www.alston.com

This alert is published by Alston & Bird LLP to provide a summary of significant developments to our clients and friends. It is intended to be informational and does not constitute legal advice regarding any specific situation. This material may also be considered attorney advertising under court rules of certain jurisdictions.

On March 8, 2013, the U.S. Securities and Exchange Commission (SEC) issued a release proposing new Regulation Systems Compliance and Integrity (“Regulation SCI”) and amendments to Regulation ATS under the Securities and Exchange Act of 1934 (“Exchange Act”).1 As proposed, Regulation SCI would require “SCI entities” (e.g., certain self-regulatory organizations (SROs), alternative trading systems (ATSs), plan processors and exempt clearing agencies) to comply with capacity, integrity, security and testing requirements with respect to their automated systems that support their regulated activities. According to the SEC, the Regulation and related amendments are needed to formalize current SEC inspection programs and standardize industry efforts in this area, address the increased use of technology in securities trading and routing and the resulting complexities in the markets, and help prevent systems-related issues that can harm the fair and orderly operation of the markets. Comments on proposed Regulation SCI are due on or before May 24, 2013.

I. Background and Brief Summary of Proposed Regulation SCIProposed Regulation SCI is intended to replace and supplement the SEC’s current voluntary Automation Review Policy (ARP) and the two policy statements that comprise ARP, through codifying it and applying it to a broader variety of regulated entities. Essentially, proposed Regulation SCI would require SCI entities to establish written policies and procedures reasonably designed to ensure that their systems have levels of capacity, integrity, resiliency, availability and security adequate to maintain their operational capability and promote the maintenance of fair and orderly markets, and that they operate in the manner intended. Regulation SCI also would require notices and reports of “SCI events” and material systems changes to be provided to the SEC, and members or participants of SCI entities also would receive information regarding certain SCI events. SCI entities would be required to take corrective action regarding SCI events and would have to conduct annual objective systems reviews and maintain certain books and records. The current volume thresholds in Regulation ATS with respect to requirements relating to capacity, integrity and security of automated systems (Rule 301(b)(6) of Regulation ATS) are proposed to be significantly lowered from their current levels, and these lower thresholds will be applied to “SCI ATSs” and the requirements removed from Regulation ATS and transferred into Regulation SCI.

1 Release No. 34-69077 (Mar. 8, 2013), 78 FR 18084 (Mar. 25, 2013) (“Proposing Release”).

Financial Services & Products ADVISORY naPRIl 2, 2013

SEC Proposes Regulation Systems Compliance and Integrity (“Regulation SCI”)

www.alston.com 2

As proposed, Regulation SCI’s application is broad and its requirements complex, requiring expenditures of significant resources. In addition to the development and implementation of detailed systems-related policies and procedures, and required systems, business continuity and disaster recovery testing (including potentially mandated participation of participants and members of the SCI entity), the reporting burden imposed by the proposed Regulation would be great, with annual reports relating to testing, semi-annual reports relating to material systems changes, notifications (both summary and detailed notices and updates) of various types of systems-related events, pre-implementation reports relating to material systems changes that must be provided to the SEC and notifications that must be provided to members and/or participants in the SCI entity of certain systems-related events. If ultimately adopted, Regulation SCI could be even broader than what has been proposed in the various rules comprising proposed Regulation SCI, as the SEC has asked more than 200 questions regarding the details and scope of the proposed Regulation and its constituent parts. Among these are whether various provisions of the proposed Regulation should be more inclusive in numerous respects (e.g., should systems that interact with “SCI systems,” like algorithmic servers and smart order routers, fall within the requirements of the proposed Regulation), and whether proposed Regulation SCI itself should apply more universally throughout the securities industry, such as to all broker-dealer firms. (See Section IV below.)

Set out below is a summary of various provisions of Regulation SCI as proposed, as well as the relevant SEC questions posed with respect to each of those provisions or requirements.

II. Definitions

a. “SCI Entities”

While the SEC’s current ARP program has generally been limited to SROs and plan processors (such as the CTA System and Nasdaq UTP Plan), and the systems capacity, integrity and security requirements of Regulation ATS generally apply only to high-volume ATSs that are not otherwise exempt from the requirements (of which there are currently none), proposed Regulation SCI would apply to all “SCI entities.” The term “SCI entity” includes any of the following:

• SCI SRO – an SCI SRO is an SRO meeting the definition in Exchange Act Section 3(a)(26), and would include all stock and options exchanges, FINRA, registered clearing agencies (i.e., DTC, FICC, NSCC, OCC, ICE Clear Credit, ICE Clear Europe and CME) and the MSRB, but would exclude SEC-notice-registered securities futures exchanges and the NFA. There are currently 26 SROs, and each would be subject to proposed regulation SCI.

• SCI aTS – an SCI ATS is an ATS that, during at least four of the preceding six calendar months, had: (1) with respect to NMS stocks, (i) five percent or more in any single NMS stock and 0.25 percent or more in all NMS stocks, of the average daily dollar volume (ADDV) reported by an effective transaction reporting plan, or (ii) one percent or more, in all NMS stocks, of the ADDV reported by an effective transaction reporting plan; (2) with respect to securities that are not NMS stocks and for which transactions are reported to an SRO, five percent or more of the ADDV as calculated by the SRO to which such transactions are reported; or (3) with respect to municipal securities and corporate debt securities, five percent or more of either (i) the ADDV traded in the United States or (ii) the average daily transaction volume (ADTV) traded in the United States.

• Plan processors – these include any SRO or securities information processor (SIP) acting as an exclusive processor in connection with the development, implementation and/or operation of any facility contemplated by an effective national market system plan.

www.alston.com 3

• Exempt clearing agencies subject to aRP – currently, the only such entity is Global Joint Venture Matching Services US, LLC, known as Omgeo. Omgeo has been subject to the ARP policy statements pursuant to the terms of its exemption from registration as a clearing agency.2

Of these “SCI entities,” the provisions relating to ATSs would impose significant changes to the status quo. The current thresholds for compliance with the systems capacity, integrity and security requirements of Rule 301(b)(6)(i) of Regulation ATS are considerably higher (i.e., 20 percent of ADTV for each type of security for four of the preceding six months) than those proposed for Regulation SCI. Lowering the threshold will obviously bring more ATSs within proposed Regulation SCI, although the SEC estimates that only 10 ATSs currently trading NMS stocks would meet the proposed definition of an SCI entity.

Lowering the thresholds of current Rule 301(b)(6) of Regulation ATS in proposed Regulation SCI would be generally consistent with the current five percent ADTV thresholds applicable to the order display and execution access and fair access provisions of Regulation ATS.3 With respect to ATSs trading NMS stocks, the volume thresholds for those other provisions of Regulation ATS currently are calculated solely on a stock-by-stock basis, not a market-wide volume percentage basis, as would be included in Regulation SCI. With respect to ATSs trading securities other than NMS stocks, as proposed in Regulation SCI, the volume thresholds for non-NMS stocks, municipal securities and corporate debt securities for purposes of determining whether an ATS is a “SCI ATS” will be calculated on a market-wide basis, which is consistent with current thresholds under Regulation ATS.

The current thresholds contained in Regulation ATS, however, are based on the ADTV of each NMS stock traded by the ATS, and proposed Regulation SCI would apply thresholds generally based on ADDV.4 In addition, with respect to ATSs trading NMS stocks, there are alternate thresholds—an ATS would be an SCI entity if it had (a) five percent or more of ADDV in a single stock and 0.25 percent or more of ADDV in all NMS stocks, or (b) one percent or more of ADDV in all NMS stocks. ATSs, including dark pools, currently monitor their systems to ensure that they do not exceed certain ADTV thresholds so that they may determine whether various provisions of Regulation ATS apply.5 Using a different threshold measure in proposed Regulation SCI likely would require operators of ATSs to make significant systems changes to calculate and monitor the ADDV of all securities traded through their systems for purposes of Regulation SCI, while they would still be required to calculate ADTV for other Regulation ATS purposes.6

2 See SEC Release No. 34-44188 (April 17, 2001), 66 FR 20494 (April 23, 2001).

3 See Rules 301(b)(3) and (b)(5) of Regulation ATS. It should be noted, however, that the SEC has separately proposed that the threshold for the order display and execution access provision in Rule 301(b)(3) be lowered from five percent to 0.25 percent of the ADTV level for a single equity security. See “Regulation of Non-Public Trading Interest,” SEC Release No. 34-60997 (Nov. 13, 2009), 74 FR 63866 (Dec. 4, 2009).

4 ATSs that trade municipal securities or corporate debt securities will be “SCI entities” if they have five percent or more of either ADDV or ADTV of the market for the type of security at issue. Consequently, those ATSs will have to calculate both. The SEC estimates that there are three ATSs trading municipal securities and three ATSs trading corporate debt securities that may meet this threshold, and they are the same entities. ATSs that trade non-NMS stocks will be “SCI entities” if they have five percent or more of the ADDV of the total market for that category of security, and the SEC estimates that there are only two such ATSs.

5 It should be noted that ATSs also currently report, on a quarterly basis, total unit volume and dollar volume of trades by broad categories of securities on Form ATS-R.

6 In the Proposing Release, the SEC states that use of ADDV instead of ADTV protects ATSs against inclusion in the definition of an SCI entity because of a skew in the price level of a stock (e.g., in the case of a stock split or reverse split). See 78 FR at 10894 & n. 108. To the extent that is true, that same logic should equally apply to the other volume thresholds in Regulation ATS.

www.alston.com 4

The SEC claims to have chosen the particular thresholds in Regulation SCI as a “best estimate of when a market is of sufficient significance to the trading of the relevant class (i.e., NMS stocks, non-NMS stocks, municipal securities, and corporate debt securities) as to warrant the protections and obligations of proposed Regulation SCI,” but it also acknowledges that the proposed thresholds “have not been derived from econometric or mathematical models.”7

Consequently, the SEC seeks comment on whether it has chosen the appropriate threshold levels for inclusion of ATSs as “SCI entities.” Among the other questions posed by the SEC are:

• Are there other entities that should be included in the definition of “SCI entity,” and are there entities included in the definition of SCI entity that should not be included?8

• Regarding SCI ATSs, should the thresholds be different than proposed in terms of the numerical values used, reliance on ADDV vs. ADTV, or something else (e.g., whether a stock is liquid or illiquid, etc.)?

• Regarding SCI ATSs trading NMS stocks, should there be alternative thresholds based on individual NMS stock ADDV and/or all NMS stocks? Should similar thresholds be applied to non-NMS stocks?9

• Is there less automation among markets that trade non-NMS stocks, municipal securities and corporate debt securities as opposed to markets that trade NMS stocks? And, if so, does that warrant the different threshold levels in the proposal?

• Should the SEC adopt a single type of threshold measurement (e.g., ADDV) and/or a single dollar volume threshold measurement across all asset classes, which would be simpler and more consistent across different asset classes? If so, what should it be?

• Do ATSs have the ability to calculate whether they meet the proposed ADDV thresholds based on available data?

• Are there certain types of ATSs (e.g., ATSs that trade U.S. Treasuries and/or repos) that should not be subject to proposed Regulation SCI?

• If a broker-dealer operates more than one ATS trading a given asset class, should the trading volumes of all of the ATSs be aggregated for purposes of determining whether the threshold has been met?

B. “SCI Systems” and “SCI Security Systems”

Regulation SCI would cover the systems of SCI entities, which include both “SCI systems” and “SCI security systems.” “SCI systems” are defined in proposed Rule 1000(a) of regulations SCI as “all computer, network, electronic, technical, automated, or similar systems of, or operated by on behalf of, an SCI entity, whether in production, development, or testing, that directly support trading, clearance and settlement, order routing, market data, regulation, or surveillance.”

7 Proposing Release, 78 FR at 18095-96.

8 The SEC suggests later in the Proposing Release that it is considering extending the requirements of the Regulation to certain broker-dealers other than SCI ATSs, but has stated that, if it determines that to be appropriate, it would formally propose to do so through separate notice-and-comment rulemaking. See Proposing Release, 78 FR at 18138.

9 Interestingly, there appears to be a conflict between the proposed rule text for the definition of “SCI entity” and the language used in the Proposing Release discussing ATSs that trade “non-NMS stocks.” Specifically, under the proposed rule text, an ATS that trades “equity securities that are not NMS stocks and for which transactions are reported to a self-regulatory organization” would be a SCI ATS if it meets the attendant volume threshold. The discussion in the Proposing Release, however, is focused on “non-NMS stocks” and seems to be referring to OTC stocks. See generally, Proposing Release, 78 FR at 18094-96. It should be noted that there are other types of securities that meet the definition of “equity securities that are not NMS stocks and for which transactions are reported to a self-regulatory organization” other than OTC stocks.

www.alston.com 5

“SCI security systems” are defined as “any systems that share network resources with SCI systems that, if breached, would be reasonably likely to pose a security threat to SCI systems.” Together, the systems covered by these definitions comprise all systems of an SCI entity that directly support trading, clearance and settlement, order routing, market data, regulation and surveillance, as well as any other system sharing firm resources that, if breached, could threaten those systems; in other words, the systems that provide core market functionalities.10

These definitions also are intended to include, for example, systems of broker-dealer affiliates of exchanges that route orders for purposes of the Trade-Through Rule, as well as systems for regulation of the OTC markets and similar systems, such as the Consolidated Audit Trail repository. Notably, the SEC asserts that “if an SCI entity contracts with a third party to operate its systems (such as those that use execution algorithms) on behalf of the SCI entity, such systems also would be covered by the proposed definition of SCI systems if they directly support trading, clearance and settlement, order routing, market data, regulation or surveillance.”11

The proposed definition of “SCI security system” purposefully does not identify the types of systems intended to be covered, but instead describes them in terms of connectivity and threat risk to SCI systems. Nevertheless, the SEC does cite examples in the Proposing Release, including systems pertaining to corporate operations (e.g., systems that support web-based services, administrative services, electronic filing, email and intranet sites, and financial and accounting systems, many of which provide access to non-public information), and systems by which an SCI entity provides a service to issuers, participants or clients (e.g., transaction services, infrastructure services and data services).

In connection with these definitions, the SEC asks the following questions, among others:

• Do the definitions cover all critical systems that could pose a threat, if breached, to an SCI entity’s systems capacity, integrity, availability and security?

• Are there systems that should be excluded from the definitions? For instance, should systems operated by third parties be excluded? If included, should there be different requirements for those third parties?

• Should SCI systems and SCI security systems be treated differently, or should all of the requirements of Regulation SCI apply to both?

• Are there better ways for the SEC to ensure that SCI systems are adequately secure and protected from intrusion than by including SCI security systems within the requirements of Regulation SCI?

• If the SEC removes SCI security systems from the Regulation’s reach, should SCI entities nevertheless be required to adopt procedures to ensure that their core SCI systems are protected from security threats from other systems to which they are connected or with which they share resources?

• If the SEC deletes the definition of SCI security system from the proposed Regulation, should the SEC require SCI entities to report any intrusion into any system of an SCI entity to the SEC or to members and participants?

10 Only certain of the provisions of Regulation SCI would apply to SCI security systems. SCI security systems are included in the definitions of “material systems change,” “responsible SCI personnel,” “SCI review” and “systems intrusion.” SCI entities would be required to adopt policies and procedures relating to security standards for their SCI security systems under proposed Rule 1000(b)(1), but SCI security systems would not be subject to the systems compliance requirements of proposed Rule 1000(b)(2). However, a systems intrusion into an SCI security system would be considered an “SCI event” for purposes of the corrective action requirement of proposed Rule 1000(b)(3), as well as certain of the SEC notification requirements under proposed Rule 1000(b)(4) and the public dissemination provisions of proposed Rule 10000(b)(5)(ii).

11 Proposing Release, 78 FR at 18099.

www.alston.com 6

C. “SCI Events”

Proposed Regulation SCI would require the reporting of “SCI events,” defined as “an event at an SCI entity that constitutes: (1) a systems disruption; (2) a systems compliance issue; or a systems intrusion.” Each of these terms is further defined, and each is discussed separately below.

1. “Systems Disruption”

A systems disruption would be defined as an event in an SCI entity’s SCI systems that results in:

(1) a failure to maintain service-level agreements or constraints;

[This would include a failure or inability of the SCI entity to honor its contractual obligations to provide a specified level or speed of service to uses of its SCI systems (e.g., if a trading system agrees to process orders within 100 milliseconds, failure to do so would be a “systems disruption”). ]

(2) a disruption of normal operations, including switchover to back-up equipment with near-term recovery of primary hardware unlikely;

[This would include any switchover to back-up equipment, whether or not recovery is possible, as well as programming errors, testing errors, systems failures and situations in which a system release is backed out after it is implemented and in production.]

(3) a loss of use of any such system;

[This would include a failure of primary trading or clearance and settlement system, even if immediately replaced by backup systems without any disruption to normal operations.]

(4) a loss of transaction or clearance and settlement data;

(5) significant back-ups or delays in process;

(6) a significant diminution of ability to disseminate timely and accurate market data; or

[The SEC is purposefully leaving the standards in (5) and (6) unquantified, but they are intended to include such things as a problem with an SCI system that results in a slowdown or disruption of operations that would adversely affect customers, impair quotation or price transparency, or impair accurate and timely regulatory reporting; a throttling of message traffic for any market participant not permitted under a user agreement or rules; and the entry, processing or transmission of erroneous or inaccurate orders, trades, price-reports, other information in the securities markets or clearance and settlement systems, or any other significant deterioration in the transmission of market data in an accurate, timely and efficient manner.]

(7) a queuing of data between system components or queuing of messages to or from customers of such duration that normal service delivery is affected.

[The SEC believes the queuing of data between system components of SCI systems is often a warning signal of significant disruption of normal system operations.]

Regarding its proposed definition of “systems disruptions,” the SEC asks, among other questions:

• Should the definition be limited to SCI systems (i.e., should SCI security systems also be included in the definition of a systems disruption)?12

12 If the term were expanded to include SCI security systems, numerous of the substantive requirements of the proposed Regulation (e.g., the policies and procedures, testing, notification and dissemination requirements) would become applicable to SCI security systems.

www.alston.com 7

• Is the definition too broad, or too narrow (e.g., should “transaction or clearance and settlement data” in paragraph (4) of the definition be broadened to include customer account data, regulatory data, and/or audit trail data)?

• Should there be minimum quantifiable thresholds to meet before something is considered a systems disruption, and if so, should there be different standards for different types of systems (e.g., surveillance systems vs. order-routing systems)?

• Should there be exceptions (e.g., a de minimis exception or materiality threshold) to the definition of systems disruption?

• Should technology errors originating from third parties (i.e., member firms or ATS subscribers) that have the potential for disrupting the market be considered a “systems disruption” of the SCI entity?

2. “Systems Compliance Issue”

This term would be defined as “an event at an SCI entity that has caused any SCI system of such entity to operate in a manner that does not comply with the federal securities laws and rules and regulations thereunder or the entity’s rules or governing documents, as applicable.” This is intended to cover a change to an SCI system by IT staff that results in the systems operating in a manner that fails to comply with the federal securities laws and rules thereunder, or that, for instance, causes the SCI entity to violate its subscriber agreements or ATS operating rules.13

3. “Systems Intrusion”

This term would be defined as “any unauthorized entry into the SCI systems or SCI security systems of an SCI entity.” This is intended to cover any unauthorized entry into an SCI entity’s covers systems by any outsider, employee or agents, whether part of a cyber-attack, potential criminal activity or other unauthorized attempt to retrieve, manipulate or destroy data, or access or disrupt systems of SCI entities (including via malware). It would not, however, include failed attempts at unauthorized access.

D. “Dissemination SCI Events”

Pursuant to proposed Rule 1000(b)(5) of Regulation SCI, SCI entities would be required to disseminate certain information relating to “dissemination SCI events” to members and participants. As proposed in Rule 1000(a), a “dissemination SCI event” would mean “an SCI event that is a (1) systems compliance issue; (2) systems intrusion; or (3) systems disruption that results, or the SCI entity reasonably estimates would result, in significant harm or loss to market participants.” In the case of a “dissemination SCI event,” the SCI entity must notify members or participants of the nature of the event and the steps being taken to remedy it, to enable those persons to assess what, if any, steps they need to take in light of the event.

In the case of a systems intrusion, the SCI entity would only be required to provide a summary description of the systems intrusion, including a description of the corrective action taken and when the intrusion has been or is expected to be resolved, and dissemination of that information may be delayed in certain cases. Also, the SEC is not proposing to quantify what constitutes “significant harm or loss” to market participants as a result of a systems disruption for purposes of disseminating notices, but instead is giving SCI entities reasonable discretion to decide what is “significant.” Nevertheless, the SEC believes that a trading systems problem that prevents orders from being executed or trade confirmations from being sent would be a “dissemination SCI event.”

13 If adopted, this provision could require self-reporting of possible rule violations to the SEC and/or subscribers and members.

www.alston.com 8

The SEC asks for comment on each part of the proposed definition, including whether a disruption that meets the “significant harm or loss to market participants” standard should be included as a “dissemination SCI event,” whether that standard should be better quantified, whether only certain systems disruptions (e.g., disruptions lasting more than a certain amount of time or disruptions affecting only a limited number of participants or members) should be included, and whether other types of systems disruptions should be included as a dissemination SCI event.

E. “Material Systems Changes”

Proposed Regulation SCI would require SCI entities to notify the SEC in writing at least 30 calendar days before implementation of any planned “material systems change,” including a description of the change and the expected dates for commencement and completion of the change. In the case of exigent circumstances, or if the information previously provided to the SEC becomes materially inaccurate, an SCI entity must notify the SEC as “early as reasonably practicable.”

A “material systems change” would be defined as “a change to one or more: (1) SCI systems of an SCI entity that (i) materially affects the existing capacity, integrity, resiliency, availability, or security of such systems; (ii) relies upon materially new or different technology; (iii) provides a new material service or material function; or (iv) otherwise materially affects the operations of the SEC entity; or (2) SCI security systems of an SCI entity that materially affects the existing security of such systems.” As set out in the Proposing Release, examples of these would include major systems architectural changes, reconfiguration of systems that would cause a variance of more than five percent in throughput or storage; the introduction of new business functions or services; changes to external interfaces; changes that could increase susceptibility to major outages; changes that could increase risks to data security; changes that were, or would be, reported to or referred to the entity’s senior management; and changes that could require allocation or use of significant resources.14

The SEC seeks comment on numerous aspects of this proposed definition and asks, among others, the following questions:

• Is the definition of “material systems change” clear enough?

• Are each of the standards used in the proposed definition appropriately included as a material change (e.g., is any change that relies on “materially new technology” a “material systems change”)?

• Do the examples it gives in the release constitute “material systems changes”?

• Should smaller systems changes that, if aggregated, would collectively result in a five percent variance be included in the definition?

• Should identical changes to a system over a specific period of time be aggregated for purposes of the Regulation?

• Should any change that “materially affects the existing security” of an SCI security system constitute a “material systems change” subject to SEC notification on Form SCI?

• Should quantifiable materiality standards be included in the definition of material change?

14 See Proposing Release, 78 FR at 18105-06. For SCI ATSs, this provision would be in potential conflict with filing requirements for Form ATS in Rule 301 of Regulation ATS, which requires ATSs to provide 20 days’ advance notice to the SEC with respect to material changes to the operation of an ATS.

www.alston.com 9

III. Obligations of SCI Entities

a. Policies and Procedures

Under proposed Rule 1000(b)(i) of Regulation SCI, SCI entities would be required to establish, maintain and enforce written policies and procedures, reasonably designed to ensure that SCI systems and, for purposes of security standards, SCI security systems, have levels of capacity, integrity, resiliency, availability and security adequate to maintain the SCI entity’s operational capability and promote the maintenance of fair and orderly markets. At a minimum, these procedures would have to include:

(A) the establishment of reasonably current and future capacity planning estimates;

(B) periodic capacity stress tests of such systems to determine their ability to process transactions in an accurate, timely and efficient manner;

(C) a program to review and keep current systems development and testing methodology for such systems;

(D) regular reviews and testing of such systems, including backup systems, to identify vulnerabilities pertaining to internal and external threats, physical hazards and natural or manmade disasters;

(E) business continuity and disaster recovery plans that include maintaining backup and recovery capabilities sufficiently resilient and geographically diverse to ensure next-business-day resumption of trading and two-hour resumption of clearance and settlement services following a wide-scale disruption; and

(F) standards that result in such systems being designed, developed, tested, maintained, operated and surveilled in a manner that facilitates the successful collection, processing and dissemination of market data.

Although the SEC does not specify any specific policies and procedures an SCI entity must have, and an SCI has discretion to implement any compliant policies and procedures, under proposed Rule 1000(b)(i), an SCI entity’s policies and procedures would be deemed to be “reasonably designed” if they are consistent with “SCI industry standards.” As proposed, these standards would be “(A) comprised of information technology practices that are widely available for free to information technology professionals in the financial sector; and (B) issued by an authoritative body that is a U.S. governmental entity or agency, association of U.S. governmental entities or agencies, or widely recognized organization.” The Proposing Release sets out a table listing industry publications that it believes comprise initial “SCI industry standards.”15

Among the questions raised by the SEC relating to these requirements are the following:

• Are the items to be included in an SCI entity’s policies and procedures appropriate or do they need modification? For example, should a specific interval (e.g., monthly or quarterly) for periodic testing be included in the rule?

• Should industry-wide testing be required for certain types of technology deployment?

• Should SCI entities be required to establish certain infrastructures or mechanisms to facilitate industry-wide testing?

• Should members/participants of SCI entities be required to participate in direct testing of certain types of technology deployments?

15 See Proposing Release, 78 FR at 18111.

www.alston.com 10

• Should the business continuity plan requirement be more specific? For instance, should business continuity and disaster recovery plans be required to include pre-determined communication plans, escalation procedures and/or kill switches?16

• Should minimum standards for what constitutes “geographically diverse” be included in the rule?

• Is the next-business-day resumption following a wide-scale disruption an appropriate time frame?

• Should an SCI entity be permitted to offer alternative methods of operation following a wide-scale disruption?

• Should user testing and certification prior to resumption of system operation after a systems disruption be required?

• Is the proposed rule’s reliance on “SCI industry standards” appropriate?

In addition, the SEC explicitly requests comment on whether there are SCI entities for which these policies and procedures requirements would be inappropriate (i.e., not cost effective), and if so, why.

B. Systems Compliance

Under proposed Rule 1000(b)(2)(i) of Regulation SCI, SCI entities would also be required to establish, maintain and enforce written policies and procedures reasonably designed to ensure that its SCI systems operate in the manner intended, including in a manner that complies with the federal securities laws and rules and regulations thereunder and the entity’s rules and governing documents.

Noting the complexity of systems and the breadth of the federal securities laws, the SEC has proposed safe harbors for both SCI entities and their employees, respectively. Under the safe harbor for an SCI entity, an SCI entity would be deemed not to violate Rule 1000(b)(2)(i) if:

• it has established appropriate testing, internal controls, monitoring and assessment policies, procedures and processes;17

• it has established and maintained a system for applying its policies, etc., which system is reasonably expected to prevent and detect violations of such policies, etc.; and

• it has reasonably discharged its duties as required by the policies, etc., and does not have cause to believe that the policies are not being complied with in any material respect.

The safe harbor for individuals would protect employees from liability for aiding and abetting or causing the SCI entity’s violation of Rule 1000(b)(2)(i) if the employee has reasonably discharged his or her duties and obligations under the SCI entity’s policies and procedures, and he or she was without reasonable cause to believe that such policies and procedures were not being complied with in any material respect.

16 While the SEC stated it was not proposing at this time any requirements related to kill switches, it asks whether commenters believe that the implementation of kill switches would assist SCI entities in maintaining the integrity of their systems.

17 As part of this safe harbor condition, an SCI entity’s policies and procedures would have to include a requirement that its regulatory personnel would have to review SCI systems design, changes, testing and controls to prevent, detect and address actions that do not comply with applicable federal securities laws and rules and regulations thereunder and the SCI entity’s rules and governing documents, as applicable.

www.alston.com 11

Among the questions posed by the SEC regarding the systems compliance procedures requirements and safe harbors are:

• Should the SEC specify minimum standards for internal controls?

• Should minimum testing and monitoring frequencies be specified in the rule?

• Is the proposed role of regulatory personnel in the review, etc., of systems design, changes, testing and controls appropriate?

• Is it necessary to both establish and maintain policies and procedures as required under the safe harbor and also establish a system for applying those policies and procedures?

• Should having a “reasonable belief” that the policies and procedures are not being violated be a prerequisite for the safe harbor for individuals?

• Should the safe harbors for entities and individuals be extended to non-employees (e.g., affiliates)?

C. Notification of SCI Events

When they become aware of an SCI event, SCI entities and any “responsible SCI personnel” would be required to begin to take appropriate corrective action, which at a minimum means mitigating potential harm to investors and market integrity and devoting adequate resources to remedy the SCI event as soon as reasonably practicable. “Responsible SCI personnel” would include any personnel, whether an employee or an agent, of an SCI entity having responsibility for an SCI system or SCI security system that is impacted by an SCI event, which could include any technology, business or operations staff with responsibility for such systems. Regarding systems compliance issues, such personnel could include regulatory, legal or compliance personnel. Any employee, even junior non-managerial employees, could be “responsible SCI personnel” depending on their roles with respect to SCI systems and SCI security systems. Employees of third-party vendors with SCI systems-related responsibilities also could be “responsible SCI personnel.”

In addition to taking such corrective action, an SCI entity is required to notify the SEC upon any responsible SCI personnel becoming aware of a systems disruption that the SCI entity reasonably estimates would have a material impact on its operations or on market participants, any system compliance issue or any systems intrusion. For significant SCI events, notification to the SEC should be immediate via telephone or email, followed up by the electronic submission of Form SCI within 24 hours.

Form SCI would require detailed information about, among other things, the SCI event; the estimated number and types of market participants that may be affected by the SCI event; the potential impact of the SCI event on the market; whether any members/participants have experienced a loss as a result of the SCI event and, if so, how much; steps the SCI entity is taking to address and resolve the SCI event; and whether the SCI event is a “dissemination SCI event” or not. SCI entities would be required to update the SEC on a regular basis until the SCI event is resolved. If an SCI entity distributes information to members/participants (i.e., the SCI event is a “dissemination SCI event”), that information is required to be posted on the SCI entity’s publicly available website.

Under the proposed Regulation, an SCI entity, promptly after any responsible SCI personnel becomes aware of a dissemination SCI event other than a systems intrusion, would be required to disseminate to its members or participants information concerning the systems affected by the SCI event and a summary description of the SCI

www.alston.com 12

event.18 Furthermore, when it becomes known, the SCI entity would be required to provide a detailed description of the SCI event, the SCI entity’s current assessment of the types and number of market participants potentially affected by the SCI event and a description of the progress of its corrective action for the SCI event and when the SCI event has been or is expected to be resolved. SCI entities also would be required to provide updates to members and participants of any of the information provided under the rules. According to the Proposing Release, the SEC expects more than just a cursory explanation or general statement that a disruption has occurred.

Among the questions posed by the SEC are:

• Is the definition of “responsible SCI personnel” appropriate, or should it be limited to more senior employees?

• Should SCI entities be required to take appropriate corrective action as soon as any “responsible SCI personnel” become aware of an SCI event?

• Should SCI entities be required to adopt detailed policies and procedures regarding how to respond to an SCI event?

• Should all SCI events be reported to the SEC, or should certain types of SCI events be excepted from the notification requirements?

• Should there be immediate reporting of immediate notification SCI events occurring after normal business hours?

• Is the 24-hour written notification requirement appropriate for all SCI events?

• Is dissemination of SCI event information to members and participants appropriate, and if so, should such notifications be required to be made “promptly” after responsible SCI personnel become aware of the SCI event or at some other time?19

• Are there dissemination SCI events other than systems intrusions for which notifications to members and participants should be delayed?

D. Notification of Material Systems Changes

As noted above, the proposed Regulation would require, except in exigent circumstances, 30 calendar days’ written advance notice to the SEC of material systems changes. The SCI entity would have to provide a written description of the planned material systems changes, as well as the expected dates of commencement and completion of implementation of the planned changes on Form SCI.

In connection with this requirement, the SEC asks the following, among other, questions:

• Is the requirement to provide notification of all material systems changes too broad? Are there some systems changes that should be excepted from the rule?

18 Under the proposed Regulation, systems intrusions would be excepted from the member/participant prompt notification requirement if the SCI entity determines that dissemination of such information would likely compromise the security of the SCI entity’s SCI systems or SCI security systems or an investigation of the systems intrusion, and the SCI entity documents the reasons for its determination. When the reasons for confidentiality no longer exist, the information required by the rule would then need to be disseminated.

19 In this regard, the SEC estimates in the Proposing Release that there will be 14 dissemination SCI events other than systems intrusions for each SCI entity per year, and that, based on current experience under ARP, most such incidents would have a duration of, on average, less than two hours. See Proposing Release, 78 FR at 18149-50.

www.alston.com 13

• Should the SEC provide additional guidance on what constitutes an “exigent circumstance”?

• Will the notification requirement make an SCI entity less likely to implement systems changes?

E. Review of Systems

Proposed Rule 1000(b)(7) would require an SCI entity to conduct an “SCI review” of the SCI entity’s compliance with Regulation SCI at least annually and submit a report of the SCI review to senior management no more than 30 days after the completion of the review. An “SCI review” would be defined in proposed Rule 1000(a) as “a review, following established procedures and standards, that is performed by objective personnel having appropriate experience in conducting reviews of SCI systems and SCI security systems, and which review contains: (1) a risk assessment with respect to such systems of the SCI entity; and (2) an assessment of internal control design and effectiveness to include logical and physical security controls, development processes, and information technology governance, consistent with industry standards.” This review also would be required to include penetration test reviews of the SCI entity’s network, firewalls and development, testing and production systems at a frequency of not less than once every three years.

The SEC has not proposed to define what is meant by “objective” personnel for purposes of conducting systems reviews, but it states in the Proposing Release that such persons should not have been involved in the development, testing or implementation of the systems being reviewed, because it believes those persons are likely to be in a better position to identify weaknesses and deficiencies that were not identified earlier. The reviewers could be employees of the SCI entity (e.g., an internal audit department) or an external firm with objective personnel.

In addition to seeking general comment on the SCI review requirement, the SEC asks the following questions, among others:

• Should the SCI review include an assessment of internal control design and effectiveness, and/or penetration test reviews of the SCI entity’s firewalls, etc., as proposed?

• Should the annual review include additional elements?

• Should the SCI review be required annually and/or the penetration test review be required once every three years, or is some other time period more appropriate?

• Should the persons conducting the reviews have certain minimum qualifications?

• Should “objective personnel” be defined in the rule?

• Would firms be required, or be more likely, to hire outside consultants to perform the reviews?

• Is the 30-day time frame to submit a report to senior management after completion of the review a reasonable time frame?

F. Periodic Reports

Proposed Rule 1000(b)(8) of Regulation SCI would require an SCI entity to submit to the SEC a copy of the report of the SCI review, together with management’s response, within 60 calendar days after its submission to senior management of the SCI entity.

www.alston.com 14

In addition, proposed Rule 1000(b)(8)(ii) would require an SCI entity to submit a report within 30 calendar days after the end of June and December of each year containing a summary description of the progress of any material systems change during the prior six months and the date (or expected date) of completion of implementation of such changes. These semi-annual reports are in addition to the notification of material systems changes that is required 30 days prior to implementation, and which must be updated when it becomes materially inaccurate, under proposed Rule 1000(b)(6).

Among the questions asked about this proposed Rule are:

• Are the time periods included in these rules appropriate?

• Should these reports be less frequent?

• Is it necessary for firms to submit semi-annual reports on material systems changes at all?

• Are there SCI entities for which these requirements would not be cost-effective?

G. Business Continuity and Disaster Recovery Testing and Reports

Proposed Rule 1000(b)(9)(i) of Regulation SCI would require an SCI entity, with respect to its business continuity and disaster recovery plans, including back-up systems, to require participation by designated members or participants in scheduled functional and performance testing of the operation of such plans at least once every 12 months. (For instance, for SCI ATSs, designated subscribers would be “required” to participate in the BCP and disaster recovery testing of the ATS and its systems.) The SCI entity, however, would still have discretion to determine the manner and content of its testing (e.g., duration of testing, sample size, scenarios tested and scope of the test). In addition, proposed Rule 1000(b)(9)(ii) would require SCI entities to coordinate their testing on an industry- or sector-wide basis with other SCI entities. In the SEC’s view, it would be more cost-effective for market participants to participate in the testing of the BCP and disaster recovery plans of SCI entities on an industry- or sector-wide basis because such coordination would likely reduce duplicative testing efforts.

Proposed Rule 1000(b)(9)(iii) would require each SCI entity to designate those members or participants it deems necessary, for the maintenance of fair and orderly markets in the event of the activation of its business continuity and disaster recovery plans, to participate in the testing of such plans, and to notify the SEC of the designation and its standards for designation on Form SCI and promptly update the notification after any changes to its designations or standards. For SCI ATSs, the SEC believes that its designation standards may be included in the ATS’s internal procedures and in its subscriber agreements.

Among the questions asked by the SEC on these proposed rules are:

• Should participants or members of an SCI entity be required to participate in an SCI entity’s BCP/disaster recovery testing?

• Do participants that are likely to be designated as BCP testing participants have the ability, including the infrastructure, to participate in the required testing? (For instance, the participant would have to maintain and establish connectivity to an SCI entity’s back-up systems.) What would be the economic effect of the rule on such designated participants?

• Should SCI entities be able to set their own standards for designation of members/participants in BCP testing, or should the SEC set the standards? If the latter, what should those standards be based on (e.g., geographic location, volume threshold, etc.)?

www.alston.com 15

• Should such testing be required at least once every 12 months, or would a different interval be more appropriate? For example, should such testing be required after each material systems change has been implemented?

• Should SCI entities be required to notify the SEC on Form SCI of its standards and designations, or should that information be maintained internally?

• Should the SEC require SCI entities to operate periodically from their back-up facilities during regular trading hours?

• Should the parameters of “industry- or sector-wide testing” be defined by the SEC, including the scope of the testing, frequency, and number of participating SCI entities?

• Should SCI entities be required to submit reports on the results of their BCP/disaster recovery testing to the SEC?

• Should the SEC impose additional requirements of members and/or participants of SCI entities, such as requiring them to meet the next-business-day resumption of trading standards for SCI entities in the proposed Regulation?

H. Record-Keeping Rules

Proposed Rule 1000(c) of Regulation SCI would require SCI entities to maintain copies of all documents, including reports and testing data, relating to its compliance with Regulation SCI for a period of not less than five years, the first two in a readily accessible place. Furthermore, each SCI entity, upon or immediately prior to ceasing to do business or ceasing to be registered under the Exchange Act, would be required to take action to ensure that such records would remain accessible by the SEC or its representatives for the remainder of the period required under the proposed rule.

Furthermore, if an SCI entity uses a service bureau or other recordkeeping service to prepare or maintain its required SCI-related records, the SCI would be required to submit a written undertaking by such third party in the form required by the SEC. This is similar to the requirements applicable to third-party maintenance of broker-dealer books-and-records under Exchange Act Rule 17a-4.

Most required broker-dealer books-and-records, however, are subject to a retention period of three years pursuant to Rule 17a-4, not the five years proposed for SCI-related documents. In this regard, the SEC asks whether the five-year retention period in the proposed rule is appropriate.

IV. Proposed application of Regulation SCI to Broker-Dealers In addition to soliciting comment on whether proposed Regulation SCI should apply to security-based swap data repositories and security-based swap execution facilities, the SEC also seeks comment on whether it should include broker-dealers, other than SCI ATSs, within proposed Regulation SCI.20 In the SEC’s view, systems disruptions, systems compliance issues and systems intrusions at broker-dealers (and particular broker-dealers that handle significant order flow) could pose significant risk to the markets. While Rule 15c3-5 requires broker-dealers with market access to establish, document and maintain a system of risk management controls and supervisory procedures reasonably designed to manage the financial, regulatory and other risks arising from the provision of market access, the requirements of proposed Regulation SCI would go far beyond the requirements of Rule 15c3-5. Consequently, the SEC is considering whether some types or categories of broker-dealers (e.g., OTC market makers, exchange market

20 See Proposing Release Section III.F., 78 FR at 18133-38, for a discussion of the proposed application of the Regulation to security-based swap data repositories and security-based swap execution facilities, and Proposing Release Section III.G., 78 FR at 18138-41, for a discussion of the proposed application of the Regulation to broker-dealers other than SCI ATSs and other types of entities (such as transfer agents).

www.alston.com 16

makers, order entry firms that route order flow for execution, clearing broker-dealers and/or large multi-service broker-dealers that engage in a variety of order handling, trading and clearing activities, whether or not they have significant volumes) should be subject to some or all of Regulation SCI.

According to the SEC, if it decides that additional broker-dealers should be included with the definition of “SCI entity,” it will issue a separate release addressing that proposal. Nevertheless, it currently seeks comment on whether it should extend the requirements of proposed Regulation SCI, in whole or in part, to broker-dealers. Among the questions posed are:

• Do broker-dealers, particularly those complying with Rule 15c3-5, already comply with some of the requirements of proposed Regulation SCI?

• Does the nature of the market for broker-dealer services, including client services, market maker services or market access services, limit the ability of the market to solve the issues that proposed Regulation SCI is intended to address? For instance, if one firm experiences systems disruptions, are customers able to easily switch to another broker-dealer?

• What is the impact to overall market integrity or the protection of investors if an OTC market maker, exchange market maker or clearing broker was no longer able to operate due to a systems disruption, compliance issue or intrusion? Would requiring one or all of those categories of broker-dealers to be subject to Regulation SCI provide important stability to the overall securities market infrastructure?

• Should the SEC extend proposed Regulation SCI to all “market centers” as that term is used in Regulation NMS? If so, should that be limited to market centers meeting a particular volume threshold (e.g., should market centers other than SCI ATSs be subject to the same or different ADDV thresholds as SCI ATSs)?

• Alternatively, should the SEC require SROs to adopt rules requiring their members to adopt policies and procedures consistent with the requirements of proposed Regulation SCI (e.g., policies and procedures reasonably designed to ensure that the systems of such members operate in the manner intended, including in a manner that complies with applicable federal securities laws and rules and regulations thereunder and the SCI SRO’s rules)?

• If SROs are required to adopt such rules, does that not raise any competitive issues between SROs and ATSs?

• What types and scale of costs would be incurred by broker-dealers and others if Regulation SCI were to apply to them?

V. Conclusion As you can see from summary above and the questions posed by the SEC on all aspects of the proposed Regulation, Regulation SCI could have an extremely broad impact, not only on “SCI entities” as that term is currently defined in the proposed rule text, but also on the members of, participants in and subscribers to those entities, and ultimately, on a much larger group of market participants. Consequently, it is incumbent upon all market participants that may become subject to the proposed Regulation to make their views on the proposal known. Comments are due on or before May 24, 2013.

* * * * * * * *

If you have any questions regarding this memorandum, please contact laura S. Pruitt (202-239-3618, laura.pruitt@alston.com).

17

If you would like to receive future Financial Services & Products Advisories electronically, please forward your contact information to financialservices@alston.com. Be sure to put “subscribe” in the subject line.

If you have any questions or would like additional information, please contact your alston & Bird attorney or any of the following members of the Financial services & Products Group.:

www.alston.com

© ALSTON & BIRD LLP 2013

AtlAntA: One Atlantic Center n 1201 West Peachtree Street n Atlanta, Georgia, USA, 30309-3424 n 404.881.7000 n Fax: 404.881.7777BrUSSelS: level 20 Bastion tower n Place du Champ de Mars n B-1050 Brussels, Be n +32 2 550 3700 n Fax: +32 2 550 3719ChArlOtte: Bank of America Plaza n 101 South tryon Street n Suite 4000 n Charlotte, north Carolina, USA, 28280-4000 n 704.444.1000 n Fax: 704.444.1111DAllAS: 2828 north harwood Street n 18th Floor n Dallas, texas, USA, 75201 n 214.922.3400 n Fax: 214.922.3899lOS AnGeleS: 333 South hope Street n 16th Floor n los Angeles, California, USA, 90071-3004 n 213.576.1000 n Fax: 213-576-1100neW YOrk: 90 Park Avenue n 12th Floor n new York, new York, USA, 10016-1387 n 212.210.9400 n Fax: 212.210.9444reSeArCh triAnGle: 4721 emperor Blvd. n Suite 400 n Durham, north Carolina, USA, 27703-85802 n 919.862.2200 n Fax: 919.862.2260SiliCOn VAlleY: 275 Middlefield road n Suite 150 n Menlo Park, California, USA, 94025-4004 n 650-838-2000 n Fax: 650.838.2001WAShinGtOn, DC: the Atlantic Building n 950 F Street, nW n Washington, DC, USA, 20004-1404 n 202.756.3300 n Fax: 202.756.3333VentUrA COUntY: 2801 townsgate road n Suite 215 n Westlake Village, California, USA, 91361 n 805.497.9474 n Fax: 805.497.8804

Malachi J. Alston 704.444.1129 malachi.alston@alston.com

David J. Baum 202.239.3346 david.baum@alston.com

Willa Cohen Bruckner 212.210.9596 willa.bruckner@alston.com

Sean Doherty 212.210.9486 sean.doherty@alston.com

Martin H. Dozier 404.881.4932 martin.dozier@alston.com

Kristin P. Hinson 704.444.1332 kris.hinson@alston.com

Kamal Jafarnia 212.210.9548 kamal.jafarnia@alston.com

Clay A. Littlefield 704.444.1440 clay.littlefield@alston.com

Matthew W. Mamak 212.210.1256 matthew.mamak@alston.com

Allison Muth 212.210.9521 allison.muth@alston.com

Laura S. Pruitt 202.239.3618 laura.pruitt@alston.com

Timothy P. Selby 212.210.9494 tim.selby@alston.com

Mitra Surrell 202.239.3685 mitra.surrell@alston.com

Maureen Whalen 704.444.1294 maureen.whalen@alston.com

Sarah Whitlock 202.239.3670 sarah.whitlock@alston.com

Investment Management Group