House Prepares Bill Delaying CAT amid Ongoing Difficulties

Congressman Bill Huizinga (R-MI) noted in a hearing held on November 30 by the Capital Markets, Securities, and Investment subcommittee of the House Committee on Financial Services, that holding personally identifiable information on such a database may present an opportunity for market manipulation.

“There are concerns around security of that information and the access it offers,” Huizinga said. “The CAT is a comprehensive database and the information it holds can be reversed engineered and the market can be manipulated.”

Self-regulatory organizations (SROs) such as stock exchanges were due to begin reporting to the CAT on November 15 but the system was not ready for deployment. An eleventh-hour attempt by the industry to delay the implementation was rejected the night before by the Securities and Exchange Commission (SEC), leading to an awkward situation where no party began reporting on the day.

The Committee released a draft ruling for the “American Customer and Market Protection Act” on November 21 requiring the CAT processor—Thesys Technologies and its subsidiary Thesys CAT LLC—the SEC and SROs to develop a comprehensive internal risk control mechanism. This risk control scheme must be certified by the SEC. While the CAT processor develops its risk control mechanism, the draft bill seeks to prevent Thesys from accepting personally identifying information.  

The bill will also require the SEC to conduct a cost-benefit analysis of the types of information put into the CAT, which will then be presented to Congress along with alternative data proposals.

Lawmakers and the industry have previously sought to delay the CAT owing to concerns over the security of personal information. SEC chairman Jay Clayton has refused to grant a delay, but expressed willingness to re-examine the types of data required from the CAT.

But the draft may not be what the industry wants.

“The proposed legislation will delay the CAT even more if not kill it,” said Healthy Markets Association executive officer Tyler Gellasch during the hearing. “Do we think the SEC are now data security experts? Is the SEC going to test the adequacy of the measures, and if so, how?”

The use and protection of personally identifiable information was the biggest concern of participants in the hearing, including SROs, who expressed concerns over two rounds of questioning by lawmakers. Cboe Global Markets president and chief operations officer Chris Concannon said alternatives could be explored.

“We can explore what other information we can use for the CAT and there are alternatives we can use,” he said. “We do have a pretty robust surveillance system now and we do catch manipulation already.”

Concannon floated the possibility of using a large trader identification system, similar to that used in the futures market or relying on legal entity identifiers.

Thesys, in the same hearing, noted that it is working within the requirements of the National Market System (NMS) plan that called for the creation of the CAT. Mike Beller, CEO at Thesys, said during testimony that there are specific rules and security measures built around personally identifiable information, including multi-factor authentication, encryption in transit and at rest, and separate data centers.

One of the biggest stumbling blocks for the CAT has been the selection of a chief information security officer (CISO). An alternative plan put forward by the SROs, which was subsequently rejected by the SEC’s Clayton, largely hinges on having this key hire in place, but despite progress being made, Beller said it would be some time yet before they were ready to name someone to the position.

“The CAT NMS has a lot of specifications on security and we are already developing a security and encryption plan but some of these require a chief information security officer,” Beller said. “Selection of a CISO is a collaborative effort and we just have not agreed on a candidate just yet.”

Beller added the company and the SROs have lined up over 20 candidates for the position of CISO and that they are in the process of setting up joint interviews. Both Beller and Concannon admitted it has been difficult finding applicants and attracting strong candidates to work on the CAT.

Asked by several lawmakers why the CAT is delayed, Beller said the process is inherently slow as it involves multiple parties.