The Securities and Exchange Commission’s attempt to mandate standards and testing procedures to stem the technical disruptions that have afflicted the nation’s equities exchanges since May 6, 2010, is barely out of the box—and it may be going back in.
The SEC’s effort to turn its voluntary Automation Review Policy into a mandatory set of rules, known as Regulation Systems Compliance and Integrity, is facing industry opposition to the speed at which the agency is moving.
The beef: Not enough time to digest the 377-page document published in February and to respond to the 200-plus requests for comments placed to market participants.
As of May 9, only eight comments had come in to the SEC—and only one, from technology consultancy Tellefsen & Co., offered substantive analysis. Two of the comments, from the Securities Industry and Financial Markets Association and the Financial Industry Forum, were actually requests of their own: to extend the public comment period by 90 days, from May 24 to Aug. 22.
“We believe it is critical that industry members and interested individuals have sufficient time to review and evaluate the proposal so that the Commission can have the benefit of the most thoughtful and detailed feedback possible,” SIFMA managing director and associate general counsel Theodore R. Lazo said.
Among the criticisms most widely voiced in the first weeks after the regulation was proposed by then-SEC chairman Elisse B. Walter was a lack of clear definition of what constituted materiality in the “material changes” in computer systems being made that must be reported to the agency.
There is a difficulty with “the concept of having to inform the SEC of a material change without a definition of what materiality is,” said Brad Vopni, a senior vice president of Nasdaq OMX Group at the Security Traders Association of New York conference in April.
Also at issue was how widely the regulation should be applied. As proposed, Reg SCI would apply only to “self-regulatory organizations” such as the Financial Industry Regulatory Authority, the New York Stock Exchange and other national exchanges, alternative trading systems of a certain size, the Municipal Securities Rulemaking Board and two “plan processors” that provide market data to investors. These are NYSE Euronext’s Securities Industry Automation Corporation and a unit of Nasdaq OMX Group.
“We think it will be more equitable if this rule also applied to market makers and broker-dealers that are active in the market,” said Howard Meyerson, general counsel at Liquidnet, an alternative trading system that handles anonymous trading in large blocks of shares for institutions and would be affected by the regulation.
In its current iteration, the regulation does not cover market makers or broker-dealers. But the SEC left that open, asking the industry, in one of its requests for comment, if they should be included.
The exclusion was clear when Walter announced the regulation in February and linked it to the “the May 6 flash crash, systems issues that arose during the IPOs of Facebook and BATS Global Markets, the hacking of Nasdaq’s systems, and the closing of U.S. markets in response to Superstorm Sandy,” which, she said, “all exemplify the types of problems and disruptions that can affect our marketplace.”
She did not mention the disruption of the first hour of trading on Aug. 1, 2012, when a faulty piece of code led market maker Knight Capital Group to unleash a flood of erroneous orders onto national exchanges. Knight lost more than $450 million in about 45 minutes and ended up selling itself to fellow market maker GETCO to survive the fallout from the mishap.
Knight was not available for comment on the reporting, technical standards or testing procedures that would be required of so-called Reg SCI Entities.
Covered entities would have to establish, maintain and enforce written policies and procedures that ensure their systems have sufficient capacity and resilience “to promote the maintenance of fair and orderly markets.”
The entities also would have to report to the SEC anytime there was a “system event” that required “corrective action.” These include a systems disruption or intrusion or any event that creates a “compliance issue.”
They also would have to report “material systems changes,” which could range from any major overhaul of hardware or software in their systems or other infrastructure that could affect fundamental operations. Annual reviews of systems and reports to the SEC also are required.
The intent of the rule is to cause too many changes, said Kevin Tyrrell, head of execution consulting at Bank of America Merrill Lynch, which operates an alternative trading system known as Instinct X.
It’s more about disclosure and forcing best practices, in his view. And not likely to have a big impact on technically astute firms. BofA, for its part, just went through “a whole technology overhaul” to increase capacity, according to Adam Inzirillo, director of global execution services.
“We do extensive testing, and I’d imagine most firms like us do,” Tyrrell said. “Because of this proposal, we don’t have to go out and build a testing system or anything like that. It’s already in place.”
One aspect of the testing worries Liquidnet’s Meyerson. The proposal, as it stands, mandates participation by “designated members or participants” in scheduled tests of business continuity and disaster recovery plans.
An alternative trading system cannot force a customer to participate in testing, he says. There’s no legal obligation.
“We’re not like an exchange, where we’re in a position to do that,” Meyerson said.
Reporting material changes and conducting large-scale testing are more likely to be problems faced most prominently by national exchanges. When an ATS such as Instinct X has issues, the operator—BofA—simplify notifies all clients to route orders elsewhere. The system is disabled, and even its own brokerage operations route around it on its own customers’ orders.
But when an exchange changes out aisles of servers at a data center, for instance, and something goes wrong, that can affect the entire industry. It requires disclosure—and SEC scrutiny.
But what level of scrutiny? The scope of the document leading to the regulation, by itself, has raised concern. “There’s a lot in there that needs light shed on it,” said Bryan Harkins, chief operating officer of Direct Edge, which operates two exchanges. He worries the SEC is “creating rules that, by definition, once you have a problem, you’ve violated a rule.”
Notably undetermined is what the “strict legal liability” of breaking a rule will be, said Chris Isaacson, chief operating officer of BATS Global Markets, which also operates two exchanges.
To get the industry to just focus on resolving issues before they happen and as soon as an unexpected failure occurs, the SEC should follow the lead of the Federal Aviation Authority, suggests James J. Angel, an associate professor at Georgetown University and frequent commenter on SEC proposals.
The SEC should “basically have a safe harbor for any self-reported SCI issues,” he said. “We need to change the culture of the SEC from a gotcha agency that sort of measures its progress by the level of fines it imposes and move toward one of a preventative agency.”
Improving the flow of information “is one thing,” Angel said. But complicated systems are not perfect. “We need to accept the fact that IT happens.”
Reg SCI “is not supposed to be a gotcha rule,” said James R. Burns, deputy director of the SEC’s Division of Trading and Markets, at SIFMA’s operations conference in Boca Raton, Fla., at the end of April. “It’s supposed to be a rule that sets out baselines that are standards that, in the main, have been working at the SROs for a long time and bring” ATSs and the two data processors “up to that level.”
Morgan Stanley, which operates an anonymous trading venue called MS Pool, is “taking a step back to make sure we understand every system that this would identify,” said executive director Denise Garrett, who shared the stage with Burns.
But by now, exchanges should have gotten pretty used to meeting the SEC’s expectations for creating and maintaining reliable systems through the existing Automation Review Policy, said Joseph Mecane, executive vice president and head of U.S. equities at NYSE Euronext. Even that can get ugly.
“While it’s not really a law right now, your life is going to be pretty miserable if you don’t comply with ARP,” Mecane said, at the annual meeting of the Security Traders Association of New York. “Now SCI really ups the game on that.”
(c) 2013 Traders Magazine and SourceMedia, Inc. All Rights Reserved.
http://www.tradersmagazine.com http://www.sourcemedia.com/
