A major first step of the Consolidated Audit Trail (CAT) project is underway despite requests by SROs that the effort be put on hold.
The controversial Consolidated Audit Trail (CAT) surveillance system and database of the SEC is moving ahead despite requests by major self-regulatory organizations (SROs) and industry groups that the effort be delayed because of concerns over cybersecurity and the deadline schedule.
Last week, SEC Chairman Jay Clayton underscored the regulator’s need to stay on track with the CAT rollout despite industry reservations.
“In the wake of the 2010 ‘Flash Crash,’ the SEC in 2012 adopted Rule 613 of Regulation NMS, which requires the national securities exchanges and FINRA (collectively, the SROs”) to work together to develop and submit to the SEC a plan to create, implement, and maintain a consolidated audit trail (the CAT),” Clayton says in his statement.
“Simply put, the CAT is intended to enable regulators to oversee our securities markets on a consolidated basis—and in so doing, better protect these markets and investors. The Commission approved in November 2016 a CAT NMS plan prepared by the SROs,” Clayton says. “Under the SROs’ plan, the first phase of reporting to the CAT (SRO reporting) is scheduled to start tomorrow [November 15].”
On Nov. 15, the SRO options and equity exchanges were required to begin submitting data to the central repository overseen by Thesys Technologies, which was designated in January as the CAT Plan Processor for the National Market System (NMS). A year from now, large broker-dealers must begin reporting by Nov. 15, 2018, and small broker-dealers need to be compliant by Nov. 15, 2019.
“Last night, the SROs submitted an exemptive request to the Commission that makes clear that they will not meet that deadline and certain other deadlines contemplated by the plan. The SROs’ letter requests that the Commission issue broad exemptive relief extending the initial deadline by a year and other deadlines by a year or more,” Clayton reports.
“I recognize that recently the SROs have worked together to develop an action plan for bringing the CAT on-line, albeit on a delayed basis. Further, it is clear that the SROs’ increased engagement with the SEC in recent days has been constructive,” Clayton says. “However, I am not in a position to support the issuance of the requested relief on the terms currently proposed.”
Clayton and the SEC will “continue to engage with the SROs on these issues, and I have instructed the SEC staff to make themselves available to the SROs as necessary or appropriate. I urge the SROs to continue their efforts to work cooperatively with each other and to meet their responsibilities as promptly as practicable.”
Industry lobbying group, the Securities Industry and Financial Markets Association (SIFMA) requested on Nov. 8 that the SEC impose delays upon the CAT compliance effort.
“SIFMA is requesting a delay in the CAT compliance deadline in light of our ongoing concerns with the CAT development plan, which does not adequately address SIFMA’s longstanding priorities for establishing an effective and secure CAT,” says Randy Snook, executive vice president, business policies and practices, in a letter to the SEC.
“Specific challenges with the current plan that must be addressed include a governance structure that does not give the industry a meaningful voice, a rushed implementation schedule that is simply not feasible, and proposals to eliminate duplicative regulatory reporting systems that are not sufficiently aggressive. Further, SIFMA continues to have material concerns regarding CAT data security that must be addressed before moving forward with development and data collection,” Snook says.
In the letter, Snook says that with the CAT system being “the world’s largest data repository for securities transactions,” it would be vulnerable to cyber-attacks
“Every day the system would ingest 58 billion records — orders, executions and quotes for the equities and options markets — and maintain data on over 100 million customer accounts and their unique customer information,” Snook says. “At least 3,000 individual users would have access to this information. In light of increasing cyber risk, we urge regulators to study the costs and benefits to determine if the collection, storage, and use of personally-identifiable information (PII) is necessary.”
Clayton addresses the data security issue in his statement.
“With regard to cybersecurity, I have informed the SROs that protection of the information submitted to the CAT is of paramount importance and that I am open to various paths for addressing cybersecurity matters,” Clayton says.
“Additionally, I have made it clear that the SEC will not retrieve sensitive information from the CAT unless we believe appropriate protections are in place. In this regard, Commission staff is currently conducting an evaluation of our needs for personally identifiable information (PII) in the CAT,” Clayton says. “It is important that the Commission, the SROs, and the plan processor continuously evaluate the approach to the collection, retention and protection of PII and other sensitive data, as we continue to progress in the development and operation of the CAT.”
SIFMA officials have not changed their stance since the onset of SRO reporting for the CAT repository.
“Our statement stands,” a SIFMA spokesperson says. “As noted, SIFMA continues to have material concerns regarding CAT data security that must be addressed, including the need for regulators to conduct a cost-benefit study to determine if PII collection is truly necessary for the CAT.”
A spokesperson for the CAT Operating Committee, which encompasses the Financial Industry Regulatory Authority (FINRA) and the SRO equity and options exchanges, sent the following in response to a request for comment: “The SROs are working towards implementing the CAT in as expeditious manner as possible, while ensuring sufficient time for critical dependencies, including ensuring the security of CAT data.”
Need a Reprint?