In this episode of The SIFMA Podcast, SIFMA President and CEO Kenneth E. Bentsen, Jr., is joined by colleague Joe Corcoran, Managing Director and Associate General Counsel, to discuss SIFMA’s recommendations to the Securities and Exchange Commission on how to reform the Consolidated Audit Trail, or the CAT.

Transcript

Edited for clarity

Kenneth E. Bentsen Jr.: I’m Ken Bentsen, SIFMA President and CEO – welcome to our latest episode of The SIFMA Podcast.

I’m joined here today by my SIFMA colleague Joe Corcoran, managing director and associate general counsel, to talk about SIFMA’s suggestions to the Securities and Exchange Commission on how to reform the Consolidated Audit Trail, or the CAT.

Let’s jump right in. Joe, the Consolidated Audit Trail was created by the SEC in 2012 to enable regulators to track all order and trading activity throughout the U.S. markets for listed equities and options. It is run by 25 self-regulatory organizations, or SROs and it became fully operational in 2021. SIFMA has supported the goals of the CAT from the beginning, but there have been many twists and turns over the past 13 years. Can you walk us through some of those, leading to why it’s in the spotlight today?

Joe Corcoran: So, as you mentioned, one of the biggest issues that has been a concern about the CAT is its collection. Personally identifiable information or PII. The CAT collects persons, names, and addresses. And it used to collect, person Social Security numbers. The SEC, I think, recognizes concerns about privacy and data security associated with collecting Social Security numbers. So, back in 2020, the SEC issued an exemption for relief that no longer required the CAT to collect individuals’ Social Security numbers.

Anyway, another issue that we’ve been focused on for a long time with regard to the CAT is the CAT funding. SIFMA has long advocated for a fair funding model, with costs shared fairly between the self-regulatory organizations and the industry. The SEC approved a funding model for the CAT back in 2023 that we believe is not fair. That funding model is currently subject to a challenge in the 11th Circuit, and SIFMA supports that challenge. In effect, the funding model, allows the SRO essentially to put all the CAT cost on the industry.

The other issue that we’ve been focused on for many years, and it also relates to the CAT’s collection of PII, is data security. Given the sensitive nature, the data held within the CAT, SIFMA has long called upon the SEC to ensure that the data is protected to the maximum extent possible. The SEC put forward a good proposal back in August of 2020 to enhance CAT data security. Although the SEC recently withdrew that proposal, we’re going to talk about that in a little bit.

Most recently, the SROs actually proposed an amendment back in March. That would remove PII from the CAT database. The SROs amendment followed an SEC action back in February of this year in which the SEC exempted the reporting of certain PII to the CAT. The SROs in March proposed its amendment, in which they expanded the SEC action to cover all PII reported to the CAT by customers, as well as proposing that the CAT delete all PII that currently resides within it. SIFMA supports both of these actions.

Ken, so the latest on the CAT developments is, SEC Chairman Paul Atkins called for a comprehensive review of that CAT just last month. It will include an examination of the cost of the database, the reporting requirements in the scope of what is collected and stored. As you look at this review from a holistic perspective, Ken, why do you think Chair Atkins is calling for this now? And what is SIFMA’s overarching view?

Bentsen: First, I would say that Chairman Atkins ‘ announcement on this is really long overdue. The CAT has had a really tortured, development, process and SIFMA’s weighed in repeatedly, with concerns as you issue outlined over the years, since 2012, whether it’s been trying to keep, customer PII out of the CAT, protect other sensitive data that’s in the CAT, deal with issues around who has liability, once the data is collected, because our members are required to submit the data, they have no control over the data once it’s submitted. In fact, at one point, the SROs sought to put a limitation of liability. So we had all the obligation to wear a record, and we’re taking a lot of the risk and had no authority whatsoever. And then, of course, you pointed out the funding scheme, which we believe it’s been inherently flawed from the get-go.

So this is what was designed to be, a market surveillance tool, which, maybe the only positive thing that’s come out of it over the years, was the retirement of the FINRA OTC. But it still has a lot of flaws and a lot of risks to it, and so for many years we’ve been eager for the SEC to take a more aggressive oversight approach.

The other thing I’d point out is in the, in the governance structure of the CAT, because it is an NMS plan and overseen, as you mentioned 25, as we mentioned, by 25, SROs everybody’s in charge, nobody’s in charge but in particular, from the industry standpoint we have no, line of sight really into the governance to the budgeting, the cost, have been as you would expect, had lots of overruns. So, this is really incumbent upon the commission to step in and find out what’s going on here, or what are they doing? Do they need all the data that they’re collecting? Do they need all of this PII even as it’s been modified? What do they really want to accomplish with that? And what’s really the best, most fair way to fund it? So, we’re really encouraged, that Chairman Atkins, is undertaking this, and we really hope that the Commission does a very comprehensive review and then tells the marketplace what they want. What do they want from the CAT, and how do they intend to do it? How do they intend to protect the information that they collect? Do they really need all the stuff that the CAT’s been trying to get?

So maybe, Joe, you talked about the most recent SROs, proposed amendments to the case around PII, and maybe you could walk through what’s being asked about on this?

Corcoran: So the Commission actually, on the PII proposal from the SROs back in March, they just extended their time for consideration of the SROs’ proposal. The Commission is seeking further comment on the cost that the proposal would save the industry as well as the SROs.

They are also seeking comment on the ability of the Commission to do its oversight of the markets, given that the changes the SROs are proposing regarding PII within the CAT. As you mentioned, we strongly support the SROs proposal, and we’d like to see the Commission act on it, though, we really think the SEC should give direction to the industry regarding what it expects as far as CAT reforms. I note that the SEC has directed authority to make changes to NMS plans, which the CAT, as you noted, is an NMS plan. And it has used this authority in the past. Back in 2020, the SEC was frustrated with the SROs’ slow pace and standing up the CAT, and so they imposed financial penalties, essentially accountability milestones on the SROs, for the SROs to complete the CAT in a timely manner.

As you mentioned, I think those financial accountability milestones did lead to the CAT, being stood up rather rapidly, but I think it did so in a way that didn’t really focused on cost or efficiencies and so, as you mentioned, we really call on the SEC, to lead all CAT reform efforts. It is an NMS plan, but from our perspective, the SEC does have the authority to make changes to NMS plans and, from our perspective, has made a lot of the significant policy choices related to CAT, even though it theoretically is operated by the SROs.

One other thing I should note, we’ve asked the SEC to review as part of this review process that it’s conducting, to take a look at all the temporary exemptive relief it’s granted over the years and make that relief permanent. There have been aspects of the CAT, I think, for various reasons, where it’s challenging, if not impossible, for the industry to report certain information, such as the collection of verbal quote data calls, and verbal transactions on floors, and so that has been exempted. But, we really call on the SEC to take a look at all the exempt of relief with a view towards making it permanent

Bentsen: Yeah. Just a couple of things on that. I think in the proposed amendments, one of the key things is where the SEC previously gave an exemption of not having to submit PII, the proposed amendments would ban the submission of PII. That’s a really good start. The other thing is that it would have the SROs destroy everything they’ve already collected. And that’s also important. But these questions that are being asked are important as well.

The second thing on your point that the SEC does have authority to amend in NMS plans on its own, we should remember, the SROs did not come up with this idea on their own. The CAT was a creation by by the SEC. They did it through the NMS plan. So what type of changes might be made, depending again, on what the SEC thinks they want to do with the CAT? What other changes might they make that could add more efficiency, reduce costs, and protect investors?

Corcoran: The CAT, essentially, since it was stood up, requires the SROs to produce the regulatory data for the SEC review on a T+5 basis. SEC, through the CAT NMS plan, has imposed certain processing deadlines on the SROs to get the data right ready on it in-term basis prior to that T+5 deadline. We think that the SEC could relax some of those in-term processing deadlines, and the CAT would still serve its regulatory purpose. And by doing that, we think the CAT would actually save a lot of cost.

Also note that the CAT, tech specs, or technical specifications, that’s the information that the broker-dealers are required to report to CAT are exceedingly complicated and hundreds, if not thousands pages long. We believe that the tech specs can be scaled back, in a way that maintains the utility of the audit trail, but also reduces the cost of our members reporting certain information to the CAT.

One of the other areas that we’ve identified for reform is data security and privacy in the CAT, which you’ve talked about many, many times over the years, noting that the CAT needs to be held to the highest data security standards, as I mentioned. The SEC recently withdrew a proposal from 2020, which would have significantly enhanced the data security of the CAT. What are our concerns or our members’ concerns regarding the data held within CAT, and what do you think about the SEC’s recent withdrawal of its data security proposal?

Bentsen: By some estimates, the CAT may well be the largest, one of the largest databases in the world. And so it’s an environment rich target for bad actors and hackers and the like, and as we mentioned, while it’s run by FINRA CAT, an affiliate of FINRA, the regulator, it’s overseen by 25 SROs, including all of the equity exchanges. And, by one estimate, 4000 employees across all of those roles have access to CAT data. So by its very nature, there’s a lot of risk around that.

The 2020 proposal we thought was actually quite good, and it limited who could have access to the data. One exchange could have access to another exchange’s data that was held tightly within FINRA CAT. It wasn’t a fail-safe, but it was better than where we are. And well, we might have been disappointed that it was withdrawn, I think that’s in some ways understandable, because that rule proposal languished for so many years and the SEC is trying to figure out what it wants to do with CAT. That rule proposal should have been adopted in our view many years ago, and it’s unfortunate the Commission did not do it. All the more reason for, again, for doing the holistic review and thinking about, what should be reported, what is absolutely necessary to be reported, who should have access to that data, and so, this should be a key component of the SEC’s holistic review and and then future plans for the CAT, not only what are they going to collect, but how are they going to protect that data that they do collect? So we’ll be watching that very closely.

Corcoran: So, one of the other items that we have discussed, as I mentioned, for many years, is CAT funding. As I noted, the funding model that was approved by the SEC back in 2023 essentially allows the SROs to shift up pretty much all CAT costs onto the industry. We have called for the SEC to take on the funding obligation for the CAT, it really is a regulatory system that’s used by the Commission, for the Commission to do its or fulfill its regulatory mission. Ken, what are your thoughts about CAT funding and SEC taking over the funding obligation?

Bentsen: Our thinking on this has really evolved over time with our members after we battled over the constant funding scheme proposals, from the SROs that we found just to be patently unfair. And, obviously, the most recent iteration approved by the SEC is subject to litigation, so we’ll have to see what the outcome of that litigation is. But, I should add, as I mentioned before as well, the fact that the industry which has been basically stuck with the bill, has no oversight or authority with respect to annual budgets, the cost, the amount of costs that were put in in the first place when they went to one vendor, then another vendor and so our members have come to the conclusion that this would really be better funded through the normal SEC budget, through its section 31 fees that would put it under, SEC direct oversight as well as Congress, direct oversight and bring more accountability. It would then pass through a section 31 fees do through the industry, but it would be a more prudent approach to funding, in the way that the SEC’s other functions are funded.

So I think we made clear that CAT’s costs should be reduced, or there should be better oversight, there should be more robust protection of the data collected. There really needs to be an analysis of what really needs to be collected. But maybe, Joe, you can walk through how some of the thoughts about what can be done to help?

Corcoran: So one of the ideas that we’ve actually suggested to the SEC, is that the CAT hire an external, technology, consulting firm to conduct a holistic review of the CAT, its operations, its spending with a view towards figuring out ways the CAT can become more efficient, and reduce its cost. This is a common practice within the technology industry; we understand that hiring outside consultants to look at large systems and figure out ways to make them more efficient.

One of the things that I should note is that the majority of the cost incurred by the CAT is through its use of the cloud. And, cloud processing, I think is still somewhat new and I think there’s ways, for a consultant to figure out how to make, potentially make, the CAT more efficient in that regard and so we think that, the SROs should pay for this but we do think that there would be tremendous benefit, to having the SROs hire such a vendor.

Bentsen: Well, with that, Joe, I want to thank you and our listeners for being with us today. And we hope that our listeners found these conversations to be as valuable as we did. Comments and questions are always welcome. Listeners can reach us via email at [email protected]. And for more information on our views with respect to the CAT, please go to our website at sigma.org

—

You can listen to this conversation by following “The SIFMA Podcast” on Apple, Spotify, YouTube, or wherever you get your podcasts. Sign up to receive new episodes, delivered right to your inbox.

Related Resources

• Blog

  The CAT’s Out of Sync: Why the Audit Trail Needs a Tune-Up