Download:
pdf |
pdfSUPPORTING STATEMENT
for the Paperwork Reduction Act Information Collection Submission for
Regulation SCI
This submission is being made pursuant to the Paperwork Reduction Act of 1995, 44 U.S.C.
Section 3501 et seq.
A.
JUSTIFICATION
1.
Necessity of Information Collection
Section 11A(a)(2) of the Securities Exchange Act of 1934 (“Exchange Act”), 1 enacted as
part of the Securities Acts Amendments of 1975 (“1975 Amendments”), 2 directs the
Commission, having due regard for the public interest, the protection of investors, and the
maintenance of fair and orderly markets, to use its authority under the Exchange Act to facilitate
the establishment of a national market system for securities in accordance with the Congressional
findings and objectives set forth in Section 11A(a)(1) of the Exchange Act. 3 Among the findings
and objectives in Section 11A(a)(1) is that “[n]ew data processing and communications
techniques create the opportunity for more efficient and effective market operations” 4 and “[i]t is
in the public interest and appropriate for the protection of investors and the maintenance of fair
and orderly markets to assure…the economically efficient execution of securities transactions.” 5
In addition, Sections 6(b), 15A, and 17A(b)(3) of the Exchange Act impose obligations on
national securities exchanges, national securities associations, and clearing agencies,
respectively, to be “so organized” and “[have] the capacity to…carry out the purposes of [the
Exchange Act].” 6
The U.S. securities markets have been transformed by regulatory and related
technological developments in recent years. They have, among other things, substantially
enhanced the speed, capacity, efficiency, and sophistication of the trading functions that are
available to market participants. At the same time, these technological advances have generated
an increasing risk of operational problems with automated systems, including failures,
disruptions, delays, and intrusions. Given the speed and interconnected nature of the U.S.
securities markets, a seemingly minor systems problem at a single entity can quickly create
losses and liability for market participants, and spread rapidly across the national market system,
potentially creating widespread damage and harm to market participants, including investors.
1
15 U.S.C. 78k-1(a)(2).
2
Pub. L. 94-29, 89 Stat. 97 (1975).
3
15 U.S.C. 78k-1(a)(1).
4
15 U.S.C. 78k-1(a)(1)(B).
5
15 U.S.C. 78k-1(a)(1)(C)(i).
6
See 15 U.S.C. 78f(b)(1), 78o-3(b)(2), 78q-1(b)(3), respectively. See also 15 U.S.C. 78b,
and 15 U.S.C. 78s.
�2
This transformation of the U.S. securities markets has occurred in the absence of a formal
regulatory structure governing the automated systems of key market participants. Instead, for
over two decades, Commission oversight of the technology of the U.S. securities markets has
been conducted primarily pursuant to a voluntary set of principles articulated in the
Commission’s ARP Policy Statements, 7 applied through the Commission’s Automation Review
Policy inspection program (“ARP Inspection Program”). 8 Commission staff subsequently
provided additional guidance regarding various aspects of the ARP Inspection Program through
letters to ARP entities, including recommendations regarding reporting planned systems changes
and systems issues to the Commission. National securities exchanges, national securities
associations, registered clearing agencies, plan processors, one ATS, and one exempt clearing
agency currently participate in the ARP Inspection Program.
In 1998, the Commission adopted Regulation ATS which, among other things, imposed
by rule certain aspects of the ARP Policy Statements on significant-volume ATSs. 9 Currently,
the Commission believes that one ATS is subject to these Regulation ATS requirements.
In November 2014, the Commission adopted Regulation Systems Compliance and
Integrity (“Regulation SCI”) 10 to require certain key market participants to, among other things:
(1) have comprehensive policies and procedures in place to help ensure the robustness and
resiliency of their technological systems, and also that their technological systems operate in
compliance with the federal securities laws and with their own rules; and (2) provide certain
notices and reports to the Commission to improve Commission oversight of securities market
infrastructure. Regulation SCI was adopted to update, formalize, and expand the Commission’s
ARP Inspection Program, and, with respect to SCI entities, to supersede and replace the
Commission’s ARP Policy Statements, as well as certain rules regarding systems capacity,
integrity, and security in Rule 301(b)(6) of Regulation ATS that relate to ATSs that trade NMS
and non-NMS stocks. 11
A confluence of factors contributed to the Commission’s adoption of Regulation SCI and
to the Commission’s determination that it is necessary and appropriate at this time to address the
technological vulnerabilities, and improve Commission oversight, of the core technology of key
U.S. securities markets entities, including national securities exchanges and associations,
7
See Securities Exchange Act Release Nos. 27445 (November 16, 1989), 54 FR 48703
(November 24, 1989) (“ARP I”) and 29185 (May 9, 1991), 56 FR 22490 (May 15, 1991)
(“ARP II” and, together with ARP I, the “ARP Policy Statements”).
8
In February 2014, the ARP Inspection Program was renamed the Technology Controls
Program.
9
See 17 CFR 242.301(b)(6).
10
Securities and Exchange Act Release No. 34-73639 (November 19, 2014), 79 FR 72251
(December 5, 2014).
11
See 17 CFR 242.301(b)(6)(i)(A) and 17 CFR 242.301(b)(6)(i)(B).
�3
significant alternative trading systems, clearing agencies, and plan processors. These
considerations include: the evolution of the markets to become significantly more dependent
upon sophisticated, complex and interconnected technology; the current successes and
limitations of the ARP Inspection Program; a significant number of, and lessons learned from,
recent systems issues at exchanges and other trading venues; increased concerns over “single
points of failure” in the securities markets; and the views of a wide variety of commenters
received in response to the proposing release for Regulation SCI. 12
The Commission acknowledges that the nature of technology and the level of
sophistication and automation of current market systems prevent any measure, regulatory or
otherwise, from completely eliminating all systems disruptions, intrusions, or other systems
issues. However, the Commission believes that the adoption of, and compliance by SCI entities
with Regulation SCI will advance the goals of the national market system by enhancing the
capacity, integrity, resiliency, availability, and security of the automated systems of entities
important to the functioning of the U.S. securities markets, as well as reinforce the requirement
that such systems operate in compliance with the Exchange Act and rules and regulations
thereunder, thus strengthening the infrastructure of the U.S. securities markets and improving its
resilience when technological issues arise. In this respect, Regulation SCI establishes an updated
and formalized regulatory framework, thereby helping to ensure more effective Commission
oversight of such systems.
As adopted, Rule 1001(a) requires each SCI entity to establish, maintain, and enforce
written policies and procedures for systems capacity, integrity, resiliency, availability, and
security. Rule 1001(b) requires each SCI entity to establish, maintain, and enforce written
policies and procedures to ensure that its SCI systems operate in a manner that complies with the
Exchange Act, the rules and regulations thereunder, and the SCI entity’s rules and governing
documents, as applicable. Rule 1001(c) requires each SCI entity to establish, maintain, and
enforce written policies and procedures for the identification, designation, and documentation of
responsible SCI personnel and escalation procedures. Rule 1002(a) requires each SCI entity to
begin to take appropriate corrective action upon any responsible SCI personnel having a
reasonable basis to conclude that an SCI event has occurred. Rule 1002(b) requires each SCI
entity to notify the Commission of certain SCI events. Rule 1002(c) requires each SCI entity,
with certain exceptions, to disseminate information about SCI events to affected members or
participants, and disseminate information about major SCI events to all members or participants.
Rule 1003(a) requires each SCI entity to notify the Commission of material systems changes
quarterly. Rule 1003(b) requires each SCI entity to conduct annual SCI reviews. Rule 1004
requires each SCI entity to designate certain members or participants for participation in
functional and performance testing of the SCI entity’s business continuity and disaster recovery
(“BC/DR”) plans, and to coordinate such testing with other SCI entities. Rules 1005 and 1007
set forth recordkeeping requirements for SCI entities. Rule 1006 requires, with certain
exceptions, that each SCI entity electronically file required notifications, reviews, descriptions,
analysis, or reports to the Commission on Form SCI.
12
Securities Exchange Act Release No. 69077 (March 8, 2013), 78 FR 18083 (March 25,
2013) (“SCI Proposal”).
�4
The Commission estimates that there are currently 44 entities that meet the definition of
SCI entity and are subject to the collection of information requirements of Regulation SCI. Of
these 44 respondents, 27 would meet the definition of SCI SRO, 14 would meet the definition of
SCI ATS, 2 would meet the definition of plan processor, and 1 would meet the definition of
exempt clearing agency subject to ARP. Also, of these 44 respondents, 30 currently participate
in the ARP Inspection Program, whereas 14 do not.
2.
Purpose and Use of the Information Collection 13
a.
Policies and Procedures Required by Rule 1001 (Previously Proposed
Rules 1000(b)(1) and (b)(2))
Rule 1001(a) should help to advance the goal of improving Commission review and
oversight of U.S. securities market infrastructure by requiring an SCI entity’s policies and
procedures to be reasonably designed to ensure its own operational capability, including the
ability to maintain effective operations, minimize or eliminate the effect of performance
degradations, and have sufficient backup and recovery capabilities. Because an SCI entity’s own
operational capability can have the potential to impact investors, the overall market, or the
trading of individual securities, the Commission believes that these policies and procedures will
help promote the maintenance of fair and orderly markets. Rule 1001(b) should help to prevent
the occurrence of systems compliance issues, and help SCI entities to achieve operational
compliance with the Exchange Act, the rules and regulations thereunder, and their governing
documents. Rule 1001(c) should help make it clear to all employees of the SCI entity who the
designated responsible SCI personnel are for purposes of the escalation procedures and so that
Commission staff can easily identify such responsible SCI personnel in the course of its
inspections and examinations and other interactions with SCI entities. The Commission also
believes that escalation procedures to quickly inform responsible SCI personnel of potential SCI
events will help ensure that the appropriate person(s) are provided notice of potential SCI events
so that any appropriate actions can be taken in accordance with the requirements of Regulation
SCI without unnecessary delay.
b.
Mandate Participation in Certain Testing Required by Rule 1004
(Previously Proposed Rule 1000(b)(9))
Rule 1004 should help reduce the risks associated with an SCI entity’s decision to
activate its BC/DR plans and help to ensure that such plans operate as intended, if activated. It
should also help an SCI entity to ensure that its efforts to develop effective BC/DR plans are not
13
The numbering of the rules that the Commission ultimately adopted is different from the
numbering used in the SCI Proposal and previously submitted to the Office of
Management and Budget (“OMB”). For ease of review, each heading that references an
adopted rule throughout this supporting statement includes, if applicable, a parenthetical
referencing the corresponding rule or rules from the SCI Proposal.
�5
undermined by a lack of participation by members or participants that the SCI entity believes are
necessary to the successful activation of such plans. Rule 1004 should also assist the
Commission in maintaining fair and orderly markets in a BC/DR scenario following a wide-scale
disruption.
c.
SCI Event Notice Required by Rule 1002(b) (Previously Proposed Rule
1000(b)(4))
Rule 1002(b) should foster a system for comprehensive reporting of SCI events, which
should enhance the Commission’s review and oversight of U.S. securities market infrastructure
and foster cooperation between the Commission and SCI entities in responding to SCI events.
The Commission also believes that the aggregated data that will result from the reporting of SCI
events will enhance its ability to comprehensively analyze the nature and types of various SCI
events and identify more effectively areas of persistent or recurring problems across the systems
of all SCI entities. The information in the final report required under Rule 1002(b)(4) should
provide the Commission with a comprehensive analysis to more fully understand and assess the
impact caused by an SCI event. The quarterly report required by Rule 1002(b)(5) should better
achieve the goal of keeping Commission staff informed regarding the nature and frequency of
systems disruptions and systems intrusions that arise but are reasonably estimated by the SCI
entity to have a de minimis impact on the entity’s operations or on market participants. Further,
submission and review of regular reports should facilitate Commission staff comparisons among
SCI entities and thereby permit the Commission and its staff to have a more holistic view of the
types of systems operations challenges that were posed to SCI entities in the aggregate.
d.
Dissemination of Information Required by Rule 1002(c) (Previously
Proposed Rule 1000(b)(5))
Rule 1002(c) should advance the Commission’s goal of promoting fair and orderly
markets by disseminating information about an SCI event to some or all of the SCI entity’s
members or participants, who can use such information to evaluate the event’s impact on their
trading and other activities and develop an appropriate response.
e.
Material Systems Change Notice Required by Rule 1003(a) (Previously
Proposed Rules 1000(b)(6) and (b)(8)(ii))
Rule 1003(a) should permit the Commission and its staff to have up-to-date information
regarding an SCI entity’s systems development progress and plans, and help the Commission
with its oversight of U.S. securities market infrastructure.
f.
SCI Review Required by Rule 1003(b) (Previously Proposed Rules
1000(b)(7) and (b)(8)(i))
The SCI reviews under Rule 1003(b) should not only assist the Commission in improving
its oversight of the technology infrastructure of SCI entities, but also assist each SCI entity in
assessing the effectiveness of its information technology practices, helping to ensure compliance
�6
with the safeguards provided by the requirements of Regulation SCI, identifying potential areas
of weakness that require additional or modified controls, and determining where to best devote
resources.
g.
Access to EFFS
Rule 1006 provides a uniform manner in which the Commission will receive—and SCI
entities will provide—written notifications, reviews, descriptions, analyses, or reports made
pursuant to Regulation SCI. Rule 1006 therefore allows SCI entities to efficiently draft and file
the required reports on Form SCI, and the Commission to efficiently review, analyze, and
respond to the information provided. The Commission will implement Form SCI through the
electronic form filing system (“EFFS”) currently used by SCI SROs to file Form 19b-4 filings.
In order to access EFFS, an SCI entity will submit to the Commission an External Application
User Authentication Form (“EAUF”) to register each individual at the SCI entity who access the
EFFS system on behalf of the SCI entity. The information provided via EAUF will be used by
the Commission to verify the identity of the individual submitting Form SCI on behalf of the SCI
entity and provide such individual access to the EFFS.
The Commission believes that, by utilizing the EFFS system currently used by many
SROs for Rule 19b-4 filings, it will allow for a quicker and smoother implementation of the
Form SCI submission process for certain SCI entities. The Commission also notes that it
expects, prior to the compliance date, that its staff will provide materials to SCI entities
regarding the operation of the electronic filing system to file Forms SCI.
h.
Corrective Action Required by Rule 1002(a) (Previously Proposed Rule
1000(b)(3))
Rule 1002(a) should help facilitate SCI entities’ responses to SCI events, including taking
appropriate steps necessary to remedy the problem or problems causing such SCI event and
mitigate the negative effects of the SCI event, if any, on market participants and the securities
markets more broadly.
i.
Identification of Critical SCI Systems, Major SCI Events, De Minimis SCI
events, and Material Systems Changes
The requirement in Rule 1003(a) that each SCI entity establish written criteria for
identifying material systems changes should help the Commission ensure that it is kept apprised
of the systems changes that SCI entities believe to be material and aid the Commission and its
staff in understanding the operations and functionality of the systems of an SCI entity and any
changes to such systems.
The application of different requirements (e.g., Commission notification requirements
and information dissemination requirements) to critical SCI systems, major SCI events, and de
minimis SCI events, and the policies and procedures required by SCI entities to make these
determinations, should help to ensure that the Commission is kept apprised of SCI events, and
�7
that relevant market participants have basic information about SCI events so that those notified
can better develop an appropriate response. These policies and procedures should also assist SCI
entities in complying with the notification, dissemination and reporting requirements of
Regulation SCI.
j.
Recordkeeping Required by Rules 1005 and 1007 (Previously Proposed
Rules 1000(c) and (e))
Rule 1005 should assist the Commission in understanding whether an SCI entity is
meeting its obligations under Regulation SCI, assessing whether an SCI entity has appropriate
policies and procedures with respect to its technology systems, helping to identify the causes and
consequences of an SCI event, and understanding the types of material systems changes
occurring at an SCI entity. Rule 1005 should also facilitate the Commission’s inspections and
examinations of SCI entities and assist it in evaluating an SCI entity’s compliance with
Regulation SCI. Moreover, having an SCI entity’s records available even after it has ceased to
do business or to be registered under the Exchange Act should provide an additional tool to help
the Commission to reconstruct important market events and better understand the impact of such
events.
Rule 1007 should help ensure the Commission’s ability to obtain required records that are
held by a third party who may not otherwise have an obligation to make such records available to
the Commission.
3.
Consideration Given to Information Technology
With a few exceptions, Regulation SCI requires SCI entities to submit any notification,
review, description, analysis, or report to the Commission electronically on Form SCI.
Regulation SCI is designed to streamline the reporting processes and make the processes
efficient by specifying the information required to be provided and requiring SCI entities to
electronically file Form SCI. The Commission will implement Form SCI through the EFFS
currently used by SCI SROs to file Form 19b-4 filings.
4.
Duplication
Regulation SCI replaces the two ARP policy statements and related staff guidance.
However, although Regulation SCI codifies in a Commission rule many of the principles of the
ARP policy statements, the rule would have a broader scope than those statements.
Regulation SCI also supersedes and replaces aspects of the ARP policy statements
codified in Rule 301(b)(6) of Regulation ATS, applicable to significant-volume ATSs that trade
NMS stocks and non-NMS stocks. 14 Because Regulation SCI replaces the ARP policy
14
The Commission is separately submitting a PRA package for the amendments to Rule
301(b)(6) of Regulation ATS (OMB Control No. 3235-0509).
�8
statements, related staff guidance, and aspects of Rule 301(b)(6) applicable to significant-volume
ATSs that trade NMS stocks and non-NMS stocks, Regulation SCI would not duplicate any
existing information collection.
With regard to any FINRA rules applicable to ATSs, the Commission does not believe
that these rules provide a comprehensive regulatory scheme relating to the capacity, integrity,
resiliency, availability, and security of SCI systems comparable to Regulation SCI.
5.
Effect on Small Entities
Not applicable. None of the respondents subject to the information collection will be a
small entity.
6.
Consequences of Not Conducting Collection
The collection of information is designed to ensure that SCI entities operate with adequate
capacity, integrity, resiliency, availability, and security, and in compliance with the Exchange Act
and relevant rules. Any less frequent collection would deprive the Commission of timely
information regarding systems issues and systems changes at SCI entities and SCI entities’
compliance with Regulation SCI. Any less frequent collection also would deprive the Commission
and members or participants of SCI entities of timely information regarding the occurrence and
resolution of systems issues.
7.
Inconsistencies with Guidelines in 5 CFR 1320.5(d)(2)
Several provisions of Regulation SCI require respondents to report information to the
agency more often than quarterly. These provisions include Rules 1002(b), 1002(c), and Rule
1003(a), which generally involve the provision of certain types of notifications involving an SCI
event (e.g., a systems disruption, a systems intrusion, or a systems compliance issue), either to the
Commission or to a third party, and notification to the Commission of material systems changes.
Depending on the frequency of SCI events (with exceptions for certain SCI events), SCI entities
may be required to provide information to the Commission or disseminate information to their
members or participants more than once per quarter. However, the Commission believes that
timely and comprehensive reporting of SCI events to the Commission should enhance its
oversight of U.S. securities market infrastructure and foster cooperation between the
Commission and SCI entities in responding to SCI events. For example, timely receipt of
information regarding an SCI event will help the Commission and its staff to quickly assess the
nature and scope of that SCI event, and potentially assist the SCI entity in identifying the
appropriate response. Further, the Commission believes the timely dissemination of information
about certain SCI events to member or participants of SCI entities will help members or
participants to quickly assess the nature and scope of those SCI events and whether and how they
were affected by the events, and make appropriate decisions based on those assessments.
In addition, SCI entities may be required to provide information to the Commission
regarding material systems changes more often than quarterly. In particular, although Rule
�9
1003(a) requires quarterly reports of material systems changes, it also requires prompt
supplemental reports notifying the Commission of a material error in or material omission from a
previously submitted report. The Commission believes that it should, on an ongoing basis, have
complete and correct information regarding material systems changes at an SCI entity, rather
than waiting until the next quarterly report to receive corrected information.
Rule 1005(b) requires each SCI entity (other than an SCI SRO) to make, keep, and
preserve at least one copy of all documents relating to its compliance with Regulation SCI for a
period of not less than five years, the first two years in a place that is readily accessible to the
Commission or its representatives for inspection and examination. The Commission notes that
these recordkeeping time periods are consistent with those currently applicable to self-regulatory
organizations (including SCI SROs) under Rule 17a-1 under the Exchange Act.
Finally, information submitted to the Commission under Regulation SCI could include
proprietary trade secret or other confidential information. However, if a confidential treatment
request is properly made, the Commission will keep the information collected pursuant to Form
SCI confidential to the extent permitted by law. 15
8.
Consultations Outside the Agency
The Commission requested comment on the collection of information requirements in the
SCI Proposal in March 2013. 16 The Commission considered all comments received prior to
publishing the final rule as required by 5 CFR 1320.11(f) and addresses the comments relating to
the PRA below. 17
a.
Policies and Procedures Required by Rule 1001 (Previously Proposed
Rules 1000(b)(1) and (b)(2))
Several commenters noted that the Commission underestimated the paperwork burden of
proposed Rules 1000(b)(1) and (b)(2), which require SCI entities to establish policies and
procedures with respect to various matters. One commenter noted that the systems covered by
proposed Rules 1000(b)(1) and (b)(2) are very complex and a first draft of the required policies
and procedures would take far more than the estimated number of hours to complete and keep
up-to-date. 18 Another commenter noted that the hour burdens did not take into account the
15
See, e.g., 15 U.S.C. 78x (governing the public availability of information obtained by the
Commission); 5 U.S.C. 552 et seq. (Freedom of Information Act); 17 CFR 240.24b-2.
16
See Securities Exchange Act Release No. 69077 (March 8, 2013), 78 FR 18083 (March
25, 2013).
17
All of the comments received on the SCI Proposal, including those that relate to the PRA
(and discussed below), are available at http://www.sec.gov/comments/s7-0113/s70113.shtml.
18
See letter from Norman Reed, General Counsel, Omgeo LLC, dated July 8, 2013
�10
appropriate level of management review in connection with the development of the policies and
procedures. 19 This commenter also noted that policies and procedures developed to achieve
compliance with Regulation SCI can potentially impact other areas of the SCI entity and other
SCI entities, and therefore an SCI entity would need to broadly review the policies and
procedures to ensure that they do not conflict with other policies, procedures, practices, and
processes and revise the policies and procedures accordingly. 20 This commenter suggested that a
more accurate estimate of the paperwork burden for proposed Rule 1000(b)(1) would be three to
four times the estimate in the SCI Proposal, and the allocation of the burden hours should be
weighted more heavily toward more senior staff of the organization. 21
One commenter stated that the Commission’s estimate that ARP entities would incur half
as many burden hours as non-ARP entities (i.e., a baseline of 50%) does not account for the
significant expansion of the requirements if the definition of SCI system is construed broadly,
and as a result, the burden estimates for ARP entities may be too low. 22
One commenter agreed with the Commission that ongoing paperwork burdens for
compliance with proposed Rules 1000(b)(1) and (b)(2) should be lower than the initial burden; 23
however, this commenter stated that the estimated ongoing burden is understated, but likely to a
lesser extent than with respect to the initial burden. 24 Another commenter also noted that, given
the complexity of the underlying systems and the requirements of proposed Rule 1000(b)(1),
significantly more effort and time will be required on an ongoing basis to comply with that
rule. 25
One commenter noted that the establishment of the policies and procedures under
proposed Rules 1000(b)(1) and (b)(2) would not be conducive to outsourcing, although an SCI
entity might incur some cost for outside counsel for consultation purposes. 26 On the other hand,
another commenter argued that the Commission’s burden estimate for proposed Rules
(“Omgeo Letter”) at 31-32, 34.
19
See letter from Jay M. Goldstone, Chairman, Municipal Securities Rulemaking Board,
dated June 28, 2013 (“MSRB Letter”) at 28-29. See also Omgeo Letter at 32 and 35; and
letter from Joseph Adamczyk, Executive Director, Associate General Counsel, CME
Group Inc., dated July 8, 2013 (“CME Letter”) at 3, n. 5.
20
See MSRB Letter at 29.
21
See id., at 30.
22
See letter from Marcia E. Asquith, Senior Vice President and Corporate Secretary,
FINRA, dated July 8, 2013 (“FINRA Letter”) at 7.
23
See MSRB Letter at 31.
24
See id.
25
See Omgeo Letter at 32, n. 63.
26
See MSRB Letter at 31.
�11
1000(b)(1) and 1000(b)(2) was inaccurate because of the Commission’s mistaken assumption
that SCI entities would not seek guidance from outside consultants and attorneys. 27
After consideration of the comments that the Commission underestimated the burden
associated with the required policies and procedures, the current practices of SCI entities, and the
modifications to the proposal that reduced the associated burden, the Commission is increasing
the proposed burden estimates for the policies and procedures and adjusting the estimates to
reflect modifications to the proposal. The Commission is also adding burden estimates for an
internal review of the policies and procedures by compliance directors and chief compliance
officers in response to comment that the Commission did not take into account the appropriate
level of management review. 28
With respect to SCI entities that currently participate in the ARP Inspection Program, the
Commission maintained the 50% percent baseline for these SCI entities in terms of staff burden
hours. The Commission continues to believe this baseline is appropriate because although these
entities already have substantial policies and procedures in place, the rule would require these
entities to devote substantial time to review and revise their existing policies and procedures to
ensure that they meet all of the rule requirements. However, the Commission does not believe
that a 50% baseline would be appropriate for these SCI entities in terms of senior management
review of the policies and procedures. The Commission believes that senior management of all
SCI entities, regardless of whether an SCI entity currently participates in the ARP Inspection
Program, would require a similar number of hours to review the SCI entity’s policies and
procedures to ensure compliance with the new requirements under Regulation SCI.
After consideration of the comment that the Commission underestimated the outsourcing
cost for proposed Rules 1000(b)(1) and (b)(2), the Commission is increasing the proposed
estimate of the outsourcing cost and adjusting the estimate to reflect modifications to the
proposal.
b.
Mandate Participation in Certain Testing Required by Rule 1004
(Previously Proposed Rule 1000(b)(9))
With respect to the Commission’s burden estimate for the BC/DR testing under proposed
Rule 1000(b)(9), one commenter noted that the estimate was effectively limited to ministerial
tasks of producing a rule filing and of undertaking follow-up work in connection with
implementation, does not take into account significant activities relating to the SRO rule change
process, and understates the activities necessary to implement testing with industry
participants. 29 Another commenter stated that it has contractual relationships with thousands of
27
See Omgeo Letter at 32 and 35.
28
The Chief Compliance Officer burden estimates include the time spent by other senior
officers, including Chief Information Officers and Chief Information Security Officers, as
appropriate, for a particular requirement under Regulation SCI.
29
See MSRB Letter at 38.
�12
clients, and contract negotiations always require a great deal of time and commitment from its
legal personnel. 30 One commenter noted that the requirements under proposed Rule 1000(b)(9)
would not be conducive to outsourcing. 31
The Commission adopted proposed Rule 1000(b)(9) as Rule 1004, with certain
modifications, including the elimination of the proposed requirement that an SCI entity notify
and update the Commission of its designated members or participants and its standards for
designation on Form SCI.
After consideration of the comments and the modifications to the proposal, the
Commission is substantially increasing the burden estimates for Rule 1004, and is estimating
additional hours to reflect senior management involvement in compliance with Rule 1004.
With respect to the comment that the estimates in the proposal did not take into account
significant activities relating to the SRO rule change process, the Commission notes that the
paperwork burden associated with SRO rule filings are included as part of the burden associated
with a separate collection of information (OMB Control Number 3235-0045) pursuant to Rule
19b-4 under the Exchange Act. With respect to a commenter’s statement that it has contractual
relationships with thousands of clients and that proposed Rule 1000(b)(9) would create many
thousands of burden hours, the Commission notes that the adoption of a more focused
designation requirement is likely to result in a smaller number of SCI entity members or
participants being designated for participation in testing as compared to the SCI Proposal (and as
noted above, the Commission has increased its estimated burden hours in response to comment).
The Commission believes that SCI entities have an incentive to limit the imposition of the cost
and burden associated with testing to the minimum necessary to comply with the rule. The
Commission also believes that, given the option, most SCI entities would, in the exercise of
reasonable discretion, prefer to designate fewer members or participants to participate in testing,
than to designate more. Thus, even if an SCI entity individually negotiates contract
modifications with certain designated members or participants, the Commission believes that the
burden would be substantially less than suggested by the commenter.
Based on its experience with plan processors, the Commission continues to believe that
plan processors will outsource the work related to compliance with Rule 1004.
c.
SCI Event Notice Required by Rule 1002(b) (Previously Proposed Rule
1000(b)(4))
Several commenters stated that the Commission underestimated the number of SCI
30
See Omgeo Letter at 46. This commenter noted that while a certain significant
percentage of its clients may sign the contracts without any negotiation, many do not.
See id.
31
See MSRB Letter at 38.
�13
events requiring notification to the Commission, 32 as well as the number of event updates that
would be required by the proposed rules. 33
With respect to the Commission’s estimate of the burden for Commission notification
generally, one commenter noted that preparation of Form SCI will take a fair amount of time. 34
Another commenter noted that senior management of SCI entities would want an SCI event to be
investigated before it is reported to the Commission and they (along with compliance attorneys
and officers) would want to review any report on an SCI event prior to submission to the
Commission. 35 This commenter also noted that an SCI entity would need to engage outside
counsel and possibly other parties to review such reports. 36 On the other hand, one commenter
stated its belief that none of the activities arising under proposed Rule 1000(b)(4) would be
conducive to outsourcing. 37
With respect to the Commission’s estimate of the burden for written notification to the
Commission of certain SCI events under proposed Rule 1000(b)(4)(i), one commenter noted that
considerable amounts of activities may be necessary to gather the information needed, to have
appropriate confirmations from persons with knowledge and authority with respect to the
applicable SCI system, to provide for senior management review where appropriate, and to
otherwise be in a position to draft the notification. 38 Another commenter noted that Commission
notification required by proposed Rule 1000(b)(4)(i) would require substantive input from
personnel outside of the legal and compliance departments, including IT analysts and managers
as well as impacted business analysts and managers. 39 This commenter also noted that the
32
See Omgeo Letter at 35; letter from Eric J. Swanson, Secretary, BATS Global Markets,
Inc., dated July 10, 2013 (“BATS Letter”) at 11; letter from Eric Swanson, SVP, General
Counsel and Secretary, BATS Global Markets, Inc., et al., dated July 30, 2013 (“Joint
SROs Letter”) at 18; letter from Daniel Zinn, General Counsel, OTC Markets Group Inc.,
dated September 12, 2013 (“OTC Markets Letter”) at 6; and letter from Janet McGinness,
EVP & Corporate Secretary, NYSE Euronext, dated July 9, 2013 (“NYSE Letter”) at 18.
Commenters did not specify estimates for the number of systems compliance issues an
SCI entity would experience each year.
33
See Joint SROs Letter at 19; NYSE Letter at 24; and Omgeo Letter at 36. See also
FINRA Letter at 19.
34
See FINRA Letter at 19; and letter from Roger Anerella, Managing Director, Global
Head of Securities Execution Services, UBS Investment Bank, dated July 26, 2013
(“UBS Letter”) at 6.
35
See Omgeo Letter at 35.
36
See id., at 35-36.
37
See MSRB Letter at 34-35.
38
See id., at 33.
39
See UBS Letter at 6. This commenter expressed the same concern with respect to
proposed Rule 1000(b)(4)(ii). See id.
�14
Commission erroneously assumed that verbal notifications under proposed Rule 1000(b)(4)(i)
would not consume any time. 40
With respect to the estimated burden under proposed Rule 1000(b)(4)(ii) for written
notification to the Commission within 24 hours of any responsible SCI personnel becoming
aware of any SCI event, one commenter noted that the estimate did not take into account the
considerable amounts of activities to be undertaken by other personnel, including persons with
knowledge and authority with respect to the applicable SCI system and the SCI event as well as
senior management where appropriate, in order to collect and assess the appropriate information
and to properly inform the attorney and compliance manager of such information in order to
allow them to produce an accurate notification. 41 This commenter had similar concerns with the
burden estimates for proposed Rule 1000(b)(4)(iii) as it related to the requirement that the SCI
entity submit to the Commission written updates on a regular basis, or at such frequency as
reasonably requested by a representative of the Commission until resolution of the SCI event. 42
Another commenter noted that, with respect to proposed Rule 1000(b)(4)(ii), no provision was
made for the time burden that would be placed on technology personnel in the notification
process. 43 Similarly, one commenter noted that the Commission’s burden estimate failed to take
into account technology staff and business operations personnel who spend considerable time
gathering facts and circumstances of a systems issue. 44
The Commission adopted the Commission notification requirements contained in
proposed Rule 1000(b)(4) as Rule 1002(b), with certain modifications. In particular, the
Commission refined the scope of the requirement by incorporating a risk-based approach. Also,
revisions made to a number of definitions further focus the scope of the requirement. Together,
the Commission intended these changes to reduce the frequency and volume of SCI event notices
submitted to the Commission.
Specifically, and after consideration of the comments, the more focused scope of the
immediate Commission notification requirement, and Commission staff’s experience with the
ARP Inspection Program and systems compliance-related issues at SROs, the Commission now
estimates that each SCI entity will experience an average of 45 SCI events each year that are not
40
See id.
41
See MSRB Letter at 33.
42
See id., at 33-34.
43
See Joint SROs Letter at 18. This commenter also stated that, in other sections, the
Commission either incorrectly assumes that no legal or outside counsel would be used, or
significantly underestimates the amount of legal or outside counsel expenses. See id., at
18-19.
44
See letter from Raymond Tamayo, Chief Information Officer, Options Clearing
Corporation, dated July 8, 2013 (“OCC Letter”) at 12. See also NYSE Letter at 18 and
34; and Omgeo letter at 36.
�15
de minimis SCI events, 45 resulting in 45 written notifications under Rule 1002(b)(2) and 45
written notifications under Rule 1002(b)(4). The Commission also estimates that each SCI entity
will submit 24 updates each year under Rule 1002(b)(3).
The Commission is not significantly increasing its burden estimate for proposed Rule
1000(b)(4)(i) (which was adopted as Rule 1002(b)(1)) because Rule 1002(b)(1) requires the
immediate notification of SCI events and does not specify the minimum information that must be
submitted to the Commission. The Commission believes that, for many SCI events, an SCI
entity will simply notify the Commission that an SCI event has occurred, and may not provide
the Commission with additional information because it is not yet available to the SCI entity. For
this reason, the Commission does not expect that the SCI entity will need to gather a
considerable amount of information or significantly confer with interested parties across the
entity. The Commission agrees with the view of a commenter that oral notifications would result
in burdens on an SCI entity, although it expects the burden for legal and compliance personnel to
be lower than in the case of written notifications because they would not need to draft and review
a written document for submission to the Commission. 46
The Commission is not significantly increasing its burden estimate for proposed Rule
1000(b)(4)(ii) (which was adopted as Rule 1002(b)(2)) because Rule 1002(b)(2) requires less
information than proposed Rule 1000(b)(4)(ii), although the Commission has revised the burden
estimate to account for the time spent to perform various functions and conduct multiple levels
of review. Also, because Rule 1002(b)(2) explicitly permits information to be submitted on a
good faith, best efforts basis, the Commission believes that SCI entities will be able to expend
less resources in reviewing each notification.
The Commission is not significantly increasing its burden estimate for proposed Rule
1000(b)(4)(iii) (which was adopted as Rule 1002(b)(3)). Specifically, the Commission believes
that each update required under Rule 1002(b)(3) will likely only reflect some of the information
listed under Rules 1002(b)(1) and (2) (which set forth the requirements for the initial
notification), because certain information about SCI events may not yet be available at the time
the SCI entity submits such update or may not need to be updated. As with Rule 1002(b)(1), the
Commission expects that the burden for legal and compliance personnel would be less in the
case of oral updates.
The information required to be provided to the Commission in a final report of an SCI
event under Rule 1002(b)(4) is similar to the information required to be provided under proposed
45
The estimated 45 SCI events comprise 24 systems disruptions, 20 systems compliance
issues, and one systems intrusion.
46
One commenter noted that most SCI entities would submit a writing to document that
they had satisfied the notice requirement of proposed Rule 1000(b)(4)(i). See Omgeo
Letter at 16. However, the Commission continues to estimate that one-fourth of the
notifications under Rule 1002(b)(1) will be submitted in writing and that the rest will be
provided orally.
�16
Rule 1000(b)(4)(ii). The Commission is, however, estimating a higher burden for Rule
1002(b)(4) as compared to proposed Rule 1000(b)(4)(ii) because the reports under Rule
1002(b)(4) constitute final reports regarding SCI events, and SCI entities will likely confer with
technology and business personnel and senior management to ensure that the information
provided is accurate. At the same time, the Commission is not substantially increasing the
burden estimate as compared to proposed Rule 1000(b)(4)(ii) because some of the information
required by Rule 1002(b)(4) may already have been provided in a prior notification to the
Commission.
Finally, the Commission estimates that while SCI entities will handle internally most of
the work associated with Rule 1002(b), SCI entities would seek outside legal advice in the
preparation of certain Commission notifications.
d.
Dissemination of Information Required by Rule 1002(c) (Previously
Proposed Rule 1000(b)(5))
With respect to the burden estimate for proposed Rule 1000(b)(5), which required an SCI
entity to provide specified information relating to “dissemination SCI events” to SCI entity
members or participants, one commenter stated that the Commission’s estimate is fairly
accurate. 47 Another commenter stated that the Commission underestimated the burden. 48 In
connection with expressing its concern that almost any minor or immaterial systems issue would
fall under the proposed definition of SCI event, this commenter estimated that there would be at
a minimum a ten-fold increase in reportable events from the 175 incidents in 2011 under the
ARP Inspection Program. 49
With respect to the estimated burden associated with information dissemination, this
commenter argued that the Commission incorrectly assumed that such communications would be
drafted only by a single attorney and a webmaster. 50 This commenter also noted that SCI entities
would draft different dissemination notices designed to address the particular concerns of the
different client segments it services. 51
Further, this commenter disagreed that SCI entities are likely to handle internally most of
47
See MSRB Letter at 35.
48
See Omgeo Letter at 37.
49
See id., at 37-38.
50
See id., at 38. According to this commenter, subject matter experts would include
associates from functions such as Technology, Client Support, Information Security,
Legal, Compliance, Product Management, and Sales and Relationship Management. See
id., at 38, n. 75.
51
See id., at 38.
�17
the work associated with information dissemination. 52 This commenter also argued that the
Commission’s estimate did not take into account the burden associated with addressing
responses from an SCI entity’s participants, members, or clients, which, according to this
commenter, would include hundreds of hours of SCI entity associate and management time. 53
This commenter expressed similar concerns with respect to the burden estimates for providing
additional information and updates to members or participants pursuant to proposed Rules
1000(b)(5)(i)(B) and (C), and noted that each follow-up notice would impose a burden far
greater than 5 hours. 54 This commenter also noted that the Commission underestimated that
each SCI entity would only have to provide one update each year under proposed Rule
1000(b)(5)(i)(C), and that each dissemination would only be prepared by an attorney and a
webmaster. 55
With respect to the burden estimates for proposed Rule 1000(b)(5)(ii), which, subject to a
limited exception, required an SCI entity, promptly after any responsible SCI personnel becomes
aware of a systems intrusion, to disseminate to its members or participants certain information
regarding the systems intrusion, this commenter expressed similar concern, and noted that each
dissemination under proposed Rule 1000(b)(5)(ii) would require hundreds of burden hours. 56
The Commission adopted the information dissemination requirements in proposed Rule
1000(b)(5), as final Rule 1002(c), with certain modifications from the proposal. In particular,
Rule 1002(c) scales the dissemination obligations in accordance with the nature and severity of
an SCI event. SCI events that relate to market regulation or market surveillance systems and de
minimis SCI events would not be subject to the information dissemination requirement. Also,
revisions made to a number of definitions further refine the scope of the information
dissemination requirement. Given these changes, the Commission now estimates that each SCI
entity will disseminate information regarding 36 SCI events each year, including 1 non-de
minimis systems intrusion each year. The Commission also estimates that each SCI entity will
disseminate 3 updates for each SCI event (that is not a systems intrusion) each year.
The Commission is not significantly increasing its burden estimate from proposed Rule
1000(b)(5) because the information required to be disseminated to members or participants under
Rule 1002(c) will likely already be collected for Commission notification under Rule 1002(b).
With respect to the view of a commenter that SCI entities would create different dissemination
notices designed to address the concerns of different client segments, the Commission notes that
52
See id., at 39. However, another commenter stated its belief that none of the activities
arising under proposed Rule 1000(b)(5) would be conducive to outsourcing. See MSRB
Letter at 34-35.
53
See Omgeo Letter at 39.
54
See id., at 40-41.
55
See id., at 41.
56
See id., at 41-42.
�18
Rule 1002(c) only specifies the general information that must be disseminated and does not
require that SCI entities provide different information to different clients. 57
e.
Material Systems Change Notice Required by Rule 1003(a) (Previously
Proposed Rules 1000(b)(6) and (b)(8)(ii))
Several commenters stated that the Commission underestimated the number of planned
material systems changes that would be required to be reported to the Commission under proposed
Rule 1000(b)(6).58 Some commenters also argued that the Commission underestimated the amount
of time it would take to provide the notifications under proposed Rule 1000(b)(6) because the
Commission did not take into account activities necessary to gather the information needed, or the
types of personnel that would be involved in drafting such notifications.59 One commenter stated
that the Commission’s burden estimate for proposed Rule 1000(b)(8)(ii) was fairly accurate. 60 That
commenter also stated that none of the activities arising under proposed Rules 1000(b)(6) and (b)(8)
would be conducive to outsourcing. 61
The Commission did not adopt the proposed definition of material systems change.
Rather, Rule 1003(a)(1) requires each SCI entity to establish reasonable criteria for identifying a
change to its SCI systems and the security of indirect SCI systems as material. Because Rule
1003(a)(1) allows each SCI entity to identify material systems changes, it is responsive to
commenters’ concern that the proposed definition was too broad and would result in an excessive
number of notifications. In particular, an SCI entity will have reasonable discretion in
establishing the written criteria in order to capture the systems changes that it believes are
material. With respect to commenters who specifically discussed proposed Rule 1000(b)(6), the
Commission did not adopt the 30-day advance notification requirement of that rule and is instead
adopting a new quarterly reporting requirement for material systems changes.
57
As noted above, this commenter also stated that the Commission did not take into
account the burden associated with addressing responses from an SCI entity’s
participants, members, or clients. The Commission believes that currently, SCI entities
already notify members or participants of certain systems issues. Therefore, the
Commission does not believe that the burden to respond to members or participants will
be significantly higher than SCI entities’ current practices in the absence of Regulation
SCI. The Commission also notes that Rule 1002(c) does not impose any requirements
related to responding to inquiries about the information dissemination.
58
See NYSE Letter at 26; BATS Letter at 14; and OTC Markets Letter at 21.
59
See, e.g., MSRB Letter at 35; OCC Letter at 15-16; and UBS Letter at 6.
60
See MSRB Letter at 37.
61
See id., at 36-37.
�19
f.
SCI Review Required by Rule 1003(b) (Previously Proposed Rules
1000(b)(7) and (b)(8)(i))
With respect to the burden associated with SCI reviews, one commenter stated that the
Commission’s burden estimate for proposed Rule 1000(b)(7), which would have required an SCI
entity to conduct an SCI review of its compliance with Regulation SCI not less than once each
calendar year, and submit a report of the SCI review to senior management no more than 30
calendar days after completion of such SCI review, is fairly accurate. 62 Another commenter
noted that the Commission’s estimate is too low and that the SCI review will require over 1,200
burden hours. 63 In connection with advocating for a risk-based approach for SCI reviews, one
commenter noted that if it were to attempt to conduct all of the market-related technology
application reviews that it currently conducts over four years during one year (excluding
regulatory technology applications such as those related to member regulation), it would require
approximately 6,400 to 8,320 hours. 64 According to this commenter, significantly more
resources would be required to conduct SCI reviews if the definition of SCI systems includes
non-market regulatory and surveillance systems, and development and testing systems. 65 One
commenter noted that significant portions of the SCI review could be outsourced and that the
Commission’s estimate for the overall cost of outsourcing is reasonable, although some of the
assumed hourly rates used in the SCI Proposal appear to be too low in the context of the current
market environment. 66
One commenter noted that the Commission’s estimate did not take into account the
additional work that would be required by many different SCI entity associates, including
managers and subject matter experts, in order to satisfy the requirements of proposed Rule
1000(b)(7). 67 This commenter estimated that the annual burden under proposed Rule 1000(b)(7)
would be 4,670 hours. 68 According to this commenter, if the Commission intended SCI entities
to conduct a broader scope review beyond those now required by the ARP Inspection Program,
then the annual burden would be 11,199 hours. 69
With respect to the burden estimate for proposed Rule 1000(b)(8)(i), which required an
SCI entity to submit to the Commission a report of the SCI review required by paragraph (b)(7),
62
See id., at 36.
63
See letter from Michael J. Simon, Secretary, International Securities Exchange, LLC,
dated July 8, 2013 (“ISE Letter”) at 12.
64
See FINRA Letter at 40.
65
See id.
66
See MSRB Letter at 36.
67
See Omgeo Letter at 44.
68
See id.
69
See id.
�20
together with any response by senior management, within 60 calendar days after its submission
to senior management, one commenter stated that the estimate did not address the burden on
senior management for reading, analyzing, and perhaps responding to the SCI review. 70
The Commission adopted the SCI review-related requirements contained in proposed
Rules 1000(b)(7) and (b)(8)(i), as final Rule 1003(b), with some modifications from the
proposal. For example, because the Commission has refined the scope of certain related
definitions, fewer systems will be subject to the SCI review, thereby focusing the overall scope
of the SCI review requirement. Rule 1003(b) also utilizes a more risk-based approach than the
proposal. The Commission is also requiring an SCI entity to submit the report of the SCI review,
together with any response by senior management, to the Board of Directors of the SCI entity or
the equivalent of such Board. After considering the views of commenters and the modifications
from the proposal, the Commission is not significantly increasing the burden estimate from the
proposal. However, the Commission estimates that while SCI entities would handle internally
some or most of the work associated with an SCI review, SCI entities would outsource some of
the work associated with an SCI review. 71
With respect to the comment that the burden estimate for proposed Rule 1000(b)(8)(i)
failed to account for the burden on senior management for reviewing and responding to the
report of the SCI review, the Commission notes that Rule 1003(b)(3) does not require senior
management to respond to the report of the SCI review. Nevertheless, the Commission is
including in its burden estimate for Rules 1003(b)(1) and (2) the burden for senior management
review of the report of the SCI review.
g.
Corrective Action Required by Rule 1002(a) (Previously Proposed Rule
1000(b)(3))
In the SCI Proposal, the Commission noted that, although SCI entities already take
corrective action in response to systems issues, proposed Rule 1000(b)(3) would likely result in
SCI entities revising their policies regarding taking corrective actions by requiring certain actions
to be taken upon any responsible SCI personnel becoming aware of an SCI event. One
commenter stated that basing the estimate for proposed Rule 1000(b)(3) on the percentage of the
burden estimate under proposed Rule 1000(b)(1) is appropriate, 72 and the Commission continues
to compute the burden estimate in this manner. This commenter also noted that the
establishment of policies and procedures with respect to corrective action would not be
conducive to outsourcing. 73 The Commission agrees with the commenter and continues to
70
See id.
71
The Commission acknowledges that some SCI entities may outsource work related to
SCI review to more expensive outside firms than others. On average, the Commission
believes its hourly rate for outsourcing continues to be appropriate.
72
See MSRB Letter at 31-32.
73
See id., at 32.
�21
believe that SCI entities will conduct internally most of the work related to their corrective action
procedures.
h.
Identification of Critical SCI Systems, Major SCI Events, De Minimis SCI
events, and Material Systems Changes
In the SCI Proposal, the Commission estimated that certain proposed rules may impose
burdens on SCI entities in developing and reviewing a process to ensure that they are able to
quickly and correctly make a determination regarding the nature of an SCI event. One
commenter stated that the burden estimate for policies and procedures to identify the nature of an
SCI event was effectively limited to ministerial tasks of producing such policies and procedures
in isolation from other organizational activities and needs, and took into account only minimal
supervisory or decision-making activities, therefore the Commission significantly
underestimated the total burden of compliance. 74 This commenter urged the Commission to
adjust the estimate in a manner similar to this commenter’s suggestion with regard to proposed
Rules 1000(b)(1) and (2). 75
Certain requirements under adopted Regulation SCI require each SCI entity to identify
material systems changes, critical SCI systems, major SCI events, and de minimis SCI events.
After consideration of the comments, the Commission estimates the burden for identifying such
changes, systems, or events based on the burden estimates for Rule 1001(a), which were
modified from the proposal in response to comments. The Commission is also adding burden
estimates for chief compliance officers and compliance directors.
i.
Recordkeeping Required by Rules 1005 and 1007 (Previously Proposed
Rules 1000(c) and (e))
One commenter noted that while proposed Rule 1000(c), which set forth the requirements
for SCI SROs to make, keep, and preserve all documents relating to their compliance with
Regulation SCI, does not create new recordkeeping requirements for SCI SROs (because it
incorporates the recordkeeping requirements contained in existing Rule 17a-1), the number of
records to be retained by an SRO would increase due to proposed Regulation SCI. 76 This
commenter stated that such additional recordkeeping is not costless and should be considered by
the Commission. 77 The Commission believes that existing recordkeeping systems and processes
of SCI SROs will be used to retain the records required to be created pursuant to Regulation SCI.
As a result, the Commission believes that the burden associated with retaining these additional
records is an incrementally small increase in the burden currently incurred by SROs to retain
records as required by Rule 17a-1, and that the burden associated with retaining records related
74
See MSRB Letter at 32.
75
See id.
76
See id., at 39.
77
See id.
�22
to Regulation SCI is already accounted for in the burden estimates contained in a separate
collection of information (OMB Control Number 3235-0208) pursuant to Rule 17a-1.
9.
Payment or Gift
Not applicable.
10.
Confidentiality
The Commission expects that the written policies and procedures, processes, criteria,
standards, or other written documents developed or revised by SCI entities pursuant to
Regulation SCI will be retained by SCI entities in accordance with, and for the periods specified
in Exchange Act Rule 17a-1 and Rule 1005, as applicable. Should such documents be made
available for examination or inspection by the Commission and its representatives, they would be
kept confidential subject to the provisions of applicable law. 78 In addition, the information
submitted to the Commission pursuant to Regulation SCI that is filed on Form SCI will be
treated as confidential, subject to applicable law, including amended Rule 24b-2. 79 The
information disseminated by SCI entities pursuant to Rule 1002(c) under Regulation SCI to their
members or participants will not be confidential.
11.
Sensitive Questions
The collections of information do not expressly include Personally Identifiable
Information (“PII”). At the same time, however, Commission staff understands that there are
instances when certain information (including, but not limited to, a person’s name, email, or
phone number) will be provided by a respondent in response to at least one of the collections of
information. However, Commission staff does not envision any circumstance in which a social
security number would be provided pursuant to any of the collections of information. As such,
we believe that the treatment of any PII with the collection of information associated with the
Regulation SCI is not likely to implicate the Federal Information Security Management Act of
2002 or the Privacy Act of 1974. The Systems of Record Notice (SORN) may be viewed at the
following link; http://www.sec.gov/about/privacy/sorn/secsorn49.pdf.
78
See, e.g., 15 U.S.C. 78x (governing the public availability of information obtained by the
Commission); 5 U.S.C. 552 et seq.
79
See, e.g., 15 U.S.C. 78x (governing the public availability of information obtained by the
Commission); 5 U.S.C. 552 et seq. (Freedom of Information Act); 17 CFR 240.24b-2.
�23
12.
Burden of Information Collection
a.
Policies and Procedures Required by Rule 1001(a) (Previously Proposed
Rule 1000(b)(1))
Rule 1001(a) establishes recordkeeping burdens for all 44 SCI entities. However, certain
burdens will be different for SCI entities that participate in the ARP Inspection Program (30 SCI
entities) and SCI entities that do not (14 SCI entities).
Rule 1001(a) requires each SCI entity to establish, maintain, and enforce written policies
and procedures reasonably designed to ensure that its SCI systems and, for purposes of security
standards, indirect SCI systems, have levels of capacity, integrity, resiliency, availability, and
security, adequate to maintain the SCI entity’s operational capability and promote the
maintenance of fair and orderly markets.
The Commission estimates that an SCI entity that has not previously participated in the
ARP Inspection Program will require an average of 534 burden hours initially to develop and
draft the policies and procedures required by Rule 1001(a) (except for the policies and
procedures required by paragraph (a)(2)(vi) for standards that result in systems being designed,
developed, tested, maintained, operated, and surveilled in a manner that facilitates the successful
collection, processing, and dissemination of market data, which is discussed below), or 7,476 80
hours for all such SCI entities. The Commission estimates that an SCI entity that currently
participates in the ARP Inspection Program will require an average of 282 burden hours initially
to develop and draft such policies and procedures, or 8,460 hours for all such SCI entities. 81
Thus, the total initial recordkeeping burden to comply with Rule 1001(a) (except for the policies
and procedures required by paragraph (a)(2)(vi)) is 15,936 hours for all SCI entities. 82
The Commission estimates that an SCI entity that has not previously participated in the
ARP Inspection Program will require an average of 159 hours annually to review and update
such policies and procedures, or 2,226 hours for all such SCI entities. 83 The Commission
estimates that an SCI entity that currently participates in the ARP Inspection Program will
require an average of 87 hours annually to review and update such policies and procedures, or
2,610 hours for all such SCI entities. 84 Thus, the total ongoing annual recordkeeping burden to
80
534 hours × 14 SCI entities that do not participate in the ARP Inspection Program =
7,476 hours.
81
282 hours × 30 SCI entities that participate in the ARP Inspection Program = 8,460
hours.
82
7,476 hours + 8,460 hours = 15,936 hours.
83
159 hours × 14 SCI entities that do not participate in the ARP Inspection Program =
2,226 hours.
84
87 hours × 30 SCI entities that participate in the ARP Inspection Program = 2,610 hours.
�24
comply with Rule 1001(a) (except for the policies and procedures required by paragraph
(a)(2)(vi)) is 4,836 hours 85 for all SCI entities.
With respect to the requirement in Rule 1001(a)(2)(vi) for policies and procedures that
provide for standards that result in systems being designed, developed, tested, maintained,
operated, and surveilled in a manner that facilitates the successful collection, processing, and
dissemination of market data, the Commission estimates that each SCI entity will spend 160
hours initially, or 7,040 hours for all SCI entities. 86 The Commission estimates that each SCI
entity will spend 145 hours annually to review and update such policies and procedures, or 6,380
hours annually for all SCI entities. 87
In summary, the Commission estimates that, over a three-year period, the total
recordkeeping burden for complying with Rule 1001(a) is 15,136 hours per year when
annualized over three years, 88 or 344 hours per SCI entity. 89 These estimates are higher than the
recordkeeping burden that was estimated when the rule was initially proposed (as proposed Rule
1000(b)(1)). For proposed Rule 1000(b)(1), the Commission previously estimated that the
annualized recordkeeping burden would be 8,965 hours for all SCI entities, or 203.75 hours per
SCI entity.
b.
Policies and Procedures Required by Rule 1001(b) (Previously Proposed
Rule 1000(b)(2))
Rule 1001(b) establishes recordkeeping burdens for all 44 SCI entities. However, certain
burdens will be different for SCI entities that are SCI SROs (27 SCI entities) and SCI entities
that are not SCI SROs (17 SCI entities).
Rule 1001(b) requires each SCI entity to establish, maintain, and enforce written policies
and procedures reasonably designed to ensure that its SCI systems operate in a manner that
complies with the Exchange Act and the rules and regulations thereunder and the entity’s rules
and governing documents, as applicable.
The Commission estimates that each SCI entity will spend 270 hours initially to design
the systems compliance policies and procedures, or 11,880 hours for all SCI entities. 90 The
Commission estimates that each SCI SRO will spend 175 hours annually to review and update
85
2,226 hours + 2,610 hours = 4,836 hours.
86
160 hours × 44 SCI entities = 7,040 hours.
87
145 hours × 44 SCI entities = 6,380 hours.
88
(First year (15,936 + 7,040 hours) + Second year (4,836 + 6,380 hours) + Third year
(4,836 + 6,380 hours)) ÷ 3 years = 15,136 hours annualized per year.
89
15,136 hours ÷ 44 SCI entities = 344 hours per SCI entity.
90
270 hours × 44 SCI entities = 11,880 hours.
�25
such policies and procedures, or 4,725 hours for all SCI SROs. 91 The Commission estimates that
each SCI entity that is not an SRO will spend 95 hours annually to review and update such
policies and procedures, or 1,615 hours for all such SCI entities. 92 Thus, the total ongoing
annual recordkeeping burden is 6,340 hours for all SCI entities. 93
In summary, the Commission estimates that, over a three-year period, the total
recordkeeping burden for complying with Rule 1001(b) is 8,186.67 hours per year when
annualized over three years, 94 or 186.06 per SCI entity. 95 These estimates are higher than the
recordkeeping burden that was estimated when the rule was initially proposed (as proposed Rule
1000(b)(2)). For proposed Rule 1000(b)(2), the Commission previously estimated that the
annualized recordkeeping burden would be 5,440 hours, or 123.64 hours per SCI entity.
c.
Policies and Procedures Required by Rule 1001(c)
Rule 1001(c) establishes recordkeeping burdens for all 44 SCI entities.
Rule 1001(c) requires each SCI entity to establish, maintain, and enforce reasonably
designed written policies and procedures that include the criteria for identifying responsible SCI
personnel, the designation and documentation of responsible SCI personnel, and escalation
procedures to quickly inform responsible SCI personnel of potential SCI events.
The Commission estimates that each SCI entity will require 114 hours initially to
establish the criteria for identifying responsible SCI personnel and the escalation procedures, or
5,016 hours for all SCI entities. 96 The Commission also estimates that each SCI entity will
require 39 hours annually to review and update the criteria and the escalation procedures, or
1,716 hours for all SCI entities. 97
In summary, the Commission estimates that, over a three-year period, the total
recordkeeping burden for complying with Rule 1001(c) is 2,816 hours per year when annualized
91
175 hours × 27 SCI SROs = 4,725 hours.
92
95 hours × 17 non-SRO SCI entities = 1,615 hours.
93
4,725 hours + 1,615 hours = 6,340 hours.
94
(First year (11,880 hours) + Second year (6,340 hours) + Third year (6,340 hours)) ÷ 3
years = 8,186.67 hours annualized per year.
95
8,186.67 hours ÷ 44 SCI entities = 186.06 per SCI entity.
96
114 hours × 44 SCI entities = 5,016 hours.
97
39 hours × 44 SCI entities = 1,716 hours.
�26
over three years, 98 or 64 hours per SCI entity. 99 Rule 1001(c) is a new recordkeeping
requirement that was not included in the proposal.
d.
Mandate Participation in Certain Testing Required by Rule 1004
(Previously Proposed Rule 1000(b)(9))
Rule 1004 establishes recordkeeping burdens for SCI entities that are not plan processors
(42 SCI entities).
Rule 1004 requires each SCI entity to establish standards for the designation of certain
members or participants for BC/DR plan testing, to designate members or participants in
accordance with these standards, to require participation by designated members or participants
in such testing at least annually, and to coordinate such testing on an industry- or sector-wide
basis with other SCI entities.
The Commission estimates that the requirements under Rules 1004(a) (i.e., establishment
of standards for the designation of members and participants) and (c) (i.e., coordination of testing
on an industry- or sector-wide basis) will initially require 360 hours for each SCI entity that is
not a plan processor, 100 or 15,120 hours for all such SCI entities. 101 Further, the Commission
estimates that the requirements under Rules 1004(a) and (c) will require 135 hours annually for
each SCI entity that is not a plan processor, or 5,670 hours for all such SCI entities. 102 Based on
its experience with plan processors, the Commission believes that plan processors will outsource
the work related to compliance with Rule 1004 (and, accordingly, such outsourced costs have
been included in the response to Item 13).
In summary, the Commission estimates that, over a three-year period, the total
recordkeeping burden for complying with Rule 1004 is 8,820 hours per year when annualized
over three years, 103 or 210 hours per SCI entity other than plan processors. 104 These estimates
are higher than the recordkeeping burden that was estimated when the rule was initially proposed
(as proposed Rule 1000(b)(9)). Moreover, unlike proposed Rule 1000(b)(9), Rule 1004 does not
98
(First year (5,016 hours) + Second year (1,716 hours) + Third year (1,716 hours)) ÷ 3
years = 2,816 hours annualized per year.
99
2,816 hours ÷ 44 SCI entities = 64 hours per SCI entity.
100
The estimate of 360 hours includes the burden for designating members or participants
for testing, as required by Rule 1004(b).
101
360 hours × 42 SCI entities other than plan processors = 15,120 hours.
102
135 hours × 42 SCI entities other than plan processors = 5,670 hours.
103
(First year (15,120 hours) + Second year (5,670 hours) + Third year (5,670 hours)) ÷ 3
years = 8,820 hours annualized per year.
104
8,820 hours ÷ 42 SCI entities other than plan processors = 210 hours per SCI entity other
than plan processors.
�27
contain reporting requirements. The Commission estimated that the annualized recordkeeping
burden for complying with proposed Rule 1000(b)(9)(i)-(ii) would be 4,480 hours, or 106.67
hours per SCI entity. The Commission also estimated that the annualized reporting burden for
complying with proposed Rule 1000(b)(9)(iii) would be 574 hours, or 13.67 hours per SCI
entity.
e.
SCI Event Notice Required by Rule 1002(b) (Previously Proposed Rule
1000(b)(4))
Rule 1002(b) establishes reporting burdens for all 44 SCI entities.
Rule 1002(b)(1) requires each SCI entity, upon any responsible SCI personnel having a
reasonable basis to conclude that an SCI event has occurred, to notify the Commission
immediately. These notifications can be made orally or in writing, and the Commission
estimates that one-fourth of these notifications will be submitted in writing (i.e., approximately
11 events per year for each SCI entity), 105 and three-fourths will be provided orally (i.e.,
approximately 34 events per year for each SCI entity). 106 The written notifications may be
submitted on Form SCI. The Commission estimates that each written notification will require 2
hours and each oral notification will require 1.5 hours. The Commission estimates that each SCI
entity will require an average of 73 hours annually to comply with Rule 1002(b)(1), 107 or 3,212
hours for all SCI entities. 108
Rule 1002(b)(2) requires each SCI entity, within 24 hours of any responsible SCI
personnel having a reasonable basis to conclude that the SCI event has occurred, to submit a
written notification to the Commission pertaining to the SCI event on a good faith, best efforts
basis. These notifications are required to be submitted on Form SCI. The Commission estimates
that each notification under Rule 1002(b)(2) will require 24 hours for each SCI entity. The
Commission estimates that each SCI entity will require an average of 1,080 hours annually to
comply with Rule 1002(b)(2), 109 or 47,520 hours for all SCI entities. 110
Rule 1002(b)(3) requires each SCI entity to provide updates to the Commission
pertaining to an SCI event on a regular basis, or at such frequency as reasonably requested by a
representative of the Commission, until the SCI event is resolved and the SCI entity’s
investigation of the SCI event is closed. These updates can be provided orally or in writing, and
105
45 SCI events ÷ 4 = 11.25 SCI events reported in writing.
106
45 SCI events – 11 SCI events reported in writing = 34 SCI events reported orally.
107
11 written notifications each year × 2 hours per notification + 34 oral notifications each
year × 1.5 hours per notification = 73 hours.
108
73 hours × 44 SCI entities = 3,212 hours.
109
45 written notifications each year × 24 hours per notification = 1,080 hours.
110
1,080 hours × 44 SCI entities = 47,520 hours.
�28
the Commission estimates that each SCI entity will submit 6 written updates and 18 oral updates
each year. The written updates may be submitted on Form SCI. The Commission estimates that
each written update will require 6 hours and each oral update will require 4.5 hours. The
Commission estimates that each SCI entity will require an average of 117 hours annually to
comply with Rule 1002(b)(3), 111 or 5,148 hours for all SCI entities. 112
Rule 1002(b)(4) requires each SCI entity to submit written interim reports, as necessary,
and a written final report regarding an SCI event to the Commission. These reports are required
to be submitted on Form SCI. The Commission estimates that compliance with Rule 1002(b)(4)
for a particular SCI event will require 35 hours. Because the Commission estimates that each
SCI entity will experience an average of 45 SCI events each year that are not de minimis SCI
events, Rule 1002(b)(4) will result in 45 reporting requirements per SCI entity per year. The
Commission estimates that each SCI entity will require an average of 1,575 hours annually to
comply with Rule 1002(b)(4), 113 or 69,300 hours for all SCI entities. 114
Rule 1002(b)(5) requires each SCI entity to submit to the Commission quarterly reports
containing a summary description of any systems disruption or systems intrusion that has had, or
the SCI entity reasonably estimates would have, no or a de minimis impact on the SCI entity’s
operations or on market participants. These reports are required to be submitted on Form SCI.
The Commission estimates that the initial and ongoing reporting burden to comply with the
quarterly report requirement will be 40 hours per report per SCI entity, or 160 hours annually per
SCI entity, 115 and 7,040 hours annually for all SCI entities. 116
111
6 written updates each year × 6 hours per notification + 18 oral updates each year × 4.5
hours per notification = 117 hours.
112
117 hours × 44 SCI entities = 5,148 hours.
113
45 written notifications each year × 35 hours per notification = 1,575 hours.
114
1,575 hours × 44 SCI entities = 69,300 hours. The Commission notes that this reporting
burden estimate includes the reporting burden for submitting the one interim Commission
notification required under Rule 1002(b)(4)(i)(B) (if necessary). In particular, the
Commission notes that the interim notification requires SCI entities to include the same
information as required to be included in a final notification under Rule 1002(b)(4)(i)(A),
except that SCI entities are only required to provide the information to the extent known
at the time of the interim notification. If an SCI entity submits an interim notification, it
is also required to submit a final notification, which is required to include all of the
remaining information that was not provided in the interim notification. Because all SCI
entities are required to provide the same amount of information in total for a particular
SCI event under Rule 1002(b)(4), regardless of whether they submit an interim
notification, the estimated burden for Rule 1002(b)(4) includes the burden for both the
interim notification (if necessary) and the final notification related to a particular SCI
event.
115
40 hours × 4 reports each year = 160 hours.
�29
In summary, the Commission estimates that the total reporting burden for complying with
Rule 1002(b) is 132,220 hours per year, 117 or 3,005 hours per SCI entity. 118 Because Rule
1002(b) will impose 163 reporting requirements per SCI entity per year, 119 each requirement will
require an average of 18.44 hours. 120 These estimates are higher than the reporting burden that
was estimated when the rule was initially proposed (as proposed Rule 1000(b)(4)). For proposed
Rule 1000(b)(4), the Commission estimated that the total annual reporting burden would be
58,080 hours, or 1,320 hours per SCI entity. Because the previous estimate for proposed Rule
1000(b)(4) assumed that the rule would impose 80 reporting requirements per SCI entity per
year, each notification under that estimate would have required an average of 16.5 hours per SCI
entity.
f.
Dissemination of Information Required by Rule 1002(c) (Previously
Proposed Rule 1000(b)(5))
Rule 1002(c) establishes third party disclosure burdens for all 44 SCI entities.
Rule 1002(c)(1)(i) requires each SCI entity, promptly after any responsible SCI personnel
has a reasonable basis to conclude that an SCI event (other than a systems intrusion) has
occurred, to disseminate certain information to its members or participants. The Commission
estimates that each SCI entity will disseminate information regarding 35 SCI events each year
under Rule 1002(c)(1)(i). The Commission estimates that each information dissemination under
Rule 1002(c)(1)(i) will require 7 hours. Thus, the total annual third party disclosure burden to
comply with Rule 1002(c)(1)(i) will be 245 hours per SCI entity, 121 or 10,780 hours for all SCI
entities. 122
Rule 1002(c)(1)(ii) requires each SCI entity, when known, to promptly disseminate
additional information about an SCI event (other than a systems intrusion) to its members or
participants. Rule 1002(c)(1)(iii) requires each SCI entity to provide to its members or
116
160 hours × 44 SCI entities = 7,040 hours.
117
3,212 hours (Rule 1002(b)(1)) + 47,520 hours (Rule 1002(b)(2)) + 5,148 hours (Rule
1002(b)(3)) + 69,300 hours (Rule 1002(b)(4)) + 7,040 hours (Rule 1002(b)(5)) = 132,220
hours per year.
118
132,220 hours ÷ 44 SCI entities = 3,005 hours per SCI entity.
119
45 requirements for Rule 1002(b)(1) + 45 requirements for Rule 1002(b)(2) + 24
requirements for Rule 1002(b)(3) + 45 requirements for Rule 1002(b)(4) + 4
requirements for 1002(b)(5) = 163 reporting requirements per year.
120
3,005 hours per SCI entity ÷ 163 reporting requirements = 18.44 hours per requirement
per SCI entity.
121
35 information disseminations each year × 7 hours per dissemination = 245 hours.
122
245 hours × 44 SCI entities = 10,780 hours.
�30
participants regular updates of any information required to be disseminated under Rules
1002(c)(1)(i) and (ii) until the SCI event is resolved. The Commission estimates that each SCI
entity will disseminate 3 updates for each SCI event under Rules 1002(c)(1)(ii) and (iii), or 105
updates each year. 123 The Commission estimates that each update under Rules 1002(c)(1)(ii) and
(iii) will require 13 hours. Thus, the total annual third party disclosure burden to comply with
Rules 1002(c)(1)(ii) and (iii) will be 1,365 hours per SCI entity, 124 or 60,060 hours for all SCI
entities. 125
Rule 1002(c)(2) requires each SCI entity to disseminate certain information regarding a
systems intrusion to its members or participants, and provides an exception when the SCI entity
determines that dissemination of such information would likely compromise the security of its
SCI systems or indirect SCI systems, or an investigation of the systems intrusion, and documents
the reasons for such determination. The Commission estimates that each SCI entity will
disseminate information regarding 1 systems intrusion each year under Rule 1002(c)(2). The
Commission estimates that each dissemination under Rule 1002(c)(2) will require 10 hours.
Thus, the total annual third party disclosure burden to comply with Rule 1002(c)(2) will be 10
hours per SCI entity, or 440 hours for all SCI entities. 126
In summary, the total annual third party disclosure burden to comply with Rule 1002(c)
will be 71,280 hours for all SCI entities, 127 or 1,620 hours per SCI entity. 128 Because Rule
1002(c) will impose 141 third party disclosure requirements per SCI entity per year, 129 each
requirement will require an average of 11.49 hours per SCI entity. 130 These estimates are higher
than the third party disclosure burden that was estimated when the rule was initially proposed (as
proposed Rule 1000(b)(5)). For proposed Rule 1000(b)(5), the Commission previously
estimated that the total annual third party disclosure burden would be 5,676 hours for all SCI
entities, or 129 hours per SCI entity. Because the previous estimate for proposed Rule
1000(b)(5) assumed that the rule would impose 43 third party disclosure requirements per SCI
entity per year, each disclosure under that estimate would have required an average of 3 hours
per SCI entity.
123
35 SCI events × 3 updates per SCI event = 105 updates.
124
105 updates each year × 13 hours per update = 1,365 hours.
125
1,365 hours × 44 SCI entities = 60,060 hours.
126
10 hours × 44 SCI entities = 440 hours.
127
10,780 hours (Rule 1002(c)(1)(i)) + 60,060 hours (Rules 1002(c)(1)(ii) and (iii)) + 440
hours (Rule 1002(c)(2)) = 71,280 hours.
128
71,280 hours ÷ 44 SCI entities = 1,620 hours per SCI entity.
129
35 requirements under Rule 1002(c)(1)(i) + 105 requirements under Rules 1002(c)(1)(ii)
and (iii) + 1 requirement under Rule 1002(c)(2) = 141 requirements.
130
1,620 hours per SCI entity ÷ 141 requirements = 11.49 hours per requirement per SCI
entity.
�31
g.
Material Systems Change Notice Required by Rule 1003(a) (Previously
Proposed Rules 1000(b)(6) and (b)(8)(ii))
Rule 1003(a) establishes reporting burdens for all 44 SCI entities.
Rule 1003(a)(1) requires each SCI entity to submit to the Commission quarterly reports
describing completed, ongoing, and planned material changes to its SCI systems and security of
indirect SCI systems during the prior, current, and subsequent calendar quarters. These reports
are required to be submitted on Form SCI. The Commission estimates that the reporting burden
to comply with the quarterly reporting requirement will be 125 hours per report per SCI entity, or
500 hours annually per SCI entity131 and 22,000 hours annually for all SCI entities. 132
Rule 1003(a)(2) requires each SCI entity to promptly submit a supplemental report
notifying the Commission of a material error in or material omission from a report previously
submitted under Rule 1003(a)(1). These reports are required to be submitted on Form SCI. The
Commission estimates that each SCI entity will submit 2 supplemental reports each year. The
Commission estimates that the reporting burden to comply with the supplemental report
requirement will be 15 hours per report per SCI entity, or 30 hours annually per SCI entity 133 and
1,320 hours annually for all SCI entities. 134
In summary, the Commission estimates that the total reporting burden for complying with
Rule 1003(a) is 23,320 hours per year, 135 or 530 hours per SCI entity. 136 Because Rule 1003(a)
will impose 6 reporting requirements per SCI entity per year, 137 each requirement will require an
average of 88.33 hours per SCI entity. 138 These estimates are higher than the reporting burden
that was estimated when the rule was initially proposed (as proposed Rules 1000(b)(6) and
(b)(8)(ii)). For proposed Rule 1000(b)(6), the Commission previously estimated that the total
annual reporting burden would be 3,540 hours for all SCI entities, or 80.45 hours per SCI entity.
For proposed Rule 1000(b)(8)(ii), the Commission previously estimated that the total annual
reporting burden was 5,280 hours for all SCI entities, or 120 hours per SCI entity.
131
125 hours × 4 reports each year = 500 hours.
132
500 hours × 44 SCI entities = 22,000 hours.
133
15 hours × 2 reports each year = 30 hours.
134
30 hours × 44 SCI entities = 1,320 hours.
135
22,000 hours for Rule 1003(a)(1) + 1,320 hours for Rule 1003(a)(2) = 23,320 hours.
136
23,320 hours ÷ 44 SCI entities = 530 hours per SCI entity.
137
4 requirements under Rule 1003(a)(1) + 2 requirements under Rule 1003(a)(2) = 6
requirements.
138
530 hours per SCI entity ÷ 6 requirements = 88.33 hours per requirement per SCI entity.
�32
h.
SCI Review Required by Rule 1003(b) (Previously Proposed Rules
1000(b)(7) and (b)(8)(i))
Rule 1003(b) establishes recordkeeping and reporting burdens for all 44 SCI entities.
Rule 1003(b)(1) requires each SCI entity to conduct an SCI review of its compliance with
Regulation SCI not less than once each calendar year, with an exception for penetration test
reviews, which are required to be conducted not less than once every three years. Rule
1003(b)(1) also provides an exception for assessments of SCI systems directly supporting market
regulation or market surveillance, which are required to be conducted at a frequency based on the
risk assessment conducted as part of the SCI review, but in no case less than once every three
years. Rule 1003(b)(2) requires each SCI entity to submit a report of the SCI review to senior
management no more than 30 calendar days after completion of the review. The Commission
estimates that the recordkeeping burden of conducting an SCI review and submitting the SCI
review to senior management of the SCI entity for review will be approximately 690 hours for
each SCI entity, and 30,360 hours annually for all SCI entities. 139 These estimates are higher
than the recordkeeping burden that was estimated when the rule was initially proposed (as
proposed Rule 1000(b)(7)). For proposed Rule 1000(b)(7), the Commission previously
estimated that the total annual recordkeeping burden would be 27,500 hours for all SCI entities,
or 625 hours per SCI entity.
Rule 1003(b)(3) requires each SCI entity to submit the report of the SCI review to the
Commission and to its board of directors or the equivalent of such board, together with any
response by senior management, within 60 calendar days after its submission to senior
management. These reports are required to be submitted on Form SCI. The Commission
estimates that each SCI entity will require 1 hour per year to submit the report of the SCI review
and any response by senior management to the Commission and to its board of directors or the
equivalent of such board, for a reporting burden of 44 hours for all SCI entities. 140 These
estimates are the same as the reporting burden that was estimated when Rule 1003(b)(3) was
initially proposed (as proposed Rule 1000(b)(8)(i)).
i.
Access to EFFS
Rule 1006 requires each SCI entity, with a few exceptions, to file any notification,
review, description, analysis, or report to the Commission required under Regulation SCI
electronically on Form SCI. The Commission will implement Form SCI through the EFFS
currently used by SCI SROs to file Form 19b-4 filings. Access to EFFS establishes reporting
burdens for all 44 SCI entities.
An SCI entity will submit to the Commission an EAUF to register each individual at the
SCI entity who will access the EFFS system on behalf of the SCI entity. The Commission is
139
690 hours × 44 SCI entities = 30,360 hours.
140
1 hour × 44 SCI entities = 44 hours.
�33
including in its burden estimates the reporting burden for completing the EAUF for each
individual at an SCI entity that will request access to EFFS. The Commission estimates that
initially, on average, two individuals at each SCI entity will request access to EFFS through the
EAUF, and each EAUF will require 0.15 hours to complete and submit. Therefore, each SCI
entity will initially require 0.3 hours to complete the requisite EAUFs, 141 or 13.2 hours for all
SCI entities. 142 The Commission also estimates that annually, on average, one individual at each
SCI entity will request access to EFFS through EAUF. Therefore, the ongoing burden to
complete the EAUF will be 0.15 hours annually per SCI entity, 143 or 6.6 hours annually for all
SCI entities. 144
In summary, the Commission estimates that, over a three-year period, the total reporting
burden for registering individuals to be given access to EFFS is 8.8 hours per year when
annualized over three years, 145 or 0.2 hours per SCI entity. 146 Because access to EFFS will
impose an average of 1.33 reporting requirements per SCI entity per year, 147 each requirement
will require an average of 0.15 hours. 148 These estimates were not included in the proposal.
j.
Corrective Action Required by Rule 1002(a) (Previously Proposed Rule
1000(b)(3))
Rule 1002(a) establishes recordkeeping burdens for all 44 SCI entities.
Rule 1002(a) requires each SCI entity, upon any responsible SCI personnel having a
reasonable basis to conclude that an SCI event has occurred, to begin to take appropriate
corrective action. The Commission believes that Rule 1002(a) will likely result in SCI entities
developing and revising their processes for corrective action. The Commission estimates that the
initial recordkeeping burden to implement such a process will be 114 hours per SCI entity, or
5,016 hours for all SCI entities. 149 The Commission also estimates that the ongoing
recordkeeping burden to review such process will be 39 hours annually per SCI entity, or 1,716
141
0.15 hours per EAUF × 2 individuals = 0.3 hours per SCI entity.
142
0.30 hours × 44 SCI entities = 13.2 hours.
143
0.15 hours per EAUF × 1 individual = 0.15 hours per SCI entity.
144
0.15 hours × 44 SCI entities = 6.6 hours.
145
(First year (13.2 hours) + Second year (6.6 hours) + Third year (6.6 hours)) ÷ 3 years =
8.8 hours annualized per year.
146
8.8 hours ÷ 44 SCI entities = 0.2 hours per SCI entity.
147
(First year (2 requirements) + Second year (1 requirement) + Third year (1 requirement))
÷ 3 years = 1.33 requirements per year.
148
0.2 hours per SCI entity ÷ 1.33 reporting requirements = 0.15 hours per requirement per
SCI entity.
149
114 hours × 44 SCI entities = 5,016 hours.
�34
hours annually for all SCI entities. 150
In summary, the Commission estimates that, over a three-year period, the total
recordkeeping burden to comply with Rule 1002(a) will be 2,816 hours per year when
annualized over three years, 151 or 64 hours per SCI entity. 152 These estimates are higher than the
recordkeeping burden that was estimated when the rule was initially proposed (as proposed Rule
1000(b)(3)). For proposed Rule 1000(b)(3), the Commission previously estimated that the total
annualized recordkeeping burden would be 968 hours for all SCI entities, or 22 hours per SCI
entity.
k.
Identification of Critical SCI Systems, Major SCI Events, De Minimis SCI
events, and Material Systems Changes
Identification of critical SCI systems, major SCI events, de minimis SCI events, and
material systems changes establishes recordkeeping burdens for all 44 SCI entities.
Rule 1003(a)(1) requires each SCI entity to establish reasonable written criteria for
identifying a change to its SCI systems and the security of indirect SCI systems as material.
Because the ARP Inspection Program already provides for the reporting “significant systems
changes” to Commission staff, the Commission is estimating a 50% baseline for the staff burden
estimates for SCI entities that currently participate in the ARP Inspection Program. However,
the Commission does not believe that a 50% baseline would be appropriate for these SCI entities
in terms of senior management review. The Commission believes that, although these entities
already have some internal processes for determining the significance of a systems change, their
senior management will require the same number of hours as other SCI entities to review and
ensure that the process is reasonable, as required by Rule 1003(a)(1).
The Commission estimates that each SCI entity that does not participate in the ARP
Inspection Program (14 SCI entities) will initially require 114 hours to establish the criteria for
identifying material systems changes, or 1,596 hours for all such SCI entities. 153 The
Commission estimates that each SCI entity that currently participates in the ARP Inspection
Program (30 SCI entities) will initially require 72 hours to establish the criteria, or 2,160 hours
for all such SCI entities. 154 Thus, the total initial recordkeeping burden to establish such process
150
39 hours × 44 SCI entities = 1,716 hours.
151
(First year (5,016 hours) + Second year (1,716 hours) + Third year (1,716 hours)) ÷ 3
years = 2,816 hours annualized per year.
152
2,816 hours ÷ 44 SCI entities = 64 hours per SCI entity.
153
114 hours × 14 SCI entities that do not participate in the ARP Inspection Program =
1,596 hours.
154
72 hours × 30 SCI entities that participate in the ARP Inspection Program = 2,160 hours.
�35
will be 3,756 hours. 155
The Commission estimates that each SCI entity that does not participate in the ARP
Inspection Program will require 39 hours annually to review and update the criteria for
identifying material systems changes, or 546 hours for all such SCI entities. 156 The Commission
estimates that each SCI entity that currently participates in the ARP Inspection Program will
require 27 hours annually to review and update the criteria, or 810 hours for all such SCI
entities. 157 Thus, the total annual ongoing recordkeeping burden for such process will be 1,356
hours. 158
The Commission estimates that, over a three-year period, the total recordkeeping burden
for establishing and reviewing the processes for the identification of material systems changes
will be 2,156 hours per year when annualized over three years, 159 or 49 per SCI entity. 160 These
estimates were not included in the proposal.
Regulation SCI also requires SCI entities to identify certain types of events and systems.
The Commission believes that the identification of critical SCI systems, major SCI events, and
de minimis SCI events will impose an initial one-time implementation burden on SCI entities in
developing processes to quickly and correctly identify the nature of a system or event. The
identification of these systems and events may also impose periodic burdens on SCI entities in
reviewing and updating the processes. For reasons similar to those discussed above in the
context of material systems changes, the Commission estimates a 50% baseline for staff burden
for SCI entities that currently participate in the ARP Inspection program, but not for senior
management burden for such SCI entities.
The Commission estimates that each SCI entity that does not participate in the ARP
Inspection Program will require 198 hours initially to establish the criteria for identifying certain
systems and events, or 2,772 hours for all such SCI entities. 161 The Commission estimates that
each SCI entity that currently participates in the ARP Inspection Program will require 114 hours
initially to establish the criteria for identifying certain systems and events, or 3,420 hours for all
155
1,596 hours for non-ARP entities + 2,160 hours for ARP entities = 3,756 hours.
156
39 hours × 14 SCI entities that do not participate in the ARP Inspection Program = 546
hours.
157
27 hours × 30 SCI entities that participate in the ARP Inspection Program = 810 hours.
158
546 hours for non-ARP entities + 810 hours for ARP entities = 1,356 hours.
159
(First year (3,756 hours) + Second year (1,356 hours) + Third year (1,356 hours)) ÷ 3
years = 2,156 hours annualized per year.
160
2,156 hours ÷ 44 SCI entities = 49 hours per SCI entity.
161
198 hours × 14 SCI entities that do not participate in the ARP Inspection Program =
2,772 hours.
�36
such SCI entities. 162 Thus, the total initial recordkeeping burden to establish such process will
be 6,192 hours. 163
The Commission estimates that each SCI entity that does not participate in the ARP
Inspection Program will require 63 hours annually to review and update the criteria for
identifying certain systems and events, or 882 hours for all such SCI entities. 164 The
Commission estimates that each SCI entity that currently participates in the ARP Inspection
Program will require 39 hours annually to review and update such criteria, or 1,170 hours for all
such SCI entities. 165 Thus, the total annual ongoing recordkeeping burden for such process will
be 2,052 hours. 166
The Commission estimates that, over a three-year period, the total recordkeeping burden
for establishing and reviewing the processes for the identification of certain systems and events
will be 3,432 hours per year when annualized over three years, 167 or 78 per SCI entity. 168 These
estimates are higher than the estimated recordkeeping burden that was included in connection
with the proposal for the identification of immediate notification SCI events and dissemination
SCI events. Specifically, the Commission initially estimated that the annualized recordkeeping
burden for developing and reviewing a process to determine the significance of SCI events
would be 649 hours for all SCI entities, or 14.75 hours for each SCI entity.
In summary, the Commission estimates that, over a three-year period, the total
recordkeeping burden for establishing and reviewing the processes for the identification of
material systems changes and certain systems and events will be 5,588 hours per year when
annualized over three years, 169 or 127 per SCI entity. 170
162
114 hours × 30 SCI entities that participate in the ARP Inspection Program = 3,420
hours.
163
2,772 hours for non-ARP entities + 3,420 hours for ARP entities = 6,192 hours.
164
63 hours × 14 SCI entities that do not participate in the ARP Inspection Program = 882
hours.
165
39 hours × 30 SCI entities that participate in the ARP Inspection Program = 1,170 hours.
166
882 hours for non-ARP entities + 1,170 hours for ARP entities = 2,052 hours.
167
(First year (6,192 hours) + Second year (2,052 hours) + Third year (2,052 hours)) ÷ 3
years = 3,432 hours annualized per year.
168
3,432 hours ÷ 44 SCI entities = 78 hours per SCI entity.
169
(First year (3,756 + 6,192 hours) + Second year (1,356 + 2,052 hours) + Third year
(1,356 + 2,052 hours)) ÷ 3 years = 5,588 hours annualized per year.
170
5,588 hours ÷ 44 SCI entities = 127 hours per SCI entity.
�37
l.
Recordkeeping Required by Rules 1005 and 1007 (Previously Proposed
Rules 1000(c) and (e))
The recordkeeping requirements establish recordkeeping burdens for SCI entities other
than SCI SROs (17 SCI entities).
The Commission estimates that the burden to make, keep, and preserve records relating
to compliance with Regulation SCI, as required by Rule 1005(b), will be approximately 25 hours
annually per SCI entity that is not an SCI SRO. Therefore, the Commission estimates a total
annual burden of 425 hours for all such SCI entities. 171 The Commission also estimates that, for
each SCI entity other than an SCI SRO, setting up or modifying a recordkeeping system to
comply with Rule 1005 will create an initial burden of 170 hours, or 2,890 hours for all SCI
entities other than SCI SROs. 172
In summary, the Commission estimates that, over a three-year period, the total
recordkeeping burden for all SCI entities other than SCI SROs to comply with the recordkeeping
requirement will be 1,388.33 hours per year when annualized over three years, 173 or 81.67 hours
per SCI entity that is not an SCI SRO. 174 The estimate for each such SCI entity is the same as
the recordkeeping burden that was estimated when Rule 1005 and Rule 1007 were proposed (in
proposed Rules 1000(c) and (e)). The total estimate for all such SCI entities is lower than the
recordkeeping burden that was estimated when the rule was initially proposed (as proposed
Rules 1000(c) and (e)) due to the fewer number of such SCI entities estimated. For proposed
Rules 1000(c) and (e), the Commission previously estimated that the annualized recordkeeping
burden for all SCI entities other than SCI SROs would be 1,470 hours, or 81.67 hours per SCI
entity that is not an SCI SRO.
171
25 hours × 17 non-SRO SCI entities = 425 hours.
172
170 hours × 17 non-SRO SCI entities = 2,890 hours.
173
(First year (2,890 + 425 hours) + Second year (425 hours) + Third year (425 hours)) ÷ 3
years = 1388.33 hours annualized per year.
174
1,388.33 hours ÷ 17 SCI entities that are not SCI SROs = 81.67 hours per entity.
�38
m.
Summary of Hourly Burdens
The table below summarizes the Commission’s estimate of the total hourly burden for
SCI entities under Regulation SCI.
Nature of Information Collection Burden
Policies and procedures required by Rule 1001(a)
Annualized Aggregate Hourly Burden
Estimate
15,136 (Recordkeeping)
Policies and procedures required by Rule 1001(b)
8,186.67 (Recordkeeping)
Policies and procedures required by Rule 1001(c)
2,816 (Recordkeeping)
Mandate participation in certain testing required by
Rule 1004
8,820 (Recordkeeping)
SCI event notice required by Rule 1002(b)
132,220 (Reporting)
Dissemination of information required by Rule
1002(c)
71,280 (Third Party Disclosure)
Material systems change notice required by Rule
1003(a)
23,320 (Reporting)
SCI review required by Rule 1003(b)
30,360 (Recordkeeping)
44 (Reporting)
Access to EFFS
8.8 (Reporting)
Corrective action required by Rule 1002(a)
2,816 (Recordkeeping)
Identification of critical SCI systems, major SCI
events, de minimis SCI events, and material systems
changes
5,588 (Recordkeeping)
Recordkeeping required by Rules 1005 and 1007
1,388.33 (Recordkeeping)
�39
The following table breaks down the Commission’s estimate of the total hourly burden
for SCI entities under Regulation SCI.
Number
of
Response
s Per
Year
Initial
Burden Per
Response
Per Year
Per
Responden
t
Ongoing
Burden Per
Response
Per Year
Per
Responden
t
Annualized
Burden
Estimate
Per
Responden
t
Annualize
d Hourly
Burden
Estimate
IndustryWide
Small
Busines
s
Entities
Affected
Nature of Information Collection
Burden
Previous
Rule(s)
Type of
Burden
Number of
Respondent
s
Policies and Procedures required by
Rule 1001(a)
1000(b)(1)
Recordkeepin
g
44
1
174.06
169.94
344.00
15,136.00
0
Policies and Procedures required by
Rule 1001(b)
1000(b)(2)
Recordkeepin
g
44
1
90.00
96.06
186.06
8,186.67
0
Recordkeepin
g
44
1
38.00
26.00
64.00
2,816.00
0
Policies and Procedures required by
Rule 1001(c)
Mandate Participation in certain testing
required by Rule 1004 (plan processors)
1000(b)(9)
Recordkeepin
g
2
1
0.00
0.00
0.00
0.00
0
Mandate Participation in certain testing
required by Rule 1004 (non-plan
processors)
1000(b)(9)
Recordkeepin
g
42
1
120.00
90.00
210.00
8,820.00
0
SCI event notice required by Rule
1002(b)
1000(b)(4)
Reporting
44
163
0.00
18.44
3,005.72
132,251.68
0
Dissemination of information required
by Rule 1002(c)
1000(b)(5)
Third-Party
Disclosure
44
141
0.00
11.49
1,620.09
71,283.96
0
Material Systems change notice
required by Rule 1003(a)
1000(b)(6)
and (b)(8)(ii)
Reporting
44
6
0.00
88.33
529.98
23,319.12
0
SCI review required by Rule 1003(b)(1)
and (b)(2)
1000(b)(7)
and (b)(8)(i)
Recordkeepin
g
44
1
0.00
690.00
690.00
30,360.00
0
SCI review required by Rule 1003(b)(3)
1000(b)(7)
and (b)(8)(i)
Reporting
44
1
0.00
1.00
1.00
44.00
0
Access to EFFS - EAUF
Reporting
44
1.33
0.075
0.075
0.20
8.80
0
Access to EFFS - Digital ID
Reporting
44
2
0.00
0.00
0.00
0.00
0
Corrective Action required by Rule
1002(a)
Recordkeepin
g
44
1
38.00
26.00
64.00
2,816.00
0
Recordkeepin
g
44
1
75.36
51.64
127.00
5,588.00
0
Recordkeepin
g
17
1
56.67
25.00
81.67
1,388.33
0
6,923.72
302,018.56
1000(b)(3)
Identification of critical SCI systems,
major SCI events, de minimis SCI
events, and material systems changes
Recordkeeping required by Rules 1005
and 1007
1000(c) and
(e)
�40
13.
Costs to Respondents
a.
Policies and Procedures Required by Rule 1001(a) (Previously Proposed
Rule 1000(b)(1))
Rule 1001(a) imposes recordkeeping costs for all 44 SCI entities. In establishing,
maintaining, and enforcing the policies and procedures required by Rule 1001(a), the
Commission believes that each SCI entity will seek outside legal and/or consulting services in
the initial preparation of such policies and procedures. The total annualized recordkeeping cost
of seeking outside legal and/or consulting services will be $689,333.33 for all SCI entities
($47,000 for the first year × 44 SCI entities ÷ 3 years), or $15,666.67 per SCI entity. 175 These
estimates are higher than the recordkeeping cost that was estimated when the rule was initially
proposed (as proposed Rule 1000(b)(1)). For proposed Rule 1000(b)(1), the Commission
previously estimated that the total annualized recordkeeping cost of seeking outside legal and/or
consulting services would be $293,333 for all SCI entities, or $6,666.67 per SCI entity.
b.
Policies and Procedures Required by Rule 1001(b) (Previously Proposed
Rule 1000(b)(2))
Rule 1001(b) imposes recordkeeping costs for all 44 SCI entities. In establishing,
maintaining, and enforcing the policies and procedures required by Rule 1001(b), the
Commission believes that each SCI entity will seek outside legal and/or consulting services in
the initial preparation of such policies and procedures. The total annualized cost of seeking
outside legal and/or consulting services will be $396,000 ($27,000 for the first year × 44 SCI
entities ÷ 3 years), or $9,000 per SCI entity. 176 These estimates are higher than the
recordkeeping cost that was estimated when the rule was initially proposed (as proposed Rule
1000(b)(2)). For proposed Rule 1000(b)(2), the Commission previously estimated that the total
annualized recordkeeping cost of seeking outside legal and/or consulting services would be
$293,333, or $6,666.67 per SCI entity.
c.
Policies and Procedures Required by Rule 1001(c)
The Commission does not expect SCI entities to incur any external PRA costs in
connection with the policies and procedures required under Rule 1001(c). Rule 1001(c) is a new
recordkeeping requirement that was not included in the proposal.
d.
Mandate Participation in Certain Testing Required by Rule 1004
(Previously Proposed Rule 1000(b)(9))
Rule 1004 imposes recordkeeping costs for SCI entities that are plan processors (2 SCI
entities). In complying with Rule 1004, the Commission believes that plan processors will seek
175
$689,333.33 ÷ 44 SCI entities = $15,666.67 per SCI entity.
176
$396,000 ÷ 44 SCI entities = $9,000 per SCI entity.
�41
outside legal services. The Commission estimates that the total initial recordkeeping cost of
seeking outside legal services for compliance with Rule 1004 will be $288,000 for all plan
processors ($144,000 × 2 plan processors). The Commission estimates that the total annual
ongoing recordkeeping cost of seeking outside legal services for compliance with Rule 1004 will
be $108,000 ($54,000 × 2 plan processors). The total annualized recordkeeping cost for
complying with Rule 1004 will be $168,000, 177 or $84,000 per plan processor. 178 These
estimates are higher than the recordkeeping cost that was estimated when the rule was initially
proposed (as proposed Rule 1000(b)(9)). Moreover, unlike proposed Rule 1000(b)(9), Rule
1004 does not contain reporting costs. The Commission previously estimated that the total
annualized recordkeeping cost for complying with proposed Rule 1000(b)(9)(i)-(ii) would be
$85,333.33, or $42,666.67 per plan processor. The Commission also previously estimated that
the total annualized reporting cost for complying with proposed Rule 1000(b)(9)(iii) would be
$10,933.33, or $5,466.67 per plan processor.
e.
SCI Event Notice Required by Rule 1002(b) (Previously Proposed Rule
1000(b)(4))
Rule 1002(b) imposes reporting costs for all 44 SCI entities. The Commission estimates
that while SCI entities will handle internally most of the work associated with Rule 1002(b), SCI
entities will seek outside legal advice in the preparation of certain Commission notifications.
The total annual reporting cost of seeking outside legal advice will be $1,980,000 for all SCI
entities ($45,000 × 44 SCI entities). Because Rule 1002(b) will impose 163 reporting
requirements per SCI entity per year, each requirement will require an average of $276.07. 179
The proposal did not include an estimate of outsourcing costs for work associated with Proposed
Rule 1000(b)(4) because the Commission believed that SCI entities would not engage outside
counsel for such work, In response to comment, 180 the Commission has added reporting cost
associated with seeking outside legal advice.
f.
Dissemination of Information Required by Rule 1002(c) (Previously
Proposed Rule 1000(b)(5))
Rule 1002(c) imposes third party disclosure costs for all 44 SCI entities. The
Commission believes SCI entities will seek outside legal advice in the preparation of the
information dissemination under Rule 1002(c). The total annual third party disclosure cost of
seeking outside legal advice will be $1,584,000 ($36,000 per SCI entity per year × 44 SCI
entities). Because Rule 1002(c) will impose 141 third party disclosure requirements per SCI
177
(First year ($288,000) + Second year ($108,000) + Third year ($108,000)) ÷ 3 years =
$168,000 annualized per year.
178
$168,000 ÷ 2 plan processors = $84,000 per plan processor.
179
$45,000 per SCI entity ÷ 163 requirements = $276.07 per requirement per SCI entity.
180
See Omgeo Letter at 35-36.
�42
entity per year, each requirement will require an average of $255.32. 181 The estimate of total
cost is higher than the total third party disclosure cost that was estimated when the rule was
initially proposed (as proposed Rule 1000(b)(5)), but the cost estimate per disclosure is lower.
For proposed Rule 1000(b)(5), the Commission previously estimated that the total annual cost of
seeking outside legal advice would be $660,000. Because proposed Rule 1000(b)(5) would
impose 43 third party disclosure requirements per SCI entity per year, each notification would
require an average of $348.84 per SCI entity.
g.
Material Systems Change Notice Required by Rule 1003(a) (Previously
Proposed Rules 1000(b)(6) and (b)(8)(ii))
The Commission does not expect SCI entities to incur any external PRA costs in
connection with the reports required under Rule 1003(a). This is consistent with the
Commission’s approach to proposed Rules 1000(b)(6) and (b)(8)(ii).
h.
SCI Review Required by Rule 1003(b) (Previously Proposed Rules
1000(b)(7) and (b)(8)(i))
Rule 1003(b) imposes recordkeeping costs for all 44 SCI entities. The Commission
estimates that while SCI entities will handle internally some or most of the work associated with
compliance with Rule 1003(b), SCI entities will outsource some of the work associated with an
SCI review. The total annual recordkeeping cost of outsourcing will be $2,200,000 ($50,000 ×
44 SCI entities). The proposal did not include an estimate of outsourcing costs for work
associated with Proposed Rules 1000(b)(7) and (b)(8)(i) because the Commission believed that
SCI entities would not engage outside consultants for such work, In response to comment, 182 the
Commission has added outsourcing costs associated with the work required by Rule 1003(b). .
i.
Access to EFFS
As noted above, Rule 1006 requires each SCI entity, with a few exceptions, to file any
notification, review, description, analysis, or report to the Commission required under
Regulation SCI electronically on Form SCI. The Commission will implement Form SCI through
the EFFS currently used by SCI SROs to file Form 19b-4 filings. Obtaining the ability for an
individual to electronically sign a Form SCI imposes reporting costs for all 44 SCI entities. The
Commission estimates that each SCI entity will designate two individuals to sign Form SCI each
year, and each such individual must obtain a digital ID at the cost of approximately $25 each
year. Therefore, each SCI entity will require $50 annually to obtain digital IDs, 183 or $2,200 for
all SCI entities. 184 These estimates were not included in the proposal.
181
$36,000 per SCI entity ÷ 141 requirements = $255.32 per requirement per SCI entity.
182
See MSRB Letter at 36.
183
$25 per digital ID × 2 individuals = $50.
184
$50 per SCI entity × 44 SCI entities = $2,200.
�43
j.
Corrective Action Required by Rule 1002(a) (Previously Proposed Rule
1000(b)(3))
The Commission does not expect SCI entities to incur any external PRA costs in
connection with the requirement to take corrective actions under Rule 1002(a). This is consistent
with the Commission’s approach to proposed Rule 1000(b)(3).
k.
Identification of Critical SCI Systems, Major SCI Events, De Minimis SCI
events, and Material Systems Changes
The Commission does not expect SCI entities to incur any external PRA costs in
connection with the identification of critical SCI systems, major SCI events, de minimis SCI
events, and material systems changes. This is consistent with the Commission’s approach in the
proposal for the identification of immediate notification SCI events and dissemination SCI
events.
l.
Recordkeeping Required by Rules 1005 and 1007 (Previously Proposed
Rules 1000(c) and (e))
The recordkeeping requirements impose recordkeeping costs for SCI entities other than
SCI SROs (17 SCI entities). The Commission estimates that an SCI entity other than an SCI
SRO will incur a one-time recordkeeping cost of $900 to set up or modify an existing
recordkeeping system to comply with the recordkeeping requirements. For SCI entities other
than SCI SROs, the total annualized recordkeeping cost for complying with the recordkeeping
requirements will be $5,100, 185 or $300 per SCI entity that is not a SCI SRO. 186 The estimate for
each such SCI entity is the same as the recordkeeping cost that was estimated when the rules
were initially proposed (as proposed Rules 1000(c) and (e)). The total estimate for all such SCI
entities is lower than the recordkeeping cost that was estimated when the rules were initially
proposed (as proposed Rules 1000(c) and (e)) due to the fewer number of such SCI entities
estimated. For proposed Rules 1000(c) and (e), the Commission previously estimated that the
total annualized recordkeeping cost for all SCI entities other than SCI SROs would be $5,400, or
$300 per SCI entity that is not an SCI SRO.
185
$900 × 17 SCI entities that are not SCI SROs ÷ 3 years = $5,100 annualized per year.
186
$5,100 ÷ 17 SCI entities that are not SCI SROs = $300 per SCI entity that is not an SCI
SRO.
�44
m.
Summary of Cost Burdens
The table below summarizes the Commission’s estimate of the total cost burden for SCI
entities under Regulation SCI.
Nature of Information Collection Burden
Burden Estimate in Dollars
Policies and procedures required by Rule 1001(a)
$689,333.33 (Recordkeeping)
Policies and procedures required by Rule 1001(b)
$396,000 (Recordkeeping)
Mandate participation in certain testing required by
Rule 1004
$168,000 (Recordkeeping)
SCI event notice required by Rule 1002(b)
$1,980,000 (Reporting)
Dissemination of information required by Rule
1002(c)
$1,584,000 (Third Party Disclosure)
SCI review required by Rule 1003(b)
$2,200,000 (Recordkeeping)
Access to EFFS
$2,200 (Reporting)
Recordkeeping required by Rules 1005 and 1007
$5,100 (Recordkeeping)
�45
The following table breaks down the Commission’s estimate of the total cost burden for
SCI entities under Regulation SCI.
Number
of
Response
s Per
Year
Initial Cost
Per
Response
Per Year
Per
Responden
t
Ongoing
Cost Per
Response
Per Year
Per
Responden
t
Annualized
Cost
Estimate
Per
Responden
t
Annualized
Cost
Estimate
IndustryWide
Small
Busines
s
Entities
Affecte
d
Nature of Information Collection
Burden
Previous
Rule(s)
Type of
Burden
Number of
Respondent
s
Policies and Procedures required by
Rule 1001(a)
1000(b)(1)
Recordkeepin
g
44
1
$15,666.67
$0.00
$15,666.67
$689,333.33
0
Policies and Procedures required by
Rule 1001(b)
1000(b)(2)
Recordkeepin
g
44
1
$9,000.00
$0.00
$9,000.00
$396,000.00
0
Recordkeepin
g
44
1
$0.00
$0.00
$0.00
$0.00
0
Policies and Procedures required by
Rule 1001(c)
Mandate Participation in certain testing
required by Rule 1004 (plan processors)
1000(b)(9)
Recordkeepin
g
2
1
$48,000.00
$36,000.00
$84,000.00
$168,000.00
0
Mandate Participation in certain testing
required by Rule 1004 (non-plan
processors)
1000(b)(9)
Recordkeepin
g
42
1
$0.00
$0.00
$0.00
$0.00
0
SCI event notice required by Rule
1002(b)
1000(b)(4)
Reporting
44
163
$0.00
$276.07
$44,999.41
$1,979,974.0
4
0
Dissemination of information required
by Rule 1002(c)
1000(b)(5)
Third-Party
Disclosure
44
141
$0.00
$255.32
$36,000.12
$1,584,005.2
8
0
Material Systems change notice
required by Rule 1003(a)
1000(b)(6)
and (b)(8)(ii)
Reporting
44
6
$0.00
$0.00
$0.00
$0.00
0
SCI review required by Rule 1003(b)(1)
and (b)(2)
1000(b)(7)
and (b)(8)(i)
Recordkeepin
g
44
1
$0.00
$50,000.00
$50,000.00
$2,200,000.0
0
0
SCI review required by Rule 1003(b)(3)
1000(b)(7)
and (b)(8)(i)
Reporting
44
1
$0.00
$0.00
$0.00
$0.00
0
Access to EFFS - EAUF
Reporting
44
1.33
$0.00
$0.00
$0.00
$0.00
0
Access to EFFS - Digital ID
Reporting
44
2
$0.00
$25.00
$50.00
$2,200.00
0
Corrective Action required by Rule
1002(a)
Recordkeepin
g
44
1
$0.00
$0.00
$0.00
$0.00
0
Recordkeepin
g
44
1
$0.00
$0.00
$0.00
$0.00
0
Recordkeepin
g
17
1
$300.00
$0.00
$300.00
$5,100.00
0
$240,016.2
0
$7,024,612.6
5
1000(b)(3)
Identification of critical SCI systems,
major SCI events, de minimis SCI
events, and material systems changes
Recordkeeping required by Rules 1005
and 1007
1000(c) and
(e)
�46
14.
Cost to Federal Government
The Commission estimates that it will incur one-time costs related to programming, testing,
and deployment in order to establish an electronic system for Form SCI. The Commission also
expects to incur ongoing maintenance costs. Third party contractors will perform most of the work
except for some testing and project management, which will be performed by Commission staff.
The Commission estimates that the total costs to establish such a system will be $900,000 initially
and $180,000 annually thereafter, or $420,000 per year annualized over three years. 187
While the scope of Regulation SCI is broader than the scope of the ARP Inspection
Program, the Commission believes that the resources currently devoted to the ARP Inspection
Program can be repurposed to meet many of the demands of Regulation SCI. The Commission
recognizes, however, that Regulation SCI will potentially require additional technology and human
resources.
15.
Changes in Burden
Not applicable. The Commission is adopting Regulation SCI for the first time.
16.
Information Collections Planned for Statistical Purposes
Not applicable. The information collections above are not planned for statistical purposes.
17.
Approval to Omit OMB Expiration Date
We request authorization to omit the expiration date on the electronic version of Form
SCI, although the OMB control number will be displayed. Including the expiration date on the
electronic version of the form will result in increased costs, because the need to make changes to
the form may not follow the application’s scheduled version release dates.
18.
Exceptions to Certification for Paperwork Reduction Act Submissions
This collection complies with the requirements in 5 CFR 1320.9.
B.
COLLECTION OF INFORMATION EMPLOYING STATISTICAL METHODS
This collection does not involve statistical methods.
187
(First year ($900,000) + Second year ($180,000) + Third year ($180,000)) ÷ 3 years =
$420,000 annualized per year.
�
| File Type | application/pdf |
| File Title | Reg SCI Supporting Statement (Adopting) - 5-19-15 |
| Author | SEC |
| File Modified | 2015-05-21 |
| File Created | 2015-05-21 |