Earlier this year, the Securities and Exchange Commission (SEC) submitted a draft proposal of Regulation Systems, Compliance and Integrity (SCI), which outlines specific compliance obligations relating to the technology practices of certain Self-Regulating Organizations (SROs) and Alternative Trading Systems (ATS). While the Commission’s existing Automation Review Policy (ARP) has been in place some time, adherence to the standards detailed within ARP is voluntary. By expanding ARP’s scope and making the practices therein compulsory for a cross-section of market participants, the burdens of data collection and reporting by both the SEC and SEC-regulated entities risks impeding market innovation and inundating the Commission with extraordinary volumes of data.
Many responses to the SEC’s call for public comments on SCI acknowledge it as a welcome and necessary step toward mitigating the potentially hazardous consequences resulting from a market that is increasingly reliant upon rapid-fire technology. Given the U.S. financial system’s role in the global economy, it is indeed crucial that participants adopt recognized and sensible practices for yielding reliability and stability from the technology systems underpinning our markets. The challenges of maintaining relevant policy and efficient oversight against this tableau of relentless capability expansion are numerous. While the current SCI draft represents a key milestone of technology oversight for the securities industry, there remain salient considerations for the Commission to address as it evolves SCI policy and expands its own surveillance capabilities.
While capturing the depth of SCI’s 377-page draft is impossible to do in brief - the language of the proposal codifies and expands upon the SEC’s existing voluntary Automation Review Policy (ARP) standard to “establish comprehensive planning and assessment programs to determine systems capacity and vulnerability”, directed toward Self-Regulatory Organizations (SRO) such as NYSE and NASDAQ. Within the proposal, the Commission offers guidance around the selection criteria defining the “SCI entities” to which the regulation applies, as well as detailing each SCI entity’s regulatory obligations around security, change management, service disruption, information dissemination and business continuity planning.
[How Can Firms Boost Efficiency and Reduce Risk in Corporate Actions?]
One trend exhibited by the public response to SCI is in the number of observations seeking increased clarity around specific SCI definitions. Depending on the Commission’s intent around some key SCI language, and reinforced by any established precedents in the future, passing the current proposal might result in steep implications for a SCI entity’s ability to both innovate and self-regulate.
In general, large market participants have mature and well-defined methodologies that govern the execution of significant infrastructure changes, such as data center migrations and messaging platform upgrades. For these larger entities, integrating SCI compliance into their existing programs will likely occur without crippling disruption or exorbitant cost, although there is a fear that smaller firms, which play an important role in driving innovation, will be left with a debilitating impact upon their margins. This risks tilting the system further in favor of larger participants and yielding an extended season of stagnant innovation.
Moreover, seemingly innocuous changes, or changes that are unlikely to be classified by an entity as “major” or “material,” are normally subjected to lower levels of internal oversight. Unfortunately, these categories of changes, by market participants that may or may not be SCI entities, have potential to be a major component in market disruptions.
Given the amount of entity oversight and support that major infrastructure changes are given, it is unlikely that these change categories are in fact a leading cause of market disruption. There is evidence that other changes or factors, such as intermittent latency, faulty trade execution algorithms, software logic defects or failed application deployments, are more likely contributors to major disruptive events. In one exchange’s comments to the SEC, several points were made about SCI’s language surrounding “system disruptions” and “material systems changes” that illustrate the difficulty of identifying regulatory thresholds suitable for sophisticated, nuanced technology processes. The exchange observes that SCI’s language offers the National Institute of Standards and Technology NIST standard around software development methodologies as a reference, which resembles the method many may recognize as “Waterfall”. In contrast, the exchange notes that today, many organizations developing custom software as a means of achieving competitive advantage employ “Agile” software development processes, a philosophy that evolved in direct contrast to Waterfall’s frequent vulnerability to budget overruns, misalignment of business objectives and slow innovation tempo.
One major difference between Agile and Waterfall is in the rate at which the developed software is released. Agile practitioners embrace smaller changes deployed more frequently, while Waterfall projects typically batch up features and release them between relatively long intervals. Infrequent releases of software enhancements are contraindicated in most situations; irregular application of a process inhibits mastery of that process, and the rhythm established by the automated testing and deployment inherent to Agile processes helps teams acquiesce upon more stable software iterations that deliver incremental value more frequently. Agile practitioners achieve mastery of their holistic testing and deployment mechanisms to enable teams to release reliable, tested software at will. This leads to more frequent releases, and hence decreased risk around each individual change.
As SCI proposes a notice period of 30 days before an entity executes a “material systems change”, the thresholds that define materiality become significant indeed; if the net is cast wide enough to cover changes to automated trading strategies, for instance. As many profit opportunities in a dynamic marketplace are transient in nature, trading strategies evolve as the underlying market conditions evolve. Rapidly evolving strategies may exhaust their entire useful lifespan in less than 30 days. Given the broad response seeking more specific definitions of materiality within SCI’s jurisdiction around system changes, it is hopeful that the Commission will communicate the regulatory intention around these changes in a more quantifiable manner.