. 
Based on its experience with SCI entities, the Commission preliminarily 
believes that SCI entities, other than plan processors, would handle 
this work internally.
    The Commission preliminarily estimates that each SCI entity (other 
than plan processors) would spend approximately 130 hours initially to 
meet the requirements of proposed Rules 1000(b)(9)(i) and (ii). This 
estimate takes into consideration the requirement to mandate 
participation by designated members or participants in testing under 
proposed Rule 1000(b)(9)(i), as well as the requirement under proposed 
Rule 1000(b)(9)(ii) that an SCI entity coordinate required testing with 
other SCI entities. Specifically, the estimated 130 hours assumes that 
it would take an SCI entity 35 hours to write a proposed rule, or 
revise a membership/subscriber agreement or participant agreement, as 
the case may be, to establish the participation requirement for the SCI 
entity's designated members or participants,\389\ and an additional 95 
hours of follow-up work (e.g., notice and schedule coordination) to 
ensure implementation. Therefore, the Commission preliminarily 
estimates that proposed Rules 1000(b)(9)(i) and (ii) would carry an 
initial burden of 130 hours per respondent, for a total initial burden 
of 5,460 hours for all respondents.\390\ For plan processors, the 
Commission preliminarily estimates that proposed Rules 1000(b)(9)(i) 
and (ii) would carry an initial cost of $52,000 per respondent,\391\ 
for a total initial cost of $104,000 for all plan 
processors.\392\
---------------------------------------------------------------------------

    \389\ In establishing this estimate, the Commission considered 
its estimate of the burden for an SRO to file an average proposed 
rule change. See 2012 Rule 19b-4 collection of information revision 
Supporting Statement, Office of Management and Budget, available at: 
https://www.reginfo.gov/public/do/PRAViewDocument?ref_nbr=201207-3235-002.
    \390\ Based on Commission staff experience in reviewing SRO 
proposed rule change filings and past estimates for Rule 19b-4 and 
Form 19b-4, the Commission estimates as follows: (Compliance Manager 
at 10 hours + Attorney at 15 hours + Compliance Clerk at 10 hours) x 
(42 potential respondents) + (Compliance Manager at 10 hours + 
Attorney at 15 hours + Operations Specialist at 70 hours) x (42 
potential respondents) = 5,460 hours to comply with proposed Rules 
1000(b)(9)(i) and (ii).
    \391\ 130 hours x $400 per hour for outside legal services = 
$52,000. See infra note 463.
    \392\ $52,000 x 2 plan processors = $104,000.
---------------------------------------------------------------------------

    The Commission also preliminarily estimates that each SCI entity 
(other than plan processors) would spend approximately 95 hours 
annually to review the written rules or requirements to ensure that 
they remain up-to-date and to prepare any necessary amendments and 
undertake necessary coordination to ensure implementation and 
enforcement of the requirement.\393\ Therefore, the Commission 
preliminarily estimates that proposed Rules 1000(b)(9)(i) and (ii) 
would carry an ongoing annual burden of 95 hours per respondent, for a 
total ongoing annual burden of 3,990 hours for all respondents.\394\ 
For plan processors, the Commission preliminarily estimates that 
proposed Rules 1000(b)(9)(i) and (ii) would carry an ongoing annual 
cost of $38,000 per respondent,\395\ for

[[Page 18148]]

a total ongoing annual cost of $76,000 for all plan processors.\396\
---------------------------------------------------------------------------

    \393\ As noted above, the initial burden includes 35 hours to 
write a proposed rule, revise an agreement, or amend an SCI Plan. 
The Commission does not believe this 35-hour burden would be 
applicable on an ongoing basis.
    \394\ (Compliance Manager at 10 hours + Attorney at 15 hours + 
Operations Specialist at 70 hours) x (42 potential respondents) = 
3,990 hours. See supra note 390.
    \395\ 95 hours x $400 per hour for outside legal services = 
$38,000. See infra note 463.
    \396\ $38,000 x 2 plan processors = $76,000.
---------------------------------------------------------------------------

    The Commission preliminarily estimates that each SCI entity (other 
than plan processors) would spend approximately 35 hours initially to 
meet the requirements of proposed Rule 1000(b)(9)(iii). This estimate 
takes into consideration the burden for an SCI entity to establish 
standards for designating members or participants who must participate 
in its business continuity and disaster recovery plans testing and file 
such standards with the Commission on Form SCI, as well as the burden 
for an SCI entity to determine, compile, and submit its list of 
designated members or participants on Form SCI. Specifically, the 
Commission estimates that each SCI entity would take 35 hours to write 
a proposed rule or an internal procedure, as the case may be, to 
establish standards for designating members or participants, to apply 
the standards to compile the list of designees, and to file such 
standards and the list of designees on Form SCI.\397\ Therefore, the 
Commission preliminarily estimates that proposed Rule 1000(b)(9)(iii) 
would carry an initial burden of 35 hours per respondent, for a total 
initial burden of 1,470 hours for all respondents.\398\ For plan 
processors, the Commission preliminarily estimates that proposed Rule 
1000(b)(9)(iii) would carry an initial cost of $14,000 per 
respondent,\399\ for a total initial cost of $28,000 for all plan 
processors.\400\
---------------------------------------------------------------------------

    \397\ In establishing this estimate, the Commission considered 
its estimate of the burden for an SRO to file an average proposed 
rule change. See 2012 Rule 19b-4 collection of information revision 
Supporting Statement, Office of Management and Budget, available at: 
https://www.reginfo.gov/public/do/PRAViewDocument?ref_nbr=201207-3235-002.
    \398\ Based on Commission staff experience in reviewing SRO 
proposed rule change filings and past estimates for Rule 19b-4 and 
Form 19b-4, the Commission estimates as follows: (Compliance Manager 
at 10 hours + Attorney at 15 hours + Compliance Clerk at 10 hours) x 
(42 potential respondents) = 1,470 hours to comply with Rule 
1000(b)(9)(iii).
    \399\ 35 hours x $400 per hour for outside legal services = 
$14,000. See infra note 463.
    \400\ $14,000 x 2 plan processors = $28,000.
---------------------------------------------------------------------------

    The Commission also preliminarily estimates that each SCI entity 
(other than plan processors) would spend approximately 3 hours annually 
to review the designation standards to ensure that they remain up-to-
date and to prepare any necessary amendments, to review its list of 
designated members or participants, and to update prior Commission 
notifications with respect to the standards for designation and the 
list of designees.\401\ Therefore, the Commission preliminarily 
estimates that proposed Rule 1000(b)(9)(iii) would carry an ongoing 
annual burden of 3 hours per respondent, for a total ongoing annual 
burden of 126 hours for all respondents.\402\ For plan processors, the 
Commission preliminarily estimates that proposed Rule 1000(b)(9)(iii) 
would carry an ongoing annual cost of $1,200 per respondent,\403\ 
for a total ongoing annual cost of $2,400 for all plan processors.\404\
---------------------------------------------------------------------------

    \401\ In establishing this estimate, the Commission has 
considered its estimate of the burden for an SRO to amend a Form 
19b-4. Specifically, the Commission estimated that an amendment to 
Form 19b-4 would require approximately 3 hours to complete. See 
Securities Exchange Act Release No. 50486 (October 4, 2004), 69 FR 
60287, 60294 (October 8, 2004).
    \402\ (Compliance Manager at 1.5 hours + Attorney at 1.5 hours) 
x (42 potential respondents) = 126 hours.
    \403\ 3 hours x $400 per hour for outside legal services = 
$1,200. See infra note 463.
    \404\ $1,200 x 2 plan processors = $2,400.
---------------------------------------------------------------------------

2. Notice, Dissemination, and Reporting Requirements for SCI Entities
    The proposed rules that would require an SCI entity to notify the 
Commission of SCI events, disseminate certain SCI events to members or 
participants, and submit specified reports are discussed more fully in 
Section III.C above.
a. Notices Required by Proposed Rule 1000(b)(4)
    Proposed Rule 1000(b)(4) would require notice of SCI events to the 
Commission.\405\ The burden estimates to comply with proposed Rule 
1000(b)(4) include the burdens associated with Commission notification 
of immediate notification SCI events and the submission of Form SCI in 
accordance with the instructions thereto.
---------------------------------------------------------------------------

    \405\ See supra note 351 and accompanying text for details 
regarding the content of Form SCI. Currently, there is no law or 
rule specifically requiring SCI entities to notify the Commission of 
systems problems in writing or in a specific format. Nevertheless, 
voluntary communications of systems problems to Commission staff 
occur in a variety of ways, including by telephone and email. The 
Commission notes that proposed Rule 1000(b)(4) would impose a new 
reporting requirement on SCI entities, regardless of whether they 
currently voluntarily notify the Commission of SCI events on an ad 
hoc basis. As such, the Commission preliminarily believes that a 
history of voluntarily reporting such events to the Commission would 
not lessen the future burden of reporting such events to the 
Commission on Form SCI as required under proposed Rule 1000(b)(4).
---------------------------------------------------------------------------

    Proposed Rule 1000(b)(4)(i) would require an SCI entity, upon any 
responsible SCI personnel becoming aware of a systems disruption that 
the SCI entity reasonably estimates would have a material impact on its 
operations or on market participants, any systems compliance issue, or 
any systems intrusion, to notify the Commission of such SCI event. As 
noted above, notification required by proposed Rule 1000(b)(4)(i) may 
be done orally or in writing. The Commission preliminarily estimates 
that each SCI entity would experience an average of 40 immediate 
notification SCI events per year.\406\ The Commission further 
preliminarily estimates that one-fourth of the notifications under 
proposed Rule 1000(b)(4)(i) would be in writing (i.e., 10 written 
notifications and 30 oral notifications), and that each written 
notification would require an in-house attorney half an hour to prepare 
and submit to the Commission.\407\ Thus, the Commission preliminarily 
estimates that the initial and ongoing burden to comply with the 
notification requirement of proposed Rule 1000(b)(4)(i) would be 5 
hours annually per respondent, and 220 hours annually for all 
respondents.\408\
---------------------------------------------------------------------------

    \406\ Because the threshold for immediate notification SCI 
events is lower than the threshold for dissemination SCI events, the 
estimate for the number of immediate notification SCI events is 
higher than the estimate for the number of dissemination SCI events 
(i.e., 15 dissemination SCI events). See infra notes 414 and 424 and 
accompanying text.
    \407\ The Commission preliminarily believes this estimate is 
appropriate because the notification required by proposed Rule 
1000(b)(4)(i) would not be submitted through Form SCI, and is 
intended to be an immediate initial notification when responsible 
SCI personnel becomes aware of an immediate notification SCI event 
which contains only information known to the SCI entity at that 
time.
    \408\ (Attorney at 0.5 hour for each notice) x (10 notices) = 5 
hours. 5 hours x (44 potential respondents) = 220 burden hours. The 
Commission preliminarily believes that SCI entities would handle 
internally the work associated with the notification requirement of 
proposed Rule 1000(b)(4)(i). But see infra Section IV.D.6, 
requesting comment on whether some SCI entities, particularly those 
that do not currently participate in the ARP Inspection Program, 
would seek to outsource this work and what the cost to outsource 
this work would be.
---------------------------------------------------------------------------

    Proposed Rule 1000(b)(4)(ii) would require an SCI entity, within 24 
hours of any responsible SCI personnel becoming aware of any SCI event, 
to submit a written notification to the Commission on Form SCI 
pertaining to such SCI event. The Commission preliminarily estimates 
that each SCI entity would experience an average of 65 SCI events per 
year.\409\ Thus, the

[[Page 18149]]

Commission preliminarily estimates that there would be an average of 65 
SCI event notices per year for each respondent. The Commission 
preliminarily estimates that each notification under proposed Rule 
1000(b)(4)(ii) would require an average of 20 burden hours,\410\ with a 
compliance manager and in-house attorney each spending approximately 10 
hours in collaboration to draft, review, and submit the report. Thus, 
the Commission preliminarily estimates that the initial and ongoing 
burden to comply with the reporting requirement of proposed Rule 
1000(b)(4)(ii) would be 1,300 hours annually per respondent, and 57,200 
hours annually for all respondents.\411\
---------------------------------------------------------------------------

    \409\ This estimate is based on the Commission's experience with the 
ARP Inspection Program. Approximately 175 ARP incidents were 
reported to the Commission in 2011 by entities that currently 
participate in the ARP Inspection Program. Of those entities, the 
Commission believes that 28 would fall under the proposed definition 
of SCI entity (since 2011, an additional entity has become part of 
the ARP Inspection Program, for a total of 29 SCI entities that 
participate in the ARP Inspection Program). Thus, each entity 
reported an average of approximately 6 incidents in 2011. Because 
the proposed definition of ``SCI event'' is broader than the types 
of events covered by the current ARP Inspection Program, and SCI 
entities are not currently required by law or rule to report systems 
issues to the Commission, the Commission preliminarily believes that 
the number of SCI events that would be reported to the Commission 
would be significantly more than the number of incidents reported in 
2011. The Commission acknowledges that, because these types of 
incidents are not required to be reported under the current ARP 
Inspection Program, this figure is largely an estimate and is 
difficult to ascertain. As such, the Commission seeks comment on the 
accuracy of this estimate.
    \410\ This estimate includes the burden for attaching an Exhibit 
3 (i.e., a copy in pdf or html format of any information 
disseminated to date regarding the SCI event to its members or 
participants or on the SCI entity's publicly available Web site). 
This estimate is based on Commission staff experience with the ARP 
Inspection Program. The Commission has also considered its estimate 
of the burden to complete Form 19b-4. Specifically, the Commission 
has estimated that an SRO would spend approximately 39 hours to 
complete a Form 19b-4. See 2012 Rule 19b-4 collection of information 
revision Supporting Statement, Office of Management and Budget, 
available at: https://www.reginfo.gov/public/do/PRAViewDocument?ref_nbr=201207-3235-002. However, the Commission notes that, unlike Form 
19b-4, the information contained in Form SCI would only be factual. 
As such, the Commission preliminarily believes that the amount of 
time for an SCI entity to complete Form SCI would be less than the 
amount of time for an SRO to complete Form 19b-4.
    \411\ (Compliance Manager at 10 hours for each notice + Attorney 
at 10 hours for each notice) x (65 notices) = 1,300 hours. 1,300 
hours x (44 potential respondents) = 57,200 burden hours. The 
Commission preliminarily believes that SCI entities would handle 
internally the work associated with the notification requirement of 
proposed Rule 1000(b)(4)(ii). But see infra Section IV.D.6, 
requesting comment on whether some SCI entities, particularly those 
that do not currently participate in the ARP Inspection Program, 
would seek to outsource this work and what the cost to outsource 
this work would be.
---------------------------------------------------------------------------

    Proposed Rule 1000(b)(4)(iii) would require an SCI entity to submit 
written updates to the Commission on Form SCI pertaining to SCI events 
on a regular basis, or at such frequency as reasonably requested by a 
representative of the Commission, until such time as the SCI event is 
resolved. Based on Commission staff's experience with the ARP 
Inspection Program, the Commission preliminarily estimates that, on 
average, each SCI entity would submit 5 updates per year under proposed 
Rule 1000(b)(4)(iii), and that each update would require an average of 
3 burden hours,\412\ with a compliance manager and in-house attorney 
each spending approximately 1.5 hours in collaboration to draft, 
review, and submit the update. Thus, the Commission preliminarily 
estimates that the initial and ongoing burden to comply with the 
continuous update requirement of proposed Rule 1000(b)(4)(iii) would be 
15 hours annually per respondent, and 660 hours annually for all 
respondents.\413\
---------------------------------------------------------------------------

    \412\ This estimate includes the burden for attaching an Exhibit 
3 (i.e., a copy in pdf or html format of any information disclosed 
to date regarding the SCI event to its members or participants or on 
the SCI entity's publicly available Web site). In determining this 
estimate, the Commission has considered its estimate of the burden 
for an SRO to amend a Form 19b-4. Specifically, the Commission 
estimated that an amendment to Form 19b-4 would require 
approximately 3 hours to complete. See Securities Exchange Act 
Release No. 50486 (October 4, 2004), 69 FR 60287, 60294 (October 8, 
2004).
    \413\ (Compliance Manager at 1.5 hours for each update + 
Attorney at 1.5 hours for each update) x (5 updates) = 15 hours. 15 
hours x (44 potential respondents) = 660 burden hours. The 
Commission preliminarily believes that SCI entities would handle 
internally the work associated with the reporting requirement of 
proposed Rule 1000(b)(4)(iii). But see infra Section IV.D.6, 
requesting comment on whether some SCI entities, particularly those 
that do not currently participate in the ARP Inspection Program, 
would seek to outsource this work and what the cost to outsource 
this work would be.
---------------------------------------------------------------------------

b. Disseminations Required by Proposed Rule 1000(b)(5)
    Proposed Rule 1000(b)(5) would require disseminations of 
information to members or participants relating to dissemination SCI 
events. Based on the definition of dissemination SCI event, the 
Commission preliminarily estimates that each SCI entity would 
experience an average of 14 dissemination SCI events each year that are 
not systems intrusions, resulting in an average of 14 member or 
participant disseminations per respondent per year under proposed Rule 
1000(b)(5)(i).\414\
---------------------------------------------------------------------------

    \414\ This estimate is based on the Commission's experience with 
the ARP Inspection Program. Specifically, as indicated in the 
Economic Analysis Section, approximately 175 ARP incidents were 
reported to the Commission in 2011 by entities that currently 
participate in the ARP Inspection Program. Of those entities, the 
Commission believes that 28 would fall under the proposed definition 
of SCI entity (since 2011, an additional entity has become part of 
the ARP Inspection Program, for a total of 29 SCI entities that 
participate in the ARP Inspection Program). Thus, each entity 
reported an average of approximately 6 incidents in 2011. Further, 
because proposed Rule 1000(a) would define an SCI event to mean a 
systems disruption, systems compliance issue, or systems intrusion, 
the scope of proposed Regulation SCI is broader than the scope of 
incidents reported to the ARP Inspection Program, which covers 
certain systems disruptions and intrusions. As such, the Commission 
preliminarily believes that an estimate of 14 dissemination SCI 
events per year per SCI entity (other than systems disruptions) is 
appropriate.
---------------------------------------------------------------------------

    Proposed Rule 1000(b)(5)(i)(A) would require an SCI entity, 
promptly after any responsible SCI personnel becomes aware of a 
dissemination SCI event other than a systems intrusion, to disseminate 
to its members or participants the following information about such SCI 
event: (1) The systems affected by the SCI event; and (2) a summary 
description of the SCI event.
    In addition to the costs for outside legal advice discussed 
below,\415\ the Commission estimates that each initial member or 
participant dissemination would require an average of 3 hours to 
prepare and make available to members or participants, with an in-house 
attorney spending approximately 2.67 hours in drafting and reviewing 
the dissemination, and a webmaster spending approximately 0.33 hours in 
making the dissemination available to members or participants.\416\ 
Thus, the Commission preliminarily estimates that the initial and 
ongoing burden to comply with the initial member or participant 
dissemination requirement of proposed Rule 1000(b)(5)(i)(A) would be 
approximately 42 hours annually per respondent, and 1,848 hours 
annually for all respondents.\417\
---------------------------------------------------------------------------

    \415\ See infra note 428.
    \416\ This estimate is based on Commission staff's experience 
with the ARP Inspection Program. The Commission estimates that each 
initial member or participant dissemination would require an average 
of 3 hours to prepare and make available the information to members 
or participants, instead of 20 hours as estimated for proposed Rule 
1000(b)(4)(ii), because the information required to be disseminated 
to members or participants would have been used for the initial 
written notification on Form SCI. For the same reason, the 
Commission preliminarily believes that an in-house attorney will 
prepare the dissemination, which will be made available to members 
or participants by the webmaster.
    \417\ (Attorney at 2.67 hours for each notification + Webmaster 
at 0.33 hour for each notification) x (14 notifications per year) = 
42 hours. 42 hours x (44 potential respondents) = 1,848 burden 
hours. The Commission preliminarily believes that SCI entities would 
handle internally most of the work associated with the notification 
requirement of proposed Rule 1000(b)(5)(i)(A). But see infra Section 
IV.D.6, requesting comment on whether some SCI entities, 
particularly those that do not currently participate in the ARP 
Inspection Program, would seek to outsource this work and what the 
cost to outsource this work would be.
---------------------------------------------------------------------------

    Proposed Rule 1000(b)(5)(i)(B) would require the SCI entity to 
further disseminate, when known, the following information to its 
members or

[[Page 18150]]

participants: (1) A detailed description of the SCI event; (2) the SCI 
entity's current assessment of the types and number of market 
participants potentially affected by the SCI event; and (3) a 
description of the progress of its corrective action for the SCI event 
and when the SCI event has been or is expected to be resolved. In 
addition to the outside costs discussed below,\418\ the Commission 
preliminarily estimates that each update under proposed Rule 
1000(b)(5)(i)(B) would require an average of 5 hours to prepare and 
make available to members or participants,\419\ with an in-house 
attorney spending approximately 4.67 hours in drafting and reviewing 
the update, and a webmaster spending approximately 0.33 hour in making 
the update available to members or participants. Thus, the Commission 
preliminarily estimates that the initial and ongoing burden to comply 
with the update requirement of proposed Rule 1000(b)(5)(i)(B) would be 
approximately 70 hours annually per respondent, and 3,080 hours 
annually for all respondents.\420\
---------------------------------------------------------------------------

    \418\ See infra note 428.
    \419\ The Commission estimates that each update under proposed 
Rule 1000(b)(5)(i)(B) would require an average of 5 hours to prepare 
and make available to members or participants, instead of 20 hours 
as estimated for proposed Rule 1000(b)(4)(ii), because the 
information required to be disseminated to members or participants 
would have been used for the initial written notification on Form 
SCI.
    \420\ (Attorney at 4.67 hours for each update + Webmaster at 
0.33 hour for each update) x (14 updates per year) = 70 hours. 70 
hours x (44 potential respondents) = 3,080 burden hours. This 
estimate is based on Commission staff's experience with the ARP 
Inspection Program. The Commission preliminarily believes that SCI 
entities would handle internally most of the work associated with 
the update requirement of proposed Rule 1000(b)(5)(i)(B). But see 
infra Section IV.D.6, requesting comment on whether some SCI 
entities, particularly those that do not currently participate in 
the ARP Inspection Program, would seek to outsource this work and 
what the cost to outsource this work would be.
---------------------------------------------------------------------------

    Proposed Rule 1000(b)(5)(i)(C) would require an SCI entity to 
provide regular updates to members or participants of any information 
required to be disseminated under proposed Rule 1000(b)(5). As noted 
above, there were approximately 175 ARP incidents reported to the 
Commission in 2011. These incidents had durations ranging from under 
one minute to 24 hours, with most incidents having a duration of less 
than 2 hours. Based on the relatively short duration of the ARP 
incidents reported to the Commission in 2011, the Commission 
preliminarily estimates that, on average, each SCI entity would provide 
one regular update per year per dissemination SCI event under proposed 
Rule 1000(b)(5)(i)(C). In addition to the costs for outside legal 
advice discussed below,\421\ the Commission preliminarily estimates 
that each update would require an average of 1 hour to prepare and make 
available to members or participants,\422\ with an in-house attorney 
spending approximately 0.67 hour in drafting and reviewing the update, 
and a webmaster spending approximately 0.33 hour in making the update 
available to members or participants. Thus, the Commission 
preliminarily estimates that the initial and ongoing burden to comply 
with the regular update requirement of proposed Rule 1000(b)(5)(i)(C) 
would be approximately 14 hours annually per respondent, and 616 hours 
annually for all respondents.\423\
---------------------------------------------------------------------------

    \421\ See infra note 428.
    \422\ This estimate is based on the estimated burden to complete 
and submit a written update for an SCI event on Form SCI. See supra 
note 412. The Commission estimates that each regular update to a 
member or participant dissemination would require an average of 1 
hour to prepare and make available to members or participants, 
instead of 3 hours, because the information required to be provided 
to the Commission in the updates on Form SCI would also be used for 
updating the member or participant dissemination. For the same 
reason, the Commission preliminarily believes that an attorney will 
prepare the update, which will be made available by the webmaster.
    \423\ (Attorney at 0.67 hour for each update + Webmaster at 0.33 
hour for each update) x (14 updates per year) = 14 hours. 14 hours x 
(44 potential respondents) = 616 burden hours. This estimate is 
based on Commission staff's experience with the ARP Inspection 
Program. The Commission preliminarily believes that SCI entities 
would handle internally most of the work associated with the update 
requirement of proposed Rule 1000(b)(5)(i)(C). But see infra Section 
IV.D.6, requesting comment on whether some SCI entities, 
particularly those that do not currently participate in the ARP 
Inspection Program, would seek to outsource this work and what the 
cost to outsource this work would be.
---------------------------------------------------------------------------

    Under proposed Rule 1000(b)(5)(ii), promptly after any responsible 
SCI personnel becomes aware of a systems intrusion, the SCI entity 
would be required to disseminate to its members or participants a 
summary description of the systems intrusion, including a description 
of the corrective action taken by the SCI entity and when the systems 
intrusion has been or is expected to be resolved, unless the SCI entity 
determines that dissemination of such information would likely 
compromise the security of the SCI entity's SCI systems or SCI security 
systems, or an investigation of the systems intrusion, and documents 
the reasons for such determination. Based on the definition of 
dissemination SCI event, the Commission preliminarily estimates that 
each SCI entity would experience an average of 1 dissemination SCI 
event that is a systems intrusion each year, resulting in an average of 
1 member or participant dissemination per respondent per year under 
proposed Rule 1000(b)(5)(ii).\424\ In addition to the costs for outside 
legal advice discussed below,\425\ the Commission estimates that each 
member or participant dissemination under proposed Rule 1000(b)(5)(ii) 
would require an average of 3 hours to prepare and make available to 
members or participants, with an in-house attorney spending 
approximately 2.67 hours in drafting and reviewing the dissemination, 
and a webmaster spending approximately 0.33 hours in making the 
dissemination available to members or participants.\426\ Thus, the 
Commission preliminarily estimates that the initial and ongoing burden 
to comply with the member or participant dissemination requirement 
under proposed Rule 1000(b)(5)(ii) would be approximately 3 hours 
annually per respondent, and 132 hours annually for all 
respondents.\427\
---------------------------------------------------------------------------

    \424\ Based on the Commission's experience with the ARP Inspection 
Program, the Commission preliminarily believes each SCI entity will 
experience on average less than one systems intrusion per year. 
However, for purposes of the PRA, the Commission preliminarily 
estimates one systems intrusion per respondent per year.
    \425\ See infra note 428.
    \426\ This estimate includes any burden for an SCI entity to 
document its reason for determining that dissemination of 
information regarding a systems intrusion would likely compromise 
the security of the SCI entity's SCI systems or SCI security 
systems, or an investigation of the systems intrusion. This estimate 
is based on Commission staff's experience with the ARP Inspection 
Program. In determining this estimate, the Commission considered its 
burden estimate for proposed Rule 1000(b)(5)(i)(A) because both 
rules would require the dissemination of certain basic information 
about a dissemination SCI event. For the same reason, the Commission 
preliminarily believes that an in-house attorney will prepare the 
dissemination, which will be made available by the webmaster.
    \427\ (Attorney at 2.67 hours for each notification + Webmaster 
at 0.33 hour for each notification) x (1 notification per year) = 3 
hours. 3 hours x (44 potential respondents) = 132 burden hours. The 
Commission preliminarily believes that SCI entities would handle 
internally most of the work associated with the dissemination 
requirement of proposed Rule 1000(b)(5)(ii). But see infra Section 
IV.D.6, requesting comment on whether some SCI entities, 
particularly those that do not currently participate in the ARP 
Inspection Program, would seek to outsource this work and what the 
cost to outsource this work would be.
---------------------------------------------------------------------------

    The Commission preliminarily believes that SCI entities would 
internally handle most of the work associated with disseminating 
information on dissemination SCI events to members or participants. 
However, based on its experience with the ARP Inspection Program, the 
Commission preliminarily believes that SCI entities also would seek 
outside legal advice in the preparation of the disseminations required 
under proposed Rule 1000(b)(5), and that the average cost of outside 
legal advice would be

[[Page 18151]]

$15,000 per respondent per year, for a total of $660,000 for all 
respondents per year.\428\
---------------------------------------------------------------------------

    \428\ ($15,000 outside legal cost) x (44 potential respondents) 
= $660,000.
---------------------------------------------------------------------------

c. Notices Required by Proposed Rule 1000(b)(6)
    Proposed Rule 1000(b)(6) would require notification to the 
Commission on Form SCI of material systems changes. The Commission 
preliminarily believes this work would be conducted internally.\429\ 
The burden estimates to comply with proposed Rule 1000(b)(6) include 
the burdens associated with submission of Form SCI in accordance with 
the instructions thereto.
---------------------------------------------------------------------------

    \429\ But see infra Section IV.D.6, requesting comment on 
whether some SCI entities, particularly those that do not currently 
participate in the ARP Inspection Program, would seek to outsource 
this work and what the cost to outsource this work would be.
---------------------------------------------------------------------------

    Specifically, proposed Rule 1000(b)(6) would require the SCI 
entity, absent exigent circumstances, to notify the Commission on Form 
SCI at least 30 calendar days before the implementation of any planned 
material systems change, including a description of the planned 
material systems change as well as the expected dates of commencement 
and completion of the implementation of such change.\430\ Based on its 
experience with the ARP Inspection Program, the Commission preliminarily 
estimates that there would be an average of 60 planned material systems 
changes per respondent per year.\431\ As such, the Commission 
preliminarily estimates that there would be an average of 60 
notifications per respondent per year, and each notification would 
require an average of 2 hours to prepare and submit,\432\ with an 
attorney spending approximately 0.33 hours and a senior systems analyst 
spending approximately 1.67 hours in drafting and reviewing the 
notification. For the 15 SCI entity respondents that do not currently 
participate in the ARP Inspection Program, the Commission preliminarily 
estimates that the initial and ongoing burden to comply with the notice 
requirement of proposed Rule 1000(b)(6) would be approximately 120 
hours annually per respondent, and 1,800 hours annually for all 
respondents.\433\ Because SCI entities that currently participate in 
the ARP Inspection Program already notify the Commission of planned 
material systems changes, the Commission preliminarily estimates that 
these entities would be starting from a baseline of fifty percent, and 
that the increased burden for these 30 SCI entities would be 60 hours 
annually per respondent.\434\ The Commission preliminarily estimates 
that the total initial and ongoing burden for SCI entities that 
currently participate in the ARP Inspection Program would be 60 hours 
annually per respondent, for a total burden of 1,740 hours for all of 
these respondents.\435\ Thus, the total estimated initial and ongoing 
burden to comply with proposed Rule 1000(b)(6) would be 3,540 hours for all 
respondents.\436\
---------------------------------------------------------------------------

    \430\ If exigent circumstances exist, or if the information 
previously provided to the Commission regarding any planned material 
systems change becomes materially inaccurate, the SCI entity would 
be required to notify the Commission, either orally or in writing, 
with any oral notification to be memorialized within 24 hours after 
such oral notification by a written notification, as early as 
reasonably practicable.
    \431\ This estimate includes instances where the information 
previously provided to the Commission regarding any planned material 
systems change becomes materially inaccurate.
    \432\ In estimating the burden imposed by proposed Rule 
1000(b)(6), the Commission also considered its burden estimate for 
the same reporting requirement that was proposed for SB SEFs. 
Specifically, proposed Rule 822(a)(4) in the SB SEF Proposing 
Release would require an SB SEF to notify the Commission in writing 
at least 30 calendar days before the implementation of material 
systems changes. The Commission estimated that there would be an 
average of 60 notifications per respondent per year, and that each 
notification would require an average of 2 internal burden hours. 
See SB SEF Proposing Release, supra note 297, at 11029.
    \433\ (Attorney at 0.33 hour for each notification + Senior 
Systems Analyst at 1.67 hours for each notification) x (60 
notifications per year) = 120 hours. 120 hours x (15 potential 
respondents) = 1,800 burden hours.
    \434\ (Attorney at 0.33 hour for each notification + Senior 
Systems Analyst at 1.67 hours for each notification) x (30 
additional notifications per year) = 60 hours. The Commission 
preliminarily believes that the burden would result from the 
proposed broadened definitions of ``SCI systems'' and ``SCI security 
systems'' in Regulation SCI, as well as the shift from a voluntary 
to a mandatory regulatory environment.
    \435\ (60 burden hours) x (29 potential respondents) = 1,740 
burden hours.
    \436\ (1,800 burden hours for SCI entities that do not currently 
participate in the ARP Inspection Program + 1,740 burden hours for 
SCI entities that currently participate in the ARP Inspection 
Program) = 3,540 burden hours.
---------------------------------------------------------------------------

d. SCI Review Required by Proposed Rule 1000(b)(7)
    Proposed Rule 1000(b)(7) would require each SCI entity to conduct 
an SCI review of its compliance with Regulation SCI not less than once 
each calendar year, and submit a report of the SCI review to its senior 
management for review no more than 30 calendar days after completion of 
such SCI review. The Commission preliminarily estimates that the 
initial and ongoing burden of conducting an SCI review and submitting 
the SCI review to senior management of the SCI entity for review would 
be approximately 625 hours for each respondent \437\ and 27,500 hours 
annually for all respondents.\438\
---------------------------------------------------------------------------

    \437\ This estimate is the Commission's preliminary best 
estimate and is based on Commission staff's experience with SCI 
entities participating in the ARP Inspection Program. This estimate 
also is the same as the Commission's burden estimate for internal 
audits of SB SEFs. See SB SEF Proposing Release, supra note 297, at 
11028. Proposed Rule 822 in the SB SEF Proposing Release would 
require an SB SEF to submit to the Commission an annual objective 
review of the capability of its systems that support or are 
integrally related to the performance of its activities, provided 
that if a review is performed internally, an external firm shall 
report on the objectivity, competency, and work performance with 
respect to the internal review. The Commission recognizes that the 
annual review requirement proposed for SB SEFs is different, in 
certain respects, from the requirement under proposed Rule 
1000(b)(7). Specifically, the scopes of the reviews are different 
because proposed Rule 1000(b)(7) would require an SCI review of an 
SCI entity's compliance with proposed Regulation SCI. Further, 
proposed Rule 1000(b)(7) would not require an external review of an 
internal SCI review. Nevertheless, the Commission preliminarily 
believes that these differences should not result in differences in 
the burden estimate for these similar internal audits.
    \438\ (Attorney at 80 hours + Manager Internal Auditor at 170 
hours + Senior Systems Analyst at 375 hours) x (44 potential 
respondents) = 27,500 burden hours.
---------------------------------------------------------------------------

e. Reports Required by Proposed Rule 1000(b)(8)
    Proposed Rule 1000(b)(8) would require each SCI entity to submit 
certain reports to the Commission. The burden estimates to comply with 
proposed Rule 1000(b)(8) include the burdens associated with submission 
of Form SCI in accordance with the instructions thereto.
    Pursuant to proposed Rule 1000(b)(8)(i), each SCI entity would be 
required to submit to the Commission, as an attachment to Form SCI, a 
report of the SCI review required by proposed Rule 1000(b)(7), together 
with any response by senior management of the SCI entity, within 60 
calendar days after its submission to senior management of the SCI 
entity. The Commission estimates that each SCI entity would require 1 
hour to submit the SCI review using Form SCI, for a total annual 
initial and ongoing burden of 44 hours for all respondents.\439\
---------------------------------------------------------------------------

    \439\ (Attorney at 1 hour for each submission) x (1 submission 
per year) = 1 burden hour. (1 burden hour) x (44 potential 
respondents) = 44 burden hours.
---------------------------------------------------------------------------

    Proposed Rule 1000(b)(8)(ii) would require each SCI entity to 
submit, using Form SCI, a report within 30 calendar days after the end 
of June and December of each year, containing a summary description of 
the progress of any material systems changes during the six-month 
period ending on June 30 or December 31, as the case may be, and the 
date, or expected date, of completion of their implementation.

[[Page 18152]]

The Commission preliminarily estimates that the initial and ongoing 
burden to comply with proposed Rule 1000(b)(8)(ii) would be 
approximately 60 hours per respondent per report or 120 hours 
annually,\440\ and 5,280 hours annually for all respondents.\441\
---------------------------------------------------------------------------

    \440\ The Commission notes that SCI entities currently do not 
submit to the Commission written semi-annual notifications of 
material systems changes. This estimate is based on Commission 
staff's experience with various entities through the ARP Inspection 
Program.
    \441\ (Attorney at 10 hours for each report + Senior Systems 
Analyst at 50 hours for each report) x (2 reports per year) = 120 
burden hours. (120 burden hours) x (43 potential respondents) = 
5,280 burden hours. The Commission preliminarily believes that SCI 
entities would handle internally the work associated with the 
reporting requirement of proposed Rule 1000(b)(8)(ii). But see infra 
Section IV.D.6, requesting comment on whether some SCI entities, 
particularly those that do not currently participate in the ARP 
Inspection Program, would seek to outsource this work and what the 
cost to outsource this work would be.
---------------------------------------------------------------------------

3. Requirements To Take Corrective Actions, Identify Immediate 
Notification SCI Events, and Identify Dissemination SCI Events
    The proposed rules that could result in SCI entities establishing 
additional processes for compliance with proposed Regulation SCI are 
discussed more fully in Section III.C above.
a. Requirement To Take Corrective Actions
    Proposed Rule 1000(b)(3) would require an SCI entity, upon any 
responsible SCI personnel becoming aware of an SCI event, to begin to 
take corrective action which shall include, at a minimum, mitigating 
potential harm to investors and market integrity resulting from the SCI 
event and devoting adequate resources to remedy the SCI event as soon 
as reasonably practicable. Based on its experience with the ARP 
Inspection Program, the Commission believes that entities that 
participate in the ARP Inspection Program already take corrective 
actions in response to a systems issue, and believes that other SCI 
entities also take corrective actions in response to a systems issue. 
Nevertheless, the Commission preliminarily believes that proposed Rule 
1000(b)(3) would likely result in SCI entities revising their policies 
in this regard, which would help to ensure that their information 
technology staff has the ability to access systems in order to take 
appropriate corrective actions. As such, proposed Rule 1000(b)(3) may 
impose a one-time implementation burden on SCI entities associated with 
developing a process for ensuring that they are prepared for the 
corrective action requirement. Proposed Rule 1000(b)(3) also may impose 
periodic burdens on SCI entities in reviewing that process. The 
Commission preliminarily estimates that the initial burden to implement 
such a process would be 42 hours per SCI entity \442\ or 1,848 hours 
for all SCI entities.\443\ The Commission also preliminarily estimates 
that the ongoing burden to review such a process would be 12 hours 
annually per SCI entity \444\ or 528 hours annually for all SCI 
entities.\445\
---------------------------------------------------------------------------

    \442\ This estimate is based on the Commission's burden estimate 
for proposed Rule 1000(b)(1) because both proposed Rule 1000(b)(1) 
and proposed Rule 1000(b)(3) would result in certain policies and 
procedures or processes. Because proposed Rule 1000(b)(1) (except 
for policies and procedures for standards that result in such 
systems being designed, developed, tested, maintained, operated, and 
surveilled in a manner that facilitates the successful collection, 
processing, and dissemination of market data) would require the 
establishment of five policies and procedures at a minimum, the 
Commission preliminarily estimates that the initial burden to 
establish the process to comply with proposed Rule 1000(b)(3) would 
be one-fifth of the initial burden to comply with proposed Rule 
1000(b)(1) (except for policies and procedures for standards that 
result in such systems being designed, developed, tested, 
maintained, operated, and surveilled in a manner that facilitates 
the successful collection, processing, and dissemination of market 
data), or 42 hours (210 hours / 5). Further, the Commission 
preliminarily estimates that the hourly breakdown between different 
staff of the SCI entity would be in the same ratio as the 
Commission's estimate for proposed Rule 1000(b)(1) (except for 
policies and procedures for standards that result in such systems 
being designed, developed, tested, maintained, operated, and 
surveilled in a manner that facilitates the successful collection, 
processing, and dissemination of market data)--Compliance Manager at 
16 hours, Attorney at 16 hours, Senior Systems Analyst at 5 hours, 
and Operations Specialist at 5 hours. These estimates reflect the 
Commission's preliminary view that SCI entities would establish the 
process for compliance with proposed Rule 1000(b)(3) internally. But 
see infra Section IV.D.6, requesting comment on whether some SCI 
entities, particularly those that do not currently participate in 
the ARP Inspection Program, would seek to outsource this work and 
what the cost to outsource this work would be.
    \443\ (42 hours) x (44 potential respondents) = 1,848 burden 
hours.
    \444\ This estimate is based on the Commission's burden estimate 
for proposed Rule 1000(b)(1) because both proposed Rule 1000(b)(1) 
and proposed Rule 1000(b)(3) would result in certain policies and 
procedures or processes. Because proposed Rule 1000(b)(1) (except 
for policies and procedures for standards that result in such 
systems being designed, developed, tested, maintained, operated, and 
surveilled in a manner that facilitates the successful collection, 
processing, and dissemination of market data) would require the 
establishment and review of five policies and procedures at a 
minimum, the Commission preliminarily estimates that the ongoing 
burden to review the process to comply with proposed Rule 1000(b)(3) 
would be one-fifth of the ongoing burden to comply with proposed 
Rule 1000(b)(1) (except for policies and procedures for standards 
that result in such systems being designed, developed, tested, 
maintained, operated, and surveilled in a manner that facilitates 
the successful collection, processing, and dissemination of market 
data), or 12 hours (60 hours / 5). Further, the Commission 
preliminarily estimates that the hourly breakdown between different 
staff of the SCI entity would be in the same ratio as the 
Commission's estimate for proposed Rule 1000(b)(1) (except for 
policies and procedures for standards that result in such systems 
being designed, developed, tested, maintained, operated, and 
surveilled in a manner that facilitates the successful collection, 
processing, and dissemination of market data)--Compliance Manager at 
6 hours and Attorney at 6 hours. These estimates reflect the 
Commission's preliminary view that SCI entities would review the 
process for compliance with proposed Rule 1000(b)(3) internally. But 
see infra Section IV.D.6, requesting comment on whether some SCI 
entities, particularly those that do not currently participate in 
the ARP Inspection Program, would seek to outsource this work and 
what the cost to outsource this work would be.
    \445\ (12 hours) x (44 potential respondents) = 528 burden 
hours.
---------------------------------------------------------------------------

b. Requirements To Identify Immediate Notification SCI Events and 
Dissemination SCI Events
    Proposed Rule 1000(a) would define a ``dissemination SCI event'' to 
mean an SCI event that is a: (1) Systems compliance issue; (2) systems 
intrusion; or (3) systems disruption that results, or the SCI entity 
reasonably estimates would result, in significant harm or loss to 
market participants.
    When an SCI event occurs, an SCI entity would need to determine 
whether the event is an immediate notification SCI event or a 
dissemination SCI event, because the proposed rules would impose 
different obligations on SCI entities for these types of SCI events. As 
such, immediate notification SCI events and dissemination SCI events 
may impose an initial one-time implementation burden on SCI entities in 
developing a process to ensure that they are able to quickly and 
correctly make a determination regarding whether the SCI event is 
subject to proposed Rule 1000(b)(4)(i) or (b)(5). The definition may 
also impose periodic burdens on SCI entities in reviewing that process.

[[Page 18153]]

    Because the ARP Inspection Program already provides for the 
reporting of ``significant system changes'' and ``significant system 
outages'' to Commission staff,\446\ the Commission believes that, as 
compared to entities that do not participate in the ARP Inspection 
Program, entities that currently participate in the ARP Inspection 
Program would already have internal processes for determining the 
significance of a systems issue.\447\ Therefore, the Commission 
preliminarily estimates that the proposed definition would impose half 
as much burden on entities that participate in the ARP Inspection 
Program as compared to entities that do not participate in the ARP 
Inspection Program.
---------------------------------------------------------------------------

    \446\ See supra notes 33 and 35 and accompanying text.
    \447\ The Commission recognizes that ``significant system 
changes'' and ``significant system outages'' differ from the 
proposed definitions of ``immediate notification SCI event'' and 
``dissemination SCI event.''
---------------------------------------------------------------------------

    For SCI entities that currently do not participate in the ARP 
Inspection Program, the Commission preliminarily believes that the 
initial burden would be 42 hours per entity \448\ or 630 hours for all 
such entities.\449\ For entities that currently participate in the ARP 
Inspection Program, the Commission preliminarily believes that the 
initial burden would be 21 hours \450\ per entity or 609 hours for all 
such entities.\451\ For SCI entities that currently do not participate 
in the ARP Inspection Program, the Commission preliminarily believes 
that ongoing burden would be 12 hours annually per entity \452\ or 180 
hours for all such entities.\453\ For SCI entities that currently 
participate in the ARP Inspection Program, the Commission preliminarily 
believes that ongoing burden would be 6 hours annually \454\ per entity 
or 174 hours for all such entities.\455\
---------------------------------------------------------------------------

    \448\ This estimate is based on the Commission's burden estimate 
for proposed Rule 1000(b)(1) because proposed Rule 1000(b)(1), the 
proposed definition of ``immediate notification SCI event,'' and the 
definition of ``dissemination SCI event'' would result in certain 
policies and procedures or processes. Because proposed Rule 
1000(b)(1) (except for policies and procedures for standards that 
result in such systems being designed, developed, tested, 
maintained, operated, and surveilled in a manner that facilitates 
the successful collection, processing, and dissemination of market 
data) would require the establishment of five policies and 
procedures at a minimum, the Commission preliminarily estimates that 
the initial burden to establish the process regarding the SCI event 
determinations would be one-fifth of the initial burden to comply 
with proposed Rule 1000(b)(1) (except for policies and procedures 
for standards that result in such systems being designed, developed, 
tested, maintained, operated, and surveilled in a manner that 
facilitates the successful collection, processing, and dissemination 
of market data), or 42 hours (210 hours / 5). Further, the 
Commission preliminarily estimates that the hourly breakdown between 
different staff of the SCI entity would be in the same ratio as the 
Commission's estimate for proposed Rule 1000(b)(1) (except for 
policies and procedures for standards that result in such systems 
being designed, developed, tested, maintained, operated, and 
surveilled in a manner that facilitates the successful collection, 
processing, and dissemination of market data)--Compliance Manager at 
16 hours, Attorney at 16 hours, Senior Systems Analyst at 5 hours, 
and Operations Specialist at 5 hours. These estimates reflect the 
Commission's preliminary view that SCI entities would internally 
establish the process for determining whether an SCI event is an 
immediate notification SCI event or dissemination SCI event. But see 
infra Section IV.D.6, requesting comment on whether some SCI 
entities, particularly those that do not currently participate in 
the ARP Inspection Program, would seek to outsource this work and 
what the cost to outsource this work would be.
    \449\ (42 hours) x (15 potential respondents) = 630 burden 
hours.
    \450\ 42 burden hours x 50% = 21 burden hours. These estimates 
reflect the Commission's preliminary view that SCI entities would 
internally establish the process for determining whether an SCI 
event is an immediate notification SCI event or dissemination SCI 
event. But see infra Section IV.D.6, requesting comment on whether 
some SCI entities, particularly those that do not currently 
participate in the ARP Inspection Program, would seek to outsource 
this work and what the cost to outsource this work would be.
    \451\ (21 burden hours) x (29 potential respondents) = 609 
burden hours.
    \452\ This estimate is based on the Commission's burden estimate 
for proposed Rule 1000(b)(1) because proposed Rule 1000(b)(1), the 
proposed definition of ``immediate notification SCI event,'' and the 
proposed definition of ``dissemination SCI event'' would result in 
certain policies and procedures or processes. Because proposed Rule 
1000(b)(1) (except for policies and procedures for standards that 
result in such systems being designed, developed, tested, 
maintained, operated, and surveilled in a manner that facilitates 
the successful collection, processing, and dissemination of market 
data) would require the establishment and maintenance of five 
policies and procedures at a minimum, the Commission preliminarily 
estimates that the ongoing burden to review the process regarding 
the SCI event determinations would be one-fifth of the ongoing 
burden to comply with proposed Rule 1000(b)(1) (except for policies 
and procedures for standards that result in such systems being 
designed, developed, tested, maintained, operated, and surveilled in 
a manner that facilitates the successful collection, processing, and 
dissemination of market data), or 12 hours (60 hours / 5). Further, 
the Commission preliminarily estimates that the hourly breakdown 
between different staff of the SCI entity would be in the same ratio 
as the Commission's estimate for proposed Rule 1000(b)(1) (except 
for policies and procedures for standards that result in such 
systems being designed, developed, tested, maintained, operated, and 
surveilled in a manner that facilitates the successful collection, 
processing, and dissemination of market data)--Compliance Manager at 
6 hours and Attorney at 6 hours. These estimates reflect the 
Commission's preliminary view that SCI entities would internally 
review the process for determining whether an SCI event is an 
immediate notification SCI event or dissemination SCI event. But see 
infra Section IV.D.6, requesting comment on whether some SCI 
entities, particularly those that do not currently participate in 
the ARP Inspection Program, would seek to outsource this work and 
what the cost to outsource this work would be.
    \453\ (12 burden hours) x (15 potential respondents) = 180 
burden hours.
    \454\ 12 burden hours x 50% = 6 burden hours. These estimates 
reflect the Commission's preliminary view that SCI entities would 
internally review the process for determining whether an SCI event 
is an immediate notification SCI event or dissemination SCI event. 
But see infra Section IV.D.6, requesting comment on whether some SCI 
entities, particularly those that do not currently participate in 
the ARP Inspection Program, would seek to outsource this work and 
what the cost to outsource this work would be.
    \455\ (6 burden hours) x (29 potential respondents) = 174 burden 
hours.
---------------------------------------------------------------------------

4. Recordkeeping Requirements
    As more fully discussed in Section III.D above, proposed Rule 
1000(c) would specifically require SCI entities other than SCI SROs to 
make, keep, and preserve at least one copy of all documents relating to 
its compliance with proposed Regulation SCI. The Commission is not 
proposing a new recordkeeping requirement for SCI SROs because the 
documents relating to compliance with proposed Regulation SCI are 
subject to their existing recordkeeping and retention requirements 
under Rule 17a-1 under the Exchange Act.\456\ Because Rule 17a-1 under 
the Exchange Act requires every SRO to keep on file for a period of not 
less than 5 years, the first 2 years in an easily accessible place, at 
least one copy of all documents that it makes or receives respecting 
its self-regulatory activities, and that all such documents be made 
available for examination by the Commission and its representatives, 
the Commission believes that proposed Rule 1000(c) would not result in 
any burden that is not already accounted for in the Commission's burden 
estimates for Rule 17a-1.
---------------------------------------------------------------------------

    \456\ See 17 CFR 240.17a-1.
---------------------------------------------------------------------------

    For SCI entities other than SCI SROs, Regulation SCI-related 
records would be required to be kept for a period of not less than five 
years, the first two years in a place that is readily accessible to the 
Commission or its representatives for inspection and examination.\457\ 
Upon the request of any representative of the Commission, an SCI entity 
would be required to promptly furnish to the possession of such 
representative copies of any documents required to be kept and 
preserved by it pursuant to proposed Rule 1000(c).
---------------------------------------------------------------------------

    \457\ Under the proposal, upon or immediately prior to ceasing 
to do business or ceasing to be registered under the Exchange Act, 
an SCI entity would be required to take all necessary action to 
ensure that the records required to be made, kept, and preserved by 
Rule 1000(c) would be accessible to the Commission and its 
representatives in the manner required and for the remainder of the 
period required by proposed Rule 1000(c). See proposed Rule 
1000(c)(3).

---------------------------------------------------------------------------

[[Page 18154]]

    For SCI entities other than SCI SROs, the Commission preliminarily 
estimates that the initial and ongoing burden to make, keep, and 
preserve records relating to compliance with proposed Regulation SCI 
would be approximately 25 hours annually per respondent \458\ for a 
total annual burden of 450 hours for all respondents.\459\ In addition, 
the Commission estimates that each SCI entity other than an SCI SRO 
would incur a one-time burden to set up or modify an existing 
recordkeeping system to comply with proposed Rule 1000(c). 
Specifically, the Commission estimates that, for each SCI entity other 
than an SCI SRO, setting up or modifying a recordkeeping system would 
create an initial burden of 170 hours and $900 in information 
technology costs for purchasing recordkeeping software,\460\ for a 
total initial burden of 3,060 hours \461\ and a total initial cost of 
$16,200.\462\
---------------------------------------------------------------------------

    \458\ This estimate is based on the Commission's experience with 
examinations of registered entities, the Commission's estimated 
burden for an SRO to comply with Rule 17a-1, and the Commission's 
estimated burden for a SB SEF to keep and preserve documents made or 
received in the conduct of its business. Specifically, the 
Commission estimated 50 burden hours per respondent per year in 
connection with Rule 17a-1 and proposed Rule 818(a) and (b) in the 
SB SEF Proposing Release. See 2010 Extension of Rule 17a-1 
Supporting Statement, Office of Management and Budget, available at: 
https://www.reginfo.gov/public/do/PRAViewICR?ref_nbr=201007-3235-003 
and SB SEF Proposing Release, supra note 297, at 11029. Because the 
recordkeeping requirements under Rule 17a-1 and under proposed Rule 
818(a) and (b) are broader than the recordkeeping requirement under 
proposed Rule 1000(c), the Commission preliminarily believes that an 
estimate of 25 burden hours per year per SCI entity is appropriate. 
Further, the Commission notes that this burden estimate includes the 
burden imposed by proposed Rule 1000(e). Specifically, proposed Rule 
1000(e) would provide that, if the records required to be filed or 
kept by an SCI entity under proposed Regulation SCI are prepared or 
maintained by a service bureau or other recordkeeping service on 
behalf of the SCI entity, the SCI entity would be required to ensure 
that the records are available for review by the Commission and its 
representatives by submitting a written undertaking, in a form 
acceptable to the Commission, by such service bureau or other 
recordkeeping service, which is signed by a duly authorized person 
at such service bureau or other recordkeeping service.
    \459\ (Compliance Clerk at 25 hours) x (18 potential 
respondents) = 450 burden hours.
    \460\ This estimate is based on the Commission's experience with 
examinations of registered entities and the Commission's estimated 
burden for an SB SEF to keep and preserve documents made or received 
in the conduct of its business. Specifically, the Commission 
estimated that setting up or modifying a recordkeeping system under 
proposed Rule 818 would create an initial burden of 345 hours and 
$1,800 in information technology costs per respondent. See SB SEF 
Proposing Release, supra note 297, at 11030. Because the 
recordkeeping requirements under proposed Rule 818 are broader than 
the recordkeeping requirement under proposed Rule 1000(c), the 
Commission preliminarily believes that the estimates of 170 initial 
burden hours and $900 in initial cost are appropriate.
    \461\ (170 burden hours) x (18 potential respondents) = 3,060 
burden hours.
    \462\ ($900) x (18 potential respondents) = $16,200.
---------------------------------------------------------------------------

    The Commission preliminarily believes that proposed Rule 
1000(c)(3), which would require an SCI entity, upon or immediately 
prior to ceasing to do business or ceasing to be registered under the 
Exchange Act, to take all necessary action to ensure that the records 
required to be made, kept, and preserved by Rule 1000(c)(1) and Rule 
1000(c)(2) remain accessible to the Commission and its representatives in 
the manner and for the remainder of the period required by Rule 
1000(c), would not result in any additional paperwork burden that is 
not already accounted for in the Commission's burden estimates for 
proposed Rule 1000(c)(1) and Rule 1000(c)(2).
6. Request for Comment on Extent and Cost of Outsourcing
    209. The Commission's estimates of the hourly burdens discussed 
above reflect the Commission's preliminary view that SCI entities would 
conduct the work proposed to be required by proposed Rules 1000(a), 
1000(b)(1), 1000(b)(2), 1000(b)(3), 1000(b)(4), 1000(b)(5), 1000(b)(6), 
1000(b)(7), 1000(b)(8), and 1000(b)(9) internally. The Commission 
acknowledges, however, that some SCI entities, particularly smaller SCI 
entities, and/or SCI entities that do not currently participate in the 
ARP Inspection Program, may elect to outsource the work if it would be 
more cost effective to do so. The Commission does not at this time have 
sufficient information to reasonably estimate the cost to outsource the 
work proposed to be required by proposed Rules 1000(a), 1000(b)(1), 
1000(b)(2), 1000(b)(3), 1000(b)(4), 1000(b)(5), 1000(b)(6), 1000(b)(7), 
1000(b)(8), and 1000(b)(9), or the number of entities that would choose 
to outsource this work, for purposes of the PRA. The Commission seeks 
comment, however, on its preliminary view that SCI entities would 
conduct such work internally. Further, the Commission seeks comment on 
whether some SCI entities would in fact find it more cost effective to 
outsource the work that would be required to comply with the proposed 
rules, and if so, how many of these SCI entities would therefore 
outsource this work and at what cost.
    For purposes of facilitating such comment, presented below are 
certain preliminary assumptions and calculations regarding such 
potential outsourcing on which the Commission requests comment. 
Specifically, for purposes of soliciting comment, the Commission is 
assuming that it would take the same number of hours for a consultant 
and/or outside attorney to complete the work to be required by proposed 
Rules 1000(a), 1000(b)(1), 1000(b)(2), 1000(b)(3), 1000(b)(4), 
1000(b)(5), 1000(b)(6), 1000(b)(7), 1000(b)(8), and 1000(b)(9), as it 
would take for an SCI entity to complete that work internally (using 
the Commission's preliminary estimates above). Further, the Commission 
is assuming that work would be conducted at a rate of $400 per 
hour.\463\
---------------------------------------------------------------------------

    \463\ This is based on an estimated $400 per hour cost for 
outside consulting and/or legal services. This is the same estimate 
used for the Commission's consolidated audit trail rule. See 
Securities Exchange Act Release No. 67457 (July 18, 2012), 77 FR 
45722 (August 1, 2012).
---------------------------------------------------------------------------

    Based on the foregoing assumptions, the estimated cost to outsource 
the work that the Commission preliminarily assumed would be done 
internally would be as follows:
    For identification of immediate notification SCI events and 
dissemination SCI events: The initial cost would be (a) for an SCI 
entity that has not participated in the ARP Inspection Program, 
$16,800; \464\ and (b) for an SCI entity that currently participates in 
the ARP Inspection Program, $8,400.\465\ The ongoing annual cost would 
be (a) for an SCI entity that has not participated in the ARP 
Inspection Program, $4,800; \466\ and (b) for an SCI entity that 
currently participates in the ARP Inspection Program, $2,400.\467\
---------------------------------------------------------------------------

    \464\ 42 hours x $400 = $16,800.
    \465\ 21 hours x $400 = $8,400.
    \466\ 12 hours x $400 = $4,800.
    \467\ 6 hours x $400 = $2,400.
---------------------------------------------------------------------------

    For proposed Rule 1000(b)(1) except proposed Rule 1000(b)(1)(i)(F): 
The initial cost would be (a) for an SCI entity that has not 
participated in the ARP Inspection Program, $84,000; \468\ and (b) for 
an SCI entity that currently participates in the ARP Inspection 
Program, $42,000.\469\ The ongoing annual costs would be (a) for an SCI 
entity that has not participated in the ARP Inspection Program, 
$24,000; \470\ and (b) for an SCI entity that currently participates in 
the ARP Inspection Program, $12,000.\471\
---------------------------------------------------------------------------

    \468\ 210 hours x $400 = $84,000.
    \469\ 105 hours x $400 = $42,000.
    \470\ 60 hours x $400 = $24,000.
    \471\ 30 hours x $400 = $12,000.
---------------------------------------------------------------------------

    For proposed Rule 1000(b)(1)(i)(F): The initial cost for each SCI 
entity would be $52,000.\472\ The ongoing 
annual cost for each SCI entity would be $52,000.\473\
---------------------------------------------------------------------------

    \472\ 130 hours x $400 = $52,000.
    \473\ 130 hours x $400 = $52,000.
---------------------------------------------------------------------------

    For proposed Rule 1000(b)(2): The initial cost for each SCI entity 
would be $72,000.\474\ The ongoing annual cost would be (a) for an SCI 
entity that is an SCI SRO, $48,000; \475\ and (b) for an SCI entity 
that is not an SCI SRO, $24,000.\476\
---------------------------------------------------------------------------

    \474\ 180 hours x $400 = $72,000.
    \475\ 120 hours x $400 = $48,000.
    \476\ 60 hours x $400 = $24,000.
---------------------------------------------------------------------------

    For proposed Rule 1000(b)(3): The initial cost for each SCI entity 
would be $16,800.\477\ The ongoing annual cost for each SCI entity 
would be $4,800.\478\
---------------------------------------------------------------------------

    \477\ 42 hours x $400 = $16,800.
    \478\ 12 hours x $400 = $4,800.
---------------------------------------------------------------------------

    For proposed Rule 1000(b)(4): The initial and the ongoing annual 
cost for each SCI entity would be (a) for proposed Rule 1000(b)(4)(i), 
$2,000; \479\ (b) for proposed Rule 1000(b)(4)(ii), $520,000; \480\ and 
(c) for proposed Rule 1000(b)(4)(iii), $6,000.\481\
---------------------------------------------------------------------------

    \479\ 5 hours x $400 = $2,000.
    \480\ 1,300 hours x $400 = $520,000.
    \481\ 15 hours x $400 = $6,000.
---------------------------------------------------------------------------

    For proposed Rule 1000(b)(5): The initial and the ongoing annual 
cost for each SCI entity would be (a) for proposed Rule 
1000(b)(5)(i)(A), $16,800; \482\ (b) for proposed Rule 
1000(b)(5)(i)(B), $28,000; \483\ (c) for proposed Rule 
1000(b)(5)(i)(C), $5,600; \484\ and (d) for proposed Rule 
1000(b)(5)(ii), $1,200.\485\
---------------------------------------------------------------------------

    \482\ 42 hours x $400 = $16,800.
    \483\ 70 hours x $400 = $28,000.
    \484\ 14 hours x $400 = $5,600.
    \485\ 3 hours x $400 = $1,200.
---------------------------------------------------------------------------

    For proposed Rule 1000(b)(6): The initial and ongoing annual cost 
would be (a) for SCI entities that do not currently participate in the 
ARP Inspection Program, $48,000; \486\ and (b) for SCI entities that 
currently participate in the ARP Inspection Program, $24,000.\487\
---------------------------------------------------------------------------

    \486\ 120 hours x $400 = $48,000.
    \487\ 60 hours x $400 = $24,000.
---------------------------------------------------------------------------

    For proposed Rule 1000(b)(7): The initial and ongoing annual cost 
would be $250,000 for each SCI entity.\488\
---------------------------------------------------------------------------

    \488\ 625 hours x $400 = $250,000.
---------------------------------------------------------------------------

    For proposed Rule 1000(b)(8): The initial and ongoing annual cost 
for each SCI entity would be (a) for proposed Rule 1000(b)(8)(i), $400; 
\489\ and (b) for proposed Rule 1000(b)(8)(ii), $48,000 for each SCI 
entity.\490\
---------------------------------------------------------------------------

    \489\ 1 hour x $400 = $400.
    \490\ 120 hours x $400 = $48,000.
---------------------------------------------------------------------------

    For proposed Rule 1000(b)(9)(i) and (ii): The initial annual cost 
would be $52,000 for each SCI entity.\491\ The ongoing annual cost 
would be $38,000 for each SCI entity.\492\
---------------------------------------------------------------------------

    \491\ 130 hours x $400 = $52,000.
    \492\ 95 hours x $400 = $38,000.
---------------------------------------------------------------------------

    For proposed Rule 1000(b)(9)(iii): The initial annual cost would be 
$14,000 for each SCI entity.\493\ The ongoing annual cost would be 
$1,200 for each SCI entity.\494\
---------------------------------------------------------------------------

    \493\ 35 hours x $400 = $14,000.
    \494\ 3 hours x $400 = $1,200.
---------------------------------------------------------------------------

    210. As discussed above, the Commission requests comment on these 
preliminary estimates regarding potential outsourcing and the 
underlying assumptions. For example, is it reasonable to assume that 
the number of hours for a consultant and/or outside attorney to 
complete the work would be the same as the number of hours for internal 
staff to complete the work? If not, why not? Are there certain types of 
SCI entities (e.g., those having relatively few employees or a smaller 
number of systems) that would be more likely to find it cost effective 
to outsource the work, either initially or on an ongoing basis? Please 
explain. Would the cost to outsource vary depending on the extent and 
volume of the outsourcing, or the period of time over which such 
outsourcing took place? Please explain.
7. Total Paperwork Burden Under Regulation SCI
    Based on the foregoing, the Commission preliminarily estimates that 
the total one-time initial burden for all SCI entities to comply with 
Regulation SCI would be 133,482 hours \495\ and the total one-time 
initial cost would be $2.6 million.\496\ The Commission preliminarily 
estimates that the total annual ongoing burden for all SCI entities to 
comply with Regulation SCI would be 117,258 hours \497\ and the total 
annual ongoing cost would be $738,400.\498\
---------------------------------------------------------------------------

    \495\ 133,482 hours = 26,765 (policies and procedures/mandatory 
testing requirements) + 100,120 (notification, dissemination, and 
reporting) + 3,087 (requirements to take corrective actions, 
identify immediate notification SCI events, and identify 
dissemination SCI events) + 3,510 (recordkeeping).
    \496\ $2.6 million = $1.9 million (policies and procedures/
mandatory testing requirements) + $660,000 (notification, 
dissemination, and reporting) + $16,200 (recordkeeping).
    \497\ 117,258 hours = 15,806 (policies and procedures/mandatory 
testing requirements) + 100,120 (notification, dissemination, and 
reporting) + 882 (requirements to take corrective actions, identify 
immediate notification SCI events, and identify dissemination SCI 
events) + 450 (recordkeeping).
    \498\ $738,400 = $78,400 (policies and procedures/mandatory 
testing requirements) + $660,000 (notification, dissemination, and 
reporting).
---------------------------------------------------------------------------

    211. The Commission seeks comment on the collection of information 
burdens associated with proposed Regulation SCI. Specifically:
    212. Do commenters agree with the Commission's estimate of the 
number of respondents required to comply with proposed Regulation SCI? 
Why or why not?
    213. Do commenters agree with the Commission's estimate of the 
burden for SCI entities to comply with proposed Regulation SCI? Why or why 
not?
    214. Would there be additional burdens, beyond those described 
here, associated with the collection of information under proposed 
Regulation SCI? Please explain.
    215. How much additional burden would proposed Regulation SCI 
impose upon those SCI entities that already are voluntarily in 
compliance with existing ARP Policy Statements?
    216. Would SCI entities generally perform the work required by 
proposed Regulation SCI internally or outsource the work?

E. Collection of Information Is Mandatory

    All collections of information pursuant to the proposed rules would 
be a mandatory collection of information.

F. Confidentiality

    To the extent that the Commission receives confidential information 
pursuant to the reports and submissions that SCI entities would submit 
under proposed Form SCI, such information would be kept confidential, 
subject to the provisions of applicable law.\499\
---------------------------------------------------------------------------

    \499\ See, e.g., 5 U.S.C. 552. Exemption 4 of the Freedom of 
Information Act provides an exemption for ``trade secrets and 
commercial or financial information obtained from a person and 
privileged or confidential.'' 5 U.S.C. 552(b)(4). Exemption 8 of the 
Freedom of Information Act provides an exemption for matters that 
are ``contained in or related to examination, operating, or 
condition reports prepared by, on behalf of, or for the use of an 
agency responsible for the regulation or supervision of financial 
institutions.'' 5 U.S.C. 552(b)(8).
---------------------------------------------------------------------------

G. Retention Period of Recordkeeping Requirements

    SCI entities would be required to retain records and information 
under proposed Regulation SCI for a period of not less than five years, 
the first two years in a place that is readily accessible to the 
Commission or its representatives.\500\
---------------------------------------------------------------------------

    \500\ See proposed Rule 1000(c).
---------------------------------------------------------------------------

H. Request for Comments

    217. Pursuant to 44 U.S.C. 3506(c)(2)(B), the Commission solicits 
comment to: (1) Evaluate whether the proposed collection of information 
is necessary for the proper performance of 
the functions of the agency, including whether the information shall 
have practical utility; (2) evaluate the accuracy of the agency's 
estimate of the burden of the proposed collection of information; (3) 
enhance the quality, utility, and clarity of the information to be 
collected; and (4) minimize the burden of collection of information on 
those who are to respond, including through the use of automated 
collection techniques or other forms of information technology.
    Persons wishing to submit comments on the collection of information 
requirements should direct them to the Office of Management and Budget, 
Attention: Desk Officer for the Securities and Exchange Commission, 
Office of Information and Regulatory Affairs, Room 3208, New Executive 
Office Building, Washington, DC 20503; and should send a copy to 
Elizabeth M. Murphy, Secretary, Securities and Exchange Commission, 100 
F Street NE., Washington, DC 20549-1090 with reference to File No. S7-
01-13. OMB is required to make a decision concerning the collection of 
information between 30 and 60 days after publication, so a comment to 
OMB is best assured of having its full effect if OMB receives it within 
30 calendar days of publication. The Commission will submit the 
proposed collection of information to OMB for approval. Requests for 
the materials to be submitted to OMB by the Commission with regard to 
this collection of information should be in writing, refer to File No. 
S7-01-13, and be submitted to the Securities and Exchange Commission, 
Office of Investor Education and Advocacy, 100 F Street NE., 
Washington, DC 20549-0213.

I. Reduced Burdens From Proposed Repeal of Rule 301(b)(6) (OMB Control 
Number 3235-0509)

    The instant proposal also would amend Regulation ATS under the 
Exchange Act, by removing paragraph (b)(6) of Rule 301 thereunder.\501\ 
Removal of Rule 301(b)(6) would eliminate certain ``collection of 
information'' requirements within the meaning of the PRA that the 
Commission has submitted to OMB in accordance with 44 U.S.C. 3507 and 5 
CFR 1320.11, and that OMB has approved. The approved collection of 
information is titled ``Rule 301: Requirements for Alternative Trading 
Systems,'' and has a valid OMB control number of 3235-0509.\502\ Some 
of the information collection burdens imposed by Regulation ATS would 
be reduced by the proposed repeal of Rule 301(b)(6). Specifically, the 
paperwork burdens that would be eliminated by the repeal of Rule 
301(b)(6) would be: (i) Burdens on ATSs associated with the requirement 
to make records relating to any steps taken to comply with systems 
capacity, integrity and security requirements under Rule 301 (estimated 
to be 20 hours and $2,212); \503\ and (ii) burdens on ATSs associated 
with the requirement to provide notices to the Commission to report 
systems outages (estimated to be 2.5 hours and $276.50).\504\
---------------------------------------------------------------------------

    \501\ See 17 CFR 242.301(b)(6). See also Securities Exchange Act 
Release No. 40760 (December 8, 1998), 63 FR 70844 (December 22, 
1998) (``ATS Release'').
    \502\ See Rule 301: Requirements for Alternative Trading Systems 
OMB Control No: 3235-0509 (Rule 301 supporting statement), available 
at: https://www.reginfo.gov. This approval has an expiration date of 
February 28, 2014.
    \503\ The Commission estimated that two alternative trading 
systems that register as broker-dealers and comply with Regulation 
ATS would trigger this requirement, and that the average compliance 
burden for each response would be 10 hours of in-house professional 
work at $316 per hour. Thus, the total compliance burden per year 
was estimated to be 20 hours (2 respondents x 10 hours = 20 hours). 
The total annualized cost burden was estimated to be $2,212 ($316 x 
20 hours x 35% = $2,212). See Rule 301: Requirements for Alternative 
Trading Systems OMB Control No: 3235-0509 (Rule 301 supporting 
statement), available at: https://www.reginfo.gov.
    \504\ The Commission estimated that two alternative trading 
systems that register as broker-dealers and comply with Regulation 
ATS would meet the volume thresholds that trigger systems outage 
notice obligations approximately 5 times a year, and that the 
average compliance burden for each response would be .25 hours of 
in-house professional work at $316 per hour. Thus, the total 
compliance burden per year was estimated to be 2.5 hours (2 
respondents x 5 responses each x .25 hours = 2.5 hours). The total 
annualized cost burden was estimated to be $276.50 ($316 x .25 hours 
per response x 10 responses x 35% = $276.50). See id.
---------------------------------------------------------------------------

    The Commission will submit the proposed amended collection of 
information to reflect these reductions to OMB for approval. Requests 
for the materials to be submitted to OMB by the Commission with regard 
to this collection of information should be in writing, refer to File 
No. S7-01-13, and be submitted to the Securities and Exchange 
Commission, Office of Investor Education and Advocacy, 100 F Street 
NE., Washington, DC 20549-0213.

V. Economic Analysis

A. Background

    As discussed more fully above, the Commission believes that the 
convergence of several developments--the evolution of the markets to 
become significantly more dependent upon sophisticated automated 
systems (driven by regulatory developments and the continual evolution 
of technologies for generating, routing, and executing orders), the 
limitations of the existing ARP Inspection Program, and the lessons of 
recent events (as discussed in Section I.D above)--highlight the need 
to consider an updated and formalized regulatory framework for ensuring 
that the U.S. securities trading markets develop and maintain systems 
with adequate capacity, integrity, resiliency, availability, and 
security, and reinforce the requirement that SCI systems operate in 
compliance with the Exchange Act. The Commission is also cognizant of 
the comments made at the Roundtable and the comment letters submitted 
in connection with the Roundtable.\505\ Proposed Regulation SCI would 
codify and enhance the Commission's ARP Inspection Program, as well as 
establish specific requirements to help ensure that the SCI systems of 
SCI entities operate in compliance with the federal securities laws and 
rules.
---------------------------------------------------------------------------

    \505\ See supra Section I.D.
---------------------------------------------------------------------------

    Specifically, proposed Regulation SCI would require each SCI entity 
to establish, maintain, and enforce written policies and procedures 
reasonably designed to ensure that its SCI systems and, for purposes of 
security standards, SCI security systems, have levels of capacity, 
integrity, resiliency, availability, and security, adequate to maintain 
the SCI entity's operational capability and promote the maintenance of 
fair and orderly markets, as well as written policies and procedures 
reasonably designed to ensure that its SCI systems operate in the 
manner intended, including in a manner in compliance with the federal 
securities laws and rules, and its own rules or governing documents, as 
applicable. Proposed Regulation SCI also would require SCI entities to 
provide certain notices and reports to the Commission on Form SCI 
regarding, among other things, SCI events and material systems changes. 
Further, proposed Regulation SCI would require SCI entities to 
disseminate information to members or participants relating to 
dissemination SCI events and to begin taking appropriate corrective 
action upon any responsible SCI personnel becoming aware of an SCI 
event. Additionally, proposed Regulation SCI would require each SCI 
entity to conduct an SCI review at least annually, and submit a report 
of such review to the Commission, together with any response by senior 
management. Further, proposed Regulation SCI would require an SCI 
entity, with respect to its business continuity and disaster 
recovery plans, to require participation by designated members or 
participants in scheduled functional and performance testing of the 
operation of such plans and coordinate such testing with other SCI 
entities. Proposed Regulation SCI would also require SCI entities to 
make, keep, and preserve books and records related to compliance with 
Regulation SCI.
    The Commission is sensitive to the economic effects of proposed 
Regulation SCI, including its costs and benefits.\506\ As discussed 
further below, the Commission requests comment on all aspects of the 
costs and benefits of the proposal, including any effects the proposed 
rules may have on efficiency, competition, and capital formation.
---------------------------------------------------------------------------

    \506\ See also supra Section III.F (requesting comment on 
applying proposed Regulation SCI to SB SDRs and/or SB SEFs and 
discussing the potential costs and benefits of applying proposed 
Regulation SCI to SB SDRs and/or SB SEFs).
---------------------------------------------------------------------------

B. Economic Baseline

    As noted in Section I.A above, all registered national securities 
exchanges, all active registered clearing agencies, FINRA, two plan 
processors, one ATS, and one exempt clearing agency participate in the 
current ARP Inspection Program, which covers their automated 
systems.\507\ Under the ARP policy statements and through the ARP 
Inspection Program, these entities, among other things, are expected to 
establish current and future capacity estimates, conduct capacity 
stress tests, conduct annual reviews of whether affected systems can 
perform adequately in light of estimated capacity levels, and identify 
possible threats to the systems.\508\ The ARP policy statements and 
Commission staff letters address, among other things, independent 
reviews, the reporting of certain systems changes, intrusions, and 
outages, and the need to comply with relevant laws and rules.\509\
---------------------------------------------------------------------------

    \507\ As noted above, the Commission, in the ARP I Release, 
defined the term ``automated systems'' to refer ``collectively to 
computer systems for listed and OTC equities, as well as options, 
that electronically route orders to applicable market makers and 
systems that electronically route and execute orders, including the 
data networks that feed the systems * * * [and encompasses] systems 
that disseminate transaction and quotation information and conduct 
trade comparisons prior to settlement, including the associated 
communication networks.'' See supra note 12.
    \508\ A more complete description of the history of the ARP 
Inspection Program is discussed in supra Section I.A.
    \509\ The ARP policy statements and Commission staff letters are 
discussed in supra Section I.A.
---------------------------------------------------------------------------

    Trading volume in the securities markets has become increasingly 
dispersed across a broader range of market centers in recent 
years,\510\ with ATSs accounting for a significant portion of 
volume.\511\ However, no ATSs currently meet or exceed the volume 
thresholds that would trigger compliance with the system safeguard 
requirements of Rule 301(b)(6) of Regulation ATS.\512\ Thus, while ATSs 
comprise a significant portion of consolidated volume, only one ATS 
currently participates in the ARP Inspection Program.\513\ Dark pools 
alone comprised approximately 13 percent of consolidated volume last 
spring,\514\ but also are not part of the ARP Inspection Program. 
Further, ATSs that trade fixed income securities, including municipal 
and corporate debt securities, and non-NMS stocks (also referred to as 
OTC equities) are not represented in the ARP Inspection Program and do 
not meet the current thresholds in Regulation ATS for the application 
of systems safeguard rules.
---------------------------------------------------------------------------

    \510\ See supra notes 44, 47, and 51.
    \511\ See supra note 50 and accompanying text.
    \512\ See supra Section III.B.1.
    \513\ See supra note 25 and accompanying text.
    \514\ See Nina Mehta, Dark Pools Capture Record U.S. Volume 
Share, Bloomberg (March 1, 2012), available at: https://rblt.com/news_details.aspx?id=187.
---------------------------------------------------------------------------

    Proposed Regulation SCI would apply to SROs (including national 
securities exchanges,\515\ national securities associations, registered 
clearing agencies, and the MSRB \516\), SCI ATSs,\517\ plan 
processors,\518\ and exempt clearing agencies subject to ARP.\519\ As 
such, proposed Regulation SCI would specifically cover the trading of 
NMS stocks, OTC equities, listed options, and debt securities. The 
proposed rules also would impact multiple markets for services, 
including the markets for trading services, listing services, 
regulation and surveillance services, clearing and settlement services, 
and market data.
---------------------------------------------------------------------------

    \515\ Proposed Regulation SCI would not apply to an exchange 
that lists or trades security futures products that is notice-
registered with the Commission as a national securities exchange 
pursuant to Section 6(g) of the Exchange Act, including security 
futures exchanges. See supra note 97 and accompanying text.
    \516\ In 2011, the total par amount of municipal securities 
traded was approximately $3.3 trillion in approximately 10.4 million 
trades. See MSRB 2011 Fact Book at 8-9, available at: https://www.msrb.org/msrb1/pdfs/MSRB2011FactBook.pdf.
    \517\ See supra Section III.B.1 for the discussion of SCI ATSs.
    \518\ In addition, the Commission is soliciting comment on 
whether, and if so how, proposed Regulation SCI should apply to SB 
SDRs and/or SB SEFs. See supra Section III.F.
    \519\ See supra Section III.B.1 for the discussion of exempt 
clearing agencies subject to ARP.
---------------------------------------------------------------------------

    As indicated above, many of the entities in these service markets 
are currently covered by the ARP Inspection Program. Therefore, the 
Commission recognizes that any economic effects, including costs and 
benefits, should be compared to a baseline of current practices that 
recognizes current practices pursuant to the ARP Inspection Program and 
the limitations of the ARP Inspection Program discussed in Section I.C 
above.\520\ In addition to the ARP Inspection Program, Commission staff 
has provided guidance to ARP entities on certain aspects of the ARP 
Inspection Program (e.g., in the 2001 Staff ARP Interpretive 
Letter).\521\ Further, Commission staff has provided guidance on issues 
outside the current scope of the ARP Inspection Program (e.g., in the 
2009 Staff Systems Compliance Letter), but that are proposed to be 
addressed by Regulation SCI.\522\ Below, the Commission provides 
information on the current practices related to the types of market 
events addressed by proposed Regulation SCI, including, where 
available, information the Commission may have on the frequency of such 
events. In addition, the Commission describes why each relevant service 
market may not be structured in such a way as to create a competitive 
incentive to prevent the occurrence of these market events.\523\
---------------------------------------------------------------------------

    \520\ See also supra Section I.A for the discussion of the 
current scope of the ARP Inspection Program. The Commission 
acknowledges that, to the extent current practices of SCI entities 
have been informed by the ARP policy statements, such practices have 
not been subject to a cost-benefit analysis and that the discussion 
herein considers only the incremental costs and benefits (i.e., 
compared to current practices).
    \521\ See 2001 Staff ARP Interpretive Letter, supra note 35.
    \522\ See 2009 Staff Systems Compliance Letter, supra note 36.
    \523\ The Commission compares current practices to each of the 
proposed rules in infra Section V.B.3.
---------------------------------------------------------------------------

1. SCI Events
a. Systems Disruptions
    Currently, market participants employ a variety of measures to 
avoid systems disruptions for a variety of reasons, including to 
maintain competitive advantages, to provide optimal service to members 
with access to the trading and/or other services provided by the 
entity, to comply with legal obligations and, where applicable, to 
participate in the ARP Inspection Program. The range of such measures 
is possibly highly variable among SCI entities and within the systems 
employed by SCI entities. For example, matching engines are likely 
accorded high priority given the importance of low latency in trading. 
Industry standards are not codified for such entities and systems, 
except such as in an entity's rulebook or subscriber agreement. 
Typically, however, market participants follow industry standards and 
take measures that include weekend system testing and internal 
performance monitoring.
    When system disruptions do occur, market participants take 
corrective action in the interest of remaining competitive, to provide 
optimal service, and to comply with legal obligations. To place the 
effectiveness of the current ARP Inspection Program in perspective, 
there were approximately 175 ARP incidents reported to the Commission 
in 2011. These incidents had durations ranging from under one minute to 
24 hours, with most incidents having a duration of less than 2 hours. 
As noted above, the Commission believes that clearing systems and 
matching engines generally are given greater priority than other 
systems at SCI entities with regard to corrective action. In addition, 
the Commission believes that SCI entities that currently participate in 
the ARP Inspection Program strive to adhere to the next business day 
resumption standard for trading and two-hour resumption standard for 
clearance and settlement services, standards which the proposed rule 
would codify for all SCI entities.
    As discussed in Section I.A, participation in the ARP Inspection 
Program entails, among other things, conducting annual assessments of 
affected systems, providing notifications of significant system changes 
to the Commission, and reporting significant system outages to the 
Commission. Further, Commission staff has provided guidance to the SROs 
and other participants in the ARP Inspection Program on what should be 
considered a ``significant system change'' and a ``significant system 
outage'' for purposes of reporting systems changes and problems to 
Commission staff.\524\ As such, the Commission believes that entities 
that currently participate in the ARP Inspection Program have certain 
processes for determining whether a systems change or outage is 
``significant.'' Specifically, the 2001 Staff ARP Interpretive Letter 
sets forth the types of outages and changes that should be reported to 
the Commission and the timing of reporting. Also, as discussed below, 
the ARP policy statements are focused on automated systems. 
Specifically, entities that participate in the ARP Inspection Program 
follow the ARP policy statements with respect to systems that directly 
support trading, clearance and settlement, order routing, and market 
data. While generally only trading, clearance and settlement, order 
routing, and market data systems follow the guidelines in the ARP 
policy statements, ARP staff inspects all the categories of systems 
that are included in the proposed definition of ``SCI systems.'' \525\ 
However, ARP staff generally inspects systems that are not directly 
related to trading, clearance and settlement, order routing, or market 
data only if they detect red flags.
---------------------------------------------------------------------------

    \524\ See supra note 35.
    \525\ See supra Section III.B.2.
---------------------------------------------------------------------------

    As discussed above, the ARP Inspection Program has garnered 
participation by all active registered clearing agencies, all 
registered national securities exchanges, FINRA, plan processors, one 
ATS, and one exempt clearing agency.\526\ Specifically, the Commission 
estimates that there are currently 29 SCI entities that are 
participants in the ARP Inspection Program.\527\ As noted, there were 
approximately 175 ARP incidents reported to the Commission in 2011. 
Although some entities provide the public with notices of outages,\528\ 
others may choose otherwise and are not required to do so.
---------------------------------------------------------------------------

    \526\ See supra Section I.A.
    \527\ See supra note 368.
    \528\ See, e.g., NYSE Market Status, available at: https://usequities.nyx.com/nyse/market-status; NYSE Amex Options Outage 
Update, available at: https://www.nyse.com/pdfs/Trader_Update_Amex_Outage_0928.pdf; and NYSE Arca, Recap: Exchange Outage on 
Monday Morning March 7, 2011, available at: https://www.nyse.com/pdfs/2011037ExchangeOutageNotice.pdf.
---------------------------------------------------------------------------

    Further, as discussed above, pursuant to Rule 301(b)(6) of 
Regulation ATS, certain aspects of the ARP policy statements apply to 
ATSs that meet the thresholds set forth in that rule.\529\ Currently, 
no ATSs meet such thresholds and, as such, none are required by 
Commission rule to implement systems safeguard measures. The Commission 
recognizes that it is in the interest of every market participant that 
does not participate in the ARP Inspection Program to try to avoid 
systems disruptions. Specifically, the Commission understands that 
generally, ATSs, like entities that currently participate in the ARP 
Inspection Program, employ a variety of measures to avoid systems 
disruptions, including systems testing, performance monitoring, and the 
use of fail-over back-up systems. In fact, one ATS currently 
voluntarily participates in the ARP Inspection Program.\530\ However, 
although the ARP Inspection Program and the testing done and other 
measures taken by those entities that participate in the program have 
been beneficial to the industry, the systems of SCI entities could 
still be improved. For example, contingency planning in preparation for 
catastrophic events has not been fully adequate, as evidenced in the 
wake of Superstorm Sandy, when an extended shutdown of the equities and 
options markets resulted from, among other things, the exchanges' 
belief regarding the inability of some market participants to 
adequately operate from the backup facilities of all market 
centers.\531\ Although testing protocols were in place and the chance 
to participate in such testing was available, not all members or 
participants participated in such testing.\532\ Proposed Regulation SCI 
would require that designated members or participants of an SCI entity 
participate in scheduled functional and performance testing of the 
operation of the SCI entity's business continuity and disaster recovery 
plans, including its backup systems, and further require that SCI 
entities coordinate the testing of such plans on an industry- or 
sector-wide basis with other SCI entities. The Commission preliminarily 
believes that these proposed requirements would mitigate the chances of 
similar disruptions in the future.\533\
---------------------------------------------------------------------------

    \529\ Specifically, Rule 301(b)(6) of Regulation ATS applies to 
ATSs that, during at least four of the preceding six months, had: 
(A) With respect to any NMS stock, 20 percent or more of the average 
daily volume reported by an effective transaction reporting plan; 
(B) with respect to equity securities that are not NMS stocks and 
for which transactions are reported to a self-regulatory 
organization, 20 percent or more of the average daily volume as 
calculated by the self-regulatory organization to which such 
transactions are reported; (C) with respect to municipal securities, 
20 percent or more of the average daily volume traded in the United 
States; or (D) with respect to corporate debt securities, 20 percent 
or more of the average daily volume traded in the United States. See 
17 CFR 242.301(b)(6)(i).
    \530\ See supra note 91.
    \531\ See supra Section I.D; see also supra Section III.C.7.
    \532\ See supra Section I.D. In addition, the Commission 
understands that the scope of testing was limited.
    \533\ See proposed Rule 1000(b)(9); see also supra Section 
III.C.7.
---------------------------------------------------------------------------

b. Systems Compliance Issues
    Currently, systems compliance issues (as proposed to be defined in 
Rule 1000(a)) are not covered by the ARP Inspection Program. However, 
national securities exchanges are subject to Section 6(b) of the 
Exchange Act, which requires an exchange to be organized and to have 
the capacity to carry out the purposes of the Exchange Act and to 
comply with the provisions of the Exchange Act, the rules and 
regulations thereunder, and its own rules.\534\ FINRA is subject to 
Section 15A(b) of the Exchange Act, which requires a national 
securities association to be organized and have the capacity to carry 
out the purposes of the Exchange Act and to comply with the provisions 
of the Exchange Act, the rules and regulations thereunder, the MSRB 
rules, and 
its own rules.\535\ Further, an ATS could face Commission sanctions if 
it fails to comply with relevant federal securities laws and rules and 
regulations thereunder. Events such as those described above have 
recently drawn attention to systems compliance issues.\536\ In part due 
to the fact that systems compliance issues are not part of the ARP 
Inspection Program, the Commission does not receive comprehensive data 
regarding such issues and, thus, their incidence cannot be concretely 
quantified. However, based on Commission staff's experience with SROs 
and the rule filing process, the Commission estimates that there are 
likely approximately seven systems compliance issues per SCI entity per 
year.
---------------------------------------------------------------------------

    \534\ See 15 U.S.C. 78f(b).
    \535\ See 15 U.S.C. 78o-3(b).
    \536\ See, e.g., supra notes 62-63 and accompanying text.
---------------------------------------------------------------------------

c. Systems Intrusions
    In ARP I, the Commission stated its view that SROs should promptly 
notify Commission staff of any instances in which unauthorized persons 
gained or attempted to gain access to SRO systems.\537\ Market 
participants employ a wide variety of measures to prevent and respond 
to systems intrusions. Generally, market participants use measures such 
as firewalls to prevent systems intrusions, and use detection software 
to identify systems intrusions. Once an intrusion has been identified, 
the affected systems typically would be isolated and quarantined, and 
forensics would be performed. Several SCI entities have been the 
subject of security issues in recent years.\538\ The Commission 
believes that, currently, these events are rarely revealed to the 
public or to the members or participants of SCI entities.
---------------------------------------------------------------------------

    \537\ See ARP I, supra note 1. See also text accompanying supra 
note 17.
    \538\ For example, as discussed above, in February 2011, NASDAQ 
OMX Group, Inc. announced that hackers had penetrated certain of its 
computer networks. See supra note 61 and accompanying text.
---------------------------------------------------------------------------

2. Potential for Market Solutions
    This section discusses potential market solutions and their 
shortcomings. Various SCI and non-SCI entities offer and compete to 
provide services in markets for trading services, listing services, 
regulatory services, clearance and settlement services, and market 
data. The markets for each of these services are regulated and 
competitive, which may make it difficult to determine if markets are 
functioning well due to competitive pressure or regulation, and how 
much can be attributed to each. However, there are limitations to such 
competition, and the following is a discussion of some limitations that are 
common to all of these markets. Notwithstanding what may be the 
limitations to competition in each of these markets, the Commission is 
also mindful, in evaluating whether, and if so, how, to regulate in 
this space, of the need to craft rules that appropriately take into 
account the tradeoffs between the resulting costs and benefits, and the 
effects on efficiency, competition, and capital formation, that would 
accompany such regulation.
    Market participants may be unaware when SCI events disrupt 
transactions due to, for example, a lack of timely and consistently 
disseminated information about SCI events. First, providers of services 
that experience SCI events may lack the incentive to disclose such 
events. Second, other providers of services may choose to not publicly 
comment on the identity of providers who experienced SCI events.\539\ 
For example, providers of trading services may choose not to point to 
other providers because the next SCI event may occur on their own 
systems. In addition, a person or entity pointing at other providers 
may be exposed to litigation risks.
---------------------------------------------------------------------------

    \539\ The Commission notes, however, that certain providers of 
trading services do provide public disclosure of systems issues at 
another provider. For example, when one trading venue perceives that 
a second venue is non-responsive when orders are routed to that 
second venue, the first venue will declare self-help under Rule 611 
of Regulation NMS, which permits the first venue to cease to route 
orders to the second venue in certain instances. Certain trading 
venues would provide public notification of self-help. See, e.g., 
NASDAQ Market System Status, available at: https://www.nasdaqtrader.com/Trader.aspx?id=MarketSystemStatus.
---------------------------------------------------------------------------

    While some SCI events may not directly impact markets, they are 
still an indication of the risk of SCI events at a given SCI entity. It 
is likely that market participants assume that services operate as 
promised until an SCI event occurs. Reputation and good experiences 
with a trading venue may cause market participants to trust its 
effectiveness. In the absence of problems, however, a system may be 
assumed to be fully functional. Once a problem occurs, market 
participants will update their prior assumptions and should correctly 
infer that the system is not as robust as previously believed.
    Moreover, in the case of SCI events that disrupt the entire market 
or large portions of it (e.g., the data outages during the flash crash 
on May 6, 2010), all providers of trading services may be affected at 
the same time and, as a result, market participants may find it 
challenging to identify service providers with lower risks of such SCI 
events. In light of the foregoing, members and participants of SCI 
entities would be important recipients of information disseminated 
about SCI events because they are the parties who would most naturally 
need, want, and be able to act on the information and, where 
applicable, share such disseminated information with other interested 
market participants, as discussed further below.
a. Market for Trading Services
    Trading services are offered by entities that would meet the 
definition of SCI entity, including equities exchanges, options 
exchanges, and SCI ATSs, as well as by entities that would not be 
included in the proposed definition of SCI entity, such as ATSs that 
are not SCI ATSs, OTC market makers, and broker-dealers. As discussed 
above in Section I.B, there are currently 13 national securities 
exchanges that trade equity securities, with none having an overall 
market share of greater than 20 percent.\540\ There are currently 11 
national securities exchanges that trade options.\541\ Of these 
exchanges, CBOE, ISE, and Nasdaq OMX Phlx have the most significant 
market share.\542\ ATSs--both ECNs and dark pools--as well as OTC 
market makers and broker-dealers also execute substantial volumes of 
stocks and bonds.\543\
---------------------------------------------------------------------------

    \540\ See supra note 47 and accompanying text. These national 
securities exchanges are: BATS; BATS-Y; CBOE; CHX; EDGA; EDGX; 
Nasdaq OMX BX; Nasdaq OMX Phlx; Nasdaq; NSX; NYSE; NYSE MKT; and 
NYSE Arca.
    \541\ These national securities exchanges are: BATS Exchange 
Options Market; BOX; C2; CBOE; ISE; MIAX; NASDAQ Options Market; 
Nasdaq OMX BX Options; Nasdaq OMX Phlx; NYSE Amex Options; and NYSE 
Arca.
    \542\ Specifically, during 2012, CBOE had 26.46% of the market 
share, Nasdaq OMX Phlx had 19.77%, and ISE had 15.78%. Calculated 
using data regarding number of contracts traded from Options 
Clearing Corporation, available at: https://www.theocc.com/market-data/volume/.
    \543\ As discussed above in Section III.B.1, the Commission 
estimates that the proposed definition of ``SCI entity'' would 
capture approximately 15 SCI ATSs (10 SCI ATSs in NMS stocks, two 
SCI ATSs in non-NMS stocks, and three SCI ATSs in municipal 
securities and corporate debt securities).
---------------------------------------------------------------------------

    With respect to the competitive nature of the market for trading 
services, as well as the limitations to the competitive effects, all 
providers of trading services compete and have incentives to avoid 
systems disruptions, systems compliance issues, and systems intrusions 
because, for example, brokers and other entities will be inclined to 
route orders away from trading venues that have frequent systems 
problems. Indeed, trading service providers 
expend resources to provide quality services and attempt to mitigate 
systems disruptions, systems compliance issues, and systems intrusions; 
however, it is not clear how to distinguish efforts attributable to 
competitive pressures from those attributable to existing legal 
requirements and regulatory programs such as the ARP Inspection 
Program.\544\
---------------------------------------------------------------------------

    \544\ See also supra Section V.B.1, noting the various reasons 
why SCI entities currently take action to address systems problems.
---------------------------------------------------------------------------

    The Commission recognizes that there may be limits with respect to 
the extent to which competition ameliorates systems problems associated 
with trading services. However, the Commission remains mindful of the 
need to craft rules that appropriately take into account the tradeoffs 
between the costs and benefits, and the effects on efficiency, 
competition, and capital formation, associated with any such rules. The 
Commission preliminarily believes that it is important for SCI entity 
members or participants to know about risks for SCI events at a given 
service provider. As discussed above, if information about SCI events 
is not disseminated to members or participants of SCI entities or is 
not attributable to specific SCI entities, market participants may 
misjudge the quality of trading services or otherwise make decisions 
without fully accounting for such risks. Furthermore, as evidenced by 
the extended shutdown of the equities and options markets that resulted 
from, among other things, the exchanges' belief regarding the inability 
of some market participants to adequately operate from the backup 
facilities of all market centers, contingency planning has not been 
adequate to help prevent market-wide outages.\545\ For example, as 
noted above, the NYSE offered its members the opportunity to 
participate in testing of its backup systems, but not all members chose 
to participate in such testing, and the Commission understands that the 
scope of the test was limited.\546\
---------------------------------------------------------------------------

    \545\ See supra Section I.D.
    \546\ See supra Section I.D. See also supra notes 83 and 532 and 
accompanying text.
---------------------------------------------------------------------------

    In addition, even though there are multiple trading venues, 
suppliers of trading services may have limited ability to transact in 
particular securities (e.g., certain index options may only trade on 
one options exchange). As a result, competition in the market for 
trading services may not sufficiently mitigate the occurrence of SCI 
events, and there may be insufficient disclosure of information 
regarding the quality of trading services offered by SCI entities.
b. Market for Listing Services
    Certain SCI entities are in the market for listing services. In 
this market, exchanges compete to list issuers to collect listing fees 
and to provide ancillary services to listed companies. The NYSE and 
Nasdaq are the largest U.S. exchanges in terms of the number of equity 
securities listed, with the NYSE and Nasdaq serving as the listing 
market for 3,262 and 2,691 securities, respectively, as of February 4, 
2013.\547\ U.S. exchanges face competition from other U.S. exchanges 
and from non-U.S. exchanges.
---------------------------------------------------------------------------

    \547\ See NASDAQ Company List, available at: https://www.nasdaq.com/screening/company-list.aspx, for the list of 
companies listed on NYSE and NASDAQ.
---------------------------------------------------------------------------

    Competition for listings may be limited by many factors. With 
respect to the limitations of competitive forces in the market for 
listing services, first, while a company can be listed on a certain 
exchange, trading does not necessarily occur on that exchange. In fact, 
the majority of trading occurs away from the listing exchange in 
today's U.S. equities markets.\548\ Second, there are switching costs 
associated with moving a listing from one exchange to another, which 
may cause issuers to remain at their current exchange, even in response 
to the occurrence of some SCI events. Third, certain exchanges also may 
be considered more ``prestigious'' than others and, to this extent, 
they may wield market power over other exchanges when competing for 
issuers. As a result, these exchanges may not be properly incentivized 
to provide the level of service they otherwise might if they were 
subject to greater competition. Members and participants of SCI 
entities that serve as underwriters to issuers would be important 
recipients of information disseminated by SCI entities about 
dissemination SCI events, particularly if they share such information 
with issuers making listing decisions.
---------------------------------------------------------------------------

    \548\ See BATS Market Volume Summary, available at: https://www.batstrading.com/market_summary/ (displaying the dispersion of 
trading in equity securities, which indicates that trading occurs 
away from listing exchanges).
---------------------------------------------------------------------------

c. Market for Regulation and Surveillance Services
    Regulation and surveillance are required by statutes and rules and, 
therefore, all regulated market participants (e.g., exchanges or ATSs) 
have a demand for regulation and surveillance services. Suppliers in 
this market may be in-house or third parties, and potentially include 
all of the exchanges and FINRA. Because of regulatory services 
agreements (``RSAs'') between FINRA and several national securities 
exchanges, as of February 2011, FINRA's Market Regulation Department 
was responsible for surveillance of 80 percent of the trading volume in 
U.S. equity markets and 35 percent of the volume in U.S. options 
markets.\549\ Also, in 2011, BATS and BATS-Y entered into RSAs with 
CBOE as the supplier.\550\ On the other hand, some exchanges have not 
entered into RSAs.
---------------------------------------------------------------------------

    \549\ See FINRA 2011 Annual Regulatory and Examination 
Priorities Letter (February 8, 2011), available at: https://www.finra.org/web/groups/industry/@ip/@reg/@guide/documents/industry/p122863.pdf.
    \550\ See BATS Global Markets, Inc., Amendment No. 5 to Form S-
1, dated March 21, 2012 (Registration No. 333-174166).
---------------------------------------------------------------------------

    There are other regulatory services arrangements in addition to 
RSAs. For example, in 2008, the Commission declared effective a plan 
for allocating regulatory responsibilities pursuant to Rule 17d-2,\551\ 
which among other things, allocated regulatory responsibility for the 
surveillance, investigation, and enforcement of Common Rules \552\ over 
Common NYSE Members,\553\ with respect to NYSE-listed stocks and NYSE 
Arca-listed stocks, to NYSE and over Common FINRA Members,\554\ with 
respect to NASDAQ-listed stocks, Amex-listed stocks, and any CHX 
solely-listed stock, to FINRA.\555\
---------------------------------------------------------------------------

    \551\ See Securities Exchange Act Release No. 58536 (September 
12, 2008), 73 FR 54646 (September 22, 2008). See also 17 CFR 
240.17d-2 (permitting SROs to propose joint plans for the allocation 
of regulatory responsibilities with respect to their common 
members).
    \552\ Such rules include federal securities laws and rules 
promulgated by the Commission pertaining to insider trading, and the 
rules of the plan participants that are related to insider trading 
as provided on Exhibit A to a Rule 17d-2 Plan. See Agreement for the 
Allocation of Regulatory Responsibility of Surveillance, 
Investigation and Enforcement for Insider Trading pursuant to Sec.  
17(d) of the Securities Exchange Act of 1934, 15 U.S.C. Sec.  
78q(d), and Rule 17d-2 thereunder.
    \553\ Common NYSE Members include those who are members of the 
NYSE and of at least one of the plan participants. See id.
    \554\ Common FINRA Members include those who are members of 
FINRA and of at least one of the plan participants. See id.
    \555\ Participants in this plan are: BATS, BATS-Y, CBOE, CHX, 
EDGA, EDGX, FINRA, Nasdaq OMX BX, Nasdaq OMX Phlx, Nasdaq, NSX, 
NYSE, NYSE Amex, and NYSE Arca. See id. In January 2011, this Rule 
17d-2 plan was amended as a result of an agreement under which FINRA 
assumed the responsibility for performing the market surveillance 
and enforcement functions previously conducted by NYSE Regulation 
for its U.S. equities and options markets. Under the plan, FINRA 
charges participants a fee for the performance of regulatory 
responsibilities. See Securities Exchange Act Release No. 63750 
(January 21, 2011), 76 FR 4948 (January 27, 2011). There are other 
types of Rule 17d-2 plans, including multilateral and bilateral 
plans. While other SROs perform some regulatory functions under the 
options-related market surveillance and Regulation NMS multiparty 
17d-2 plans, FINRA provides the bulk of services under all other 
17d-2 plans.

---------------------------------------------------------------------------

    With respect to limitations of competition that are specific to the 
market for regulatory and surveillance services, if investors, issuers, 
or other market participants become aware of SCI events by virtue of 
the members or participants of SCI entities sharing information they 
have received about dissemination SCI events, and such information 
suggests that an SRO has low-quality regulation and surveillance, they 
may avoid such venues since they may feel that their interests are not 
being adequately protected. In the case of an RSA, there is competition 
among providers of such services because the user of the service can 
enter into a contract with a different provider. An SRO that purchases 
regulatory and surveillance services pursuant to an RSA retains the 
ultimate responsibility and liability for its self-regulatory 
obligations, and has an interest in seeking a service provider that 
would provide a high level of regulatory and surveillance 
services.\556\ Since the purchaser of these services could face 
Commission sanctions and experience damage to its reputation for 
violations resulting from inadequate regulation and surveillance, 
providers of these services may have the incentive to ensure that they 
provide a high level of service.
---------------------------------------------------------------------------

    \556\ In contrast to an RSA, under Rule 17d-2(d) under the 
Exchange Act, ``[u]pon the effectiveness of such a plan or part 
thereof, any self-regulatory organization which is a party to the 
plan shall be relieved of responsibility as to any person for whom 
such responsibility is allocated under the plan to another self-
regulatory organization to the extent of such allocation.'' 17 CFR 
240.17d-2(d).
---------------------------------------------------------------------------

    A factor that limits competition in this market is that it is 
highly concentrated. As noted above, FINRA accounts for the 
surveillance of 80 percent of trading volume in U.S. equity markets 
and, although any SRO could potentially be a provider of such services, 
not all choose to do so, and thus there may not be many alternatives 
for RSAs. With respect to the market for Rule 17d-2 plans, the 
Commission recognizes that the level of competition may be limited, as 
Rule 17d-2 was intended to address regulatory duplication for 
broker-dealers that are members of more than one SRO, one of which is 
usually FINRA.
d. Market for Clearance and Settlement Services
    Certain SCI entities are in the market for clearance and settlement 
services. There are seven registered clearing agencies with active 
operations--DTC, FICC, NSCC, OCC, ICE Clear Credit, ICE Clear Europe, 
and CME \557\--as well as one exempt clearing agency.\558\ An SCI event 
in this market could have very disruptive and widespread effects on the 
financial markets. Because each clearing agency has a critical role in 
the operation of a particular product market, clearing agencies may 
already have heightened incentives to ensure that their systems have 
adequate levels of capacity, integrity, resiliency, availability, and 
security.\559\ At the same time, one of the major impediments to 
competition in this market is that it is highly concentrated in 
particular classes of securities (e.g., equities or options). This may 
limit incentives for clearing agencies to have levels of capacity, 
integrity, resiliency, availability, and security that are appropriate 
for their role in the securities market. Thus, for the market for 
clearance and settlement services, it is especially important for the 
Commission and clearing agency participants to have current and 
accurate information about SCI events to help ensure that the clearing 
agencies are properly incentivized to provide high-quality service.
---------------------------------------------------------------------------

    \557\ As noted above, active registered clearing agencies are 
part of the current ARP Inspection Program. See supra note 95 and 
accompanying text.
    \558\ As noted above, Omgeo is part of the current ARP 
Inspection Program. See supra notes 133-135 and accompanying text.
    \559\ See generally 2003 Interagency White Paper, supra note 31.
---------------------------------------------------------------------------

e. Market for Market Data
    Finally, certain SCI entities provide market data. There are two 
different types of market data, namely consolidated data and 
proprietary data. As discussed above, when Congress mandated a national 
market system in 1975, it emphasized that the systems for collecting 
and distributing consolidated market data would ``form the heart of the 
national market system.'' \560\ Moreover, the Commission has identified 
certain benefits of consolidated market data, including providing the 
public with access to a comprehensive, accurate, and reliable source of 
information for NMS stocks.\561\ One of the Commission's primary 
concerns is that the market for consolidated data functions properly.
---------------------------------------------------------------------------

    \560\ See Concept Release on Equity Market Structure, supra note 
42, at 3600 (quoting H.R. Rep. No. 94-229, 94th Cong., 1st Sess. 93 
(1975)).
    \561\ See supra note 187 and accompanying text.
---------------------------------------------------------------------------

    Market data is a critical part of the investment and trading 
process.\562\ The data is needed for pre- and post-trade transparency 
and allows market participants to make well-informed investment and 
trading decisions.\563\ Indeed, based on Commission staff experience, 
the Commission understands that many trading algorithms make trading 
decisions based primarily on market data and rely on that data being 
current and accurate. An SCI event in connection with market data could 
significantly disrupt markets.\564\
---------------------------------------------------------------------------

    \562\ See supra notes 187-189 and accompanying text.
    \563\ See id.
    \564\ For example, on January 3, 2013, Nasdaq reported that its 
securities information processor (which is the plan processor of the 
CQS Plan, an SCI plan) experienced ``an issue with stale data,'' 
which lasted approximately 10 to 15 minutes. See https://www.nasdaq.com/article/update-traders-report-technical-issue-involving-nasdaq-listed-securities-20130103-01046#.URutFaVEHmd. See 
also https://www.reuters.com/article/2013/01/03/exchanges-data-outage-idUSL1E9C3DQL20130103. As a result, last sale and quotation 
data was not available for Nasdaq-listed (``Tape C'') securities 
during that time. See id. Although proprietary data feeds were 
available, only subscribers receiving such feeds could continue 
trading with current market data during the outage. Market centers 
EDGA and EDGX temporarily suspended trading in all Tape C securities 
in response to the outage. See id.
---------------------------------------------------------------------------

    The process of collecting and disseminating consolidated quotation 
and transaction data is governed by the SCI plans. For securities 
listed on Nasdaq, data distribution is governed by the Nasdaq UTP Plan. 
For securities listed on NYSE, NYSE Amex, and several other exchanges, 
data distribution is governed by the CTA Plan and the CQS Plan. For 
options, data distribution is governed by the OPRA Plan. These SCI 
plans also oversee the collection of fees for access to the 
consolidated data network, and the allocation of the resulting revenue 
across the exchanges. Currently, there are two entities designated as 
plan processors by SCI plans--SIAC and Nasdaq.\565\ Due to the extreme 
concentration in the market segment for consolidated data, there is 
virtually no competition between SCI plan processors, which could leave 
little incentive to ensure a high-quality product with minimal 
disruptions.
---------------------------------------------------------------------------

    \565\ See supra note 131.
---------------------------------------------------------------------------

3. Proposed Regulation SCI and Its Impact on Current Practices
    Proposed Regulation SCI would be a codification and enhancement of 
the current ARP Inspection Program. As discussed further below with 
respect to each of the proposed rules, proposed Regulation SCI would: 
(A) Be mandatory and codify many aspects of the ARP policy statements; 
(B) expand the scope of the ARP policy statements to other types of 
systems and event types; and (C) expand the scope of the ARP Inspection 
Program to other types of entities.

    With respect to different types of systems, as discussed in more 
detail above, the ARP policy statements are focused on automated 
systems.\566\ Specifically, entities that participate in the ARP 
Inspection Program follow the ARP policy statements with respect to 
systems that directly support trading, clearance and settlement, order 
routing, and market data.\567\ Proposed Regulation SCI, on the other 
hand, would apply to more types of systems than the ARP policy 
statements. As discussed above, in addition to the systems covered by 
the ARP Inspection Program, the proposed definition of ``SCI systems'' 
would also include systems that directly support regulation and 
surveillance that are not currently part of the ARP Inspection Program. 
Further, the provisions of proposed Regulation SCI relating to security 
standards and systems intrusions would also apply to ``SCI security 
systems,'' which would be defined to mean any systems that share 
network resources with SCI systems that, if breached, would be 
reasonably likely to pose a security threat to SCI systems.
---------------------------------------------------------------------------

    \566\ See supra Section I.A for more discussion of the ARP 
policy statements and the ARP Inspection Program. According to ARP 
I, the term ``automated systems'' or ``automated trading systems'' 
means computer systems for listed and OTC equities, as well as 
options, that electronically route orders to applicable market 
makers and systems that electronically route and execute orders, 
including the data networks that feed the systems. The term 
``automated systems'' also encompasses systems that disseminate 
transaction and quotation information and conduct trade comparisons 
prior to settlement, including the associated communication 
networks. Moreover, ARP I states that because lack of adequate 
communications capacity can be as damaging to the overall 
performance of an exchange during peak periods as poorly designed 
order processing, capacity tests of the data networks that feed the 
computer systems also should be conducted. See ARP I, supra note 1, 
at n.21.
    \567\ While generally only trading, clearance and settlement, 
order routing, and market data systems follow the guidelines in the 
ARP policy statements, ARP staff inspects all the categories of 
systems that are included in the proposed definition of ``SCI 
systems.'' However, ARP staff generally inspects systems that do not 
directly support trading, clearance and settlement, order routing, 
or market data only if staff detects red flags.
---------------------------------------------------------------------------

    Additionally, while the ARP Inspection Program and proposed 
Regulation SCI both cover certain types of systems disruptions \568\ 
and systems intrusions,\569\ proposed Regulation SCI also would cover 
systems compliance issues. Finally, the ARP Inspection Program includes 
29 participants that are SCI entities, consisting of 17 registered 
national securities exchanges, seven registered clearing agencies, 
FINRA, two plan processors, one ATS, and one exempt clearing agency. 
Because no ATSs currently satisfy the thresholds in Rule 306(b)(6)(i) 
of Regulation ATS, no ATSs currently are subject to the systems 
safeguard requirements of Regulation ATS \570\ although, as noted 
above, one ATS voluntarily participates in the ARP Inspection Program. 
Proposed Regulation SCI would include all of the entities currently 
under the ARP Inspection Program. With respect to ATSs, proposed 
Regulation SCI would include an estimated 10 SCI ATSs in NMS stocks, an 
estimated two SCI ATSs in non-NMS stocks, an estimated three SCI ATSs 
in municipal securities and corporate debt securities, and one SRO 
(i.e., the MSRB).
---------------------------------------------------------------------------

    \568\ See 2001 Staff ARP Interpretive Letter, supra note 35. See 
also supra Section III.B.3.a for a discussion of the differences 
between the definition of ``significant system outage'' as used 
currently in the ARP Inspection Program and the proposed definition 
of ``systems disruption.''
    \569\ See ARP I, supra note 1, at 48707 (referring to instances 
where unauthorized persons gained or attempted to gain access to 
systems). Proposed Rule 1000(a) would define ``systems intrusion'' 
to mean any unauthorized entry into the SCI systems or SCI security 
systems of the SCI entity.
    \570\ See 17 CFR 242.301(b)(6).
---------------------------------------------------------------------------

    Proposed Rules 1000(b)(4) and (b)(5) would require, respectively, 
that all SCI events be reported to the Commission, and that information 
relating to dissemination SCI events be disseminated to members or 
participants of an SCI entity. Proposed Rule 1000(a) would define a 
dissemination SCI event to mean an SCI event that is a: (1) Systems 
compliance issue; (2) systems intrusion; or (3) systems disruption that 
results, or the SCI entity reasonably estimates would result, in 
significant harm or loss to market participants. Under the ARP 
Inspection Program, only ``significant'' outages should be reported to 
the Commission, and there are no quantitative standards to define 
``significant'' outage. Similarly, proposed Regulation SCI would not 
specify a quantitative standard for immediate notification SCI events 
or dissemination SCI events. Instead, immediate notification SCI events 
would include any systems disruption that the SCI entity reasonably 
estimates would have a material impact on its operations or on market 
participants, any systems compliance issue, and any systems intrusion. 
With respect to dissemination SCI events, certain information about all 
systems compliance issues and systems intrusions would be required to 
be disseminated to members or participants, although information about 
systems intrusions in some cases could be delayed. Systems disruptions 
would also be dissemination SCI events, but only if they result, 
or the SCI entity reasonably estimates would result, in significant 
harm or loss to market participants.
    Proposed Rule 1000(b)(1) (Capacity, Integrity, Resiliency, 
Availability, and Security) addresses the capacity, integrity, 
resiliency, availability, and security of the systems of SCI entities. 
Rule 1000(b)(1) would require an SCI entity to establish, maintain, and 
enforce written policies and procedures reasonably designed to ensure 
that its SCI systems and, for purposes of security standards, SCI 
security systems, have levels of capacity, integrity, resiliency, 
availability, and security, adequate to maintain the SCI entity's 
operational capability and promote the maintenance of fair and orderly 
markets.
    Proposed Rule 1000(b)(1)(i) would further require that an SCI 
entity's policies and procedures include the establishment of 
reasonable current and future capacity planning estimates, periodic 
capacity stress tests, a program to review and keep current systems 
development and testing methodology, regular reviews and testing of 
such systems, including backup systems, business continuity and 
disaster recovery plans, and standards that result in systems that 
facilitate the successful collection, processing, and dissemination of 
market data. The items in proposed Rule 1000(b)(1)(i)(A)-(E) are the 
same as those in the ARP Inspection Program and Rule 301(b)(6) of 
Regulation ATS.\571\
---------------------------------------------------------------------------

    \571\ See supra Section III.C.1 for a detailed discussion of 
proposed Rule 1000(b)(1), including comparisons to the provisions of 
the ARP Inspection Program.
---------------------------------------------------------------------------

    Proposed Rule 1000(b)(1)(ii) would further provide that an SCI 
entity's policies and procedures would be deemed to be reasonably 
designed if they are consistent with current SCI industry 
standards.\572\ The Commission preliminarily believes that SCI entities 
would be familiar with such standards because they would be required to 
be widely available for free to information technology professionals in 
the financial sector, and must be issued by an authoritative body that 
is a U.S. governmental entity or agency, association of U.S. 
governmental entities or agencies, or widely recognized 
organization.\573\ As noted above, compliance with the identified SCI 
industry standards would not be the exclusive means to comply with the 
requirements of proposed Rule 1000(b)(1).
---------------------------------------------------------------------------

    \572\ See proposed Rule 1000(b)(1)(ii).
    \573\ See infra text commencing at note 630, discussing examples 
of SCI industry standards that may originate from NIST publications 
and/or other publications listed in Table A, and the potential costs 
they may impose on SCI entities.
---------------------------------------------------------------------------

    Proposed Rule 1000(b)(2)(i) (Systems Compliance) is not currently 
part of the ARP Inspection Program and would require each SCI entity to 
establish, maintain, and enforce written policies and procedures 
reasonably designed to ensure that its SCI systems operate in the 
manner intended, including in a manner that complies with the federal 
securities laws and rules and regulations thereunder and the entity's 
rules and governing documents, as applicable.\574\
---------------------------------------------------------------------------

    \574\ However, as noted above in Section V.B.1.b, SCI entities 
are already required to comply with relevant laws and rules.
---------------------------------------------------------------------------

    Proposed Rule 1000(b)(3) (Corrective Action) would require that, 
upon any responsible SCI personnel becoming aware of an SCI event, an 
SCI entity begin to take appropriate corrective action. The Commission 
understands that market participants already take steps to address 
systems issues should they occur, but preliminarily believes that 
proposed Rule 1000(b)(3) may result in SCI entities incurring 
additional information technology costs, primarily because proposed 
Rule 1000(b)(3) requires each SCI entity, upon any responsible SCI 
personnel becoming aware of an SCI event, to begin to take appropriate 
corrective action. Thus, SCI entities would not be able to delay the 
start of taking corrective action, which in turn could result in some 
SCI entities potentially seeking to, for example, update their systems 
with newer technology earlier than they might have otherwise. As these 
increased costs would likely occur primarily as a result of SCI 
entities making usual and customary investments sooner than they would 
otherwise, these costs are difficult to quantify.
    Proposed Rule 1000(b)(4) (Commission Notification) would require 
that an SCI entity notify the Commission of all SCI events. Proposed 
Rule 1000(b)(4) would apply to more entities, systems, and types of 
systems issues than the ARP policy statements (or the 2001 Staff ARP 
Interpretive Letter) and also require more detailed reporting to the 
Commission.\575\
---------------------------------------------------------------------------

    \575\ See discussion of proposed Rule 1000(b)(4) in supra 
Section III.C.4. In addition, proposed Rule 1000(d) would require, 
with limited exception, that any written notification, review, 
description, analysis, or report to the Commission be submitted 
electronically on Form SCI.
---------------------------------------------------------------------------

    Proposed Rule 1000(b)(5) (Dissemination of Information to Members 
or Participants) would require an SCI entity to disseminate information 
relating to dissemination SCI events to members or participants. 
Proposed Rule 1000(b)(5) would impose a new requirement that is not 
currently part of the ARP Inspection Program. As noted above in Section 
V.B.1.a, some entities provide their members or participants with 
notices of outages currently. However, although proposed Rule 
1000(b)(5) would permit information regarding some systems intrusions 
to be delayed,\576\ the Commission expects that dissemination of 
information to members or participants about dissemination SCI events 
would increase significantly.
---------------------------------------------------------------------------

    \576\ See proposed Rule 1000(b)(5)(ii).
---------------------------------------------------------------------------

    With respect to proposed Rule 1000(b)(6) (Material Systems 
Changes), while entities may voluntarily submit similar material 
systems change notifications to the Commission under the ARP Inspection 
Program, proposed Regulation SCI would set forth more detailed 
requirements.\577\ Proposed Rule 1000(b)(6) would require an SCI entity 
to notify the Commission of planned material systems changes on 
proposed Form SCI at least 30 calendar days in advance of such change, 
unless exigent circumstances exist or information previously provided 
to the Commission regarding a planned material systems change has 
become materially inaccurate, necessitating notice regarding a material 
systems change with less than 30 calendar days' notice.
---------------------------------------------------------------------------

    \577\ See supra Sections III.C.4 and III.E.2 discussing the 
reporting requirements in proposed Rule 1000(b)(6).
---------------------------------------------------------------------------

    Proposed Rule 1000(b)(7) (SCI Review) would require an SCI entity 
to conduct an SCI review of its compliance with Regulation SCI at least 
annually, and submit a report of the SCI review to senior management of 
the SCI entity for review no more than 30 calendar days after 
completion of the SCI review. Because systems reviews have always been 
part of the ARP Inspection Program, the Commission believes that most 
SCI entities currently undertake annual systems reviews, reports of 
which the Commission understands are reviewed by senior management. The 
Commission believes, however, that the scope of the systems review 
undertaken by ARP entities, and senior management involvement in 
such reviews, varies among ARP entities. The Commission expects that 
proposed Regulation SCI, which defines the parameters of an SCI review, 
would foster greater consistency in the approach that SCI entities take 
with respect to systems reviews.
    Proposed Rule 1000(b)(8) (Reports) would require an SCI entity to 
submit various reports to the Commission. Specifically, proposed Rule 
1000(b)(8)(i) would require an SCI entity to submit a report of the SCI 
review required by proposed Rule 1000(b)(7), together with any response 
by senior management, within 60 calendar days after its submission to 
senior management of the SCI entity. Proposed Rule 1000(b)(8)(ii) would 
require an SCI entity to submit a report, within 30 calendar days after 
the end of June and December of each year, containing a summary 
description of the progress of any material systems change during the 
six-month period ending on June 30 or December 31, as the case may be, 
and the date, or expected date, of completion of implementation of such 
changes. Such reports to be filed with the Commission pursuant to 
proposed Rule 1000(b)(8) would be required to be filed electronically 
on Form SCI. Proposed Rule 1000(b)(8) would codify current practice 
under the ARP Inspection Program, in which ARP entities submit reports 
of systems reviews and report progress on material systems changes to 
ARP staff. However, proposed Rule 1000(b)(8) would specify a more detailed 
process for submission of such reports.
    Proposed Rule 1000(b)(9) (SCI Entity Business Continuity and 
Disaster Recovery Plans Testing Requirements for Members or 
Participants) is not part of the current ARP Inspection Program and 
would require an SCI entity, with respect to its business continuity 
and disaster recovery plans, including its backup systems, to require 
participation by designated members or participants in scheduled 
functional and performance testing of the operation of such plans, in 
the manner and frequency as specified by the SCI entity, at least once 
every 12 months. In addition, the proposed rule would require an SCI 
entity to coordinate such testing on an industry- or sector-wide basis 
with other SCI entities.\578\ Further, the proposed rule would require 
each SCI entity to designate those members or participants it deems 
necessary, for the maintenance of fair and orderly markets in the event 
of the activation of its business continuity and disaster recovery 
plans, to participate in the testing of such plans. Each SCI entity 
would be required to notify the Commission of such designations and its 
standards for designation, and promptly update such notification after 
any changes to its designations or standards. Although nothing prevents 
SCI entities from doing so, the Commission currently does not mandate 
that members or participants of SCI entities test the business 
continuity and disaster recovery plans, including 
backup systems, of SCI entities. This proposed rule would allow greater 
oversight by the Commission over the business continuity and disaster 
recovery capabilities of SCI entities. While the Commission believes 
that many SCI entities currently provide the opportunity for their 
members or participants to test their business continuity and disaster 
recovery plans, the Commission believes that few require participation 
by all or designated members or participants in such testing.\579\ In 
addition, the Commission understands that, to the extent such 
participation occurs, it may in many cases be limited in nature (e.g., 
testing for connectivity to backup systems). Finally, while the 
securities industry does coordinate certain testing, the Commission 
believes that the two-day closure of the equities and options markets 
in the wake of Superstorm Sandy has shown that more significant testing 
and better coordination of such testing could benefit market 
participants.\580\
---------------------------------------------------------------------------

    \578\ See supra note 269 and accompanying text.
    \579\ See infra note 641.
    \580\ See supra Section I.D.
---------------------------------------------------------------------------

    Proposed Rules 1000(c) and (e) relate to the recordkeeping 
requirements under proposed Regulation SCI. As discussed above, SCI 
SROs already are subject to recordkeeping requirements that would apply 
to all documents relating to their compliance with proposed Regulation 
SCI.\581\ Further, entities that participate in the ARP Inspection 
Program currently keep records related to the ARP Inspection Program, 
and the Commission recognizes that all SCI entities are subject to some 
recordkeeping requirement. Nevertheless, with respect to SCI entities 
other than SCI SROs, proposed Rules 1000(c) and (e) would impose 
specific recordkeeping requirements with respect to documents related 
to compliance with Regulation SCI and thus would impose a burden on 
such entities.
---------------------------------------------------------------------------

    \581\ See supra Section III.D.1.
---------------------------------------------------------------------------

    Lastly, proposed Rule 1000(f) would require SCI entities to provide 
Commission representatives reasonable access to its SCI systems and SCI 
security systems to allow Commission representatives to assess the 
entity's compliance with proposed Regulation SCI. As discussed above, 
although the Commission believes that Section 17(b) of the Exchange Act 
already provides the Commission with authority to access the systems of 
SCI entities, the Commission is proposing Rule 1000(f) to highlight 
such authority and help ensure that Commission representatives have 
ready access to systems of SCI entities.\582\
---------------------------------------------------------------------------

    \582\ See supra Section III.D.3.
---------------------------------------------------------------------------

C. Consideration of Costs and Benefits, and the Effect on Efficiency, 
Competition, and Capital Formation

    Section 3(f) of the Exchange Act requires the Commission, whenever 
it engages in rulemaking pursuant to the Exchange Act and is required 
to consider or determine whether an action is necessary or appropriate 
in the public interest, to consider, in addition to the protection of 
investors, whether the action would promote efficiency, competition, 
and capital formation.\583\ In addition, Section 23(a)(2) of the 
Exchange Act requires the Commission, when making rules under the 
Exchange Act, to consider the impact such rules would have on 
competition.\584\ Exchange Act Section 23(a)(2) prohibits the 
Commission from adopting any rule that would impose a burden on 
competition not necessary or appropriate in furtherance of the purposes 
of the Exchange Act.\585\ In considering these matters, the Commission 
has been mindful of the history and background discussed above and has 
considered the impact proposed Regulation SCI would have on 
competition, and preliminarily believes that proposed Regulation SCI 
would promote efficiency, competition, and capital formation, and would 
not impose a burden on competition not necessary or appropriate in 
furtherance of the purposes of the Exchange Act.
---------------------------------------------------------------------------

    \583\ 15 U.S.C. 78c(f).
    \584\ 15 U.S.C. 78w(a)(2).
    \585\ 15 U.S.C. 78w(a)(2).
---------------------------------------------------------------------------

1. Summary of Benefits, Costs and Quantification
    While the current practices of some SCI entities already satisfy 
some of the requirements of proposed Regulation SCI, the Commission 
preliminarily believes proposed Regulation SCI could benefit the U.S. 
financial markets in several ways. The Commission preliminarily 
believes that Regulation SCI should result in fewer systems 
disruptions, systems compliance issues, and systems intrusions. It 
should also increase the information available to the Commission 
regarding any systems disruptions, systems compliance issues, and 
systems intrusions that do occur. In addition, it should increase the 
information available to members or participants of SCI entities 
regarding dissemination SCI events. As explained further below, such 
disseminations of information could promote the ability of market 
participants to assess the operation of markets because events would be 
more transparent. The changes also could reduce market participants' 
search costs, ultimately improving the ability of competition to 
discourage SCI events and potentially improving the allocative 
efficiency of capital. To the extent that Regulation SCI promotes the 
allocation of capital to its most efficient uses, the Commission 
preliminarily believes that Regulation SCI may promote capital 
formation.\586\ The potential economic costs of proposed Regulation SCI 
include compliance costs, which the Commission attempts to quantify, 
and other costs. Such other costs include costs associated with the 
increase in costs and time needed to make systems changes to comply 
with new and amended rules and regulations, the impact on innovation, 
and barriers to entry.\587\
---------------------------------------------------------------------------

    \586\ The Commission notes, however, that whether there is 
ultimately an effect on capital formation will depend, in part, on 
the degree of the potential effects on allocative efficiency.
    \587\ See infra Section V.C.3.b.
---------------------------------------------------------------------------

    The Commission discusses below a number of costs and benefits that 
are related to proposed Regulation SCI. Many of these costs and 
benefits are difficult to quantify with any degree of certainty, 
especially as the practices of market participants are expected to 
evolve and appropriately adapt to changes in technology and market 
developments. In addition, the extent to which the proposed rule's 
standards and the ability to enforce such standards will help reduce 
the frequency and severity of SCI events is unknown. Therefore, much of 
the discussion is qualitative in nature but, where possible, the 
Commission quantifies the costs.
    Many, but not all, of the costs of the proposed rules involve a 
collection of information, and these costs and burdens are discussed in 
the Paperwork Reduction Act Section above.\588\ When monetized, those 
estimated burdens and costs for SCI entities total approximately $44 
million in initial costs and approximately $37 million in annual 
ongoing costs. In addition, in the Economic Cost Section below,\589\ 
the Commission has quantified other costs for SCI entities that total 
between approximately $17.6 million \590\ and $132 million \591\ in 
initial costs and between $11.7 million \592\ and $88 million \593\ in 
annual ongoing costs. When aggregated, the total quantified costs for 
SCI entities are estimated as between approximately $61.6 million \594\ 
and $176 million \595\ in initial costs and between $48.7 million \596\ 
and $125 million \597\ in annual ongoing costs. In addition to the 
costs to SCI entities, the Commission also preliminarily estimates the 
total costs to members or participants of SCI entities to participate 
in the business continuity and disaster recovery plans testing 
specified by proposed Rule 1000(b)(9) to be $66 million annually.\598\ 
Thus, the total quantified costs for SCI entities and members or 
participants of SCI entities are estimated as between approximately 
$127.6 million \599\ and $242 million \600\ in initial costs and 
between $114.7 million \601\ and $191 million \602\ in annual ongoing 
costs. A detailed discussion of other potential economic costs of the 
proposal, such as potential costs to the Commission and potential 
burdens on competition, is provided below.
---------------------------------------------------------------------------

    \588\ See supra Section IV.
    \589\ See infra Section V.C.4.a (estimating the cost for: (i) 
Complying with the substantive requirements that are the subject of 
the policies and procedures required by proposed Rules 1000(b)(1) 
and (2), including consistency with SCI industry standards (which, 
solely for purposes of this Economic Analysis, would be the proposed 
SCI industry standards contained in the publications identified in 
Table A); (ii) establishing and maintaining a methodology for 
ensuring that the SCI entity is prepared for the corrective action 
requirement under proposed Rule 1000(b)(3); and (iii) establishing 
and maintaining a methodology for determining whether an SCI event 
is an immediate notification SCI event or a dissemination SCI 
event).
    \590\ See infra note 634 (estimating cost for complying with the 
substantive requirements underlying policies and procedures required 
by proposed Rules 1000(b)(1) and (2)).
    \591\ See infra note 635 (estimating cost for complying with the 
substantive requirements underlying policies and procedures required 
by proposed Rules 1000(b)(1) and (2)).
    \592\ See infra note 639 (estimating cost for complying with the 
substantive requirements underlying policies and procedures required 
by proposed Rules 1000(b)(1) and (2)).
    \593\ See infra note 640 (estimating cost for complying with the 
substantive requirements underlying policies and procedures required 
by proposed Rules 1000(b)(1) and (2)).
    \594\ $61.6 million = $44 million (PRA cost) + $17.6 million 
(other costs for SCI entities).
    \595\ $176 million = $44 million (PRA cost) + $132 million 
(other costs for SCI entities).
    \596\ $48.7 million = $37 million (PRA cost) + $11.7 million 
(other costs for SCI entities).
    \597\ $125 million = $37 million (PRA cost) + $88 million (other 
costs for SCI entities).
    \598\ See infra note 643 and accompanying text.
    \599\ $127.6 million = $44 million (PRA cost) + $17.6 million 
(other costs for SCI entities) + $66 million (costs for members or 
participants of SCI entities).
    \600\ $242 million = $44 million (PRA cost) + $132 million 
(other costs for SCI entities) + $66 million (costs for members or 
participants of SCI entities).
    \601\ $114.7 million = $37 million (PRA cost) + $11.7 million 
(other costs for SCI entities) + $66 million (costs for members or 
participants of SCI entities).
    \602\ $191 million = $37 million (PRA cost) + $88 million (other 
costs for SCI entities) + $66 million (costs for members or 
participants of SCI entities).
---------------------------------------------------------------------------

2. Economic Benefits
    Broadly, although the current practices of some SCI entities 
already satisfy some of the requirements of proposed Regulation SCI, 
the Commission preliminarily believes that proposed Regulation SCI 
would bring several overarching benefits to the securities markets. 
First and most significantly, the Commission preliminarily believes 
that proposed Regulation SCI would promote more robust systems and 
hence fewer systems disruptions and market-wide closures, systems 
compliance issues, and systems intrusions. As a result, the Commission 
expects fewer interruptions to SCI systems, including systems that 
directly support execution facilities, matching engines, and the 
dissemination of market data, and fewer errors with the pricing of 
securities, which should promote price efficiency. The Commission also 
expects fewer interruptions to other SCI systems, including systems 
that directly support regulatory systems and surveillance systems, 
which should help ensure compliance with relevant laws and rules. In 
addition, the Commission would expect fewer interruptions to SCI 
security systems, which should help prevent problems that could lead to 
disruption of an SCI entity's general operations and, ultimately, its 
market-related activities.\603\
---------------------------------------------------------------------------

    \603\ See supra Section III.B.2, discussing the Commission's 
proposed definitions of SCI systems and SCI security systems.
---------------------------------------------------------------------------

    Second, the Commission preliminarily believes that proposed 
Regulation SCI would enhance the availability of relevant information 
to members or participants of SCI entities and promote dissemination of 
information to persons (i.e., members or participants of SCI entities) 
who are most directly affected by dissemination SCI events and who 
would most naturally need, want, and be able to act on the information. 
The increased availability of information regarding SCI events should 
reduce the costs to members or participants of SCI entities when 
evaluating SCI entities and improve their ability to make more informed 
decisions about whether or not to avoid dealing with entities that 
experience significant systems issues. This enhanced information, as 
well as the improved price efficiency, should lead to greater 
allocative efficiency of capital. Moreover, it is expected that the 
increased awareness of dissemination SCI events would enhance 
competition among SCI entities with respect to the maintenance of 
robust systems.
    Third, the Commission preliminarily believes that fewer market-
wide, unscheduled shutdowns would have many of the same benefits as 
avoidance of temporary shutdowns, but on a greater scale. Fourth, the 
Commission preliminarily believes that its own ability to monitor the 
markets and ensure their smooth functioning would be significantly 
enhanced by proposed Regulation SCI. These potential benefits are 
discussed in more detail below in relation to each of the proposed 
rules.
a. Rule 1000(a) Definitions
    In general, the definitions in Rule 1000(a) either clarify a 
provision or circumscribe the scope of a provision in proposed 
Regulation SCI. Therefore, many of the costs and benefits associated 
with the impacts of the definitions are incorporated in the discussion 
below on the costs and benefits of the substantive provisions where the 
definitions are used.
    This section contains a discussion of the benefits of the expansion 
in scope that are not discussed above. In summary, the Commission 
preliminarily believes that the proposed definitions of ``SCI entity'' 
and ``SCI event,'' although they would broaden the scope of Regulation 
SCI beyond the scope of the ARP Inspection Program, are essential parts 
of proposed Regulation SCI.
i. SCI Entities
    As explained above, the difference between the entities that 
currently participate in the ARP Inspection Program and the entities 
covered by proposed Regulation SCI is the inclusion of additional ATSs 
and the MSRB. Because no ATSs currently meet the thresholds specified 
in Rule 301(b)(6) of Regulation ATS, other than the one ATS that 
currently participates in the ARP Inspection Program, none are subject 
to the systems safeguard requirements under that rule even though they 
comprise a significant portion of consolidated volume.\604\ The 
Commission preliminarily believes that the inclusion of SCI ATSs under 
proposed Regulation SCI would help ensure that ATSs, which serve as 
markets to bring buyers and sellers together in the national market 
system, are subject to rules regarding systems capacity, integrity, 
resiliency, availability, security, and compliance, including those 
rules that could help prevent SCI events and that require Commission 
reporting and the dissemination of information to

[[Page 18166]]

members or participants of SCI entities.\605\ The Commission 
preliminarily believes that the inclusion of the MSRB in proposed 
Regulation SCI would provide benefits to the market because, as noted 
above, the MSRB is the only SRO relating to municipal securities and 
the sole provider of consolidated market data for the municipal 
securities market.\606\
---------------------------------------------------------------------------

    \604\ As noted above, one ATS voluntarily participates in the 
ARP Inspection Program. See supra note 25.
    \605\ Proposed Regulation SCI would not expand the types of 
securities currently covered by the ARP Inspection Program and Rule 
301(b)(6) of Regulation ATS. The Commission recognizes that although 
currently no ATSs are subject to the systems safeguard requirements 
under Rule 301(b)(6) because they do not satisfy the thresholds in 
that rule, the Commission estimates that approximately 15 ATSs would 
be subject to proposed Regulation SCI.
    \606\ As discussed above, in 2008, the Commission amended Rule 
15c2-12 to designate the MSRB as the single centralized disclosure 
repository for continuing municipal securities disclosure. In 2009, 
the MSRB established EMMA, which serves as the official repository 
of municipal securities disclosure, providing the public with free 
access to relevant municipal securities data, and is the central 
database for information about municipal securities offerings, 
issuers, and obligors. Additionally, the MSRB's RTRS, with limited 
exceptions, requires municipal bond dealers to submit transaction 
data to the MSRB within 15 minutes of trade execution, and such near 
real-time post-trade transaction data can be accessed through the 
MSRB's EMMA Web site. See supra note 96.
---------------------------------------------------------------------------

ii. Systems and SCI Events
    As stated above, proposed Regulation SCI would expand on current 
practice, would apply to a broader range of systems, and would include 
more event types. Specifically, entities that participate in the ARP 
Inspection Program follow the ARP policy statements with respect to 
systems that directly support trading, clearance and settlement, order 
routing, and market data. The proposed definition of ``SCI systems'' 
would include the foregoing systems as well as those that directly 
support regulation and surveillance. The Commission preliminarily 
believes that including regulation and surveillance systems could help 
ensure the SCI entity's ability to monitor its compliance with relevant 
laws, rules, and its own rules, and detect any violations of such laws 
or rules. Further, the provisions of proposed Regulation SCI regarding 
systems security and intrusions also would apply to ``SCI security 
systems.'' \607\ Because SCI security systems may present potentially 
vulnerable entry points to an SCI entity's network, the Commission also 
preliminarily believes that it is important for proposed Regulation SCI 
to include those systems with respect to security standards and systems 
intrusions.\608\
---------------------------------------------------------------------------

    \607\ See supra Section III.B.2, discussing the Commission's 
proposed definitions of SCI systems and SCI security systems.
    \608\ See id.
---------------------------------------------------------------------------

    By defining SCI events to include systems disruptions, systems 
compliance issues, and systems intrusions, proposed Regulation SCI 
would further assist the Commission in its oversight of SCI entities. 
As stated above, SCI entities already follow practices similar to parts 
of proposed Regulation SCI for certain systems disruptions and systems 
intrusions. The inclusion of systems compliance issues should help the 
Commission and market participants to become better informed of the 
efforts of the SCI entities to comply with relevant laws and rules, and 
their own rules as applicable, and could enhance the enforcement of 
such laws and rules. Further, by defining a dissemination SCI event to 
include a subset of SCI events (i.e., a systems compliance issue, 
systems intrusion, or systems disruption that would result, or the SCI 
entity reasonably estimates would result, in significant harm or loss to 
market participants), proposed Regulation SCI would further assist SCI 
entity members or participants in their decisions regarding whether or 
not to utilize the systems of a given SCI entity.
b. Rule 1000(b)(1)-(10) Requirements for SCI Entities
    The development and growth of automated electronic trading have 
allowed increasing volumes of securities transactions across the 
multitude of trading centers that constitute the U.S. national market 
system. These securities transactions take place within an 
interconnected market where systems disruptions, systems compliance 
issues, and systems intrusions at one market center can impact or harm 
trading throughout the entire national market system. Thus, there is a 
need for operators of significant market systems, such as SCI entities, 
to have in place robust systems to prevent systems issues or, in the 
event that systems issues occur, to recover quickly.
    Proposed Rule 1000(b)(1)-(2) would set forth requirements relating 
to written policies and procedures that SCI entities would be required 
to establish, maintain, and enforce. Proposed Rule 1000(b)(1) would 
require an SCI entity to establish, maintain, and enforce written 
policies and procedures reasonably designed to ensure that its SCI 
systems and, for purposes of security standards, SCI security systems, 
have levels of capacity, integrity, resiliency, availability, and 
security, adequate to maintain the SCI entity's operational capability 
and promote the maintenance of fair and orderly markets.
    The rule would further provide that an SCI entity's policies and 
procedures must include the establishment of reasonable current and 
future capacity planning estimates, periodic capacity stress tests, a 
program to review and keep current systems development and testing 
methodology of such systems, regular reviews and testing of such 
systems, including backup systems, business continuity and disaster 
recovery plans, and standards that result in such systems facilitating 
the successful collection, processing, and dissemination of market 
data.\609\ As discussed above, the Commission regards SCI entities as 
part of the critical infrastructure of the U.S. securities markets and 
therefore, although proposed Rule 1000(b)(1)(i)(A)-(E) would codify 
certain provisions of the ARP policy statements, the Commission 
preliminarily believes that specifically setting forth these 
requirements in a Commission rule would benefit the securities markets 
by helping to diminish the risks and incidences of systems intrusions, 
systems compliance issues, and systems disruptions. Such policies and 
procedures should also assist in speedy recoveries from systems 
intrusions, systems compliance issues, and systems disruptions. 
Proposed Rule 1000(b)(1)(i)(F) does not have precedent in Regulation 
ATS or the ARP policy statements, and would require SCI entities to 
have standards that result in such systems being designed, developed, 
tested, maintained, operated, and surveilled in a manner that 
facilitates the successful collection, processing, and dissemination of 
market data. The Commission preliminarily believes that this proposal 
should help to ensure that timely and accurate market data is available 
to all market participants.
---------------------------------------------------------------------------

    \609\ See proposed Rule 1000(b)(1)(i)(A)-(F), discussed in supra 
Section III.C.1.a.
---------------------------------------------------------------------------

    Proposed Rule 1000(b)(1)(ii) would deem an SCI entity's policies 
and procedures required by proposed Rule 1000(b)(1) to be reasonably 
designed if they are consistent with current SCI industry 
standards.\610\ Thus, the SCI industry standards would provide 
flexibility to allow each SCI entity to determine how to best meet the 
requirements in proposed Rule 1000(b)(1), taking into account, for 
example, its nature, size, technology, business model, and other 
aspects of its business, because compliance with SCI

[[Page 18167]]

industry standards would not be the exclusive means by which an SCI 
entity could satisfy the requirements of proposed Rule 1000(b)(1).
---------------------------------------------------------------------------

    \610\ Proposed SCI industry standards are contained in the 
publications that are set forth in Table A. See supra Section 
III.C.1.b.
---------------------------------------------------------------------------

    Proposed Rule 1000(b)(2)(i), which would require written policies 
and procedures reasonably designed to ensure that an SCI entity's SCI 
systems operate in the manner intended, should help to minimize 
instances where systems do not operate in compliance with the federal 
securities laws and rules and regulations thereunder and, as 
applicable, the entity's rules and governing documents. In particular, 
the elements of the safe harbor for SCI entities in proposed Rule 
1000(b)(2)(ii)(A) relating to policies and procedures on testing and 
monitoring also should help to ensure, on an ongoing basis, that an SCI 
entity's SCI systems operate in the manner intended, including in a 
manner that complies with the federal securities laws and rules and 
regulations thereunder and, as applicable, the entity's rules and 
governing documents, thus minimizing systems compliance issues and 
consequently the total time needed to bring a system back into 
compliance.\611\ In addition, the elements of the safe harbor in 
proposed Rule 1000(b)(2)(ii)(A) relating to policies and procedures for 
systems compliance assessments by personnel familiar with applicable 
laws and rules and systems reviews by regulatory personnel should help 
ensure the performance of effective compliance audits and reviews, and 
should help provide assurance that SCI entities are operating in 
compliance with applicable laws and rules.
---------------------------------------------------------------------------

    \611\ As noted above, the Commission recognizes that SCI 
entities are already required to comply with federal securities 
laws, rules and regulations thereunder, and their own rules.
---------------------------------------------------------------------------

    Proposed Rule 1000(b)(3), which would require an SCI entity to 
begin taking appropriate corrective action upon any responsible SCI 
personnel becoming aware of an SCI event, should further help ensure 
that SCI entities invest sufficient resources as soon as reasonably 
practicable to address systems intrusions, systems compliance issues, 
and systems disruptions.\612\
---------------------------------------------------------------------------

    \612\ As noted above, the Commission believes that SCI entities 
already take corrective actions in response to systems issues.
---------------------------------------------------------------------------

    Moreover, proposed Rules 1000(b)(1)-(3) should improve price 
efficiency by reducing the likelihood and duration of systems issues, 
thereby helping to avoid the price inefficiencies that occur during 
times when systems disruptions, systems compliance issues, or systems 
intrusions can make systems unavailable or unreliable. Specifically, 
systems issues that could impact the accuracy or the timeliness, and 
thus the reliability, of market data could lead to inaccuracies in 
pricing, slow down pricing, and make data less reliable. Therefore, 
to the extent that proposed Rules 1000(b)(1)-(3) could reduce the 
likelihood or duration of systems issues, they may lead to more 
reliable market data (because there would be fewer inaccuracies and the 
market data would be more timely), which could help improve the quality 
of market data. This, in turn, could enhance price efficiency in the 
market for market data, which then could promote allocative efficiency 
of capital and capital formation.
    Proposed Regulation SCI is intended, in part, to facilitate the 
Commission's ability to monitor the impact on the securities markets by 
SCI entities' systems that support the performance of the entities' 
activities. The Commission preliminarily believes that proposed Rules 
1000(b)(1)-(3), as well as 1000(b)(4), would provide for more effective 
Commission oversight of the operation of the systems of SCI entities.
    Specifically, while entities that participate in the ARP Inspection 
Program already notify Commission staff of certain systems issues, the 
Commission preliminarily believes that proposed Rule 1000(b)(4), 
relating to Commission notification of SCI events, should further 
enhance the effectiveness of Commission oversight of the operation of 
SCI entities. Under the proposed rule, upon any responsible SCI 
personnel becoming aware of an immediate notification SCI event,\613\ 
an SCI entity would be required to notify the Commission of the SCI 
event. Within 24 hours of any responsible SCI personnel becoming aware 
of an SCI event, an SCI entity would be required to submit a written 
notification pertaining to such SCI event on Form SCI. Until such time 
as the SCI event is resolved, the SCI entity would be required to 
provide updates regularly, or at such frequency as requested by an 
authorized representative of the Commission. Although this process 
would represent costs to an SCI entity,\614\ the documentation of SCI 
events will help prevent such systems failures from being dismissed or 
ignored as glitches or momentary issues because it would focus the SCI 
entity's attention on the issue and encourage allocation of SCI entity 
resources to resolve the issue as soon as reasonably practicable.
---------------------------------------------------------------------------

    \613\ See supra Section III.C.3.b.
    \614\ See supra Section IV.D.2.a.
---------------------------------------------------------------------------

    As noted above, the Commission is concerned that members or 
participants of SCI entities may be unaware of the occurrence of some 
SCI events, and therefore may make decisions without all relevant 
information. Proposed Rule 1000(b)(5) would require an SCI entity, upon 
any responsible SCI personnel becoming aware of a dissemination SCI 
event other than a systems intrusion, to disseminate certain 
information regarding the dissemination SCI event to its members or 
participants.\615\ Such information would include the systems affected 
by the event and a summary description of the event. When known, the 
SCI entity would be required to further disseminate to its members or 
participants: a detailed description of the SCI event; its current 
assessment of the types and number of market participants potentially 
affected by the SCI event; and a description of the progress of its 
corrective action for the SCI event and when the SCI event has been or 
is expected to be resolved. An SCI entity also would be required to 
provide regular updates to members or participants regarding the 
disseminated information. The Commission preliminarily believes that 
proposed Rule 1000(b)(5) would help market participants--specifically 
the members or participants of SCI entities--to better evaluate the 
operations of SCI entities based on more readily available information.
---------------------------------------------------------------------------

    \615\ For a dissemination SCI event that is a systems intrusion, 
an SCI entity must disseminate to members or participants a summary 
description of the systems intrusion, including a description of the 
corrective action taken by the SCI entity and when the systems 
intrusion has been or is expected to be resolved, unless it 
determines that dissemination of such information would likely 
compromise the security of the SCI entity's SCI systems or SCI 
security systems, or an investigation of the systems intrusion.
---------------------------------------------------------------------------

    As discussed above,\616\ the Commission believes that the existing 
competition among the markets has not sufficiently mitigated the 
occurrence of certain systems problems, and thus preliminarily believes 
that requiring the dissemination of information about certain SCI 
events, as described above, to members or participants could 
potentially further incentivize SCI entities to create more robust 
systems. In addition, targeting this set of market participants (i.e., 
an SCI entity's members or participants) to receive information about 
dissemination SCI events has the benefit of providing the information 
to those that are most likely to need, want, and act on the 
information, without imposing the additional costs associated with 
requiring broader public dissemination. Moreover, another benefit of 
increased dissemination of information about dissemination SCI events 
to SCI entity

[[Page 18168]]

members or participants would be the resultant reduction in search 
costs for market participants when they are gathering information to 
make a determination with respect to the use of an entity's services. 
Also, proposed Rule 1000(b)(5) would require SCI entities to 
disseminate specified information for dissemination SCI events, which 
would allow market participants to more easily compare the available 
information from all SCI entities for which they are members or 
participants. The foregoing benefits would be further enhanced to the 
extent information relating to dissemination SCI events is shared by 
members or participants of SCI entities with other market participants. 
Lastly, because an SCI entity would be permitted to delay dissemination 
of information regarding a systems intrusion to members or participants 
if it determines that such information would likely compromise the 
security of its SCI systems or SCI security systems, or an 
investigation of the systems intrusion, proposed Rule 1000(b)(5) would 
not undermine the need to maintain the non-public nature of certain 
systems intrusions for a temporary period (until the SCI entity 
determines that dissemination of such information would not likely 
compromise the security of the SCI entity's SCI systems or SCI security 
systems, or an investigation of the systems intrusion).
---------------------------------------------------------------------------

    \616\ See supra Section V.B.2.
---------------------------------------------------------------------------

    In summary, because proposed Regulation SCI would, among other 
things, require SCI entities to provide members and participants with 
more information regarding their operations, the Commission 
preliminarily believes that SCI entities would have additional 
incentives to establish and maintain more robust automated systems to 
minimize the occurrence of SCI events. Fewer systems issues could 
improve pricing efficiency which, in turn, could promote allocative 
efficiency of capital and thus, capital formation.
    In addition to the Commission notification requirements under 
proposed Rule 1000(b)(4), the Commission preliminarily believes that 
proposed Rule 1000(b)(6) would enhance the Commission's oversight of 
the operation of SCI entities, even though entities participating in 
the ARP Inspection Program may already provide these types of 
notifications to Commission staff. Proposed Rule 1000(b)(6) would 
require an SCI entity to notify the Commission on Form SCI of material 
systems changes at least 30 calendar days before the implementation of 
any planned material systems change. In the case of exigent 
circumstances, or if the information previously provided regarding a 
planned material systems change becomes materially inaccurate, proposed 
Rule 1000(b)(6) would require oral or written notification as early as 
reasonably practicable. Any oral notification of a planned material 
systems change must be memorialized within 24 hours by a written 
notification on Form SCI. The Commission preliminarily believes that 
this provision would provide the Commission and its staff advance 
notice and time to evaluate planned material systems changes by SCI 
entities, thus improving the Commission's ability to oversee SCI 
entities.
    Proposed Rule 1000(b)(7) would require an SCI entity to conduct an 
SCI review of its compliance with Regulation SCI not less than once 
each calendar year, and submit a report of the SCI review to senior 
management of the SCI entity for review no more than 30 calendar days 
after completion of such SCI review. The Commission preliminarily 
believes that the proposal to require SCI entities to conduct an 
objective assessment of their systems at least annually would result in 
SCI entities having an improved awareness of the relative strengths and 
weaknesses of their systems independent of the assessment of ARP staff, 
which should in turn improve the value and efficiency of an ARP 
inspection.
    Proposed Rule 1000(b)(8) would require each SCI entity to submit 
certain periodic reports to the Commission through Form SCI, including 
annual reports on the SCI reviews of its compliance with Regulation SCI 
and semi-annual reports on the progress of material systems changes. 
These reports should keep the Commission informed, on an ongoing basis, 
by providing information with which the Commission could evaluate each 
SCI entity's compliance with Regulation SCI and the progress of its 
material systems changes.
    The Commission preliminarily believes that proposed Rules 
1000(b)(1)-(8), taken together, should result in actual systems 
improvements as well as enhanced availability of relevant information 
regarding SCI events to the Commission and members or participants of 
SCI entities. This, in turn, could facilitate better decisions by 
market participants, which could promote allocative efficiency of 
capital and capital formation, potentially providing an overall benefit 
to the securities markets and promoting the protection of investors and 
the public interest. Additionally, the means by which trading is 
conducted may be altered as a result of Regulation SCI. For example, if 
an SCI entity member or participant submits orders to a particular 
market for execution, and subsequently learns that the execution 
venue's systems in use may be prone to failure, such member or 
participant may choose to favor another market in the future. This 
change would potentially enhance competition as SCI entity members or 
participants rely on information disseminated regarding dissemination 
SCI events to make more informed choices about the best venue for 
execution.
    Proposed Rule 1000(b)(9)(i) would require an SCI entity, with 
respect to its business continuity and disaster recovery plans, 
including its backup systems, to require participation by designated 
members or participants in scheduled functional and performance testing 
of the operation of such plans, in the manner and frequency as 
specified by the SCI entity, at least once every 12 months. Proposed 
Rule 1000(b)(9)(ii) would further require an SCI entity to coordinate 
such testing on an industry- or sector-wide basis with other SCI 
entities. The Commission expects that this proposed requirement should 
help ensure that the securities markets will have improved backup 
infrastructure and fewer market-wide shutdowns, thus helping SCI 
entities and other market participants to avoid lost revenues and 
profits that would otherwise result from such shutdowns. Further, the 
notifications required by proposed Rule 1000(b)(9)(iii) should keep the 
Commission informed, on an ongoing basis, of an SCI entity's current 
standards for designating members or participants and current list of 
designees.
c. Rule 1000(c)-(f)--Recordkeeping, Electronic Filing, and Access
    While all SCI entities already are subject to some recordkeeping 
and access requirements, the Commission preliminarily believes the 
proposed recordkeeping and access requirements specifically related to 
proposed Regulation SCI would enhance the ability of the Commission to 
evaluate SCI entities' compliance. Specifically, proposed Rule 1000(c) 
would require each SCI entity, other than an SCI SRO, to make, keep, 
and preserve at least one copy of all documents and records relating to 
its compliance with Regulation SCI for a period of not less than five 
years.\617\ Each SCI entity also would be required to furnish such

[[Page 18169]]

documents to Commission representatives upon request. Further, 
according to proposed Rule 1000(e), if the records required to be filed 
or kept by an SCI entity under proposed Regulation SCI are prepared or 
maintained by a service bureau or other recordkeeping service on behalf 
of the SCI entity, the SCI entity must ensure that such records are 
available for review by the Commission and its representatives by 
submitting a written undertaking by such service bureau or 
recordkeeping service to that effect. The Commission preliminarily 
believes that these proposed rules should allow Commission staff to 
perform efficient inspections and examinations of SCI entities for 
their compliance with the proposed rules, and should increase the 
likelihood that Commission staff may identify conduct inconsistent with 
the proposed rules at earlier stages in the inspection and examination 
process.
---------------------------------------------------------------------------

    \617\ As discussed above in Section III.D.1, Regulation 
SCI-related documents would already be included in SCI SROs' 
comprehensive recordkeeping requirements under Rule 17a-1 under the 
Exchange Act.
---------------------------------------------------------------------------

    Proposed Rule 1000(d) would require SCI entities to electronically 
submit all written information to the Commission through Form SCI 
(except any written notification submitted pursuant to proposed Rule 
1000(b)(4)(i)). The Commission preliminarily believes that this 
provision would allow the Commission to receive information in a 
uniform electronic format with specified content, which would enhance 
Commission staff's ability to review and analyze submitted information.
    Finally, proposed Rule 1000(f) would require each SCI entity to 
give Commission representatives reasonable access to its SCI systems 
and SCI security systems to allow Commission representatives to assess 
its compliance with proposed Regulation SCI. The Commission 
preliminarily believes that this provision would enhance Commission 
oversight by specifically highlighting the Commission's authority to 
have its representatives directly access and examine SCI entities' 
systems to confirm their compliance with proposed Regulation SCI.
    The Commission preliminarily believes that these requirements would 
place the Commission in a stronger position to assess the risks 
relating to SCI entities' systems and, thus, would provide the 
Commission with greater ability to protect investors. The Commission 
also preliminarily believes that its oversight should help ensure that 
SCI entities are reasonably equipped to handle market demand and 
provide liquidity, including during periods of market distress.
3. Economic Costs
a. Direct Compliance Costs
    The Commission recognizes that proposed Regulation SCI would impose 
costs on SCI entities, as well as costs on certain members or 
participants of SCI entities. The Commission preliminarily believes 
that the majority of these costs would be direct compliance costs. SCI 
entities would incur costs in establishing, maintaining, and enforcing 
policies and procedures related to systems capacity, integrity, 
resiliency, availability, security, and compliance.\618\ SCI entities 
also would incur costs in taking appropriate corrective actions upon 
any responsible SCI personnel becoming aware of an SCI event,\619\ 
notifying and updating the Commission with respect to the occurrence of 
SCI events,\620\ disseminating information to members or participants 
regarding dissemination SCI events,\621\ notifying the Commission of 
material systems changes,\622\ conducting SCI reviews,\623\ submitting 
to the Commission periodic reports,\624\ requiring designated members 
to participate in testing of business continuity and disaster recovery 
plans and coordinating such testing,\625\ and complying with 
recordkeeping and access requirements.\626\
---------------------------------------------------------------------------

    \618\ See proposed Rules 1000(b)(1) and (2). These proposed 
rules would also impose costs for outside legal and/or consulting 
advice, as set forth in the Paperwork Reduction Act Section above. 
See supra Section IV.
    \619\ See proposed Rule 1000(b)(3).
    \620\ See proposed Rule 1000(b)(4).
    \621\ See proposed Rule 1000(b)(5). This proposed rule would 
also impose costs for outside legal advice, as set forth in the 
Paperwork Reduction Act discussion above. See supra Section IV.
    \622\ See proposed Rule 1000(b)(6).
    \623\ See proposed Rule 1000(b)(7).
    \624\ See proposed Rule 1000(b)(8).
    \625\ See proposed Rule 1000(b)(9).
    \626\ See proposed Rules 1000(c), (e), and (f).
---------------------------------------------------------------------------

    As stated above in Section IV.D, proposed Regulation SCI would 
codify many of the ARP policy statement principles familiar and 
applicable to current participants in the ARP Inspection Program. The 
Commission recognizes, however, that the proposed rules would apply to 
entities that are not currently covered by the ARP Inspection Program, 
and would cover areas not currently within the scope of the ARP 
Inspection Program. Thus, those costs are incremental relative to the 
current compliance cost of the ARP Inspection Program.
    While proposed Regulation SCI would codify the provisions of the 
ARP policy statements, the proposed definitions of ``SCI entity,'' 
``SCI event,'' ``SCI systems,'' and ``SCI security systems'' are 
broader than the entities, events, and systems covered by the ARP 
Inspection Program and, as stated above, will include more entities, 
events, and systems. Specifically, proposed Rule 1000(b)(1)(i) would 
codify aspects of the ARP policy statements \627\ with the exception of 
Rule 1000(b)(1)(i)(F), which would require policies and procedures 
regarding standards that result in systems being designed, developed, 
tested, maintained, operated, and surveilled in a manner that 
facilitates the successful collection, processing, and dissemination of 
market data. In addition, because the ARP policy statements provide 
that SROs should promptly notify Commission staff of certain system 
outages and any instances in which unauthorized persons gained or 
attempted to gain access to their systems, proposed Rule 1000(b)(4), 
among other things, would codify parts of the ARP policy 
statements.\628\ Further, because the ARP policy statements provide 
that SROs should notify Commission staff of certain changes to their 
automated systems, proposed Rule 1000(b)(6) would codify a part of the 
ARP policy statements.\629\ Lastly, because the ARP policy statements 
provide that SROs should undertake reviews of their systems, proposed 
Rule 1000(b)(7), among other things, would reflect this part of the ARP 
policy statements. With respect to the proposed requirements that are 
not currently covered by the ARP Inspection Program, they include: 
policies and procedures in addition to those required by proposed Rule 
1000(b)(1)(i)(A)-(E) that would be necessary to achieve policies and 
procedures reasonably designed to ensure that systems of an SCI entity 
have levels of capacity, integrity, resiliency, availability, and 
security, adequate to maintain the SCI entity's operational capability 
and promote the maintenance of fair and orderly markets; policies and 
procedures reasonably designed to ensure the operation of SCI systems 
in the manner intended; the initiation of appropriate corrective 
actions upon any responsible SCI personnel becoming aware of an SCI 
event; the dissemination of information to members or participants;

[[Page 18170]]

requirements regarding member or participant testing; and recordkeeping 
and access with respect to Regulation SCI-related documents.
---------------------------------------------------------------------------

    \627\ Rule 301(b)(6) of Regulation ATS also contains similar 
requirements for ATSs that meet the thresholds in that rule.
    \628\ However, because of the proposed definition of ``SCI 
event,'' SCI entities must also report systems compliance issues to 
the Commission. Proposed Regulation SCI would also set forth 
detailed and specific requirements with respect to Commission 
notifications.
    \629\ Again, proposed Regulation SCI would also set forth more 
detailed and specific requirements with respect to such Commission 
notifications.
---------------------------------------------------------------------------

    Many of these incremental costs are calculated in detail in the 
Paperwork Reduction Act Section above, which estimates that the total 
one-time initial burden for all SCI entities to comply with Regulation 
SCI would be approximately 133,482 hours and $2.6 million, and that the 
total annual ongoing burden for all SCI entities to comply with 
Regulation SCI would be approximately 117,258 hours and $738,400.
    In addition to the direct cost estimates derived from the Paperwork 
Reduction Act burdens, the Commission preliminarily believes that SCI 
entities could incur costs when enforcing the policies and procedures 
required under proposed Rules 1000(b)(1) and (2), taking corrective 
action to mitigate the potential harm resulting from an SCI event under 
proposed Rule 1000(b)(3), and in determining whether an SCI event is an 
immediate notification SCI event or meets the definition of a 
dissemination SCI event under proposed Rule 1000(a).
    As discussed in detail in Section III.C.1 above, proposed Rule 
1000(b)(1) would require SCI entities to establish, maintain, and 
enforce written policies and procedures reasonably designed to ensure 
that their SCI systems and, for purposes of security standards, SCI 
security systems, have levels of capacity, integrity, resiliency, 
availability, and security, adequate to maintain the SCI entity's 
operational capability and promote the maintenance of fair and orderly 
markets. In addition to the burden of establishing and maintaining such 
policies and procedures as set forth in the Paperwork Reduction Act 
Section above, the Commission preliminarily believes that SCI entities 
would incur costs in enforcing the substantive requirements that are 
the subject of the policies and procedures.
    Further, as discussed in detail in Section III.C.2 above, proposed 
Rule 1000(b)(2) would require SCI entities to establish, maintain, and 
enforce written policies and procedures reasonably designed to ensure 
that their SCI systems operate in the manner intended, including in a 
manner that complies with federal securities laws and rules and 
regulations thereunder and the entity's rules and governing documents, 
as applicable. In addition to the burden of establishing and 
maintaining such policies and procedures as set forth in the Paperwork 
Reduction Act Section above, the Commission preliminarily believes that 
SCI entities would incur costs in enforcing the substantive 
requirements that are the subject of the policies and procedures.
    As noted above,\630\ NIST is an agency within the U.S. Department 
of Commerce that has issued numerous special publications regarding 
information technology systems. For example, one of the publications 
listed in Table A is the NIST Draft Security and Privacy Controls for 
Federal Information Systems and Organizations (Special Publication 
800-53 Rev. 4) (February 2012) (``NIST 800-53'').\631\ This publication is 
a security controls catalog providing guidance for selecting and 
specifying security controls for federal information systems and 
organizations. NIST 800-53 addresses how federal entities should 
achieve secure information systems, taking into account the fundamental 
elements of: (i) Multitiered risk management; (ii) the structure and 
organization of controls; (iii) security control baselines; (iv) the 
use of common controls and inheritance of security capabilities; (v) 
external environments and service providers; (vi) assurance and 
trustworthiness; and (vii) revisions and extensions to security 
controls and control baselines, among others. Although NIST 800-53 sets 
forth standards for federal agencies, it is also intended to serve a 
diverse audience of information system and information security 
professionals, including those having information system, security, 
and/or risk management and oversight responsibilities, information 
system development responsibilities, information security 
implementation and operational responsibilities, information security 
assessment and monitoring responsibilities, as well as commercial 
companies producing information technology products, systems, 
security-related technologies, and security services.\632\
---------------------------------------------------------------------------

    \630\ See supra Section III.C.1.b.
    \631\ See NIST 800-53, available at: https://csrc.nist.gov/publications/drafts/800-53-rev4/sp800-53-rev4-ipd.pdf.
    \632\ See id. at 3.
---------------------------------------------------------------------------

    The Commission preliminarily believes that many SCI entities will 
choose to establish, maintain, and enforce policies and procedures that 
are consistent with the proposed SCI industry standards contained in 
the publications set forth in Table A for purposes of satisfying the 
requirements of proposed Rule 1000(b)(1). However, as noted above, 
compliance with the identified SCI industry standards would not be the 
exclusive means to comply with the requirements of proposed Rule 
1000(b)(1). The Commission understands that the Table A publications, 
including NIST 800-53, are familiar to information technology personnel 
employed by many SCI entities, and that some SCI entities, particularly 
the SCI SROs and plan processors that participate in the ARP Inspection 
Program, currently adhere to all or at least some of the standards in 
NIST 800-53, or similar standards set forth in publications issued by 
other standards setting bodies, with some entities fully or nearly 
fully implementing such standards, while other entities may not have 
implemented such standards as broadly. For SCI entities that are not 
part of the ARP Inspection Program, while such entities may be familiar 
with such publications and standards generally, the Commission is not 
certain as to the level of compliance with such standards, and believes 
that there may be some such entities that are fully or nearly fully 
compliant, while others may have little or no compliance with such 
standards.
    With respect to the substantive systems requirements resulting from 
adherence to SCI industry standards (which, solely for purposes of this 
Economic Analysis Section, the Commission assumes to be the proposed 
SCI industry standards contained in the publications identified in 
Table A, or publications setting forth substantially similar standards) 
underlying proposed Rule 1000(b)(1), as noted above, the Commission 
believes that certain entities that would satisfy the definition of SCI 
entity, particularly some that currently participate in the ARP 
Inspection Program, already comply with some of the requirements. On 
the other hand, the Commission believes that some SCI entities, 
including some that currently participate in the ARP Inspection 
Program, do not currently comply with some or all of the proposed 
requirements. Further, although the Commission believes that each SCI 
entity would incur costs in complying with these requirements, the 
Commission believes that some entities already comply with SCI industry 
standards with respect to some of their systems. Moreover, the 
Commission acknowledges that certain SCI entities are larger or more 
complex than others, and that proposed Rule 1000(b)(1) would impose 
higher costs on larger and more complex systems.
    Because the Commission does not at this time have sufficient 
information to reasonably estimate each SCI entity's current level of 
compliance with the proposed SCI industry standards contained in the 
publications set forth in Table A, the Commission estimates a

[[Page 18171]]

range of average costs for each SCI entity to comply with such 
standards. The Commission acknowledges that some SCI entities would 
incur costs near the bottom of the range because their systems policies 
and procedures currently meet SCI industry standards (which, as noted 
above, solely for purposes of this Economic Analysis Section, the 
Commission assumes to be the proposed SCI industry standards contained 
in the publications identified in Table A or in substantially similar 
publications). On the other hand, some SCI entities would incur costs 
near the middle or top of the range because their systems policies and 
procedures do not currently meet such standards. Because the Commission 
lacks sufficient information regarding the current practices of all SCI 
entities, the Commission seeks comment on the extent to which SCI 
entities already have in place systems policies and procedures that 
would meet the proposed SCI industry standards (which, solely for 
purposes of this Economic Analysis Section, the Commission assumes to 
be the proposed SCI industry standards contained in the publications 
identified in Table A or in substantially similar publications).
    Further, unlike the Paperwork Reduction Act Section where the 
Commission estimates a fifty-percent baseline with respect to proposed 
Rule 1000(b)(1)(i)(A)-(E) for entities that currently participate in 
the ARP Inspection Program, the Commission preliminarily estimates the 
same cost range for all SCI entities for compliance with the proposed 
substantive requirements that are the subject of the policies and 
procedures. On the one hand, the Commission believes that certain SCI 
entities (in particular, some entities that participate in the ARP 
Inspection Program) may already comply with some of the substantive 
requirements and thus would incur less incremental cost for complying 
with such requirements. On the other hand, the Commission believes that 
some SCI entities that currently participate in the ARP Inspection 
Program are larger and have more complex systems than those that do not 
participate in the ARP Inspection Program and, therefore, would incur 
more incremental cost for complying with the substantive requirements. 
As such, the Commission preliminarily believes it is unlikely that SCI 
entities that do not participate in the ARP Inspection Program would 
incur twice the cost as SCI entities that participate in the ARP 
Inspection Program to comply with the substantive systems requirements 
underlying the policies and procedures required by proposed Regulation 
SCI.
    Based on discussion with industry participants, the Commission 
preliminarily estimates that, to comply with the substantive 
requirements that are the subject of the policies and procedures 
required by proposed Rules 1000(b)(1) and (2), including consistency 
with the SCI industry standards (which, solely for purposes of this 
Economic Analysis, the Commission assumes to be the proposed SCI 
industry standards contained in the publications identified in Table A 
or in substantially similar publications) in connection with proposed 
Rule 1000(b)(1), on average, each SCI entity would incur an initial 
cost of between approximately $400,000 and $3 million.\633\ Based on 
this average, the Commission preliminarily estimates that SCI entities 
would incur a total initial cost of between approximately $17.6 million 
\634\ and $132 million.\635\ The Commission seeks comment on the 
estimated average initial cost range for SCI entities to comply with 
the substantive requirements underlying the policies and procedures 
required by proposed Rules 1000(b)(1) and (2).
---------------------------------------------------------------------------

    \633\ The Commission preliminarily estimates a range of cost for 
complying with the substantive requirements that are the subject of 
the policies and procedures required by proposed Rules 1000(b)(1) 
and (2) because some SCI entities are already in compliance with 
some of these substantive requirements. For example, the Commission 
believes that many SCI SROs (e.g., certain national securities 
exchanges and registered clearing agencies) already have or have 
begun implementation of business continuity and disaster recovery 
plans that include maintaining backup and recovery capabilities 
sufficiently resilient and geographically diverse to ensure next 
business day resumption of trading and two-hour resumption of 
clearance and settlement services following a wide-scale disruption.
    \634\ $17.6 million = ($400,000) x (44 SCI entities).
    \635\ $132 million = ($3 million) x (44 SCI entities).
---------------------------------------------------------------------------

    The preliminary cost estimates described above represent an 
estimated average cost range per SCI entity, and the Commission 
acknowledges that some of the costs to comply with the substantive 
requirements of proposed Rules 1000(b)(1) and (2) may be significantly 
higher than the estimated average for some SCI entities, while some of 
the costs may be significantly lower for other SCI entities. In 
particular, the Commission preliminarily believes that the costs 
associated with the requirement in proposed Rule 1000(b)(1)(i)(E) that 
an SCI entity have policies and procedures that include maintaining 
backup and recovery capabilities sufficiently resilient and 
geographically diverse to ensure next business day resumption of 
trading and two-hour resumption of clearance and settlement services 
following a wide-scale disruption is an area in which different SCI 
entities may encounter significantly different compliance costs. For 
example, among national securities exchanges, the Commission 
understands that many, though not all, national securities exchanges 
already have or soon expect to have backup facilities that do not rely 
on the same infrastructure components used by their primary facility. 
For those national securities exchanges that do not have such backup 
facilities, the cost to build and maintain such facilities may result 
in their compliance costs being significantly higher than those of 
national securities exchanges that already satisfy the proposed 
requirement.\636\ The application of the geographic diversity 
requirement to other entities, such as ATSs, under the proposed rule, 
would depend on the nature, size, technology, business model, and other 
aspects of their business.
---------------------------------------------------------------------------

    \636\ As noted, solely for purposes of this Economic Analysis, 
the Commission has assumed that the SCI industry standards would be 
those contained in the publications identified in Table A or in 
substantially similar publications. However, as proposed Rule 
1000(b)(1)(ii) makes clear, compliance with such current industry 
standards, including the geographic diversity requirements contained 
in the 2003 Interagency White Paper, supra note 31, is not the 
exclusive means to comply with the requirements of proposed Rule 
1000(b)(1). See also supra note 182.
---------------------------------------------------------------------------

    218. The Commission requests commenters' views on how many SCI 
entities would not currently satisfy the proposed requirement relating 
to geographic diversity of backup sites. The Commission requests 
commenters' views on the costs of establishing backup sites to satisfy 
the proposed geographic diversity requirement, particularly for 
entities that currently would not satisfy the proposed requirement. In 
such a case, given the likely significant cost and time associated with 
building such backup sites, how long do commenters believe it would 
take for SCI entities to come into compliance with such a proposed 
requirement? Would it be appropriate for the Commission to allow an 
extended period prior to which compliance with this proposed 
requirement would be effective? Why or why not? If so, how long should 
such period be and why? Should such an extended period only be 
permitted for a subset of SCI entities? If so, how should such a subset 
be determined? Please describe.
    As noted above, because the Commission does not at this time have 
sufficient information to reasonably estimate each SCI entity's current 
level

[[Page 18172]]

of compliance with the substantive requirements underlying the policies 
and procedures, the Commission preliminarily estimates a range of 
average initial costs for each SCI entity to comply with the 
substantive requirements underlying the policies and procedures 
required by proposed Rules 1000(b)(1) and (2). Based on the estimates 
of the initial costs, the Commission estimates a range of average ongoing 
cost for each SCI entity to comply with the requirements using 
two-thirds of the initial cost. The Commission preliminarily believes that 
a two-thirds estimate is appropriate because although proposed Rules 
1000(b)(1) and (2) would require SCI entities to comply with certain 
systems requirements including, for example, establishing reasonable 
current and future capacity planning estimates on an ongoing basis, as 
well as conducting tests and reviews of their systems on an ongoing 
basis, the Commission preliminarily believes that SCI entities would 
incur an additional initial cost to, for example, revise the underlying 
software code of their systems to the extent needed to bring those 
systems into compliance with the requirements of the proposed rules. 
Therefore, the Commission preliminarily estimates that, to comply with 
the substantive requirements that are the subject of the policies and 
procedures required by proposed Rules 1000(b)(1) and (2), including 
consistency with SCI industry standards in connection with proposed 
Rule 1000(b)(1), on average, each SCI entity would incur an ongoing 
annual cost of between approximately $267,000 \637\ and $2 
million.\638\ Based on this estimated range, the Commission 
preliminarily estimates that SCI entities would incur a total ongoing 
cost of between approximately $11.7 million \639\ and $88 million.\640\ 
The Commission seeks comment on the estimated average ongoing cost 
range for SCI entities to comply with the substantive requirements 
underlying the policies and procedures required by proposed Rules 
1000(b)(1) and (2).
---------------------------------------------------------------------------

    \637\ $266,667 = $400,000 (estimated initial cost to comply with 
the substantive requirements) x (\2/3\).
    \638\ $2 million = $3 million (estimated initial cost to comply 
with the substantive requirements) x (\2/3\).
    \639\ $11.7 million = ($266,667) x (44 SCI entities).
    \640\ $88 million = ($2 million) x (44 SCI entities).
---------------------------------------------------------------------------

    The mandatory testing of SCI entity business continuity and 
disaster recovery plans, including backup systems, as proposed to be 
required under proposed Rule 1000(b)(9), would place an additional 
burden on SCI entities. The Commission believes that some SCI entities 
require some or all of their members or participants to connect to 
their backup systems \641\ and that most, if not all, SCI entities 
already offer their members or participants the opportunity to test 
such plans, although they do not currently mandate participation by all 
members or participants in such testing. In addition, market 
participants, including SCI entities, already coordinate certain 
business continuity plan testing to some extent. Thus, the Commission 
preliminarily believes that additional costs of proposed Rule 
1000(b)(9) to SCI entities would be minimal. However, for SCI entity 
members or participants, additional costs could be significant, and 
highly variable depending on the business continuity and disaster 
recovery plans being tested. However, based on discussions with market 
participants, the Commission preliminarily estimates the cost of the 
testing of such plans to range from immaterial administrative costs 
(for SCI entity members and participants that currently maintain 
connections to SCI entity backup systems) to a range of $24,000 to 
$60,000 per year per member or participant in connection with each SCI 
entity. Costs at the higher end of this range would accrue for members 
or participants who would need to invest in additional infrastructure 
and to maintain connectivity with an SCI entity's backup systems in 
order to participate in testing.\642\ The Commission is unable at this 
time to provide a precise cost estimate for the total aggregate cost to 
SCI entity members and participants of the requirements relating to 
proposed Rule 1000(b)(9), as it does not know how each SCI entity will 
determine its standards for designating members or participants that it 
would require to participate in the testing required by proposed Rule 
1000(b)(9)(i), and thus does not know the number of members or 
participants at each SCI entity that would be designated as required to 
participate in testing, and whether such designated members and 
participants are those that already maintain connections to SCI entity 
backup systems. However, the Commission preliminarily believes that an 
aggregate annual cost of approximately $66 million to designated 
members and participants is a reasonable estimate.\643\ The Commission 
requests comment on these estimates and the assumptions underlying 
them.
---------------------------------------------------------------------------

    \641\ See, e.g., CBOE Rule 6.18 (requiring Trading Permit 
Holders to take appropriate actions as instructed by CBOE to 
accommodate CBOE's ability to trade options via the back-up data 
center); CBOE Regulatory Circular RG12-163 (stating that Trading 
Permit Holders are required to maintain connectivity with the 
back-up data center and have the ability to operate in the back-up data 
center should circumstances arise that require it to be used); NYSE 
Rule 49(b)(2)(iii) (requiring NYSE members to have contingency plans 
to accommodate the use of the systems and facilities of NYSE Arca, 
NYSE's designated backup facility). See also Securities Exchange Act 
Release No. 52446 (September 15, 2005), 70 FR 55435 (September 21, 
2005) (approving a proposed rule change by each of DTC, FICC, and 
NSCC imposing fines on ``top tier'' members that fail to conduct 
required connectivity testing for business continuity purposes, as 
reflected, e.g., in NSCC Rules and Procedures, Addendum P, available 
at: https://www.dtcc.com/legal/rules_proc/nscc_rules.pdf). See 
also, e.g., BATS Rule 18.38, Nasdaq Options Rule 13, and BOX Rule 
3180 (permitting each exchange to require members to participate in 
computer systems testing in the manner and frequency prescribed by 
such exchange).
    \642\ Based on industry sources, the Commission understands that 
most of the larger members or participants of SCI entities already 
maintain connectivity with the backup systems of SCI entities while, 
among smaller members or participants of SCI entities, there is a 
lower incidence of members or participants maintaining such 
connectivity. The Commission requests comment on the accuracy of 
this understanding.
    \643\ This estimate assumes that 44 SCI entities would each 
designate an average of 150 members or participants to participate 
in the necessary testing. Based on industry sources, the Commission 
understands that many SCI entities have between 200 and 400 members 
or participants, though some have more and some have fewer. In 
addition, the Commission preliminarily believes that it is reasonable 
to estimate that the members or participants of SCI entities that 
are most likely to be designated as required to participate in 
testing are those that conduct a high level of activity with the SCI 
entity, or that play an important role for the SCI entity (such as 
market makers) and that such members or participants currently are 
likely to already maintain connectivity with an SCI entity's backup 
systems. Therefore, the Commission estimates the average cost for 
each member or participant of an SCI entity to be $10,000, which 
takes into account the fact that the Commission preliminarily 
believes that many members or participants of SCI entities that 
would be required to participate in such testing would already have 
such connectivity, and thus have minimal cost. Based on these 
assumptions, the Commission estimates the total aggregate cost 
to all members or participants of all SCI entities to be 
approximately $66 million (44 SCI entities x 150 members or 
participants x $10,000 = $66 million).
---------------------------------------------------------------------------

    The Commission preliminarily believes that the corrective action to 
mitigate harm resulting from SCI events would impose modest incremental 
costs on SCI entities because in the usual course of business, SCI 
entities already take corrective actions in response to systems issues. 
Proposed Rule 1000(b)(3) supplements the existing incentives of SCI 
entities to correct an SCI event quickly by focusing on potential harm 
to investors and market integrity and by requiring SCI entities to 
devote adequate resources to begin to take corrective action as soon as 
reasonably practicable. Based on its experience with the ARP Inspection 
Program, the Commission believes that entities currently participating 
in the ARP Inspection Program already take 
corrective actions in response to a systems issue, and believes that 
other SCI entities also take corrective actions in response to a 
systems issue. Nevertheless, the Commission preliminarily believes that 
proposed Rule 1000(b)(3) could result in modestly increased costs for 
SCI entities per SCI event for corrective action relative to current 
practice for SCI entities, as a result of undertaking corrective action 
sooner than they might have otherwise and/or increasing investment in 
newer, more updated systems earlier than they might have otherwise. If, 
however, proposed Regulation SCI reduces the frequency and severity of 
SCI events, the overall costs to SCI entities of corrective action may 
not increase significantly from the costs incurred without proposed 
Regulation SCI. However, the degree to which proposed Regulation SCI 
will reduce the frequency and severity of SCI events is unknown. Thus, 
the Commission is, at this time, unable to estimate the precise impact 
of proposed Regulation SCI due to an SCI entity's corrective action. 
Accordingly, the Commission requests comment regarding the costs associated 
with proposed Regulation SCI's corrective action requirements, 
including what such costs would be on an annualized basis.\644\
---------------------------------------------------------------------------

    \644\ See also supra Section IV.D.3 (estimating paperwork 
burdens associated with SCI entities developing a process for 
ensuring that they are prepared to take corrective action as 
required by proposed Rule 1000(b)(3), and reviewing that process on 
an ongoing basis).
---------------------------------------------------------------------------

    When an SCI event occurs, an SCI entity needs to determine whether 
the event is an immediate notification SCI event or dissemination SCI 
event because the proposed rule would impose different obligations on 
SCI entities for such events. Identifying these types of SCI events may 
impose one-time implementation costs on SCI entities associated with 
developing a process for ensuring that they are able to quickly and 
correctly make such determinations, as well as periodic costs in 
reviewing the adopted process.\645\
---------------------------------------------------------------------------

    \645\ The initial and ongoing burdens associated with making 
these determinations are discussed in the Paperwork Reduction Act 
Section above. See supra Section IV.D.3 (estimating burdens 
resulting from SCI entities determining whether an SCI event is an 
immediate notification SCI event or dissemination SCI event).
---------------------------------------------------------------------------

    The Commission notes that proposed Rule 1000(d) would require that 
any written notification, review, description, analysis, or report to 
the Commission (except any written notification submitted pursuant to 
proposed Rule 1000(b)(4)(i)) be submitted electronically and contain an 
electronic signature. This proposed rule would require that every SCI 
entity have the ability to submit forms electronically with an 
electronic signature. The Commission believes that most, if not all, 
SCI entities currently have the ability to access and submit an 
electronic form such that the requirement to submit Form SCI 
electronically will not impose new implementation costs. The initial 
and ongoing costs associated with various electronic submissions of 
Form SCI are discussed in the Paperwork Reduction Act Section 
above.\646\
---------------------------------------------------------------------------

    \646\ See supra Section IV.D.2 (estimating burdens resulting 
from notice, dissemination, and reporting requirements for SCI 
entities).
---------------------------------------------------------------------------

    The Commission recognizes that some of the costs imposed by 
proposed Regulation SCI may ultimately be transferred to 
intermediaries, such as market participants that access national 
securities exchanges or clearing agencies, for example, in the form of 
higher fees. The Commission recognizes that, if costs relating to 
compliance with proposed Regulation SCI are passed on in the form of 
increased prices to users of SCI entities, there may be a loss of 
efficiency as a result of the net increase in costs to SCI entity 
customers. The Commission also preliminarily believes that, for some 
SCI entities, the cost estimates may be lower than the actual costs to 
be incurred, such as for entities that are not currently part of the 
ARP Inspection Program or that have complex automated systems. However, 
on balance, the Commission preliminarily believes that the incremental 
direct cost estimates above are appropriate.
b. Other Costs
    The Commission recognizes that proposed Regulation SCI could have 
other potential costs that cannot be quantified at this time. For 
example, entities covered by the proposed rule frequently make systems 
changes to comply with new and amended rules and regulations such as 
rules and regulations under federal securities laws and SRO rules. The 
Commission recognizes that, for entities that meet the definition of 
SCI entities, because they must continue to comply with proposed 
Regulation SCI when they make systems changes, proposed Regulation SCI 
could increase the costs and time needed to make systems changes to 
comply with new and amended rules and regulations. The Commission 
requests comment on the nature of such additional costs and time.
    The Commission also considered whether proposed Regulation SCI 
would impact innovation in ATSs or raise barriers to entry. The 
Commission recognizes that, if proposed Regulation SCI were to cause 
SCI entities, including ATSs, to allocate resources towards ensuring 
they have robust systems and the personnel necessary to comply with 
proposed Regulation SCI's requirements and away from new features for 
their systems, or investing in research and development, proposed 
Regulation SCI may have a negative impact on innovation among such 
entities and thus impact competition. Similarly, if the costs of 
proposed Regulation SCI were to be viewed by persons considering 
forming new ATSs to be so onerous as to dissuade them from starting 
new ATSs, competition would also be negatively impacted. To balance any 
concern about discouraging innovation and raising barriers to entry 
against the need for regulation, the Commission proposes thresholds for 
SCI ATSs that are designed to include only the ATSs that are most 
likely to have a significant impact on markets due to an SCI event, and 
requests comment on the thresholds.\647\ The tradeoffs associated with 
these thresholds are discussed in more detail below.
---------------------------------------------------------------------------

    \647\ See supra Section III.B.1 and supra notes 100-123 and 
accompanying text.
---------------------------------------------------------------------------

    Finally, by specifying the timing, type, and format of information 
to be submitted to the Commission and by requiring electronic 
submission of Form SCI, Commission staff should be able to more 
efficiently review and analyze the information submitted. It is 
particularly important for the Commission to be able to review and 
analyze filings on Form SCI efficiently because proposed Regulation SCI 
would require all SCI events to be reported to the Commission. The 
Commission is not proposing at this time to require the data to be 
submitted in a tagged data format (e.g., XML, XBRL, or another 
structured data format that may be tagged), although it has requested 
specific comment as to whether it should, and the costs and benefits of 
doing so.\648\ The Commission recognizes that it could more readily 
analyze filings submitted in a tagged data format than in PDF format, 
and the subsequent potential benefits to investors may be greater. 
However, these benefits are balanced against the costs to the SCI 
entities of submitting filings in a tagged format.
---------------------------------------------------------------------------

    \648\ See, e.g., request for comment in supra Section III.D.1.
---------------------------------------------------------------------------

c. Scaling
    The Commission recognizes that the benefits of every provision of 
proposed Regulation SCI may not justify the costs 
of the provision if every requirement applied to every SCI entity and 
SCI event. In particular, the Commission recognizes that applying each 
requirement to every SCI entity and every SCI event could adversely 
affect competition and efficiency. Therefore, the Commission has 
proposed that not all SCI events be subject to the same requirements as 
immediate notification SCI events and dissemination SCI events and that 
ATSs that do not meet the definition of SCI ATS, and broker-dealers who 
are not ATSs, should not be subject to the same requirements as SCI 
entities. The discussion that follows lays out the tradeoffs associated 
with determining the appropriate cutoffs for determining which events 
are immediate notification SCI events or dissemination SCI events, and 
which ATSs are SCI ATSs. In sum, the Commission believes that the 
requirements balance the need for regulation against the potential 
efficiency, competition, and capital formation concerns of the 
regulation. In the Commission's judgment, the cost of complying with 
the proposed rules would not be so large as to significantly raise 
barriers to entry or otherwise alter the competitive landscape of the 
entities involved.
    As defined in proposed Rule 1000(a), a dissemination SCI event is 
an SCI event that is a: systems compliance issue; systems intrusion; or 
system disruption that results, or the SCI entity reasonably estimates 
would result, in a significant harm or loss to market participants. If 
the criteria for dissemination SCI events are set too low, the member or 
participant dissemination requirements under proposed Regulation SCI 
could be very costly.\649\ Therefore, the Commission carefully 
considered tradeoffs in defining the term dissemination SCI event. On 
the one hand, the definition should ensure that SCI events that have 
significant impacts on the markets are captured as dissemination SCI 
events.\650\ On the other hand, not every SCI event should be included. 
First, there are higher costs associated with dealing with dissemination SCI 
events as compared to SCI events that are not dissemination SCI events 
due to the additional requirements relating to dissemination of 
information to members or participants. Second, SCI entity members or 
participants may be provided with unnecessary information if 
information about too many SCI events that do not have significant 
impact on the markets is disseminated to members or participants. If 
there is excessive dissemination of insignificant events, truly 
important events may get hidden among others that do not have the same 
degree of significance or impact on the securities markets.\651\ SCI 
entity members or participants also may not pay attention to 
disseminated SCI events if an excessive number of insignificant events 
are disseminated and notifications about SCI events may become routine. 
The proposed definition of dissemination SCI event is an attempt to 
balance these concerns.
---------------------------------------------------------------------------

    \649\ As noted above, an immediate notification SCI event 
includes any systems disruption that the SCI entity reasonably 
estimates would have a material impact on its operations or on 
market participants, any systems compliance issue, or any systems 
intrusion. See supra Section III.C.3.b. As with dissemination SCI 
events, if the criteria for immediate notification SCI events are set 
too low, SCI entities would incur additional costs in providing 
immediate notification to the Commission.
    \650\ With respect to immediate Commission notification, the 
Commission should be immediately notified of any systems disruption 
that the SCI entity reasonably estimates would have a material 
impact on its operations or on market participants, any systems 
compliance issue, or any systems intrusion.
    \651\ Similarly, immediate Commission notification of only 
immediate notification SCI events should help the Commission focus 
its attention on SCI events that may potentially impact an SCI 
entity's operations or market participants.
---------------------------------------------------------------------------

    Section III.B.1 discusses the definition of ``SCI ATS'' in proposed 
Rule 1000(a). The proposal would replace the threshold for NMS stocks 
of 20 percent or more of the average daily volume in any NMS stock. The 
proposal bases the definition of SCI ATS on average daily dollar volume 
and sets the threshold at five percent or more in any single NMS stock 
and one-quarter percent or more in all NMS stocks, or one percent or 
more in all NMS stocks. The proposal changes the threshold for non-NMS 
stocks to at least five percent of the aggregate average daily dollar 
volume from twenty percent of the average daily share volume. These 
proposed thresholds reflect developments in equities markets that 
resulted in a higher number of trading venues and less concentrated 
trading, and are designed to ensure that the proposed rule is applied 
to all ATSs that trade more than a limited amount of securities and for 
which SCI events may cause significant impact on the overall market. 
The main benefit of the proposed thresholds is to bring more ATSs into 
the SCI ATS definition than are currently subject to the systems safeguard 
provisions of Rule 301(b)(6) of Regulation ATS, which in turn would 
make them SCI entities. This would help ensure that SCI ATSs that trade 
a certain amount of securities are covered by the proposed regulation. 
The Commission recognizes the potential for a low threshold to 
discourage automation and innovation but, as noted below, the 
Commission has balanced the concerns regarding discouraging automation 
and innovation against the need for regulation, and preliminarily 
believes that innovation is unlikely to be hampered and automation is 
likely to continue to increase. To that extent, the proposed rule uses 
a two-prong approach for NMS stocks. The threshold is based on market 
share in individual stocks. However, it is also required that the ATS 
has a certain market share of the overall market in all NMS stocks to 
prevent an ATS from being subject to proposed Regulation SCI for 
meeting the five percent threshold in any single NMS stock for a micro-
cap stock, but not having significant market share in all NMS stocks. 
As discussed above, the Commission believes that approximately 10 NMS 
stock ATSs and two non-NMS stock ATSs would fall within the definition 
of SCI ATS.\652\
---------------------------------------------------------------------------

    \652\ See supra Section III.B.1.
---------------------------------------------------------------------------

    For municipal and corporate debt securities, the proposal would 
lower the threshold from 20 percent or more to five percent or more. 
However, the proposal contemplates a two-prong approach considering 
either average daily dollar volume or average daily transaction volume, 
and exceeding the threshold in either one would qualify an ATS as an 
SCI ATS. The use of the two metrics is intended to take into account 
the fact that ATSs in the debt securities markets may handle primarily 
retail trades (i.e., large transaction volume but small dollar volume) 
or institutional-sized trades (i.e., large dollar volume but small 
transaction volume).
    The proposed thresholds for municipal and corporate debt securities 
are different from the proposed thresholds for NMS stocks. This 
difference reflects the fact that, in the debt securities markets 
(i.e., municipal securities and corporate debt securities), the degree 
of automation and electronic trading is much lower than in the markets 
for NMS stocks, which the Commission preliminarily believes may reduce 
the need for more stringent rules and regulations. In addition, the 
Commission preliminarily believes that the imposition of a threshold 
lower than five percent on the current debt securities markets could 
have the unintended effect of discouraging automation in these markets 
and discouraging new entrants into these markets. Also, due to the 
large number of issues outstanding in these debt securities markets, 
trading volume may be extremely low in a given issue, but also may 
fluctuate significantly from 
day to day and issue to issue. Therefore, the thresholds for debt 
securities consider aggregate volume instead of volume in an individual 
issue. As discussed above, the Commission preliminarily believes that 
three municipal securities and corporate debt securities ATSs would 
fall within the definition of SCI ATS.\653\
---------------------------------------------------------------------------

    \653\ See id.
---------------------------------------------------------------------------

D. Request for Comment on Economic Analysis

    219. The Commission is sensitive to the potential economic effects, 
including the costs and benefits, of proposed Regulation SCI. The 
Commission has identified above certain costs and benefits associated 
with the proposal and requests comment on all aspects of its 
preliminary economic analysis.\654\ The Commission encourages 
commenters to identify, discuss, analyze, and supply relevant data, 
information, or statistics regarding any such costs or benefits. In 
particular, the Commission seeks comment on the following:
---------------------------------------------------------------------------

    \654\ The Commission has also considered the views expressed in 
comment letters submitted in connection with the Roundtable, as well 
as the views expressed by Roundtable participants. See supra Section 
I.C.
---------------------------------------------------------------------------

    220. Do commenters agree that the release provides a fair 
representation of current practices and how those current practices 
would change under proposed Regulation SCI? Why or why not? Please be 
specific in your response regarding current practices and how they 
would change under proposed Regulation SCI.
    221. Do commenters agree with the Commission's characterization of 
the relevant markets in which SCI entities participate, as well as the 
market failures identified with respect to each of the relevant 
markets? Why or why not? Specifically, do commenters agree with the 
identified level of competition in each of the relevant markets? Why or 
why not?
    222. What is a typical market participant's general level of 
expectation of how well the market operates? Do market participants 
currently have all the information they need to make informed decisions 
that manage their exposure to SCI events? If not, would proposed 
Regulation SCI provide the needed information? Why or why not?
    223. Do commenters agree with the Commission's analysis of the 
costs and benefits of each provision of proposed Regulation SCI, 
including the definitions under proposed Rule 1000(a)? Why or why not?
    224. Do commenters believe that there are additional benefits or 
costs that could be quantified or otherwise monetized? If so, please 
identify these categories and, if possible, provide specific estimates 
or data.
    225. Are there any additional benefits that may arise from proposed 
Regulation SCI? Or are there benefits described above that would not 
likely result from proposed Regulation SCI? If so, please explain these 
benefits or lack of benefits in detail.
    226. Are there any additional costs that may arise from proposed 
Regulation SCI? Are there any potential unintended consequences of 
proposed Regulation SCI? Or are there costs described above that would 
not likely result from proposed Regulation SCI? If so, please explain 
these costs or lack of costs in detail.
    227. Do the types or extent of any anticipated benefits or costs 
from proposed Regulation SCI differ between the different types of SCI 
entities? For example, do potential benefits or costs differ with 
respect to SCI SROs as compared to SCI ATSs? Please explain.
    228. Are there methods (including any suggested by Roundtable 
panelists or commenters) by which the Commission could reduce the costs 
imposed by Regulation SCI while still achieving the goals? Please 
explain.
    229. Does the release appropriately describe the potential impacts 
of proposed Regulation SCI on the promotion of efficiency, competition, 
and capital formation? Why or why not?
    230. To the extent that there are reasonable alternatives to any of 
the rules under proposed Regulation SCI, what are the potential costs 
and benefits of those reasonable alternatives relative to the proposed 
rules? What are the potential impacts on the promotion of efficiency, 
competition, and capital formation of those reasonable alternatives? 
For example, what would be the effect on the economic analysis of 
requiring SCI entities to conduct an SCI review that requires 
penetration testing annually? What would be the effect on the economic 
analysis of requiring SCI entities to inform members and participants 
of all SCI events? What would be the effect on the economic analysis of 
requiring filing in a tagged data format (e.g., XML, XBRL, or another 
structured data format that may be tagged)? What would be the effect on 
the economic analysis of including broker-dealers, or a subset thereof, 
in the definition of SCI entities?
    231. In addition, as noted above, the proposed requirement that an 
SCI entity disseminate information relating to dissemination SCI events 
to its members or participants is focused on disseminating information 
to those who need, want, and can act on the information disseminated. 
The Commission also preliminarily believes that this proposed 
requirement could promote competition and capital formation. Are there 
alternative mechanisms for achieving the Commission's goals while 
promoting competition and capital formation? Are there costs associated 
with this proposed approach that have not been considered? For example, 
would the requirement to disseminate information to members or 
participants about dissemination SCI events increase an SCI entity's 
litigation costs, or cause an SCI entity to lose business (e.g., if 
market participants misjudge the meaning of information disseminated 
about dissemination SCI events)? Would the benefits of the proposed 
information dissemination outweigh the costs? Why or why not? Please 
explain.
    232. The Commission also generally requests comment on the 
competitive or anticompetitive effects, as well as the efficiency and 
capital formation effects, of proposed Regulation SCI on market 
participants if the proposed rules are adopted as proposed. Commenters 
should provide analysis and empirical data to support their views on 
the competitive or anticompetitive effects, as well as the efficiency 
and capital formation effects, of proposed Regulation SCI.
    233. Finally, as stated above, proposed Rule 1000(b)(1) would 
require SCI entities to establish, maintain, and enforce written 
policies and procedures, reasonably designed to ensure that their SCI 
systems and, for purposes of security standards, SCI security systems, 
have levels of capacity, integrity, resiliency, availability, and 
security, adequate to maintain the SCI entity's operational capability 
and promote the maintenance of fair and orderly markets. As discussed 
above, the Commission is proposing that an SCI entity's policies and 
procedures required by proposed Rule 1000(b)(1) be deemed to be 
reasonably designed if they are consistent with current SCI industry 
standards.\655\ However, the costs identified above may not fully 
incorporate all of the costs of adhering to initial or future SCI 
industry standards. For example, if an SCI industry standard is based on 
the standards of NIST (which issues a number of the publications listed 
in Table A), it could include additional requirements not otherwise 
required in proposed Regulation SCI such as establishment of assurance-
related controls (including, for example, conduct of integrity checks on 
software and firmware components, or monitoring of established secure 
configuration settings). Any additional requirements would likely 
impose costs on SCI entities. Therefore, the Commission requests 
comment on what benefits or costs, quantifiable or otherwise, could 
potentially be imposed by the identification of SCI industry standards. 
What is market participants' current level of compliance with the 
industry standards contained in the publications listed in Table A? 
What would be the costs to SCI entities (in addition to the cost of 
adhering to current practice) of the Commission identifying examples of 
industry standards? What would be the benefits? Please explain.
---------------------------------------------------------------------------

    \655\ Proposed SCI industry standards are contained in the 
publications identified in Table A. See supra Section III.C.1.b.
---------------------------------------------------------------------------

VI. Consideration of Impact on the Economy

    For purposes of the Small Business Regulatory Enforcement Fairness 
Act of 1996, or ``SBREFA,'' \656\ the Commission must advise OMB as to 
whether proposed Regulation SCI constitutes a ``major'' rule. Under 
SBREFA, a rule is considered ``major'' where, if adopted, it results or 
is likely to result in: (1) An annual effect on the economy of $100 
million or more (either in the form of an increase or decrease); (2) a 
major increase in costs or prices for consumers or individual 
industries; or (3) a significant adverse effect on competition, 
investment or innovation.
---------------------------------------------------------------------------

    \656\ Public Law 104-121, Title II, 110 Stat. 857 (1996) 
(codified in various sections of 5 U.S.C., 15 U.S.C. and as a note 
to 5 U.S.C. 601).
---------------------------------------------------------------------------

    234. The Commission requests comment on the potential impact of 
proposed Regulation SCI on the economy on an annual basis, on the costs 
or prices for consumers or individual industries, and any potential 
effect on competition, investment, or innovation. Commenters are 
requested to provide empirical data and other factual support for their 
views to the extent possible.

VII. Regulatory Flexibility Act Certification

    The Regulatory Flexibility Act (``RFA'') \657\ requires Federal 
agencies, in promulgating rules, to consider the impact of those rules 
on small entities. Section 603(a) \658\ of the Administrative Procedure 
Act,\659\ as amended by the RFA, generally requires the Commission to 
undertake a regulatory flexibility analysis of all proposed rules, or 
proposed rule amendments, to determine the impact of such rulemaking on 
``small entities.'' \660\ Section 605(b) of the RFA states that this 
requirement shall not apply to any proposed rule or proposed rule 
amendment, which if adopted, would not have significant economic impact 
on a substantial number of small entities.
---------------------------------------------------------------------------

    \657\ 5 U.S.C. 601 et seq.
    \658\ 5 U.S.C. 603(a).
    \659\ 5 U.S.C. 551 et seq.
    \660\ Although Section 601(b) of the RFA defines the term 
``small entity,'' the statute permits agencies to formulate their 
own definitions. The Commission has adopted definitions for the term 
``small entity'' for purposes of Commission rulemaking in accordance 
with the RFA. Those definitions, as relevant to this proposed 
rulemaking, are set forth in Rule 0-10, 17 CFR 240.0-10. See 
Securities Exchange Act Release No. 18451 (January 28, 1982), 47 FR 
5215 (February 4, 1982) (File No. AS-305).
---------------------------------------------------------------------------

A. SCI Entities

    Paragraph (a) of Rule 0-10 provides that for purposes of the RFA, a 
small entity when used with reference to a ``person'' other than an 
investment company means a person that, on the last day of its most 
recent fiscal year, had total assets of $5 million or less.\661\ With 
regard to broker-dealers, small entity means a broker or dealer that 
had total capital of less than $500,000 on the date in the prior fiscal 
year as of which its audited financial statements were prepared 
pursuant to Rule 17a-5(d) under the Exchange Act, or, if not required 
to file such statements, total capital of less than $500,000 on the 
last business day of the preceding fiscal year (or in the time that it 
has been in business, if shorter), and that is not affiliated with any 
person that is not a small business or small organization.\662\ With 
regard to clearing agencies, small entity means a clearing agency that 
compared, cleared, and settled less than $500 million in securities 
transactions during the preceding fiscal year (or in the time that it 
has been in business, if shorter), had less than $200 million of funds 
and securities in its custody or control at all times during the 
preceding fiscal year (or in the time that it has been in business, if 
shorter), and is not affiliated with any person (other than a natural 
person) that is not a small business or small organization.\663\ With 
regard to exchanges, a small entity is an exchange that has been exempt 
from the reporting requirements of Rule 601 under Regulation NMS, and 
is not affiliated with any person (other than a natural person) that is 
not a small business or small organization.\664\ With regard to 
securities information processors, a small entity is a securities 
information processor that had gross revenue of less than $10 million 
during the preceding year (or in the time it has been in business, if 
shorter), provided service to fewer than 100 interrogation devices or 
moving tickers at all times during the preceding fiscal year (or in the 
time it has been in business, if shorter), and is not affiliated with 
any person (that is not a natural person) that is not a small business 
or small organization.\665\ Under the standards adopted by the Small 
Business Administration (``SBA''), entities engaged in financial 
investments and related activities are considered small entities if 
they have $7 million or less in annual receipts.\666\
---------------------------------------------------------------------------

    \661\ See 17 CFR 240.0-10(a).
    \662\ See 17 CFR 240.0-10(c).
    \663\ See 17 CFR 240.0-10(d).
    \664\ See 17 CFR 240.0-10(e).
    \665\ See 17 CFR 240.0-10(g).
    \666\ See SBA's Table of Small Business Size Standards, 
Subsector 523 and 13 CFR 121.201. Such entities include firms 
engaged in investment banking and securities dealing, securities 
brokerage, commodity contracts dealing, commodity contracts 
brokerage, securities and commodity exchanges, miscellaneous 
intermediation, portfolio management, investment advice, trust, 
fiduciary and custody activities, and miscellaneous financial 
investment activities.
---------------------------------------------------------------------------

    Based on the Commission's existing information about the entities 
that will be subject to proposed Regulation SCI, the Commission 
preliminarily believes that SCI entities that are self-regulatory 
organizations (national securities exchanges, national securities 
associations, registered clearing agencies, and the MSRB) or exempt 
clearing agencies subject to ARP would not fall within the definition 
of ``small entity'' as described above. With regard to plan processors, 
which are defined under Rule 600(b)(55) of Regulation NMS to mean a 
self-regulatory organization or securities information processor acting 
as an exclusive processor in connection with the development, 
implementation and/or operation of any facility contemplated by an 
effective NMS plan,\667\ the Commission's definition of ``small 
entity'' as it relates to self-regulatory organizations and securities 
information processors would apply. The Commission preliminarily does 
not believe that any plan processor would be a ``small entity'' as 
defined above. With regard to SCI ATSs, because they are registered as 
broker-dealers, the Commission's definition of ``small entity'' as it 
relates to broker-dealers would apply. As stated above, the Commission 
preliminarily believes that approximately 15 ATSs would satisfy the 
definition of SCI ATSs and would be impacted by proposed Regulation 
SCI.\668\ The Commission preliminarily does not believe that any of 
these 15 SCI ATSs would be a ``small entity'' as defined above.
---------------------------------------------------------------------------

    \667\ See 17 CFR 242.600(b)(55).
    \668\ See supra Section III.B.1, discussing the proposed 
definition of SCI entity.
---------------------------------------------------------------------------

B. Certification

    For the foregoing reasons, the Commission certifies that proposed 
Regulation SCI would not have a significant economic impact on a 
substantial number of small entities for the purposes of the RFA.
    235. The Commission requests comment regarding this certification. 
The Commission requests that commenters describe the nature of any 
impact on small entities and provide empirical data to illustrate the 
extent of the impact.

VIII. Statutory Authority and Text of Proposed Amendments

    Pursuant to the Exchange Act, 15 U.S.C. 78a et seq., and 
particularly, Sections 2, 3, 5, 6, 11A, 15, 15A, 17, 17A, and 23(a) 
thereof, 15 U.S.C. 78b, 78c, 78e, 78f, 78k-1, 78o, 78o-3, 78q, 78q-1, 
and 78w(a), the Commission proposes to adopt Regulation SCI under the 
Exchange Act and Form SCI under the Exchange Act, and to amend 
Regulation ATS under the Exchange Act.

List of Subjects in 17 CFR Parts 242 and 249

    Securities, brokers, reporting and recordkeeping requirements.

    For the reasons stated in the preamble, the Commission is proposing 
to amend title 17, chapter II of the Code of Federal Regulations as 
follows:

PART 242--REGULATIONS M, SHO, ATS, AC, NMS AND SCI AND CUSTOMER 
MARGIN REQUIREMENTS FOR SECURITY FUTURES

1a. The authority citation for part 242 continues to read as follows:

    Authority: 15 U.S.C. 77g, 77q(a), 77s(a), 78b, 78c, 78g(c)(2), 
78i(a), 78j, 78k-1(c), 78l, 78m, 78n, 78o(b), 78o(c), 78o(g), 
78q(a), 78q(b), 78q(h), 78w(a), 78dd-1, 78mm, 80a-23, 80a-29, and 
80a-37.

1b. The heading of part 242 is revised to read as set forth above.


Sec.  242.301--[Amended]  

2. In Sec.  242.301, remove and reserve paragraph (b)(6).
3. Add an undesignated center heading and Sec.  242.1000 to read as 
follows:

Regulation SCI--Systems Compliance and Integrity


Sec.  242.1000  Definitions and requirements for SCI entities

    (a) Definitions. For purposes of this section, the following 
definitions shall apply:
    Dissemination SCI event means an SCI event that is a:
    (1) Systems compliance issue;
    (2) Systems intrusion; or
    (3) Systems disruption that results, or the SCI entity reasonably 
estimates would result, in significant harm or loss to market 
participants.
    Electronic signature has the meaning set forth in Sec.  240.19b-4(j) 
of this chapter.
    Exempt clearing agency subject to ARP means an entity that has 
received from the Commission an exemption from registration as a 
clearing agency under Section 17A of the Act, and whose exemption 
contains conditions that relate to the Commission's Automation Review 
Policies (ARP), or any Commission regulation that supersedes or 
replaces such policies.
    Material systems change means a change to one or more:
    (1) SCI systems of an SCI entity that:
    (i) Materially affects the existing capacity, integrity, 
resiliency, availability, or security of such systems;
    (ii) Relies upon materially new or different technology;
    (iii) Provides a new material service or material function; or
    (iv) Otherwise materially affects the operations of the SCI entity; 
or
    (2) SCI security systems of an SCI entity that materially affects 
the existing security of such systems.
    Plan processor has the meaning set forth in Sec.  242.600(b)(55).
    Responsible SCI personnel means, for a particular SCI system or SCI 
security system impacted by an SCI event, any personnel, whether an 
employee or agent, of the SCI entity having responsibility for such 
system.
    SCI alternative trading system or SCI ATS means an alternative 
trading system, as defined in Sec.  242.300(a), which during at least 
four of the preceding six calendar months, had:
    (1) With respect to NMS stocks:
    (i) Five percent (5%) or more in any single NMS stock, and 
one-quarter percent (0.25%) or more in all NMS stocks, of the average daily 
dollar volume reported by an effective transaction reporting plan; or
    (ii) One percent (1%) or more in all NMS stocks of the average 
daily dollar volume reported by an effective transaction reporting 
plan;
    (2) With respect to equity securities that are not NMS stocks and 
for which transactions are reported to a self-regulatory organization, 
five percent (5%) or more of the average daily dollar volume as 
calculated by the self-regulatory organization to which such 
transactions are reported;
    (3) With respect to municipal securities, five percent (5%) or more 
of either:
    (i) The average daily dollar volume traded in the United States; or
    (ii) The average daily transaction volume traded in the United 
States; or
    (4) With respect to corporate debt securities, five percent (5%) or 
more of either:
    (i) The average daily dollar volume traded in the United States; or
    (ii) The average daily transaction volume traded in the United 
States.
    SCI entity means an SCI self-regulatory organization, SCI 
alternative trading system, plan processor, or exempt clearing agency 
subject to ARP.
    SCI event means an event at an SCI entity that constitutes:
    (1) A systems disruption;
    (2) A systems compliance issue; or
    (3) A systems intrusion.
    SCI review means a review, following established procedures and 
standards, that is performed by objective personnel having appropriate 
experience in conducting reviews of SCI systems and SCI security 
systems, and which review contains:
    (1) A risk assessment with respect to such systems of an SCI 
entity; and
    (2) An assessment of internal control design and effectiveness to 
include logical and physical security controls, development processes, 
and information technology governance, consistent with industry 
standards; provided however, that such review shall include penetration 
test reviews of the network, firewalls, development, testing, and 
production systems at a frequency of not less than once every three 
years.
    SCI security systems means any systems that share network resources 
with SCI systems that, if breached, would be reasonably likely to pose 
a security threat to SCI systems.
    SCI self-regulatory organization or SCI SRO means any national 
securities exchange, registered securities association, or registered 
clearing agency, or the Municipal Securities Rulemaking Board; provided 
however, that for purposes of this section, the term SCI 
self-regulatory organization shall not include an exchange that is notice 
registered with the Commission pursuant to 15 U.S.C. 78f(g) or a 
limited purpose national securities association registered with the 
Commission pursuant to 15 U.S.C. 78o-3(k).
    SCI systems means all computer, network, electronic, technical, 
automated, or similar systems of, or operated by or on behalf of, an 
SCI entity, whether in production, development, or testing, that 
directly support trading, clearance and settlement, order routing, market 
data, regulation, or surveillance.
    Systems compliance issue means an event at an SCI entity that has 
caused any SCI system of such entity to operate in a manner that does 
not comply with the federal securities laws and rules and regulations 
thereunder or the entity's rules or governing documents, as applicable.
    Systems disruption means an event in an SCI entity's SCI systems 
that results in:
    (1) A failure to maintain service level agreements or constraints;
    (2) A disruption of normal operations, including switchover to 
back-up equipment with near-term recovery of primary hardware unlikely;
    (3) A loss of use of any such system;
    (4) A loss of transaction or clearance and settlement data;
    (5) Significant back-ups or delays in processing;
    (6) A significant diminution of ability to disseminate timely and 
accurate market data; or
    (7) A queuing of data between system components or queuing of 
messages to or from customers of such duration that normal service 
delivery is affected.
    Systems intrusion means any unauthorized entry into the SCI systems 
or SCI security systems of an SCI entity.
    (b) Requirements for SCI entities. Each SCI entity shall:
    (1) Capacity, Integrity, Resiliency, Availability, and Security. 
Establish, maintain, and enforce written policies and procedures 
reasonably designed to ensure that its SCI systems and, for purposes of 
security standards, SCI security systems, have levels of capacity, 
integrity, resiliency, availability, and security, adequate to maintain 
the SCI entity's operational capability and promote the maintenance of 
fair and orderly markets.
    (i) Such policies and procedures shall include, at a minimum:
    (A) The establishment of reasonable current and future capacity 
planning estimates;
    (B) Periodic capacity stress tests of such systems to determine 
their ability to process transactions in an accurate, timely, and 
efficient manner;
    (C) A program to review and keep current systems development and 
testing methodology for such systems;
    (D) Regular reviews and testing of such systems, including backup 
systems, to identify vulnerabilities pertaining to internal and 
external threats, physical hazards, and natural or manmade disasters;
    (E) Business continuity and disaster recovery plans that include 
maintaining backup and recovery capabilities sufficiently resilient and 
geographically diverse to ensure next business day resumption of 
trading and two-hour resumption of clearance and settlement services 
following a wide-scale disruption; and
    (F) Standards that result in such systems being designed, 
developed, tested, maintained, operated, and surveilled in a manner 
that facilitates the successful collection, processing, and 
dissemination of market data; and
    (ii) For purposes of this paragraph (b)(1), such policies and 
procedures shall be deemed to be reasonably designed if they are 
consistent with current SCI industry standards, which shall be:
    (A) Comprised of information technology practices that are widely 
available for free to information technology professionals in the 
financial sector; and
    (B) Issued by an authoritative body that is a U.S. governmental 
entity or agency, association of U.S. governmental entities or 
agencies, or widely recognized organization. Compliance with such 
current SCI industry standards, however, shall not be the exclusive 
means to comply with the requirements of this paragraph (b)(1).
    (2) Systems Compliance. (i) Establish, maintain, and enforce 
written policies and procedures reasonably designed to ensure that its 
SCI systems operate in the manner intended, including in a manner that 
complies with the federal securities laws and rules and regulations 
thereunder and the entity's rules and governing documents, as 
applicable.
    (ii) Safe harbor from liability for SCI entities. An SCI entity 
shall be deemed not to have violated paragraph (b)(2)(i) of this 
section if:
    (A) The SCI entity has established and maintained policies and 
procedures reasonably designed to provide for:
    (1) Testing of all such systems and any changes to such systems 
prior to implementation;
    (2) Periodic testing of all such systems and any changes to such 
systems after their implementation;
    (3) A system of internal controls over changes to such systems;
    (4) Ongoing monitoring of the functionality of such systems to 
detect whether they are operating in the manner intended;
    (5) Assessments of SCI systems compliance performed by personnel 
familiar with applicable federal securities laws and rules and 
regulations thereunder and the SCI entity's rules and governing 
documents, as applicable; and
    (6) Review by regulatory personnel of SCI systems design, changes, 
testing, and controls to prevent, detect, and address actions that do 
not comply with applicable federal securities laws and rules and 
regulations thereunder and the SCI entity's rules and governing 
documents, as applicable;
    (B) The SCI entity has established and maintained a system for 
applying such policies and procedures which would reasonably be 
expected to prevent and detect, insofar as practicable, any violations 
of such policies and procedures by the SCI entity or any person 
employed by the SCI entity, and
    (C) The SCI entity:
    (1) Has reasonably discharged the duties and obligations incumbent 
upon the SCI entity by such policies and procedures; and
    (2) Was without reasonable cause to believe that such policies and 
procedures were not being complied with in any material respect.
    (iii) Safe harbor from liability for individuals. A person employed 
by an SCI entity shall be deemed not to have aided, abetted, counseled, 
commanded, caused, induced, or procured the violation by any other 
person of paragraph (b)(2)(i) of this section if the person employed by 
the SCI entity:
    (A) Has reasonably discharged the duties and obligations incumbent 
upon such person by such policies and procedures; and
    (B) Was without reasonable cause to believe that such policies and 
procedures were not being complied with in any material respect.
    (3) Corrective Action. Upon any responsible SCI personnel becoming 
aware of an SCI event, begin to take appropriate corrective action 
which shall include, at a minimum, mitigating potential harm to 
investors and market integrity resulting from the SCI event and 
devoting adequate resources to remedy the SCI event as soon as 
reasonably practicable.
    (4) Commission Notification. (i) Upon any responsible SCI personnel 
becoming aware of a systems disruption that the SCI entity reasonably 
estimates would have a material impact on its operations or on market 
participants, any systems compliance issue, or any systems intrusion, 
notify the Commission of such SCI event.
    (ii) Within 24 hours of any responsible SCI personnel becoming 
aware of any SCI event, submit a written notification pertaining to 
such SCI event to the Commission.
    (iii) Until such time as the SCI event is resolved, submit written 
updates pertaining to such SCI event to the Commission on a regular 
basis, or at such frequency as reasonably requested by a representative of 
the Commission.
    (iv) Any written notification to the Commission made pursuant to 
paragraphs (b)(4)(ii) or (b)(4)(iii) of this section shall be made 
electronically on Form SCI (Sec.  249.1900 of this chapter), and shall 
include all information as prescribed in Form SCI and the instructions 
thereto, including:
    (A) For a notification made pursuant to paragraph (b)(4)(ii) of 
this section:
    (1) All pertinent information known about an SCI event, including: 
a detailed description of the SCI event; the SCI entity's current 
assessment of the types and number of market participants potentially 
affected by the SCI event; the potential impact of the SCI event on the 
market; and the SCI entity's current assessment of the SCI event, 
including a discussion of the determination of whether the SCI event is 
a dissemination SCI event or not; and
    (2) To the extent available as of the time of the notification: A 
description of the steps the SCI entity is taking, or plans to take, 
with respect to the SCI event; the time the SCI event was resolved or 
timeframe within which the SCI event is expected to be resolved; a 
description of the SCI entity's rule(s) and/or governing document(s), 
as applicable, that relate to the SCI event; and an analysis of parties 
that may have experienced a loss, whether monetary or otherwise, due to 
the SCI event, the number of such parties, and an estimate of the 
aggregate amount of such loss.
    (B) For a notification made pursuant to paragraph (b)(4)(iii) of 
this section, an update of any information previously provided 
regarding the SCI event, including any information required by 
paragraph (b)(4)(iv)(A)(2) of this section which was not available at 
the time of submission of the notification made pursuant to paragraph 
(b)(4)(ii) of this section. Subsequent updates shall update any 
information provided regarding the SCI event until the SCI event is 
resolved.
    (C) For notifications made pursuant to paragraphs (b)(4)(ii) or 
(b)(4)(iii) of this section, attach a copy of any information 
disseminated to date regarding the SCI event to its members or 
participants or on the SCI entity's publicly available Web site.
    (5) Dissemination of information to members or participants. (i)(A) 
Promptly after any responsible SCI personnel becomes aware of a 
dissemination SCI event other than a systems intrusion, disseminate to 
its members or participants the following information about such SCI 
event:
    (1) The systems affected by the SCI event; and
    (2) A summary description of the SCI event; and
    (B) When known, further disseminate to its members or participants:
    (1) A detailed description of the SCI event;
    (2) The SCI entity's current assessment of the types and number of 
market participants potentially affected by the SCI event; and
    (3) A description of the progress of its corrective action for the 
SCI event and when the SCI event has been or is expected to be 
resolved; and
    (C) Provide regular updates to members or participants of any 
information required to be disseminated under paragraphs (b)(5)(i)(A) 
and (b)(5)(i)(B) of this section.
    (ii) Promptly after any responsible SCI personnel becomes aware of 
a systems intrusion, disseminate to its members or participants a 
summary description of the systems intrusion, including a description 
of the corrective action taken by the SCI entity and when the systems 
intrusion has been or is expected to be resolved, unless the SCI entity 
determines that dissemination of such information would likely 
compromise the security of the SCI entity's SCI systems or SCI security 
systems, or an investigation of the systems intrusion, and documents 
the reasons for such determination.
    (6) Material Systems Changes. (i) Absent exigent circumstances, 
notify the Commission in writing at least 30 calendar days before 
implementation of any planned material systems change, including a 
description of the planned material systems change as well as the 
expected dates of commencement and completion of implementation of such 
changes.
    (ii) If exigent circumstances exist, or if the information 
previously provided to the Commission regarding any planned material 
systems change has become materially inaccurate, notify the Commission, 
either orally or in writing, with any oral notification to be 
memorialized within 24 hours after such oral notification by a written 
notification, as early as reasonably practicable.
    (iii) A written notification to the Commission made pursuant to 
this paragraph (b)(6) shall be made electronically on Form SCI (Sec.  
249.1900 of this chapter), and shall include all information as 
prescribed in Form SCI and the instructions thereto.
    (7) SCI Review. Conduct an SCI review of the SCI entity's 
compliance with Regulation SCI not less than once each calendar year, 
and submit a report of the SCI review to senior management of the SCI 
entity for review no more than 30 calendar days after completion of 
such SCI review.
    (8) Reports. Submit to the Commission:
    (i) A report of the SCI review required by paragraph (b)(7) of this 
section, together with any response by senior management, within 60 
calendar days after its submission to senior management of the SCI 
entity;
    (ii) A report, within 30 calendar days after the end of June and 
December of each year, containing a summary description of the progress 
of any material systems change during the six-month period ending on 
June 30 or December 31, as the case may be, and the date, or expected 
date, of completion of implementation of such changes; and
    (iii) Any reports to be filed with the Commission pursuant to this 
paragraph (b)(8) shall be filed electronically on Form SCI (Sec.  
249.1900 of this chapter), and shall include all information as 
prescribed in Form SCI and the instructions thereto.
    (9) SCI Entity Business Continuity and Disaster Recovery Plans 
Testing Requirements for Members or Participants. With respect to an 
SCI entity's business continuity and disaster recovery plans, including 
its backup systems:
    (i) Require participation by designated members or participants in 
scheduled functional and performance testing of the operation of such 
plans, in the manner and frequency as specified by the SCI entity, at 
least once every 12 months; and
    (ii) Coordinate the testing of such plans on an industry- or 
sector-wide basis with other SCI entities.
    (iii) Each SCI entity shall designate those members or participants 
it deems necessary, for the maintenance of fair and orderly markets in 
the event of the activation of its business continuity and disaster 
recovery plans, to participate in the testing of such plans pursuant to 
paragraph (i) of this section. Each SCI entity shall notify the 
Commission of such designations and its standards for designation, and 
promptly update such notification after any changes to its designations 
or standards. A written notification made pursuant to this paragraph 
(b)(9)(iii) shall be made electronically on Form SCI (Sec.  249.1900 of 
this chapter), and shall include all information as prescribed in Form 
SCI and the instructions thereto.
    (c) Recordkeeping Requirements Related to Compliance with 
Regulation SCI. (1) An SCI SRO shall make, keep, and preserve all 
documents relating to its compliance with Regulation SCI as prescribed in 
Sec.  240.17a-1 of this chapter.
    (2) An SCI entity that is not an SCI SRO shall:
    (i) Make, keep, and preserve at least one copy of all documents, 
including correspondence, memoranda, papers, books, notices, accounts, 
and other such records, relating to its compliance with Regulation SCI, 
including, but not limited to, records relating to any changes to its 
SCI systems and SCI security systems;
    (ii) Keep all such documents for a period of not less than five 
years, the first two years in a place that is readily accessible to the 
Commission or its representatives for inspection and examination; and
    (iii) Upon request of any representative of the Commission, 
promptly furnish to the possession of such representative copies of any 
documents required to be kept and preserved by it pursuant to 
paragraphs (c)(2)(i) and (c)(2)(ii) of this section.
    (3) Upon or immediately prior to ceasing to do business or ceasing 
to be registered under the Securities Exchange Act of 1934, an SCI 
entity shall take all necessary action to ensure that the records 
required to be made, kept, and preserved by this section shall be 
accessible to the Commission and its representatives in the manner 
required by this section and for the remainder of the period required 
by this section.
    (d) Electronic Submission. (1) Except with respect to notifications 
to the Commission made pursuant to paragraph (b)(4)(i) of this section 
or oral notifications to the Commission made pursuant to paragraph 
(b)(6)(ii) of this section, any notification, review, description, 
analysis, or report to the Commission required under this rule shall be 
submitted electronically on Form SCI (Sec.  249.1900 of this chapter) 
and shall contain an electronic signature; and
    (2) The signatory to an electronically submitted Form SCI shall 
manually sign a signature page or document, in the manner prescribed by 
Form SCI, authenticating, acknowledging, or otherwise adopting his or 
her signature that appears in typed form within the electronic filing. 
Such document shall be executed before or at the time Form SCI is 
electronically submitted and shall be retained by the SCI entity in 
accordance with paragraph (c) of this section.
    (e) Requirements for Service Bureaus. If records required to be 
filed or kept by an SCI entity under this rule are prepared or 
maintained by a service bureau or other recordkeeping service on behalf 
of the SCI entity, the SCI entity shall ensure that the records are 
available for review by the Commission and its representatives by 
submitting a written undertaking, in a form acceptable to the 
Commission, by such service bureau or other recordkeeping service, 
signed by a duly authorized person at such service bureau or other 
recordkeeping service. Such a written undertaking shall include an 
agreement by the service bureau to permit the Commission and its 
representatives to examine such records at any time or from time to 
time during business hours, and to promptly furnish to the Commission 
and its representatives true, correct, and current electronic files in 
a form acceptable to the Commission or its representatives or hard 
copies of any or all or any part of such records, upon request, 
periodically, or continuously and, in any case, within the same time 
periods as would apply to the SCI entity for such records. The 
preparation or maintenance of records by a service bureau or other 
recordkeeping service shall not relieve an SCI entity from its 
obligation to prepare, maintain, and provide the Commission and its 
representatives access to such records.
    (f) Access. Each SCI entity shall provide Commission 
representatives reasonable access to its SCI systems and SCI security 
systems to allow Commission representatives to assess the SCI entity's 
compliance with this rule.

PART 249--FORMS, SECURITIES EXCHANGE ACT OF 1934

4. The general authority citation for part 249 continues to read in 
part as follows:

    Authority: 15 U.S.C. 78a et seq. and 7201 et seq.; 12 U.S.C. 
5461 et seq.; and 18 U.S.C. 1350, unless otherwise noted.
* * * * *
5. Add subpart T, consisting of Sec.  249.1900, to read as follows:

Subpart T--Form SCI, for filing notices and reports as required by 
Regulation SCI.


Sec.  249.1900  Form SCI, for filing notices and reports as required by 
Regulation SCI.

    Form SCI shall be used to file notice and reports as required by 
Sec.  242.1000 of this chapter.

    Note: The text of Form SCI does not, and the amendments will 
not, appear in the Code of Federal Regulations.

General Instructions for Form SCI

A. Use of the Form

    Except with respect to notifications to the Commission made 
pursuant to proposed Rule 1000(b)(4)(i) or oral notifications to the 
Commission made pursuant to proposed Rule 1000(b)(6)(ii), all 
notifications and reports required to be submitted pursuant to Rule 
1000 of Regulation SCI under the Securities Exchange Act of 1934 
(``Act'') shall be filed in an electronic format through an electronic 
form filing system (``EFFS''), a secure Web site operated by the 
Securities and Exchange Commission (``Commission'').

B. Need for Careful Preparation of the Completed Form, Including 
Exhibits

    This form, including the exhibits, is intended to elicit 
information necessary for Commission staff to work with SCI 
self-regulatory organizations, SCI alternative trading systems, plan 
processors, and exempt clearing agencies subject to ARP (collectively, 
``SCI entities'') to ensure the capacity, integrity, resiliency, 
availability, and security of their automated systems. An SCI entity 
must provide all the information required by the form, including the 
exhibits, and must present the information in a clear and 
comprehensible manner. Form SCI shall not be considered filed unless it 
complies with applicable requirements.

C. When To Use the Form

    Form SCI is comprised of five distinct types of filings to the 
Commission required by Rule 1000(b). The first type of filings is 
``(b)(4)'' filings for notifications regarding systems disruptions, 
systems compliance issues, or systems intrusions (collectively, ``SCI 
events''). The other four types of filings are: ``(b)(6)'' filings for 
notifications of planned material systems changes; ``(b)(8)(i)'' 
filings for reports of SCI reviews; ``(b)(8)(ii)'' filings for semi-
annual reports of material systems changes; and ``(b)(9)(iii)'' filings 
for notifications of designations and standards under Rule 1000(b)(9). 
In filling out Form SCI, an SCI entity shall select the type of filing 
and provide all information required under Rule 1000(b) specific to 
that type of filing.

Notifications for SCI Events
    For (b)(4) filings, an SCI entity must notify the Commission using 
Form SCI by selecting the appropriate box in Section 1 and filling out 
all information required by the form. Initial notifications of an SCI 
event require the inclusion of an Exhibit 1 and must be submitted no 
later than 24 hours after any responsible SCI personnel becomes aware 
of the SCI event. For the initial notification of an SCI event, the SCI 
entity must include the information required by each item under Part 1 
of Exhibit 1. To the extent available as of the time of the initial 
notification, the SCI entity must also include the information listed 
under the items under Part 2 of Exhibit 1.
    If the SCI entity has not provided all the information required by 
Part 2 of Exhibit 1, any information required by Exhibit 1 requires 
updating, or the SCI event has not been resolved, the SCI entity must 
file one or more updates regarding the SCI event by attaching an 
Exhibit 2. Such updates must be submitted on a regular basis, or at 
such frequency as reasonably requested by a representative of the 
Commission. The notification to the Commission regarding an SCI event 
is not considered complete until all information required by Exhibit 1, 
including all information required by Part 2 of Exhibit 1, has been 
submitted to the Commission.
    For each SCI event, an SCI entity must also attach an Exhibit 3 
(which may be included with an Exhibit 1 or Exhibit 2, as the case may 
be) for any information disseminated regarding the SCI event to its 
members or participants or on the SCI entity's publicly available Web 
site.

Other Notifications and Reports
    For (b)(6) filings, absent exigent circumstances, an SCI entity 
must notify the Commission using Form SCI at least 30 calendar days 
before implementation of any planned material systems change. If 
exigent circumstances exist, or if the information previously provided 
to the Commission regarding any planned material systems change has 
become materially inaccurate, an SCI entity must notify the Commission, 
either orally or in writing, with any oral notification to be 
memorialized within 24 hours after such oral notification by a written 
notification, as early as reasonably practicable. For (b)(6) filings, 
the SCI entity must select the appropriate box in Section 2 and fill 
out all information required by the form, including Exhibit 4. Exhibit 
4 must include a description of the planned material systems change as 
well as the expected dates of commencement and completion of 
implementation of such change.
    For (b)(8)(i) filings, an SCI entity must submit its report of its 
SCI review to the Commission using Form SCI. A (b)(8)(i) filing must be 
submitted to the Commission within 60 calendar days after the SCI 
review has been submitted to senior management of the SCI entity. The 
SCI entity must select the appropriate box in Section 2 and fill out 
all information required by the form, including Exhibit 5. Exhibit 5 
must include the report of the SCI review, together with any response 
by senior management.
    For (b)(8)(ii) filings, an SCI entity must submit its semi-annual 
report of material systems changes to the Commission using Form SCI. A 
(b)(8)(ii) filing must be submitted to the Commission within 30 
calendar days after the end of June and December of each year. The SCI 
entity must select the appropriate box in Section 2 and fill out all 
information required by the form, including Exhibit 6. Exhibit 6 must 
include a report with a summary description of the progress of any 
material systems change during the six-month period ending on June 30 
or December 31, as the case may be, and the date, or expected date, of 
completion of implementation of such changes.
    For (b)(9) filings, an SCI entity must notify the Commission of its 
designations and standards under Rule 1000(b)(9). The SCI entity must 
select the appropriate box in Section 2 and fill out all information 
required by the form, including Exhibit 7. Exhibit 7 must include the 
SCI entity's standards for designating members or participants that it 
deems necessary, for the maintenance of fair and orderly markets in the 
event of activation of its business continuity and disaster recovery 
plans, to participate in the testing of such plans pursuant to Rule 
1000(b)(9)(i), as well as the SCI entity's list of designated members 
or participants. If an SCI entity changes its designations or 
standards, it must promptly notify the Commission of such changes on 
Exhibit 7.

D. Documents Comprising the Completed Form

    The completed form filed with the Commission shall consist of Form 
SCI, responses to all applicable items, and any exhibits required in 
connection with the filing. Each filing shall be marked on Form SCI 
with the initials of the SCI entity, the four-digit year, and the 
number of the filing for the year.

E. Contact Information; Signature; and Filing of the Completed Form

    Each time an SCI entity submits a filing to the Commission on Form 
SCI, the SCI entity must provide the contact information required by 
Section 4 of Form SCI. The contact information for systems personnel, 
regulatory personnel, and a senior officer is required. Space for 
additional contact information, if appropriate, is also provided.
    All notifications and reports required to be submitted through Form 
SCI shall be filed through the EFFS. In order to file Form SCI through 
the EFFS, SCI entities must request access to the Commission's External 
Application Server by completing a request for an external account user 
ID and password. Initial requests will be received by contacting (202) 
551-5777. An email will be sent to the requestor that will provide a 
link to a secure Web site where basic profile information will be 
requested.
    A duly authorized individual of the SCI entity shall electronically 
sign the completed Form SCI as indicated in Section 5 of the form. In 
addition, a duly authorized individual of the SCI entity shall manually 
sign one copy of the completed Form SCI, and the manually signed 
signature page shall be preserved pursuant to the requirements of Rule 
1000(c).

F. Paperwork Reduction Act Disclosure

    This collection of information will be reviewed by the Office of 
Management and Budget in accordance with the clearance requirements of 
44 U.S.C. 3507. An agency may not conduct or sponsor, and a person is 
not required to respond to, a collection of information unless it 
displays a currently valid control number. The Commission estimates 
that the average burden to respond to Form SCI will be between one and 
sixty hours depending upon the purpose for which the form is being 
filed. Any member of the public may direct to the Commission any 
comments concerning the accuracy of this burden estimate and any 
suggestions for reducing this burden.
    Except with respect to notifications to the Commission made 
pursuant to proposed Rule 1000(b)(4)(i) or oral notifications to the 
Commission made pursuant to proposed Rule 1000(b)(6)(ii), it is 
mandatory that an SCI entity file all notifications, updates, and 
reports required by Regulation SCI using Form SCI. The Commission will 
treat as confidential all information collected pursuant to Form SCI. 
Subject to the provisions of the Freedom of Information Act, 5 U.S.C. 
522 (``FOIA''), and the Commission's rules thereunder (17 CFR 
200.80(b)(4)(iii)), the Commission does not generally publish or make 
available information contained in any reports, summaries, analyses, 
letters, or memoranda arising out of, in anticipation of, or in 
connection with an examination or inspection of the books and records 
of any person or any other investigation.

G. Exhibits

    List of exhibits to be filed, as applicable:
    Exhibit 1. Notification of SCI Event. The SCI entity shall include:
    Part 1: All pertinent information known about the SCI event, 
including: (1) A detailed description of the SCI event; (2) the SCI 
entity's current assessment of the types and number of market 
participants potentially affected by the SCI event; (3) the potential 
impact of the SCI event on the market; and (4) the SCI entity's current 
assessment of the SCI event, including a discussion of the 
determination of whether the SCI event is a dissemination SCI event or 
not.
    Part 2: To the extent available as of the time of the notification: 
(1) A description of the steps the SCI entity is taking, or plans to 
take, with respect to the SCI event; (2) the time the SCI event was 
resolved or timeframe within which the SCI event is expected to be 
resolved; (3) a description of the SCI entity's rule(s) and/or 
governing document(s), as applicable, that relate to the SCI event; and 
(4) an analysis of parties that may have experienced a loss, whether 
monetary or otherwise, due to the SCI event, the number of such 
parties, and an estimate of the aggregate amount of such loss.
    Exhibit 2. Update Notification of SCI Event. The SCI entity shall 
provide an update of any information previously provided regarding an 
SCI event on Exhibit 1, including any information under Part 2 of 
Exhibit 1 which was not available at the time of submission of Exhibit 
1. Subsequent updates shall update any information provided regarding 
the SCI event until the SCI event is resolved.
    Exhibit 3. Information Disseminated. The SCI entity shall attach a 
copy in pdf or html format of any information disseminated to date 
regarding the SCI event to its members or participants or on the SCI 
entity's publicly available Web site.
    Exhibit 4. Notification of Planned Material Systems Change. The SCI 
entity shall, absent exigent circumstances, notify the Commission in 
writing at least 30 calendar days before implementation of any planned 
material systems change, including a description of the planned 
material systems change as well as the expected dates of commencement 
and completion of implementation of such changes. If exigent 
circumstances exist, or if the information previously provided to the 
Commission regarding any planned material systems change has become 
materially inaccurate, the SCI entity shall notify the Commission, 
either orally or in writing, with any oral notification to be 
memorialized within 24 hours after such oral notification by a written 
notification on Form SCI, as early as reasonably practicable.
    Exhibit 5. Report of SCI Review. Within 60 calendar days after its 
submission to senior management of the SCI entity, the SCI entity shall 
attach the report of the SCI review of the SCI entity's compliance with 
Regulation SCI, together with any response by senior management.
    Exhibit 6. Semi-Annual Report of Material Systems Changes. Within 
30 calendar days after the end of June and December of each year, the SCI 
entity shall attach the report containing a summary description of the 
progress of any material systems change during the six-month period 
ending on June 30 or December 31, as the case may be, and the date, or 
expected date, of completion of implementation of such changes.
    Exhibit 7. Notification of Designations and Standards under Rule 
1000(b)(9). The SCI entity shall attach: (1) Its standards for 
designating members or participants it deems necessary, for the 
maintenance of fair and orderly markets in the event of the activation 
of its business continuity and disaster recovery plans, to participate 
in the testing of such plans pursuant to Rule 1000(b)(9)(i); and (2) a 
list of the designated members or participants, including the name and 
address of such members or participants.

H. Explanation of Terms

Dissemination SCI Event means an SCI event that is a: (1) Systems 
compliance issue; (2) systems intrusion; or (3) systems disruption that 
results, or the SCI entity reasonably estimates would result, in 
significant harm or loss to market participants.
Material Systems Change means a change to one or more: (1) SCI systems 
of an SCI entity that: (i) Materially affects the existing capacity, 
integrity, resiliency, availability, or security of such systems; (ii) 
relies upon materially new or different technology; (iii) provides a 
new material service or material function; or (iv) otherwise materially 
affects the operations of the SCI entity; or (2) SCI security systems 
of an SCI entity that materially affects the existing security of such 
systems.
Responsible SCI personnel means, for a particular SCI system or SCI 
security system impacted by an SCI event, any personnel, whether an 
employee or agent, of the SCI entity having responsibility for such 
system.
SCI entity means an SCI self-regulatory organization, SCI alternative 
trading system, plan processor, or exempt clearing agency subject to 
ARP.
SCI event means an event at an SCI entity that constitutes: (1) A 
systems disruption; (2) a systems compliance issue; or (3) a systems 
intrusion.
Systems Compliance Issue means an event at an SCI entity that has 
caused any SCI system of such entity to operate in a manner that does 
not comply with the federal securities laws and rules and regulations 
thereunder or the entity's rules or governing documents, as applicable.
Systems Disruption means an event in an SCI entity's SCI systems or 
procedures that results in: (1) A failure to maintain service level 
agreements or constraints; (2) a disruption of normal operations, 
including switchover to back-up equipment with near-term recovery of 
primary hardware unlikely; (3) a loss of use of any such system; (4) a 
loss of transaction or clearance and settlement data; (5) significant 
back-ups or delays in processing; (6) a significant diminution of 
ability to disseminate timely and accurate market data; or (7) a 
queuing of data between system components or queuing of messages to or 
from customers of such duration that normal service delivery is 
affected.
Systems Intrusion means any unauthorized entry into the SCI systems or 
SCI security systems of the SCI entity.
[See attachment--proposed Form SCI]

    Dated: March 8, 2013.

    By the Commission.
Kevin M. O'Neill,
Deputy Secretary.
[FR Doc. 2013-05888 Filed 3-22-13; 8:45 am]