Regulation SCI (Regulation Systems Compliance and Integrity)

What is Regulation SCI (Regulation Systems Compliance and Integrity)?

Regulation SCI (Regulation Systems Compliance and Integrity) is a set of rules the U.S. Securities and Exchange Commission (SEC) adopted to monitor the security and capabilities of U.S. securities markets' technology infrastructure. These rules apply to the systems of numerous SCI entities, which are organizations involved in these markets in one of the six functions designated by the SEC as "key" to these markets.

In November 2014, the SEC adopted Regulation SCI with the goal of strengthening the technology infrastructure of securities markets in the U.S. Here, strengthening means reducing the occurrence of problems in technology systems and improving their resilience if problems do occur. Regulation SCI is also meant to enhance the SEC's oversight and enforcement of securities market technology infrastructure.

The compliance date of Regulation SCI was November 3, 2015 -- nine months after its effective date. In April 2023, the SEC proposed several amendments to the regulation under the Securities Exchange Act of 1934. The proposal expands on the original definition of an SCI entity and updates certain provisions of the regulation since it was first adopted in 2014.

Important requirements under Regulation SCI

Regulation SCI requires all SCI entities to implement policies and procedures to ensure their systems have high levels of capacity, integrity, resiliency, availability and security. The aim of this rule is to ensure these systems maintain their operational capability and help to maintain fair and orderly securities markets in the U.S. In addition, all systems must operate in a manner compliant with the Exchange Act.

If an SCI event occurs, the SCI entity must immediately take corrective action and notify the SEC and all affected members of the occurrence. Entities must also review their systems at least annually and inform the SEC when they plan to make any material changes to these IT systems by means of quarterly reports. Finally, all entities must coordinate the testing of business continuity and disaster recovery plans with other SCI entities, and get other designated members or participants in testing their business continuity and disaster recovery plans in a scheduled manner.

What entities does Regulation SCI apply to?

Regulation SCI is mandatory for what the SEC refers to as SCI entities. SCI entities include these organizations that participate in U.S. securities markets:

• Self-regulatory organizations.
• Stock and options exchanges.
• Registered clearing agencies.
• Financial Industry Regulatory Authority.
• Municipal Securities Rulemaking Board.
• Alternative trading systems (ATSes).
• Plan processors, i.e., disseminators of consolidated market data.
• Some exempt clearing agencies.

In general, Regulation SCI applies to all SCI entities -- specifically, their technology systems -- that directly support any one of six key securities market functions:

• Trading.
• Clearance and settlement.
• Order routing.
• Market data.
• Market regulation.
• Market surveillance.

In addition, the provisions of Regulation SCI related to security standards and systems intrusions also apply to indirect SCI systems. Per Rule 1,000 of the regulation, indirect SCI systems are "any systems of, or operated by or on behalf of, an SCI entity that, if breached, would be reasonably likely to pose a security threat to SCI systems."

Accordingly, SCI entities are required to do the following:

• Identify which of their systems meet the definition of SCI systems.
• Identify the boundaries for these systems.
• Assess which controls or methods of separation are required to ensure effective physical or logical separation so that systems do not provide vulnerable points of entry into other systems.
• Review the effectiveness of these controls and methods.
• Determine whether non-SCI systems are outside the scope of the definition of indirect SCI systems.

What is an event according to Regulation SCI?

The SEC designed Regulation SCI in response to securities markets being increasingly dependent on technology and automated systems. The rules strive to reduce the number of market disturbances stemming from this reliance on technology and speed up recovery when disturbances do occur.

These disturbances are known as SCI events and include the following:

• Systems disruptions.
• Systems compliance issues.
• Systems intrusions.

SCI entities are required to notify the SEC if they experience such events. They are also required to disseminate information about certain events to affected members or participants. In the case of certain major SCI events, SCI entities must inform all their members or participants about the event.

Regulation SCI: 2015 amendments

In September 2015, the SEC updated its Regulation SCI FAQ page with important changes regarding SCI entities' relationships with third parties:

• SCI entities, referred to as contracting SCI entities, can work with third parties, or operating entities, to operate SCI systems. However, the contracting entities are responsible for implementing appropriate processes and requirements to satisfy the requirements of Regulation SCI for all their systems operated on their behalf by one or more third parties.
• If the contracting SCI entity is uncertain of its ability to manage a third-party relationship to satisfy the requirements of Regulation SCI, the SCI entity must reassess its decision to outsource to the operating entity.
• The contracting SCI entity can expect the operating entity to take steps to meet the obligations under Regulation SCI -- for example, by establishing appropriate policies and procedures for the relevant SCI system. The contracting SCI entity should also perform appropriate due diligence on the operating entity to ensure these steps are in place to fulfill the contracting SCI entity's obligations under Regulation SCI.

The 2015 Regulation SCI amendments also addressed whether ATSes can have market regulation surveillance systems. Under Regulation SCI's definition of SCI systems, ATSes that meet the volume threshold of the regulation are considered SCI entities. However, in the context of Regulation SCI, the SEC said market regulation systems refers only to those used to carry out self-regulatory responsibilities, which ATSes do not have. Thus, the SEC believes it is unlikely that an ATS would have systems that qualify as market regulation systems.

Meanwhile, the FAQ was updated to clarify which SCI systems that relate to the communication of trading halts are considered to be critical SCI systems. The SEC defines trading halts as market-wide halts -- e.g., regulatory halts -- instead of trading halts on an individual market. Given this definition, Regulation SCI defines critical SCI systems as any SCI system that is operated by or on behalf of an SCI entity that directly supports functionality related to trading halts, and one that disseminates communications related to market-wide trading halts across markets.

Regulation SCI: 2023 proposed amendments

The amendments proposed to the SCI Regulation in 2023 would expand the definition of SCI entity -- to which the regulation applies -- to include a broader range of key market participants in the U.S. securities market infrastructure. Per the expanded definition, SCI entities will also include the following:

• Registered security-based swap data repositories.
• Registered broker-dealers exceeding an asset or transaction activity threshold.
• Some additional clearing agencies exempted from registration.

In addition, the proposed updates are meant to amend some provisions related to systems classification and lifecycle management. Amendments to some other provisions are also proposed:

• Third-party or vendor management.
• Cybersecurity.
• SCI review, conducted annually by objective, qualified personnel on the SCI entity's systems.
• The role of current SCI industry standards.
• Record-keeping matters.

Updated SEC compliance regulations target online trading and digital finance transactions to improve digital asset security. Check out this FAQ on how digitization is influencing SEC compliance priorities.