Thank you, Chair Gensler, and thank you to the staff for their presentation. The Commission adopted Regulation SCI in 2014 to address perceived technological vulnerabilities, improve Commission oversight, and mitigate the risk of technical “single points of failure” in the securities market.[1] Given its substantial burdens, Regulation SCI was narrowly applied to key participants, including the stock and options exchanges, registered and certain exempt clearing agencies, FINRA and the MSRB, alternative trading systems that trade stocks exceeding specified volume thresholds, and market data processors. Today, the Commission considers an expansion of Regulation SCI’s scope to include registered security-based swap data repositories (SBSDRs), registered broker-dealers exceeding certain asset or transaction activity thresholds, and additional exempt clearing agencies.

The entities covered by the expanded scope are very different businesses. A security-based swap data repository differs from a broker-dealer – and they are both quite different than FINRA and the MSRB. Moreover, each of these entities are subject to separate, existing regulatory frameworks covering much of the same ground as Regulation SCI. Yet, Regulation SCI is being imposed as a blanket new regulation. Adding a new layer of regulation, without tailoring to the different business models and their existing regulatory frameworks, is almost certain to result in unnecessary costs.

For example, the Commission established a regulatory framework for SBSDRs in 2015.[2] Specifically, Rule 13n-6 is “a broad, principles-based operational risk rule”[3] that requires that SBSDRs to “establish, maintain, and enforce written policies and procedures reasonably designed to ensure that their systems provide adequate levels of capacity, integrity, resiliency, availability, and security.”[4] In fact, the existing SBSDR rules “not only addresses SBSDR operational risk, but also other SBSDR enumerated duties, including registration, market access to services and data, governance arrangements, conflicts of interest, data collection and maintenance, privacy and disclosure requirements, and chief compliance officers.”[5]

Today’s proposal purports to complement Rule 13n-6. So what does Regulation SCI add to the existing rule? Under the proposal, Regulation SCI would require “specific elements for infrastructure planning, up-to-date development and testing methodology, regular systems reviews and testing, BC/DR [business continuity/disaster recovery] planning, monitoring for SCI events, and standards to facilitate successful collection, processing, and dissemination of market data.”[6] Yet the proposing release fails to make anything near to a compelling argument that the benefits, if any, of these highly prescriptive features are a significant improvement over existing Rule 13n-6.

But that is not all. SBSDRs are also already registered with the CFTC as swap data repositories and are subject to the CFTC’s SDR System Safeguards rule.[7] The CFTC rule requires SBSDRs to have programs of risk analysis and oversight for their operations and automated systems that address: (1) information security; (2) business continuity and disaster recovery planning and resources; (3) capacity and performance planning; (4) systems operations; (5) systems development and quality assurance; (6) physical security and environmental controls; and (7) enterprise risk management.[8] Again, the Commission provides sparse analysis in the proposing release on the additional benefits from Regulation SCI over the CFTC rule, other than the implicit suggestion that current CFTC oversight of SBSDRs is insufficient.

There are similar concerns with applying Regulation SCI to large broker-dealers given the existing regulatory framework from both the Commission and FINRA. For example, these entities are subject to the Commission’s Market Access Rule,[9] under which they “must establish, document, and maintain a system of risk management controls and supervisory procedures reasonably designed to manage the financial, regulatory, and other risks of this business activity.”[10] The Market Access Rule requires “that the financial risk management controls and supervisory procedures must be reasonably designed to limit systematically the financial exposure of the broker or dealer that could arise from market access … [and] requires that regulatory risk management controls and supervisory procedures be reasonably designed to ensure compliance with all regulatory requirements.”[11] Broker-dealers are further subject to other rules with respect to financial responsibility, record-keeping rules, business continuity and disaster recovery plans, and supervisory obligations for outsourcing.[12]

Despite the existing regulations, the Commission summarily “believes that additional protections, reporting of systems problems, and direct Commission oversight of broker-dealer technology is appropriate for the largest broker-dealers.”[13] This statement assumes that the Commission and its staff are most knowledgeable and best positioned to directly oversee registrants’ technology, but I find this assumption questionable.

But we are not yet done with adding more layers of regulation. Concurrently, the Commission is issuing proposals that would establish minimum cybersecurity rules for all broker-dealers and would revise the safeguard rule in Regulation S-P. The cybersecurity provisions in those proposals appear to overlap with portions of the Regulation SCI proposal.

If the Commission has concerns, it would be far better to explore whether the current rules can be improved as opposed to simply layering on Regulation SCI. In light of the foregoing, I cannot support the proposal. I thank the staff in the Divisions of Trading and Markets and Economic and Risk Analysis as well as the Office of the General Counsel for their efforts.