CAT Got Your Tongue?: An Inside Look at the Consolidated Audit Trail's Sluggish Rollout

If a market-structure project fails to start, but nobody notices, did it really fail in the first place? That’s the question facing the Consolidated Audit Trail (CAT) at the moment. Based on the CAT NMS (national market system) plan, self-regulating organizations (SROs) such as securities exchanges were meant to start reporting information on trades to the CAT processor by November 15. That day came and went, yet no SRO filed a single report. An air of mystery surrounds that day, given that no one would say at the time why the CAT simply did not meet its deadline, while the Securities and Exchange Commission (SEC), the regulator responsible for overseeing it, is refusing to divulge any information on what action, if any, it will take.

In the aftermath of that failed deadline, several key questions remain unanswered. Where does it leave the CAT now, and will it move forward? But most importantly, why was it that the CAT simply didn’t hit its targets in the first place?

One perspective comes from a person familiar with the discussions at the CAT NMS Plan, the body of SROs and others charged with implementing the project. Like many others contacted for this piece, the source requested anonymity. “After a half-dozen years of this process moving at a glacial pace, there just doesn’t seem to be any psychological pressure on the SROs to make decisions,” the source explains. 

 CAT Queried

The CAT was first discussed in the aftermath of the Flash Crash in May 2010, when the Dow Jones Industrial Average lost around 1,000 points in under an hour, before recovering most of its value later in the day. That event triggered lengthy investigations and exposed weaknesses in market oversight, where regulators were effectively unaware of what was happening in the markets they were charged with overseeing. The solution was the CAT, a database envisioned to contain information on every order, cancellation and trade execution for exchange-traded assets in the US. The idea was to provide market surveillance, and to not only allow watchdogs to piece together what happened in the wake of severe market shocks, but perhaps provide an early warning system that such events may be imminent.

After a competitive bidding process that saw Thesys Technologies beat the likes of FIS and the Financial Industry Regulatory Authority (Finra), the contract was awarded to Thesys CAT to build the processor in May 2017. 

But in the run-up to the first day of reporting, the CAT was already facing problems. In the aftermath of a series of cyber incidents that saw not only Equifax, one of the nation’s largest credit agencies disclose that millions of Americans may have had their personal information accessed by hackers, the SEC also disclosed that its company filing system, Edgar, had been compromised in 2016. The agency later disclosed that at least two individuals had personally identifiable information (PII) exposed, and that although it hadn’t seen any evidence of this, the information accessed could have been used to manipulate the market.

The CAT was subsequently plagued with questions around the security of the data reported to it. Trade reports collected by the CAT may contain a range of extremely sensitive information, such as dates of birth, social security numbers, addresses and other data. In a string of hearings conducted by the House of Representatives and the US Senate, lawmakers proceeded to grill SEC chairman Jay Clayton on the security of the CAT, the ability of the SEC to protect the information it accessed, and crucially, raised questions over whether the CAT should be delayed.

“With the CAT serving as a central repository for order and trading activity data, I urge the SEC again to delay its implementation date until the Commission can ensure that the appropriate safeguards and internal controls are in place to protect this data,” said Republican congressman Jeb Hensarling, chairman of the House Financial Services Committee, during an October 4 hearing.

The SEC’s Clayton stood firm in his approach on all these occasions—while he said he would review what information needed to be collected by the CAT, he would not countenance a delay to the project.

By this point, it was becoming clear that nobody was ready for November 15. Two days before the expected go-live date, members of the CAT NMS plan committee—the 11 exchanges and Finra—urged the SEC to delay the implementation and push back all other reporting deadlines. In a letter dated November 13, 2017, participants asked for SRO reporting to begin on November 15, 2018, allowing sufficient time for testing of the CAT and to ensure its security. “The SROs believe that the proposed approach meets the Commission’s goal of ensuring that each quote and its related reportable events are reported to the central repository, while minimizing the burden on market participants,” the CAT NMS Plan committee said in its letter to the SEC. 

Along with the extension for exchanges, SROs also requested the SEC to push back implementation dates for large broker-dealers and the rest of the market, until at least April 2020 for large broker-dealers and April 2021 for small broker-dealers. Originally, large broker-dealers were meant to report to the CAT beginning November 2018, with smaller firms following a year later. 

The regulator denied this appeal. In a statement issued late on November 14, Clayton said that while discussions with SROs have been constructive, he was “not in a position to support the issuance of the requested relief on the terms currently proposed.” The regulator, however, instructed its staff to continue working with the SROs and the CAT processor. 

November 15 then came and passed without any reports being made to the CAT, or any action taken by the SEC. The SEC declined to answer detailed questions from Waters on this delay and what has happened subsequently, instead providing a copy of Clayton’s statement. It has also declined to provide comment beyond Clayton’s remarks regarding the condition of the CAT on numerous other occasions that it has been contacted by Waters reporters. Other SROs, including the New York Stock Exchange, ISE Gemini and MIAX Options Exchange declined to comment or referred Waters to the CAT NMS Plan, while Nasdaq did not respond to requests for comment in time for publication.

Herding CATs

Indeed, trying to find out exactly what happened—and if it was even possible to report to the CAT that day—is a difficult task at best. Waters sent a series of detailed questions to the CAT NMS Plan, which responded with a single statement. In that statement, it said that participants “are working toward implementing the CAT in as expeditious manner as possible, while ensuring sufficient time for critical dependencies, including ensuring the security of CAT data.” 

As far as it is possible to determine, the picture behind the scenes appears to be one where there was simply not enough time to put the CAT together to the standard envisaged. Thesys CAT’s chief compliance officer, Shane Swanson, says the CAT faced a “confluence of different events” that necessitated a delay. “There was a flurry of work to do as we continue to work on participants’ technical specifications in unison also working on the industry member specifications and the timelines were very compressed,” Swanson says. “The timeframes have always been very tight, but that doesn’t mean things are not achievable. It does mean that the whole process, especially with the reconsiderations around security, was an opportunity to reexamine what made the most sense going forward.”

Swanson says that dealing with continually developing technical specifications, as well as ensuring the system is extendable and can be enhanced, also factored into the decision of SROs to seek an extension. In addition, one of the requirements for the CAT is the hiring of a chief information security officer (CISO), who Swanson says is responsible for validating and authorizing security in the system—but that person was not in place on November 15. Indeed, the hiring process is under way. “As the November 15 deadline approached, we were still in the process of identifying and bringing on board a CISO, which is a vital role to fill for the CAT, and had been working collaboratively with the SROs in that process,” Swanson says. “A confluence of events decided that the most appropriate course of action was for the SROs to seek an extension.”

Thesys insists that the system it developed is secure and uses National Institute of Standards and Technology cybersecurity standards. Swanson notes that all parties involved felt that a CISO had to be in place and be given enough time to independently review all security measures.

But what could have hampered the CAT is the process by which decisions are made. It is the CAT NMS Plan committee that makes many of the resolutions around the CAT, and then reaches out to the SEC for approval, according to a source close to the process. “There needs to be an adult in the room and it should be the SEC,” the source says. “It might be time to shift this from a democracy to a dictatorship.”

The source adds that deciding how to use the data gathered through the CAT could potentially delay the project even further, particularly as the volume of information will grow once the industry begins to report to the system. 

New Schedule

Despite the missed deadlines, participants in the CAT NMS and Thesys are still actively working on the CAT, albeit following a different schedule than the one mandated by the SEC. Officially, the CAT has not been delayed even though no reporting other than test runs have occurred. 

The entire project now seems to be stuck in a gray area, where the SEC has refused to endorse the revised schedule put forward by the CAT NMS Plan on November 13—yet the SROs and others are following it anyway. The SEC, meanwhile, remains tight-lipped on the matter.

The problems, it seems, don’t stop there. During a public update on the plan, held via web conference on December 19, CAT NMS Plan chairman, Michael Simon, said that it is likely more deadlines could be missed. “It is unrealistic that dates will hold for late 2018 for broker-dealers,” Simon admitted. “The SEC has not acted upon the relief request and the SROs do not expect significant movement from the SEC at this time.” 

Swanson confirmed that Thesys is working toward the proposed deadlines and is collaborating with SROs and the SEC to improve and shorten the timeline.

Cboe Global Markets president and COO Chris Concannon said during a press event in January that the entire process is open to the SEC and the group is working closely with both the regulator and the plan processor to achieve milestones in the CAT project. 

Concannon says discussions around PII and the gathering of other sensitive information are ongoing. SEC chairman Clayton previously told lawmakers in a House Committee on Financial Services hearing that the regulator is open to considering using other types of information so that PII can be protected. “From the time I got to the Commission and got briefed on the CAT, the questions I’ve been asking are what information are we taking in? Is it sensitive? Do we need it to fulfill our mission? Can we protect it? I’ve made it clear that I don’t want information unless we need it for our mission,” Clayton said during the October 4 hearing in the House.

The Capital Markets, Securities, and Investment subcommittee of the House committee has since drafted its own bill to modify the CAT’s specifications, 15 days after SROs failed to begin reporting. The bill, known as the American Customer Information Act, was advanced by the House Financial Services Committee on January 18, but now only focuses on prohibiting the collection of certain PII.

Ongoing Work

Despite the missed November 15 deadline, it appears as though the CAT is moving forward—albeit tentatively—with Thesys CAT and the SROs determined to start using the system. In the meantime, the latest version of the technical specifications for SROs was released on January 18. The spec covers the data formats to be used during reporting, which will be JSON and CSV; reportable events; and requirements for clock synchronization. 

Thesys’ Swanson says further technical specifications for broker-dealers will be released in a two-month period beginning February 15. After the first document is released, the industry will have a few months to comment on it before another version, incorporating industry remarks, is released on April 15. 

The final version is expected to come out in late October this year. Specifications for both large and small broker-dealers will be the same, says Swanson, and firms have the opportunity to appeal to the regulators about the final specifications. 

As work progresses, both Thesys and participants are confident that the CAT will still change the market. “The CAT is alive and well. The purpose of having the CAT is as important today as it was when it was first thought of seven or eight or nine years ago,” Swanson says. “There is a strong desire for this in the industry as well as on the regulatory side, a recognition that it is in no way a small feat to accomplish, but when we deliver on the system that is easier to report and is useful for regulators and more importantly secure for others, it will be a strong move forward for the industry in terms of regulation.”

But in terms of concrete details, the CAT is behaving much like its namesake—aloof, distant, and difficult to pin down when it doesn’t want to be caught.