Consolidated Audit Trail: The CAT’s Out of the Bag

The SEC recently released a plan to establish a Consolidated Audit Trail (CAT), one of the world’s largest data repositories that will contain a complete record of all equities and options traded in the US. [1] The plan will require national securities exchanges and FINRA (SROs), alternative trading systems (ATSs), and broker-dealers (collectively, CAT Reporters) to submit information on trade events, [2] including customers and prices, to the CAT on a daily basis. It is estimated that the CAT will aggregate between 30 billion and 120 billion trade events per day from over 2,000 sources.

The SEC first proposed the CAT after the May 2010 “flash crash” when it became clear that the data available to the SEC is fragmented with no single source that covers all SEC regulated markets. [3] As a result, the SEC mandated the SROs to develop a plan to create the CAT, which will enable the SEC to conduct cross-market surveillance and reconstruct market events more efficiently. The plan is currently in the midst of a 60-day comment period, [4] after which the SEC will have 120 days to approve it. Once approved, SROs will have two months to select a vendor who will build and maintain the CAT (Plan Processor). [5]

The release of the plan is an important milestone, but it has resulted in several pressing questions about CAT policies, operations, and technology. For example, one of the expected benefits of the CAT is the elimination of various existing reporting systems; however, the plan gives no indication of how and when existing systems will be decommissioned. Dual reporting will result in duplicative costs for CAT Reporters who also bear the cost of building and running the central CAT repository. Additionally, the CAT has been proposed as a market surveillance tool for the SEC and SROs without access for broker-dealers, but some have suggested that it could expedite regulatory inquiries if the broker-dealers had the same view of their data as their regulators.

On the technology side, aggregating the large volume of CAT data will be challenging because the data must reflect point-in-time market pricing of the security being traded and be linked to each specific trade event. Another open question is how regulators will actually use the vast amount of data that will be collected. The plan currently allows for SROs and the SEC to have the ability to search for particular types of data, and then extract it to their own systems for analysis, but this extraction has raised data security concerns given the great amount of customer information that will be reported to the CAT.

This post analyzes the most significant outstanding issues for the CAT in the areas of operations and data technology, and offers our view on what’s next.

Operational questions

The CAT will present a massive effort for CAT Reporters, and has raised a number of issues about operations and feasibility. The following topics represent the central questions we expect to be addressed in the next several months.

When will existing reporting systems be decommissioned?

The plan does not currently include a timetable for the elimination of existing regulatory reporting requirements and the decommissioning of existing systems. As a result, CAT Reporters will be burdened for at least two-and-a-half years with both their existing $1.6 billion annual reporting costs and the $1.7 billion annual costs of reporting to the CAT, according to initial estimates by the SEC. The CAT will also carry a one-time implementation cost estimated at $2.4 billion, and the industry will eventually face a one-time $2.6 billion cost of retiring existing reporting systems. When considered altogether, industry will spend more than $13 billion over the next three years to support regulatory reporting.

In order to reduce these expenditures, we expect the industry to request that the CAT plan include the necessary steps and timetable for decommissioning existing regulatory reporting systems. The elimination of existing reporting requirements will be easier if the CAT incorporates all of the data elements which are currently submitted to the existing systems. Once the Plan Processor is chosen, they will release data element specifications based on guidance from the SROs and stated objectives from the SEC. As such, the SROs should consider an analysis of the overlaps between data which is currently reported and to recommend an exhaustive set of data elements to the Plan Processor.

Who will pay for it?

The proposed funding model consists of two separate fee structures applicable to the two main types of CAT Reporters. For broker-dealers, there will be a tiered model of fixed fees based on the volume of the trade events that they would report to the CAT. This model is based on the expectation that the primary cost of maintaining the CAT will be based on processing and storing trade events. However, for SROs and ATSs, there will be a tiered model of fixed fees based on their market share volume or their contract volume for listed options. ATSs which are part of a broker-dealer will initially end up paying under both models. The SEC noted that this results in a competitive advantage to SROs over these types of ATSs since the ATSs would pay more for the same level of activity. While ATSs could reduce their payment burden by registering as exchanges, registration would come with its own costs and participation fees.

As it currently stands, the funding model would result in 85% of the estimated build cost and over 75% of the annual running costs of the CAT to be funded by the broker-dealers. In particular, broker-dealers that are Option Market Makers expect to be disproportionally affected by the message volume-based fixed fees because they typically generate 10-20 billion untradeable quote messages per day. We expect both ATSs and broker-dealers to provide substantial comments on this funding model.

Who will have access to the data?

Currently only the SROs and the SEC will be able to view and analyze consolidated data stored in the CAT. The proposed plan does not currently grant broker-dealers with access to CAT data, so they may decide to create their own version of the CAT that allows them to visualize all their trade events and point-in-time market data in the same way as the SEC and SROs. As a result, we expect broker-dealers to make the case that the CAT should be an industry utility and that they should have access to the data that they report, particularly as they will bear 75% of the operating cost.

Who will operate the CAT?

The main CAT governing body is owned by the SROs and will be managed by an Operating Committee made up of representatives from the SROs. This structure was proposed by the SEC because the SROs have existing responsibilities to oversee the securities markets.

Broker-dealers will make up an Advisory Committee to advise the Operating Committee on the implementation and operation of the CAT, but there is no obligation for the Operating Committee to follow their recommendations. Therefore, we expect broker-dealers to make the case that they should have a more direct involvement in decision making.

Data technology questions

The CAT, and specifically the Plan Processor, will need to overcome several technological hurdles in order to enable the SROs and SEC to use the data that is collected. The following questions have been discussed at length in discussions on the plan so far, and we expect them to be recurring themes in industry conversations.

How will the CAT data be used?

One of the most pressing questions regarding the CAT is how regulators and SROs will be able to use the vast amount of data that will be collected. The plan currently includes provisions to allow the SROs and SEC to search [6] and extract CAT data for analysis, but does not provide for data analytic tools or standardized reports to be sent on a recurring basis. The inclusion of recurring standardized reports was dismissed at this stage, but in order to ensure that the CAT data meets one of its primary goals (i.e., supporting the SEC and SRO’s market surveillance requirements), the plan would benefit from defining more advanced analytical capabilities and standardized reports before it is put into motion. In particular, if the standardized reports included reproductions of current regulatory reports, it would ease the process of decommissioning existing systems and could reduce the period of duplicative reporting.

How will customer information be reported?

One of the types of data to be reported to the CAT is information on broker-dealers’ customers—i.e., Personally Identifiable Information (PII)—so the SEC can determine the identity of customers originating orders across the market. However, properly matching customers throughout the market will be difficult because different broker-dealers may identify the same customer using different names, or different customers may have the same name. In order to address this issue, the proposed plan requires each broker-dealer to submit an initial set of customer information including Individual Taxpayer Identification Numbers (ITIN) or Social Security Numbers (SSN) in addition to assigning each customer a unique identifier (which would still differ between firms).

Although this type of PII would allow consistent matching of customers, there is considerable complexity in validating ITINs with the IRS and SSNs with the Social Security Administration, and we do not expect that the CAT will independently verify that the customer identifiers are correct. Instead, we expect that the SEC will rely on broker-dealers to validate PII as part of their client onboarding (KYC) procedures, and certify that the data they submit to the CAT is correct. Additionally, the Plan Processor will also be required to define and implement a format validation process for the PII data.

How will the data be secured?

Considering the sensitive nature of the data to be submitted to the CAT, the CAT Plan Processor will be required to establish a comprehensive security plan. The CAT plan specifies minimum security and encryption requirements including encryption of CAT data both when it is reported and once it is in the repository. The CAT is also expected to be subject to Regulation SCI, which requires designated SCI Entities to have reasonably designed policies and procedures to support operational stability and cybersecurity and to immediately report cyber incidents to the SEC. [7]

However, the CAT plan does not currently outline how the CAT data and PII will continue to be secure once it has been extracted from the CAT for analysis by the SEC or SROs. It also does not outline any cybersecurity requirements for the systems used to store and analyze the extracted data. One approach to heightening the security of the data would be to reduce or eliminate the need to extract data from the CAT. This would require the Plan Processor to provide both regulators and SROs with custom data analytics tools that would allow analysis directly within the repository.

How will data be synchronized?

Much of the CAT’s value for market surveillance relies on its ability to accurately sequence events that may have occurred within milliseconds of each other over the US securities market. However, event sequencing is difficult if market venues are not synchronized to a common clock source or if CAT Reporters are not recording data at millisecond-level precision. [8] In order to address this issue, the CAT plan requires CAT Reporters to synchronize their clocks to within 50 milliseconds of an industry standard clock (i.e., NIST) and to implement millisecond precision timestamping within four months of the plan’s approval. [9]

The SEC recognizes that even after synchronizing clocks to within 50 milliseconds of an industry standard clock, two venues could be potentially up to 100 milliseconds apart and give the false impression that orders on one venue were executed before the orders on another venue. This could give rise to false alerts of market manipulation which will require time consuming analysis to investigate. However, instead of shortening the clock synchronization standard, which would significantly increase CAT implementation costs, the SROs will revisit the clock synchronization standard on an annual basis.

What’s next for the CAT?

The CAT plan currently outlines a three year timeline with eight key milestones. The first major milestone is the SEC’s approval or rejection of the plan by November 13, 2016. Once the plan is approved, SROs have two months to select one of the remaining Plan Processor bidders to build the central CAT repository. It will then be a quick 10 months for the CAT to be built and for SROs to begin reporting their data to the CAT by November 2017. Large broker-dealers will have two years from the plan’s approval to begin reporting data (latest November 2018) and small broker-dealers will have three years (latest November 2019).

The first deadline that requires immediate action by the industry will be in March 2017 when SROs and broker- dealers will have to certify that the required business clock synchronization and timestamping has been implemented. Clock synchronization will not be easy, as demonstrated by issues that banks have had with a similar requirement for MiFID II in Europe. [10] While other technical specifications for data submission have not yet been published, CAT Reporters should start looking at their regulatory reporting architecture and identifying opportunities for consolidation and simplification.

Additionally, some organizations have already identified the need to purchase new infrastructure and make changes to front and middle office and client onboarding systems and processes. Since the CAT may be extended to include other products (e.g., futures) over time, broker-dealers should ensure that their new infrastructure and CAT reporting solutions are sufficiently flexible to minimize additional future effort and cost.