Are Your Systems and Technology Ready for SEC Review?
March 24, 2011
Chairman Mary L. Schapiro said Wednesday that the Securities and Exchange Commission should consider making reviews of automated systems used in the exchange of stocks and other investments mandatory.
The mandate would be an outgrowth of Automation Review Policies issued a quarter century ago, after the Black Monday crash on Wall Street in 1987.
“Systems and technology can … be sources of risk, as can corporate cultures that under-emphasize compliance and risk management,’’ Schapiro said at the Compliance and Legal Society Annual Seminar in Phoenix of the Securities Industry and Financial Markets Association.
The effort would be an attempt to prevent the kind of breakdown that occurred on October 19, 1987, as panic selling drove the Dow Jones Industrial Average down 508 points to 1738.74. That 22.6 percent one-day drop led the SEC at the time to issue a pair of statements it called Automation Review policies.
Those set out expectations, but not requirements, that “market participants would acquire appropriate technology and assure its functionality -- with regular capacity planning and testing exercises, and with system vulnerability assessments.’
The program also would include an annual independent review of those systems by all market participants. Securites firms would notify the commission staff of system outages and “material system changes.”
Now, with the majority of trading happening through lightning-fast trading systems and another disruption like the May 6 Flash Crash still looming, Schapiro said the reviews could become required of a wide variety of organizations processing trades in American markets.
“Today, with risks including algorithm-generated volume surges and malevolent hackers still very much with us, I believe the SEC should consider making (Automation Review Policy) compliance mandatory,’’ she told the SIFMA compliance audience. “ Such a regulation would require market participants to meet adequate standards for the capacity, resiliency, and security of their automated systems.”
The rules could apply to exchanges, alternative trading systems handling appreciable volume, clearing agencies, depositories and securities information processors.
The SEC said not just systems, but the culture of individual enterprises may be examined.
She said the SEC’s Office of Compliance, Inspections and Examinations under Director Carlo di Florio
is using “structural enhancements, improved skill sets, technology, and a risk-focused examination strategy” to deliver a redesigned and “consistent, national examination program.”
The redesigned exams would look at the corporate governance structure of registrants around enterprise risk and internal controls. “Our examiners will be looking to see if registrants have embraced “a culture of compliance,” including enterprise risk management, within their firms,’’ she said.
The exam will ask questions such as:
• How are the business units of an entity ensuring they are taking and managing risk effectively at the product and asset class level?
• Are key risk management, control and compliance functions structured and funded to be effectively embedded in the business process?
• How are senior managers ensuring effective oversight of enterprise risk management?
• And how is the internal audit process independently verifying and providing the board and senior management with assurance about the operating effectiveness of the risk management, compliance and control functions?