CAT: A New Timeline, But Data Protection Must Remain a Top Priority

In February 2019, the SRO Operating Committee of the Consolidated Audit Trail (CAT) announced that the Financial Industry Regulatory Authority (FINRA) will be the new Plan Processor for the CAT, and they have transitioned the CAT project’s implementation and maintenance activities to a new subsidiary, “FINRA CAT LLC.”

As a result of this transition, certain key project dates have changed. At SIFMA’s recent Operations Conference & Exhibition, the “CAT: Ready, Set, Go” panelists, including FINRA CAT’s Chief Operating Officer and the SEC’s Senior Policy Advisor on the CAT, discussed the new dates:

  • 2019
    • June 27:  CAT Registration Deadline for Industry Members
    • September 30:  Connectivity Testing Begins
    • December 16:  Equities and Options – Industry Testing Begins
  • 2020
    • April to October:  Equities – Reporting Go Live
    • May to December:  Options – Reporting Go Live
  • 2021
    • April:  Remaining Market Participants – Reporting Begins

CAT Panel at SIFMA Ops 2019: The SEC, FINRA, Goldman Sachs and Susquehanna International Group discussed how the industry is working through this complex implementation project to ensure reporting obligations will be met.

Getting the implementation of the Consolidated Audit Trail on track is a focus of the SEC and the securities industry. The SROs published the final Industry Member Technical Specifications on April 29, 2019; the final version had no material changes from previous versions.

Just as importantly, we must ensure that auditable data security protocols are in place to protect the unique customer Personally Identifiable Information (PII), which will be included in the CAT when the customer database goes live in July 2022. When fully operational, the CAT will be the world’s largest database of equity securities and listed options transactions and will also maintain data on over 100 million institutional and retail accounts. The system will allow regulators to link every order through its entire life cycle (including cancellations, modifications and executions), gathering data on investors, broker-dealers and exchanges.

In a conversation with SIFMA President and CEO, Kenneth E. Bentsen, Jr., at the SIFMA C&L Annual Seminar in March, SEC Chairman Jay Clayton said, “We are as concerned about PII as anyone. We’ll get to a responsible place on customer data” – adding that if the industry works together, he believes constructive solutions can be identified and implemented to manage customer data.

To address the data security issues, SIFMA recommends:

  • Auditable Data Security Protocols: The data security program for the CAT must reflect the industry’s latest best practices to mitigate risks and include robust and proactive procedures to provide notice, communication, and remediation;
  • Limiting CAT PII: Reconsider the scope of PII that will be collected in the CAT, balancing the regulatory need to collect PII against the security concerns of a centralized PII in a single database. Designate a single SRO to perform cross-market surveillances, which would limit the number of users with access to customer data;
  • Customer Data Encryption, Transfer, and Storage: Develop a secure mechanism for the submission and storage of data, and destruction of data where storage is no longer necessary;
  • Analytics Environment: The SROs should not be permitted to bulk extract any data from the CAT. SIFMA recommends that all surveillance and analysis on CAT data occur within a highly controlled, limited access analytics environment within the CAT.

SIFMA believes that a successfully designed, implemented and secured CAT could bring great value to regulators, increasing investor protection as well as enhancing market infrastructure and regulation.  However, it is critical to ensure that the SEC and the SROs tasked with implementing the CAT NMS Plan take the necessary steps to protect sensitive customer PII, order lifecycle data, and provide transparency and protection to those impacted in the event of a data breach.

Will your firm be ready for testing this December? To learn more about CAT reporting and what your firm needs to have in place for industry testing in December 2019, and for the reporting go-live date of April 2020, visit the CAT NMS Planning website for project updates.

Ellen Greene is a Managing Director at SIFMA;  T.R. Lazo is Managing Director & Associate General Counsel at SIFMA.

See also: