The Securities and Exchange Commission has approved new rules governing IT policies and procedures at 'key market participants', in an effort to better insulate the markets from vulnerabilities posed by systems technology issues.
The SEC's proposal called Regulation SCI would replace the current voluntary compliance program with enforceable rules. It will apply to self-regulatory organisations, alternative trading systems, plan processors, and certain exempt clearing agencies.
The rules would require organisations to ensure their core technology meets certain standards, conduct business continuity testing, and provide certain notifications in the event of systems disruptions and other events.
"While it's not possible to prevent every technological error that market participants may commit, we must ensure that our regulations are designed to minimise their impact on our markets and ultimately investors," says SEC chairman Elisse B. Walter. "Reg SCI would provide more explicit technology and control standards to help ensure that our markets remain resilient against technological vulnerabilities."
SEC commissioner Luis Aguilar hailed the proposals as a step in the right direction, but expressed concern about the absence of a set of minimum standards for compliance and oversight by independent third parties. Provisions for safe harbour for firms and their staff who fail to comply with the rules were also criticised.
Says Aguilar: "In my view, an unprecedented safe harbour in a rule that does not require clear, identifiable, and meaningful standards, and that does not require policies and procedures to be reviewed by an independent third party and certified by senior officers, will result in a rule proposal that falls short of its goal - which is to ensure that our capital markets develop and maintain appropriate systems."