Document headings vary by document type but may contain the following:
See the Document Drafting Handbook for more details.
Upon Written Request, Copies Available From: Securities and Exchange Commission, Office of FOIA Services, 100 F Street NE, Washington, DC 20549-2736.
Notice is hereby given that pursuant to the Paperwork Reduction Act of 1995 (“PRA”) (44 U.S.C. 3501 et seq.), the Securities and Exchange Commission (“Commission”) is soliciting comments on the collection of information provided for in Regulation Systems Compliance and Integrity (“Regulation SCI”) (17 CFR 242.1000-1007) and Form SCI (17 CFR 249.1900) under the Securities Exchange Act of 1934 (“Exchange Act”) (15 U.S.C. 78a et seq.). The Commission plans to submit this existing collection of information to the Office of Management and Budget (“OMB”) for extension and approval.
Regulation SCI requires certain key market participants to, among other things: (1) have comprehensive policies and procedures in place to help ensure the robustness and resiliency of their technological systems, and also that their technological systems operate in compliance with the federal securities laws and with their own rules; and (2) provide certain notices and reports to the Commission to improve Commission oversight of securities market infrastructure.
Regulation SCI advances the goals of the national market system by enhancing the capacity, integrity, resiliency, availability, and security of the automated systems of entities important to the functioning of the U.S. securities markets, as well as reinforcing the requirement that such systems operate in compliance with the Exchange Act and rules and regulations thereunder, thus strengthening the infrastructure of the U.S. securities markets and improving its resilience when technological issues arise. In this respect, Regulation SCI establishes an updated and formalized regulatory framework, thereby helping to ensure more effective Commission oversight of such systems.
Respondents consist of national securities exchanges and associations, registered clearing agencies, exempt clearing agencies, plan processors, and alternative trading systems. There are currently 48 respondents, and the Commission staff estimates that, on average, 2 new respondents may become SCI entities each year, 1 of which would be a self-regulatory organization (“SRO”). Accordingly, Commission staff estimates that over the next three years there will be an average of 50 respondents per year.
In addition, in December 2020, the Commission adopted amendments to Regulation SCI in connection with updates to the national market system for the collection, consolidation, and dissemination of information with respect to quotations for and transactions in national market system (“NMS”) stocks (“Infrastructure Amendments”). Specifically, the Commission adopted a definition of “SCI competing consolidator” that will subject competing consolidators to Regulation SCI, after a transition period, if they are above a specified consolidated market data gross revenue threshold. The Infrastructure Amendments increased the number of respondents to the collections of information in Regulation SCI, and the Commission estimates that seven competing consolidators will meet this definition and be subject to the requirements of Regulation SCI.
See Securities Exchange Act Release No. 34-90610 (December 9, 2020), 86 FR 18596 (April 9, 2021) (File No. S7-03-20) (“Infrastructure Adopting Release”).
Some of these respondents were estimated to incur no, or only part of, the estimated initial burdens because they were already subject to Regulation SCI ( i.e., as plan processors, SROs or affiliates of SROs).
Rule 1001(a) requires each SCI entity to establish, maintain, and enforce written policies and procedures reasonably designed to ensure that its SCI systems and, for purposes of security standards, indirect SCI systems, have levels of capacity, integrity, resiliency, availability, and security, adequate to maintain the SCI entity's operational capability and promote the maintenance of fair and orderly markets. The Commission staff estimates that the total annual initial recordkeeping burden for 7 new respondents will be 4,511 hours, and the annual ongoing recordkeeping burden for all 55 respondents will be, on average, 12,760 hours. The Commission staff estimates that the 7 new respondents would incur, on average, an annual initial internal cost of compliance of $1,696,578, as well as outside legal or consulting costs of $305,500. In addition, all respondents will incur, on average, an estimated ongoing annual internal cost of compliance of $4,801,060.
Rule 1001(b) requires each SCI entity to establish, maintain, and enforce written policies and procedures reasonably designed to ensure that its SCI systems operate in a manner that complies with the Exchange Act and the rules and regulations thereunder and the entity's rules and governing documents, as applicable. The Commission staff estimates that the total annual initial recordkeeping burden for 7 new respondents will be 1,755 hours, and the annual ongoing recordkeeping burden for all respondents will be, on average, 8,105 hours. The Commission staff estimates that the 7 new respondents would incur an initial internal cost of compliance of $628,160, as well as outside legal or consulting costs of $175,500. In addition, all respondents will incur, on average, an estimated ongoing annual internal cost of compliance of $2,881,660.
Rule 1001(c) requires each SCI entity to establish, maintain, and enforce reasonably designed written policies and procedures that include the criteria for identifying responsible SCI personnel, the designation and documentation of responsible SCI personnel, and escalation procedures to quickly inform responsible SCI personnel of potential SCI events. The Commission staff estimates that the total annual initial recordkeeping burden for 7 new respondents will be 741 hours, and the annual ongoing recordkeeping burden for all respondents will be, on average, 2,145. The Commission staff estimates that the 7 new respondents would incur an initial internal cost of compliance of $309,868, and all respondents will incur, on average, an estimated ongoing annual internal cost of compliance of $958,485.
Rule 1004 requires each SCI entity to establish standards for the designation of certain members or participants for BC/DR plan testing, to designate members or participants in accordance with these standards, to require participation by designated members or participants in such testing at least annually, and to coordinate such testing on an industry- or sector-wide basis with other SCI entities. The Commission staff estimates that the total annual initial recordkeeping burden for 9 new respondents will be 2,700 hours, and the annual ongoing recordkeeping burden for all respondents that are not plan processors will be, on average, 7,425 hours. The Commission staff estimates that the 7 new respondents would incur an initial internal cost of compliance of $902,865. In addition, all respondents that are not plan processors will incur, on average, an estimated ongoing annual internal cost of compliance of $2,217,600. In addition, the Commission staff estimates that the 2 plan processor respondents will incur an estimated ongoing annual cost of $108,000 for outside legal services ($54,000 per plan processor respondent × 2 respondents).
Rule 1002(b)(1) requires each SCI entity, upon any responsible SCI personnel having a reasonable basis to conclude that an SCI event has occurred, to notify the Commission immediately. The Commission staff estimates that the total annual ongoing burden for all 55 respondents will be, on average, 440 hours. The Commission staff estimates that respondents will incur, on average, an estimated ongoing annual internal cost of compliance of $151,882.50.
Rule 1002(b)(2) requires each SCI entity, within 24 hours of any responsible SCI personnel having a reasonable basis to conclude that the SCI event has occurred, to submit a written notification to the Commission pertaining to the SCI event on a good faith, best efforts basis. These notifications are required to be submitted on Form SCI. The Commission staff estimates that the total annual ongoing burden for all 55 respondents will be, on average, 6,600 hours. The Commission staff estimates that respondents will incur, on average, an estimated ongoing annual internal cost of compliance of $2,427,325.
Rule 1002(b)(3) requires each SCI entity to provide updates to the Commission pertaining to an SCI event on a regular basis, or at such frequency as reasonably requested by a representative of the Commission, until the SCI event is resolved and the SCI entity's investigation of the SCI event is closed. The Commission staff estimates that the total annual ongoing burden for all 55 respondents will be, on average, 578 hours. The Commission staff estimates that all respondents will incur, on average, an estimated ongoing annual internal cost of compliance of $202,235.
Rule 1002(b)(4) requires each SCI entity to submit written interim reports, as necessary, and a written final report regarding an SCI event to the Commission. These reports are required to be submitted on Form SCI. The Commission staff estimates that the total annual ongoing burden for all 55 respondents will be, on average, 9,625 hours. The Commission staff estimates that all respondents will incur, on average, an estimated ongoing annual internal cost of compliance of $3,795,800.
Rule 1002(b)(5) requires each SCI entity to submit to the Commission quarterly reports containing a summary description of any systems disruption or systems intrusion that has had, or the SCI entity reasonably estimates would have, no or a de minimis impact on the SCI entity's operations or on market participants. These reports are required to be submitted on Form SCI. The Commission staff estimates that the total annual ongoing burden for all 55 respondents will be, on average, 8,800 hours. The Commission staff estimates that respondents will incur, on average, an estimated ongoing annual internal cost of compliance of $3,329,040.
In addition, the Commission staff estimates that all 55 respondents will incur, on average, annual costs of $319,000 for outside legal advice in preparation of certain notifications required by Rule 1002(b).
Rule 1002(c)(1)(i) requires each SCI entity, promptly after any responsible SCI personnel has a reasonable basis to conclude that an SCI event (other than a systems intrusion) has occurred, to disseminate certain information to its members or participants. The Commission staff estimates that the total annual ongoing burden for all 55 respondents will be, on average, 1,155 hours. The Commission staff estimates that all respondents will incur, on average, an estimated ongoing annual internal cost of compliance of $506,815.
Rule 1002(c)(1)(ii) requires each SCI entity, when known, to promptly disseminate additional information about an SCI event (other than a systems intrusion) to its members or participants. Rule 1002(c)(1)(iii) requires each SCI entity to provide to its members or participants regular updates of any information required to be disseminated under Rules 1002(c)(1)(i) and (ii) until the SCI event is resolved. The Commission staff estimates that the total annual ongoing burden for all 55 respondents will be, on average, 6,435 hours. The Commission staff estimates that all respondents will incur, on average, an estimated ongoing annual internal cost of compliance of $2,841,795.
Rule 1002(c)(2) requires each SCI entity to disseminate certain information regarding a systems intrusion to its members or participants, and provides an exception when the SCI entity determines that dissemination of such information would likely compromise the security of its SCI systems or indirect SCI systems, or an investigation of the systems intrusion, and documents the reasons for such determination. The Commission staff estimates that the total annual ongoing burden for all 55 respondents will be, on average, 550 hours. The Commission staff estimates that all respondents will incur, on average, an estimated ongoing annual internal cost of compliance of $242,330.
In addition, the Commission staff estimates that all 55 respondents will incur, on average, annual costs of $182,600 for outside legal advice in preparation of certain notifications required by Rule 1002(c).
Rule 1003(a)(1) requires each SCI entity to submit to the Commission quarterly reports describing completed, ongoing, and planned material changes to its SCI systems and security of indirect SCI systems during the prior, current, and subsequent calendar quarters. These reports are required to be submitted on Form SCI. The Commission staff estimates that the total annual ongoing burden for all 55 respondents will be, on average, 27,500 hours. The Commission staff estimates that all respondents will incur, on average, an estimated ongoing annual internal cost of compliance of $9,204,800.
Rule 1003(a)(2) requires each SCI entity to promptly submit a supplemental report notifying the Commission of a material error in or material omission from a report previously submitted under Rule 1003(a)(1). These reports are required to be submitted on Form SCI. The Commission staff estimates that the total annual ongoing burden for all 55 respondents will be, on average, 825 hours. The Commission staff estimates that all respondents will incur, on average, an estimated ongoing annual internal cost of compliance of $293,040.
Rule 1003(b)(1) requires each SCI entity to conduct an SCI review of its compliance with Regulation SCI not less than once each calendar year, with an exception for penetration test reviews, which are required to be conducted not less than once every three years. Rule 1003(b)(1) also provides an exception for assessments of SCI systems directly supporting market regulation or market surveillance, which are required to be conducted at a frequency based on the risk assessment conducted as part of the SCI review, but in no case less than once every three years. Rule 1003(b)(2) requires each SCI entity to submit a report of the SCI review to senior management no more than 30 calendar days after completion of the review. The Commission staff estimates that the total annual ongoing burden for all 55 respondents will be, on average, 37,950 hours. The Commission staff estimates that all respondents will incur, on average, an estimated ongoing annual internal cost of compliance of $13,623,225.
Rule 1003(b)(3) requires each SCI entity to submit the report of the SCI review to the Commission and to its board of directors or the equivalent of such board, together with any response by senior management, within 60 calendar days after its submission to senior management. These reports are required to be submitted on Form SCI. The Commission staff estimates that the total annual ongoing burden for all 55 respondents will be, on average, 55 hours. The Commission staff estimates that all respondents will incur, on average, an estimated ongoing annual internal cost of compliance of $25,410.
In addition, the Commission staff estimates that all respondents will incur, on average, annual costs of $2,750,000 for outside legal advice in preparation of certain notifications required by Rule 1003(b).
Rule 1006 requires each SCI entity, with a few exceptions, to file any notification, review, description, analysis, or report to the Commission required under Regulation SCI electronically on Form SCI through the EFFS. An SCI entity will submit to the Commission an EAUF to register each individual at the SCI entity who will access the EFFS system on behalf of the SCI entity. The Commission staff estimates that the total annual initial burden for 7 new respondents will be 2 hours, and the annual ongoing burden for all respondents will be, on average, 8 hours. The Commission staff estimates that the 7 new respondents would incur an initial internal cost of compliance of $903. In addition, all 55 respondents will incur, on average, an estimated ongoing annual internal cost of compliance of $3,795, as well as outside costs to obtain a digital ID of $2,750.
Rule 1002(a) requires each SCI entity, upon any responsible SCI personnel having a reasonable basis to conclude that an SCI event has occurred, to begin to take appropriate corrective action. The Commission staff estimates that the total annual initial recordkeeping burden for 7 new respondents will be 741 hours, and the annual ongoing recordkeeping burden for all 55 respondents will be, on average, 2,145 hours. The Commission staff estimates that the 7 new respondents would incur an initial internal cost of compliance of $309,868. In addition, all 55 respondents will incur, on average, an estimated ongoing annual internal cost of compliance of $949,190.
Rule 1003(a)(1) requires each SCI entity to establish reasonable written criteria for identifying a change to its SCI systems and the security of indirect SCI systems as material. The Commission staff estimates that the total annual initial recordkeeping burden for 7 new respondents will be 741 hours, and the annual ongoing recordkeeping burden for all 55 respondents will be, on average, 1,485 hours. The Commission staff estimates that the 7 new respondents would incur an initial internal cost of compliance of $309,868. In addition, all 55 respondents will incur, on average, an estimated ongoing annual internal cost of compliance of $711,095.
Regulation SCI also requires SCI entities to identify certain types of events and systems. The Commission staff estimates that the total annual initial recordkeeping burden for 7 new respondents will be 1,287 hours, and the annual ongoing recordkeeping burden for all 55 respondents will be, on average, 2,145 hours. The Commission staff estimates that the 7 new respondents would incur an initial internal cost of compliance of $507,936. In addition, all 55 respondents will incur, on average, an estimated ongoing annual internal cost of compliance of $949,190.
Rules 1005 and 1007 establish recordkeeping requirements for SCI entities other than SROs. The Commission staff estimates that for 6 new respondents that are not SROs the average annual initial burden would be 935 hours, and the annual ongoing burden for all 19 respondents will be, on average, 475 hours. The Commission staff estimates that 6 new respondents would incur an estimated internal initial internal cost of compliance of $72,930, as well as a one-time cost of $5,400 to modify existing recordkeeping systems. In addition, all 19 respondents will incur, on average, an estimated ongoing internal cost of compliance of $37,050.
The Commission estimates that the increase in the number of SCI entities raises the total industry annual burden hours to 150,619 hours and costs to $3,848,749 respectively.
Written comments are invited on: (a) whether the proposed collection of information is necessary for the proper performance of the functions of the Commission, including whether the information shall have practical utility; (b) the accuracy of the Commission's estimates of the burden of the proposed collection of information; (c) ways to enhance the quality, utility, and clarity of the information to be collected; and (d) ways to minimize the burden of the collection of information on respondents, including through the use of automated collection techniques or other forms of information technology. Consideration will be given to comments and suggestions submitted by December 23, 2024.
An agency may not conduct or sponsor, and a person is not required to respond to, a collection of information under the PRA unless it displays a currently valid OMB control number.
Please direct your written comments to: Austin Gerig, Director/Chief Information Officer, Securities and Exchange Commission, c/o Tanya Ruttenberg, 100 F Street NE, Washington, DC 20549, or send an email to: PRA_Mailbox@sec.gov.
Dated: October 18, 2024.
J. Matthew DeLesDernier,
Deputy Secretary.
[FR Doc. 2024-24577 Filed 10-22-24; 8:45 am]
BILLING CODE 8011-01-P