SEC Regulation SCI Reviews and Audits

SEC Regulation SCI
Automation Review Compliance
January 2015
SEC Regulation SCI Systems Compliance and Integrity
On November 19, 2014 the SEC adopted new rules to require
certain key market participants to have comprehensive policies
and procedures in place surrounding their technology (Reg SCI).
Regulation SCI under the Securities Act of 1934 (“Systems
Compliance and Integrity”) replaces the current voluntary ARP
compliance program with rules whose violation of which may be
the subject to enforcement actions.
SROs, selected alternative trading systems (ATS), plan processors,
and exempt clearing agencies are required to design, develop,
test, maintain, and oversee their mission-critical systems.
The rules require them to ensure that their core technology meets
certain standards, conduct regular business continuity testing, and
provide certain notifications in the event of systems disruptions,
intrusions and other events.
Tellefsen and Company, L.L.C.
Reg SCI (Cont’d) …
High-profile technical glitches in the securities markets including
those that arose during the 2010 Flash Crash, the initial public
offerings of Facebook and BATS Global Markets as well as the
Knight Capital trading incident have illustrated that investors can
be at risk when technology fails, and confidence in the markets
can falter.
The market closures following Hurricane Sandy in 2012 also
highlighted the importance of having a robust market technology
These events, subsequent discussions and commentary from a
cross section of market participants have helped shape the
development of the new rulemaking.
Tellefsen and Company, L.L.C.
Reg SCI (Cont’d) …
The new regulations will present challenges to the Chief
Technology Officer and especially the Chief Compliance Officer,
who is responsible for the creation and enforcement of reasonable
supervisory procedures related to the implementation and
maintenance of applicable HW/SW/NW technologies and
While these responsibilities are far from a routine compliance skill
set, Reg. SCI is a continuation of a trend by the SEC of placing
increased responsibility on compliance with respect to policies and
procedures for implementing and maintaining various types of
For the past two decades, SROs have followed a voluntary set of
principles articulated in the SEC’s Automation Review Policy and
participated in what is known as the ARP Inspection Program.
Reg SCI now supersedes this (see final rulemaking in the Federal Register:
Tellefsen and Company, L.L.C.
Reg SCI – Final Rulemaking
The rulemaking was largely adopted as proposed, with the following
revisions and exceptions:
 The proposed 30 day advance reporting requirement was changed
to quarterly.
 The Direct Access requirement which would have required SCI
Entities to provide SEC staff with remote or on-site access to SCI
Systems was not adopted.
 Safe Harbor protection from liability is limited to those individuals
who reasonably discharge their responsibilities under Reg SCI.
 Senior management involved in the annual Reg SCI review will be
required to certify that they have implemented policies and
procedures reasonably designed to ensure compliance with the
Tellefsen and Company, L.L.C.
Reg SCI Is Designed to Ensure:
Core technology of national securities exchanges, self-regulatory
organizations, significant alternative trading systems, clearing
agencies, and plan processors meets certain standards.
That these entities conduct regular business continuity testing with
their members or participants.
That they provide certain notifications regarding systems
disruptions, intrusions and other types of systems issues.
The probability of technology problems is reduced, and key entities
are well-positioned to take appropriate, corrective action when
problems occur.
Tellefsen and Company, L.L.C.
Reg SCI – Applicability
The proposed rule would apply to “SCI Entities” such as:
– Self-regulatory organizations (the registered national securities
exchanges, registered clearing agencies, FINRA, and MSRB).
– Alternative Trading Systems that exceed specified volume thresholds
– Disseminators of market data under certain National Market Systems
plans (“plan processors”).
– Certain clearing agencies exempt from SEC registration.
It would apply primarily to the systems of SCI Entities that are core
to the functioning of the securities markets, such as those that
directly support trading, clearance and settlement, order routing,
market data, regulation, or surveillance.
The SEC anticipates that 14 ATSs will be required to be compliant.
It is unknown whether other business systems such as a shared
drive system or phone system are within the scope.
Tellefsen and Company, L.L.C.
SCI Entities - Requirements:
 Establish policies and supervisory procedures relating to the
capacity, integrity, resiliency and security of its technology systems.
Ensure its systems operate in the manner intended, including in
compliance with relevant federal securities laws and rules.
Take timely corrective action in response to systems disruptions,
systems compliance issues and systems intrusions.
Notify and provide the SEC with detailed information when such
systems issues occur, systems intrusions, and when there are
material changes in its systems. Written notices of “SCI Events” will
be reported to members and market participants and filed
electronically to the SEC on Form SCI.
Inform its members or participants about certain systems problems
and provide information about the systems and market participants
affected by the problem and the progress of corrective action.
Tellefsen and Company, L.L.C.
SCI Entities Requirements (Cont’d)…
 Provide quarterly notice to the SEC of any material system changes,
including completed, ongoing and planned material changes to SCI
systems and the security of indirect SCI systems, during the prior,
current and subsequent calendar quarters.
Conduct an annual review of its compliance with Regulation SCI, and
submit a report of the annual review to its senior management and
the SEC.
Plan and engage in annual business continuity and disaster recovery
Designate certain individuals or firms to participate in the testing of
its business continuity and disaster recovery plans, and coordinate
such testing with other entities on an industry- or sector-wide basis.
Demonstrate systems testing, test results and related capabilities to
SEC staff on-site during inspections.
Tellefsen and Company, L.L.C.
SCI Entities Requirements (Cont’d)…
 The SEC has granted Safe Harbor protection from liability to
individuals within SCI Entities who reasonably discharge their Reg
SCI compliance responsibilities under their policies, procedures and
 Reg SCI is effective 60 days after publication in the Federal Register,
and SCI Entities must comply with the requirements within 9 months
of the effective date.
 ATSs that satisfy volume threshold levels for the first time will be
granted an additional 6 months from that time to comply.
 SCI Entities will have 21 months from the effective date to comply
with the industry or sector wide BC/DR testing requirement.
Tellefsen and Company, L.L.C.
Policies, Procedures and Reporting
Reg SCI entities need to ensure their written policies and
procedures are up to date.
Problem tracking systems must actively capture problems, problem
identification, cause/effect and resolution.
Regular reporting to the SEC is required:
– Ad-hoc incident reporting
– Quarterly reports of planned and material system changes
– Annual Reg SCI Review
Tellefsen and Company, L.L.C.
2013- 2015
Reg SCI Testing and Oversight
Reg SCI entities need a comprehensive testing regimen in order to
be compliant.
Functional and non-functional testing of applicable Reg SCI
Comprehensive test regimens for quality assurance, regression,
capacity, stress, failover/recovery, user acceptance etc.
Development and maintenance of a test repository and active
analysis of production data.
Need for industry insight and domain market structure expertise in
the design, planning and execution of industry test initiatives.
Independent test execution, oversight and reporting.
Assistance with preparation of annual Reg SCI compliance report to
Tellefsen and Company, L.L.C.
2013- 2015
Tellefsen and Company –
Automation Review Expertise
Tellefsen and Company (TCL) has a market structure practice and
core competency and depth of experience in assisting exchanges,
clearing houses and ATS in complying with regulatory guidelines.
We have conducted numerous technology reviews for clients in the
last several years, including investment management firms, ATS,
clearing houses and exchanges.
We have also counseled and guided our clients through the
preparation for regulatory designation reviews and inspections by
the CFTC, FINRA and the SEC.
Our mission-critical systems expertise includes trading systems,
market data dissemination, clearing, risk management and market
surveillance components.
Tellefsen and Company, L.L.C.
Market Structure, Compliance and
Automation Review Expertise
Experience with prior client assignments has included the
development of testing, compliance documentation and procedures
for trading and operations management, including:
 Business impact analysis
 Business continuity management
 Capacity planning
 Systems development methodology
 Acceptance testing
 Configuration and release management
 Network management
 Problem management/problem tracking
 Information and physical security
 Failover, stress and capacity testing
Tellefsen and Company, L.L.C.
2013- 2015
Market Structure Expertise (Cont’d) …
Our firm brings unique market insight and market micro structure
experience to client assignments
Development and audit of business continuity plans, systems
failover and fall back testing strategies and plans are a core
competency of our firm, as is systems quality assurance and
acceptance testing
We have provided independent test oversight and test results
attestation for various exchanges, clearing houses and numerous
market participants.
Tellefsen and Company, L.L.C.
2013 -2015
Marketing Partnership with
Exactpro Systems
TCL has introduced a marketing partnership with Exactpro Systems,
a specialist FinTech firm focused on testing of mission-critical
trading systems and market infrastructure .
Started in 2009, Exactpro has experienced phenomenal growth as
satisfied clients consume more services - now employing over 280
Headquartered in San Rafael, California, with four quality assurance
and development centers in Russia and sales support in the UK.
Clients include global exchanges, clearing houses, inter-dealer
brokers, investment banks, ATS, futures commission merchants,
order management/execution management system providers.
Tellefsen and Company, L.L.C.
2013- 2015
Exactpro Systems –
Prior Client Experience
Major equities and commodities futures exchanges
Commodities futures clearing corporation
ATSs with low latency trading platforms
Swap Execution Facilities (SEFs)
Global derivatives and futures commission merchant
Investment bank specializing in emerging markets
Equity broker-dealer offering program and single name execution
Order management/execution management system provider to buyside and sell-side constituents
Tellefsen and Company, L.L.C.
2013- 2015
Reg SCI Testing Expertise
Requirements Definition
and Test Scenario Creation
(human, message & reporting interfaces)
Test Harnesses
Test Data Management
Intelligent Management
of Large Data Sets
Quality Assurance:
Test Planning and
Intelligent Functional and
Exploratory Testing
Process Audit and Test
Coverage Analysis
Automated Regression
Test Automation
Protocol Level Testing via:
SWIFT, MQ, SQL, Proprietary
Binary and Text-based
Data Formats, etc.
Latency and Capacity
Focused on the Lifecycle of Trading
Order and Execution
Market Venue
Reference Data
Clearing and
Financial Products
Platforms Pre and Post Trade;
Commodities, Futures,
Equities, Fixed Income, FX
Matching Engines
Middle Office
Risk Management
Smart Order
Deal Capture &
Position Keeping
Market Data
Exactpro’s Test Automation Suite
• Can test Order Entry, Market Data and
Post Trade connections in one test scenario
• Each test scenario is independent
• Allows running test scripts in any sequence
• Simulation of multiple user connections
• Server simulators
• All messages are stored into a
data base
• Generates test reports
• Executes multithreaded java
• Complexity of test algorithms is
defined by the test developer
• Supports multiple client fix
connections, order entry and
market data via FIX
• Can use GUI to iterate through
sent and received messages
• Model-based testing of market
surveillance systems
• Production-scale capacity and
• Interactive real-time alerts and reports
• Post-transactional tool
• Analyzes clients' activity and forecasts system response
• Parses and displays logs in a user-friendly way
• Parses messages and then puts each to a data base
where each column corresponds to each message field
• Allows making summarized reports, etc
• Easy to understand GUI
• Post-Trade testing tool
• Verifies each stage of the DLC
• Integrated schedule
• Automated matrices
• Can create multiple days test
• Concurrent multiple tests
• Integrated simulators
• SWIFT ISO protocol support
Load Injector:
• Simulates multiple client connections with a specified load shape
for each connection or a group of connections
• Up to 75K messages / second from a single CPU core
• Measures latencies in microsecond range
• Performance test reports
Applicability to Reg SCI
An experienced team, armed with the proper tools that can hit the ground
running to review, test and provide evidence in a cost effective fashion!
A range of well organized testing services that cover several of the
aspects essential for Reg SCI compliance
1. Conventional Non
Functional Testing:
• Load test to establish the
reasonable current and future
capacity planning estimates
• Capacity stress tests of
systems to determine their
ability to process transactions
in an accurate, timely, and
efficient manner
• Failover & recovery tests to
verify backup, contingency and
disaster recovery capabilities,
including geographically
diverse locations
2. Conventional
Functional Testing:
• Efficient testing to exercise
all key functionality and data
• Positive and negative tests
to identify vulnerabilities
pertaining to internal and
external threats, physical
hazards, and natural or
manmade disasters
• All test evidence per run
stored within an easy to
access and report test
• Automated Regression
testing of subsequent releases
and reporting of all relevant
changes within the system
3. Testing at the
Confluence of
Functional and Non
Functional Testing:
• High frequency and
algorithmic trading activity
• Testing to assure
systems capacity, integrity,
resiliency, availability and
security under realistic
participants load
• Modeling of all data
inputs and outputs from
system to evaluate the
behavior within normal
operational and outage
4. Production Data
• Capture and Analyze
data from production to
understand real usage
• Monitor and investigate
production events
• Feedback to refine test
coverage for subsequent
• Bringing QA perspective
into operational support
For More Information, Contact
Tellefsen and Company, L.LC.
John Rapa
1-212 809 3800