
Friday, March 8, 2013

SEC COMMISSIONER LUIS A. AGUILAR SPEAKS ABOUT AUTOMATED SYSTEMS

FROM: U.S. SECURITIES AND EXCHANGE COMMISSION
Developing Solutions to Ensure that the Automated Systems of Our Marketplace are Secure, Robust, and Reliable
by Commissioner Luis A. Aguilar
U.S. Securities and Exchange Commission
Washington, D.C.
March 7, 2013


In recent years, the securities markets have undergone significant changes, and none has had more impact than the development of technology systems with ever-increasing speed and capacity. These systems are so fast that, in a blink of an eye, millions of trades can take place and billions of dollars can be transferred from buyers to sellers. Unfortunately, these systems can just as quickly become a destructive force with devastating consequences.

Some of the better-known examples of recent system-related issues include:
The Flash Crash of May 6, 2010. During the flash crash, in just a matter of minutes, certain equities experienced severe price movements — both up and down — with more than 20,000 trades in over 300 securities executed at prices more than 60% away from their market values. In just a few minutes, nearly $1 trillion in market value evaporated, before making a partial recovery.

The October 2011 system errors at Direct Edge exchanges where, in just over four minutes, the exchanges caused about 27 million shares of excess trading. These shares had an approximate market value of $773 million across roughly one thousand securities. The exchanges realized a net loss of $2.1 million in connection with the positions that were assumed and liquidated. The Commission sanctioned the Direct Edge entities for violations of the federal securities laws. In its Order, the Commission noted that the "violations occurred against the backdrop of weaknesses in Respondents’ systems, processes, and controls."

Knight Capital Group Inc.’s $440 million trading loss in August 2012. In just 45 minutes, Knight Capital’s computers rapidly bought and sold millions of shares. Those trades pushed the value of many stocks up, and the company’s losses appear to have occurred when it had to sell the overvalued shares back into the market at a lower price. As a result, Knight Capital lost approximately $10 million per minute, almost had to go into bankruptcy, and subsequently agreed to be purchased.

The systems issues associated with the initial public offerings of BATS Global Markets, Inc., and Facebook, Inc., in March and May 2012, respectively. As a result of systems issues, the BATS IPO was abandoned, and the Facebook fiasco resulted in NASDAQ offering up to $62 million to accommodate members for losses attributable to the systems issues.

The recent admission by BATS that, for a period of more than four years, its computer systems for two equity exchanges and an options platform allowed trades to take place at prices that violated the Commission’s regulations, which require exchanges to ensure that investors receive the best price.


These recent events highlight the need for the Commission to develop a secure, robust, and reliable regulatory framework to ensure that our capital markets develop and maintain systems with sufficient capacity, integrity, resiliency, availability, and security.

Today’s rule proposal, Regulation SCI (Systems Compliance and Integrity), is a step in the right direction. It is an important step forward from the purely voluntary program we have today as a result of the Commission’s 1989 policy statement, which states that SROs, on a voluntary basis, should establish comprehensive planning and assessment programs to determine systems capacity and vulnerability. At that time, the Commission noted the impact that systems problems and failures could have on public investors, broker-dealer risk exposure, and market efficiency.

Clearly, the voluntary program has failed, as the above examples illustrate.

The proposed rule would move beyond the current voluntary program and require entities to, among other things, (i) establish, maintain, and enforce written policies and procedures reasonably designed to ensure that its systems have adequate levels of capacity, integrity, resiliency, availability, and security to maintain the entity’s operational capability and promote the maintenance of fair and orderly markets; (ii) mandate participation in scheduled testing of the operation of the entity’s business continuity and disaster recovery plans, including backup systems, and coordinate such testing on an industry- or sector-wide basis with other entities; and (iii) make, keep, and preserve records relating to the matters covered by Regulation SCI, and provide them to Commission representatives upon request. The proposal also would require that entities submit all required written notifications and reports to the Commission electronically using new proposed Form SCI. These are all welcomed improvements.

However, although this is a positive step in the right direction, I am concerned that today’s rule proposal does not:
Mandate compliance with a specific set of Commission-identified minimum standards to ensure that entities establish, maintain, and enforce written policies and procedures reasonably designed to ensure that the entity’s systems provide adequate levels of capacity, integrity, resiliency, availability, and security. While the rule proposal provides a set of model policies and procedures for entities to consider, it fails to require minimum standards for policies and procedures. As a result, the rule proposal may not provide enough assurance that the resulting policies and procedures will meet the goals of the rule.
Require that an external review of compliance with Regulation SCI be conducted on a periodic basis by an independent third party in order to reduce the risk of conflicts of interests. Simply stated, an internal review may not be as robust and complete due to competing internal business pressures.
Provide for an entity’s senior officers to certify, in writing, that (i) the entity has processes in place to establish, document, maintain, review, test, and modify controls reasonably designed to achieve compliance with Regulation SCI; and (ii) that the annual budget and staffing levels are adequate for the entity to comply with its obligations under Regulation SCI. As Congress noted in connection with the CEO and CFO Certifications mandated by Section 302 of the Sarbanes-Oxley Act of 2002, "managers should be held accountable for the representations made by their company."

I believe that senior officer certifications would be an important tool to ensure compliance with today’s proposed rule.

Moreover, I am concerned that today’s rule proposal would allow an explicit safe harbor for entities and their employees that establish and maintain policies and procedures that are reasonably designed to comply with Regulation SCI. Although it is not stated in today’s release, I have been told by senior staff that the Commission has never previously included an explicit safe harbor in a Commission rule requiring that regulated entities maintain policies and procedures designed to achieve a particular objective.

In my view, an unprecedented safe harbor in a rule that does not require clear, identifiable, and meaningful standards, and that does not require policies and procedures to be reviewed by an independent third party and certified by senior officers, will result in a rule proposal that falls short of its goal — which is to ensure that our capital markets develop and maintain appropriate systems.

The rule proposal asks a number of important questions that were incorporated at my request to solicit comments from the public. These questions were designed to generate information and assist the Commission in thinking through issues associated with the rule proposal. This is an important part of the Commission’s rulemaking process, which is based on a "notice and comment" procedure. I hope that the comments generated will help make this a better rule.

Despite my concerns, I am willing to support today’s rule proposal because Regulation SCI would apply to more entities than the Commission’s current ARP Inspection Program, and the proposed rule would place obligations on entities not currently included in the Commission’s ARP policy statements. The havoc caused by recent events highlights the need to have an updated and formalized regulatory framework for ensuring that the U.S. securities trading markets maintain systems with sufficient integrity, resiliency, and security. Although I have concerns, I am hopeful they will be addressed at the adoption stage. By then, we should have a full five-member Commission.

Today’s rulemaking is a positive step in addressing the systems challenges posed by large, automated, complex, and fragmented trading centers. As the country’s capital markets regulator, the SEC must be at the forefront of proactively addressing changes in our capital market structure. The SEC should not merely respond to events that have occurred. Regulation SCI is one such proactive effort.

In closing, I want to thank the staff for its efforts. I look forward to the comments we will receive on this proposal.

Thank you.

