SEC Regulation SCI Automation Review Compliance

1. SEC Regulation SCI Automation Review Compliance January 2015

2. SEC Regulation SCI - Systems Compliance and Integrity • On November 19, 2014 the SEC adopted new rules to require certain key market participants to have comprehensive policies and procedures in place surrounding their technology (Reg SCI). • Regulation SCI under the Securities Act of 1934 (“Systems Compliance and Integrity”) replaces the current voluntary ARP compliance program with rules whose violation may be the subject to enforcement actions. • SROs, selected alternative trading systems (ATS), plan processors, and exempt clearing agencies are required to design, develop, test, maintain, and oversee their mission-critical systems. • The rules require them to ensure that their core technology meets certain standards, conduct regular business continuity testing, and provide certain notifications in the event of systems disruptions, intrusions and other events. Tellefsen and Company, L.L.C. 2013-2015

3. Reg SCI (Cont’d) … • High-profile technical glitches in the securities markets including those that arose during the 2010 Flash Crash, the initial public offerings of Facebook and BATS Global Markets as well as the Knight Capital trading incident have illustrated that investors can be at risk when technology fails, and confidence in the markets can falter. • The market closures following Hurricane Sandy in 2012 also highlighted the importance of having a robust market technology infrastructure. • These events, subsequent discussions and commentary from a cross section of market participants have helped shape the development of the new rulemaking. Tellefsen and Company, L.L.C. 2013-2015

4. • The new regulations will present challenges to the Chief Technology Officer and especially the Chief Compliance Officer, who is responsible for the creation and enforcement of reasonable supervisory procedures related to the implementation and maintenance of applicable HW/SW/NW technologies and infrastructure. • While these responsibilities are far from a routine compliance skill set, Reg. SCI is a continuation of a trend by the SEC of placing increased responsibility on compliance with respect to policies and procedures for implementing and maintaining various types of technology. • For the past two decades, SROs have followed a voluntary set of principles articulated in the SEC’s Automation Review Policy and participated in what is known as the ARP Inspection Program. • Reg SCI now supersedes this (see final rulemaking in the Federal Register: https://www.federalregister.gov/articles/2014/12/05/2014-27767/regulation-systems-compliance-and ) Reg SCI (Cont’d) … Tellefsen and Company, L.L.C. 2013-2015

5. The rulemaking was largely adopted as proposed, with the following revisions and exceptions: •The proposed 30 day advance reporting requirement was changed to quarterly. •The Direct Access requirement which would have required SCI Entities to provide SEC staff with remote or on-site access to SCI Systems was not adopted. •Safe Harbor protection from liability is limited to those individuals who reasonably discharge their responsibilities under Reg SCI. •Senior management involved in the annual Reg SCI review will be required to certify that they have implemented policies and procedures reasonably designed to ensure compliance with the rulemaking. Reg SCI – Final Rulemaking Tellefsen and Company, L.L.C. 2013-2015

6. • Core technology of national securities exchanges, self-regulatory organizations, significant alternative trading systems, clearing agencies, and plan processors meets certain standards. • That these entities conduct regular business continuity testing with their members or participants. • That they provide certain notifications regarding systems disruptions, intrusions and other types of systems issues. • The probability of technology problems is reduced, and key entities are well-positioned to take appropriate, corrective action when problems occur. Reg SCI Is Designed to Ensure: Tellefsen and Company, L.L.C. 2013-2015

7. • The proposed rule would apply to “SCI Entities” such as: – Self-regulatory organizations (the registered national securities exchanges, registered clearing agencies, FINRA, and MSRB). – Alternative Trading Systems that exceed specified volume thresholds (SCI ATS). – Disseminators of market data under certain National Market Systems plans (“plan processors”). – Certain clearing agencies exempt from SEC registration. • It would apply primarily to the systems of SCI Entities that are core to the functioning of the securities markets, such as those that directly support trading, clearance and settlement, order routing, market data, regulation, or surveillance. • The SEC anticipates that 14 ATSs will be required to be compliant. • It is unknown whether other business systems such as a shared drive system or phone system are within the scope. Reg SCI – Applicability Tellefsen and Company, L.L.C. 2013-2015

8.  Establish policies and supervisory procedures relating to the capacity, integrity, resiliency and security of its technology systems.  Ensure its systems operate in the manner intended, including in compliance with relevant federal securities laws and rules.  Take timely corrective action in response to systems disruptions, systems compliance issues and systems intrusions.  Notify and provide the SEC with detailed information when such systems issues occur, systems intrusions, and when there are material changes in its systems. Written notices of “SCI Events” will be reported to members and market participants and filed electronically to the SEC on Form SCI.  Inform its members or participants about certain systems problems and provide information about the systems and market participants affected by the problem and the progress of corrective action. SCI Entities - Requirements: Tellefsen and Company, L.L.C. 2013-2015

9.  Provide quarterly notice to the SEC of any material system changes, including completed, ongoing and planned material changes to SCI systems and the security of indirect SCI systems, during the prior, current and subsequent calendar quarters.  Conduct an annual review of its compliance with Regulation SCI, and submit a report of the annual review to its senior management and the SEC.  Plan and engage in annual business continuity and disaster recovery testing.  Designate certain individuals or firms to participate in the testing of its business continuity and disaster recovery plans, and coordinate such testing with other entities on an industry- or sector-wide basis.  Demonstrate systems testing, test results and related capabilities to SEC staff on-site during inspections. SCI Entities Requirements (Cont’d)… Tellefsen and Company, L.L.C. 2013-2015

10.  The SEC has granted Safe Harbor protection from liability to individuals within SCI Entities who reasonably discharge their Reg SCI compliance responsibilities under their policies, procedures and controls.  Reg SCI is effective 60 days after publication in the Federal Register, and SCI Entities must comply with the requirements within 9 months of the effective date.  ATSs that satisfy volume threshold levels for the first time will be granted an additional 6 months from that time to comply.  SCI Entities will have 21 months from the effective date to comply with the industry or sector wide BC/DR testing requirement. SCI Entities Requirements (Cont’d)… Tellefsen and Company, L.L.C. 2013-2015

11. • Reg SCI entities need to ensure their written policies and procedures are up to date. • Problem tracking systems must actively capture problems, problem identification, cause/effect and resolution. • Regular reporting to the SEC is required: – Ad-hoc incident reporting – Quarterly reports of planned and material system changes – Annual Reg SCI Review Policies, Procedures and Reporting Tellefsen and Company, L.L.C. 2013-2015

12. • Reg SCI entities need a comprehensive testing regimen in order to be compliant. • Functional and non-functional testing of applicable Reg SCI ecosystems. • Comprehensive test regimens for quality assurance, regression, capacity, stress, failover/recovery, user acceptance etc. • Development and maintenance of a test repository and active analysis of production data. • Need for industry insight and domain market structure expertise in the design, planning and execution of industry test initiatives. • Independent test execution, oversight and reporting. • Assistance with preparation of annual Reg SCI compliance report to SEC. Reg SCI Testing and Oversight Tellefsen and Company, L.L.C. 2013-2015

13. Exactpro Systems Company Overview Exactpro is: Our clients’ location: • A specialist firm focused on functional and non functional testing of systems that process wholesale financial products, particularly market infrastructure • A US company registered and head-quartered in San Rafael, California, with four QA & development centres in Russia and sales support in the UK • An independent company incorporated in 2009 with 10 people, has experienced phenomenal growth as satisfied clients consume more services - now employing over 280 specialists

14. Exactpro Systems Existing Customers Include: • Several major stock exchange & ATS clients with low latency trading platforms • A market leading Equities dark pool • Several post trade clearing houses • A leading SEF • A leading global derivatives (financial and commodities) broker • A significant commodity exchange and its clearing arm • A major investment bank specializing in emerging markets • A global equities broker offering program and single name execution • A software provider of adaptive trading technologies for international buy- and sell-side firms

15. 100% Focused on Systems that Process Financial Products, with Particular Focus on Electronic Trading Financial Products Platforms Pre and Post Trade; -Commodities, Derivatives Equities, Fixed Income, FX Deal Capture & Position Keeping Risk Management Middle Office Clearing and Settlement Messaging Reference Data Order and Execution Management Market Venue Connectivity Smart Order Routing Algorithmic Trading Matching Engines Market Data Distribution

16. Highly Effective in all of these Aspects of Quality Assurance Quality Assurance: test planning and management Latency & capacity testing Intelligent Management of Large Data Sets Process audit and test coverage analysis Automated regression testing Gathering requirements and test scenario creation (human, message & reporting interfaces) Intelligent functional and exploratory testing Creating and productizing state-of-the-art test harnesses Test automation Test data management Protocol level testing using FIX/FAST, SOAP, HTTP, ITCH, SWIFT, MQ, SQL, proprietary binary and text based data formats, etc.

17. Exactpro’s Bespoke Test Automation Suite ClearTH: • Post-Trade testing tool • Verifies each stage of the DLC • Integrated schedule • Automated matrices • Can create multiple days test scenarios • Concurrent multiple tests • Integrated simulators • SWIFT ISO protocol support MiniRobots: • Executes multithreaded java code • Complexity of test algorithms is defined by the test developer • Supports multiple client fix connections, order entry and market data via FIX • Can use GUI to iterate through sent and received messages Dolphin: • Model-based testing of market surveillance systems • Production-scale capacity and throughput • Interactive real-time alerts and reports Shsha: • Post-transactional tool • Analyzes clients' activity and forecasts system response • Parses and displays logs in a user-friendly way • Parses messages and then puts each to a data base table where each column corresponds to each message field • Allows making summarized reports, etc • Easy to understand GUI Load Injector: • Simulates multiple client connections with a specified load shape for each connection or a group of connections • Up to 75K messages / second from a single CPU core • Measures latencies in microsecond range • Performance test reports Sailfish: • Can test Order Entry, Market Data and Post Trade connections in one test scenario • Each test scenario is independent • Allows running test scripts in any sequence • Simulation of multiple user connections • Server simulators • All messages are stored into a data base • Generates test reports

18. Some of our Dynamic & Talented Team

19. • Exactpro Systems has introduced a marketing partnership with Tellefsen and Company (TCL), a management consulting firm founded in 1984 to provide counsel and professional services to meet the growing needs of the financial services industry. • TCL has a market structure practice and core competency and depth of experience in assisting exchanges, clearing houses and ATS in complying with regulatory guidelines. • TCL has conducted numerous technology reviews for clients in the last several years, including investment management firms, ATS, clearing houses and exchanges. • TCL has also counseled and guided our clients through the preparation for regulatory designation reviews and inspections by the CFTC, FINRA and the SEC. • TCL’s mission-critical systems expertise includes trading systems, market data dissemination, clearing, risk management and market surveillance components. Marketing Partnership with Tellefsen and Company Tellefsen and Company, L.L.C. 2013-2015

20. • Experience with prior client assignments has included the development of testing, compliance documentation and procedures for trading and operations management, including:  Business impact analysis  Business continuity management  Capacity planning  Systems development methodology  Acceptance testing  Configuration and release management  Network management  Problem management/problem tracking  Information and physical security  Failover, stress and capacity testing TCL’s Market Structure, Compliance and Automation Review Expertise Tellefsen and Company, L.L.C. 2013-2015

21. • Our firm brings unique market insight and market micro structure experience to client assignments • Development and audit of business continuity plans, systems failover and fall back testing strategies and plans are a core competency of our firm, as is systems quality assurance and acceptance testing • We have provided independent test oversight and test results attestation for various exchanges, clearing houses and numerous market participants. TCL’s Market Structure Expertise (Cont’d) … Tellefsen and Company, L.L.C. 2013-2015

22. How Does This Apply to Regulation SCI Experienced people with great tools that can hit the ground running to test and provide evidence in a cost effective fashion A range of well organised testing services that cover several of the aspects essential for Reg SCI compliance - All test evidence captured from an easy to report from test repository 1. Conventional Non Functional Testing: • Load test to establish the reasonable current and future capacity planning estimates • Capacity stress tests of systems to determine their ability to process transactions in an accurate, timely, and efficient manner • Failover & recovery tests to verify backup, contingency and disaster recovery capabilities, including geographically diverse locations 2. Conventional Functional Testing: • Efficient testing to exercise all key functionality and data set-up • Positive and negative tests to identify vulnerabilities pertaining to internal and external threats, physical hazards, and natural or manmade disasters • All test evidence per run stored within an easy to access and report test repository • Automated Regression testing of subsequent releases and reporting of all relevant changes within the system 3. Testing at the Confluence of Functional and Non Functional Testing: • High frequency and algorithmic trading activity simulations • Testing to assure systems capacity, integrity, resiliency, availability and security under realistic participants load • Modeling of all data inputs and outputs from system to evaluate the behavior within normal operational and outage scenarios 4. Production Data Analysis: • Capture and Analyze data from production to understand real usage • Monitor and investigate production events • Feedback to refine test coverage for subsequent versions • Bringing QA perspective into operational support

23. Tellefsen and Company, L.L.C. John Rapa, President/CEO 1-212 809 3800 JJR@Tellefsen.com http://www.tellefsen.com Exactpro Systems, LLC Iosif Itkin, Co-Founder/Co-CEO +7 495 640 2460 iosif.itkin@exactprosystems.com http://www.exactpro.com/ For More Information, Contact

SEC Regulation SCI Automation Review Compliance

SEC Regulation SCI Automation Review Compliance

Recommandé

Contenu connexe

Tendances

Tendances(16)

En vedette

En vedette(17)

Similaire à SEC Regulation SCI Automation Review Compliance

Similaire à SEC Regulation SCI Automation Review Compliance(20)

Plus de Iosif Itkin

Plus de Iosif Itkin(20)

Dernier

Dernier(20)

SEC Regulation SCI Automation Review Compliance