Beware of CAT

When the consolidated audit trail (CAT) is fully operational, it will be the world’s largest database of equity securities and listed options transactions. As currently designed, the CAT will take in 58 billion records of securities orders every day, and it will maintain data on over 100 million institutional and retail accounts and their unique customer identifying information, including social security numbers, addresses, and dates of birth.

SIFMA believes that a workable, secure CAT could bring great value to regulators, benefitting the industry and increasing investor protection. The unfortunate reality is that important implementation issues remain largely unaddressed or incomplete. As noted in SIFMA’s recent testimony to Congress, there is still time to get it right.

Consolidated Audit Trail (CAT)

Beware of CAT

Perhaps most importantly, the current CAT development plan raises serious concerns around data protection and the ability to confidently secure the critical investor information it will contain.  It’s important to consider – can the Securities and Exchange Commission (SEC) and the self-regulatory organizations (SROs) demonstrate that the benefits of using investors’ personally identifiable information (PII) and identifiable proprietary trading information outweigh the risks and potential costs of a breach? Is the use of this level of data truly necessary? Storing this information in the CAT creates tremendous risk in the event of a breach, and the information on CAT security protocols is incomplete and insufficient.

Further, the CAT plan should be amended to prohibit the SEC and the SROs from downloading CAT into their own systems. Under the current plan, up to 3,000 individual users from the SROs and SEC will have downloadable access to all CAT data. That’s a lot of access to control. Instead, SIFMA suggests a sandbox approach – under which the SEC and the SROs access data from within the CAT data security perimeter.

SIFMA is also concerned that the current implementation timeline does not allow for sufficient systems development and testing to effectively implement the CAT. It is simply not feasible to set implementation deadlines before the technical specifications are even completed, which is where broker-dealers find themselves today with a deadline of November 15, 2018.

Instead of rushing forward with arbitrary deadlines, regulators should issue proposed technical specifications and seek comments. Then, once these specs are finalized, broker-dealers should be given a minimum of 12 months to complete the requirements, to allow for a phased-in approach and any error corrections. There also needs to be a more explicit and timely process for the elimination of older systems that become redundant by the CAT. A rushed CAT and wasted industry resources will not benefit investors.

Finally, I’d be remiss if I didn’t mention the CAT funding issues.  The CAT plan was developed by the SROs and includes a funding model that imposes a vast majority of the building and operational costs on broker-dealers without any substantive justification. This approach is particularly troublesome, as it benefits the SROs’ own commercial interests at the expense of the broker-dealers they regulate and with which they compete.

The SEC shared SIFMA’s concerns and suspended the fees while considering whether to approve or disapprove the proposals.  In the meantime, the SROs have responded to some of the industry’s concerns about the applicability of the fees and amended the proposals.  However, the SROs’ funding model for CAT continues to be based on imposing 75% of the total costs to broker-dealers. This requires further review.

Moving forward, a true collaboration between industry participants and the SROs will provide the opportunity for the CAT to be informed by the insights and interests of all the affected market participants, ultimately leading to a more effective and efficient outcome.  With so many investors impacted, we are committed to getting this right.

Randy Snook is executive vice president, business policies & practices for SIFMA.