EquitiesAmerica.com

Regulation SCI

Regulation SCI (Systems Compliance and Integrity), adopted by the SEC in 2014, requires designated market participants — including national securities exchanges, registered clearing agencies, plan processors, and large alternative trading systems — to establish and maintain policies and procedures to ensure the robustness, resiliency, and security of their technology systems that support trading, clearance, settlement, and market data.

Technology failures at market infrastructure firms can cascade rapidly across the entire U.S. equity market, disrupting price discovery, investor access, and settlement processes. Before Regulation SCI, market infrastructure technology standards were governed largely by informal SEC guidance known as the Automation Review Policy, which lacked binding legal force and provided no consistent compliance framework. The 2010 Flash Crash and several high-profile systems failures at exchanges and clearing agencies in the early 2010s accelerated the SEC's push to codify binding technology standards.

Regulation SCI applies to SCI entities, a defined category that includes national securities exchanges, registered securities associations, registered clearing agencies, plan processors (which operate consolidated market data feeds), and any ATS that crosses specified volume thresholds. These entities must comply with requirements spanning four domains: systems capacity, systems integrity, systems security, and systems availability.

SCI entities must establish written policies and procedures reasonably designed to ensure that their systems have adequate capacity, operate as intended, are protected from unauthorized access, and are available to market participants during required operating hours. Capacity planning requires regular stress-testing against peak volume scenarios. Integrity requirements address defects in code and operational logic. Security standards require vulnerability assessments and penetration testing.

A critical operational requirement is the SCI event reporting process. When an SCI entity experiences a systems disruption, an intrusion, or a significant systems compliance issue, it must notify the SEC promptly and, for certain events, notify affected market participants. Events are classified by severity, with the most significant triggering mandatory post-incident reviews and reports to the SEC's Board of Directors or equivalent governing body.

Regulation SCI also mandates that SCI entities conduct annual reviews of their compliance programs, engage in regular business continuity testing, and maintain documented backup and recovery procedures. Entities must also review the policies and procedures of third-party service providers who support critical systems.

For market participants that are not themselves SCI entities — such as broker-dealers and institutional investors — Regulation SCI is relevant because systems failures at SCI entities directly affect their ability to execute trades, receive market data, and complete settlements. Understanding the notification and remediation obligations of SCI entities helps institutional operations teams anticipate communication flows during market disruption events.


Educational only. This glossary entry is for informational purposes and does not constitute investment, tax, or legal guidance. Please consult a registered investment professional before making any investment decision.