Industry Fears Neutered CAT in 2018

The SEC’s Consolidated Audit Trail (CAT) of US equities trade data hit a fresh snag in late 2017, missing a major deadline for reporting, blaming insufficient cyber defenses. As it marches into another crucial year, Tim Bourgaize Murray reports on the project’s latest rumblings, finding that while cyber remains a legitimate concern, it may disguise greater data puzzles.

The US Securities and Exchange Commission (SEC)-mandated Consolidated Audit Trail (CAT) project has come to share many of those traits: it has attracted a level of interest and diversity of participants that few collective FinTech undertakings ever have, and has already seen unexpected and even dramatic twists and turns. To some, it still has a kind of radical appeal and a sweeping ambition—a rare opening to reshape US equities trade surveillance, regulatory relationships, and data availability all at once. Most of all, it is called a “CAT Plan,” yet often seems anything but planned, with the work involved seeming almost as fragmented as the equities market itself. Like Le Chat, it is a beautiful mess. But can it sustain that way?

SEC Rule 613, the original CAT mandate, will be six years old this July. The concept is older still, first proposed to then-SEC chairman Mary Schapiro in 2009. Yet as the project enters 2018—another critical year of milestones—questions about whether the CAT can be achieved have given way to what it will look like when it is done, and whether it will be worth the billions spent to build and operate it.

Cyber Subterfuge

Drafts, consultations and delays are pro forma when it comes to large-scale regulatory change—nowhere more than the CAT, with its sprawling mix of a “plan processor” operated by Thesys; “participants” that are self-regulatory organizations (SROs), including national securities exchange operators and Finra; “members” who are broker-dealers; various industry bodies; and the SEC. That made last November’s exemptive relief request for a year-long reporting delay—presented just a day before the November 15 start date for SRO reporting—somewhat unusual. Such requests are typically telegraphed well in advance, with the regulator’s decision fairly predictable, too. The SEC’s swift rejection “never happens,” as one participant put it behind closed doors at an industry meeting this winter. “This is now a bit of a mess,” said another. A third grumbled to a colleague that it could lead to lawsuits in 2018.

Equally interesting was the letter’s stated reasoning for relief: cybersecurity. As IDM’s sibling magazine Waters has reported over several years, protecting the trade information reported into the CAT has gradually risen over time to a topline priority. For firms, it sits equal to the problems posed by the expanded universe of trading activities—including equity options—to be captured, and worries over the potential cost of reporting to “double” systems before they are ultimately replaced and retired. With Edgar and Equifax breaches still fresh in the public mind, cyber concerns weren’t coming out of nowhere.

But to read between the lines, sources say, the trouble isn’t strictly data security. “We surmise that security and chief information security officer (CISO) concerns drove the exemptive relief request, but progress on the CAT system to support the Participant interface as well as exchange efforts on implementing the Participant interface may have also contributed,” says Bill Hebert, managing director at the Financial Information Forum, a data industry group that has represented broker-dealers in the process. And while highlighting cyber so dramatically—and publicly, including it in Congressional committee testimony—could spotlight the SEC into a broader role for the project that it has thus far avoided, for now the letter has put the CAT show on bizarre hiatus. Two months after the November 15 deadline and rejected relief request, no SROs are reporting to the processor and all remain “in different states of readiness with regard to file formats and testing,” Hebert says. That, too, would seem to signal larger questions.

“There has been no official movement since November,” says Joshua Beaton, executive director and CAT Program manager at Morgan Stanley. “The ball is currently in the court of the SEC and SROs to propose a new plan for the industry. Within that plan they will likely focus upon first, handling of Personally Identifiable Information (PII), and second, new timelines. Once established, it will then fall to Thesys CAT to implement those plans. Implementation will surely include revisions to the draft specification for industry members which was published last September and to which many industry groups provided feedback in the third and fourth quarters. Also among the feedback was the discussion of messaging formats and data transmission requirements.”

‘Crazy Aunts and Uncles’

Indeed, improved specifications might be the real key to steering the project back on schedule. And in two critical spots—the SROs’ data usage, and the broker-dealers’ trade filing—better specs are as much a sociological issue as a technical one.

First, take PII. This data will, indeed, describe broker relationships, client account numbers, and even social security numbers at the individual investor level. That information is valuable in its own right—even more so once you align it with trade execution activity. Therefore, robust protections built into the custody and deployment of that information are of increasing concern in an age of sophisticated cyber-crime. But according to Tom Sporkin, a partner at Buckley Sandler in Washington, DC, and former enforcement officer at the SEC, who also participated in the original CAT rulemaking, solving this problem in the context of the CAT is a little more nuanced.

“The industry-participant technical specification obliges each SRO, within a year of reporting, to provide a plan detailing how they will use that data to enhance their trade surveillance. If you are a surveillance team at one of the SROs, you’re less nervous about the collection of that data into Thesys, which is relatively easy and safe, than you are about how that much richer dataset gets used when it is pushed back out to all SRO group members,” he says. “Right now they haven’t agreed on a standardized set of best practices for the provision of that data: Does it go to a key man? Should it be placed in a SCIF, or be more freely available? Should access to certain PII elements be governed with enhanced permissioning? At least one exchange asked early on if that data can go in their sandbox. Those are questions they have to decide before moving forward.”

This calculus involves a balance of unpalatable outcomes, and as one source put it, sorting out the situation in the SRO consortium is akin to “having 11 crazy aunts and uncles at a family reunion.” On one hand, the security risk (and cost) goes up as more and more of that transaction data is allowed to circulate, and each SRO has its own sense of the level of responsibility they want to assume by possessing it and letting it roam. Many within the group—especially among the smaller exchange operators—don’t see it as a “more data is better” scenario. They only see the downside.

On the other hand, Sporkin notes that compliance officers are being squeezed from the opposite end, as well. “They see this as opening up a new possibility of being second-guessed by regulators,” he says. “When the SEC finds, after the fact, that some malicious trading entity was messing with one venue from another, and this rich dataset was out there and if used proficiently could have detected it, they stress over being found indirectly responsible, being told ‘you let this happen.’”

There are always technical issues that arise in a project of this size and scope, according to Morgan Stanley’s Beaton. “The current challenge is around specifications, not specific technical issues,” he says. “One of the largest uncertainties currently is SIFMA’s alternate PII proposal. In addition, major technical issues are actively being discussed in industry forums—an end-of-day cutoff, sequence numbers, and complex orders, among others—and it remains to be seen how they will be resolved.”

File Under…

The second piece of data intrigue—the file format for trade data submission—is also subtle, and perhaps more curious. Quietly detailed in the latest industry-member draft spec is an instruction that only the JavaScript Object Notation (JSON) messaging format—along with comma-separated value (CSV) files—can be consumed by the Thesys platform. While it is a clearer outcome than the SROs’ jumbled dynamic, it also raised eyebrows for a number of reasons.

For one, a project that has already suffered from seemingly interminable timelines can use all the flexibility it can get. Constraining participants to just one message format isn’t flexible, sources say, and does not take advantage of the significant energy put into the FIX Protocol—an existing messaging format that is already widely used by banks’ front offices. 

“Firms in the equities space have made significant investments into a FIX infrastructure over the past decades and will want to re-use what they have as much as possible,” says Hanno Klein, senior vice president of IT at Deutsche Börse and global technical committee co-chair at FIX Trading Community, the body that oversees the standard. “In the context of over-the-counter (OTC) derivatives regulatory reporting, for instance, the Commodity Futures Trading Commission (CFTC) addressed the issue by permitting both FIXML and FpML (Financial products Markup Language, another industry-developed standard for derivatives) as valid message formats. By contrast, choosing a largely proprietary format and data transmission requires additional implementation work to map formats back and forth to FIX.”

The challenge is not so much a technical one as a question of “semantic differences” between a standard such as FIX and a proprietary approach such as JSON, Klein says. But where it becomes a bigger issue is for newly-covered smaller brokers, who now find themselves reporting to the CAT.

“Misunderstandings in terms of the nature of the required data elements are very likely to occur. Apart from the additional cost, it is an issue of additional time needed for implementation and business-level testing before being able to go live,” Klein continues. “Smaller firms have fewer resources and need the ability to use standards such as FIX even more to meet implementation deadlines set by a regulator. Plain vanilla FIX engines are a commodity and available as open-source software. There is also a fairly large number of FIX service providers that can help large and small firms to speed up the process.”

Agreeing, Morgan Stanley’s Beaton says the level of discomfort experienced will come down to prior planning—though it may also have something to do with the resources of a firm of Morgan Stanley’s size. The bank’s internal Big Data platform was funded and built prior to CAT, he explains, and its CAT solution is based on an instance of that platform. 

“Like any Big Data platform, it was designed to ingest data from a number of sources into its data model, and translating from this data model into a particular messaging format such as FIX or JSON requires some—but not a tremendous amount—of effort. Because we will be using an internal data store that is independent of any particular messaging format, we have no explicit linkage between our internal data model for CAT and the external messaging protocol. But firms that do not have an internal repository for CAT data might be more heavily impacted,” he says.

Given those stakes and potential headaches, one source wondered why Thesys, with the technology heritage of Tradeworx, would go with a “less sophisticated, less creative” protocol, given the higher data granularity, clock synchronization, inclusion of equity options, and deeper capture of trade routing across desks and venues implied by the CAT.

But thankfully, the concerns may be short-lived. By the start of this year, Thesys began discussing requirements with the industry and potential gaps to be addressed before opening the door to FIX, and sources say some progress has already been made—though all of that good work “also remains dependent, of course, on the amount of time [made] available and the approval of the regulators,” says Thesys CAT chief compliance officer Shane Swanson.

Czars and Zombies

Both of these areas illustrate a collective effort at working to produce a useful outcome from a rocky process that is structurally fraught. The more one looks at the flimsiness of the technical details settled upon—if formalized at all—the more it becomes obvious that the November 15 deadline was a hollow one. The question now, after a couple months of decompression, is where it all goes. 

“There is certainly the possibility that, due to continued uncertainty in scope and milestones, the CAT program moves forward in a zombie-like state that delivers little value,” Beaton admits. “Were this to happen, the primary impact to broker-dealers would be opportunity costs in terms of IT spend and regulatory subject matter effort, and both are vital to manage efficiently in the current regulatory environment. We do not anticipate this happening, however, and are proceeding full steam ahead. I would think there is more risk in allowing the project to falter and then trying to regain that momentum later, than there would be to execute on the existing plan to deliver what we are confident we’ll need to do—which is quite a bit, despite the lack of detailed specifications—in 2018.”

As Sporkin at Buckley Sandler sees it, Chairman Jay Clayton and the SEC had similar thoughts on November 15. The implicit message in their decision was clear, he says: “We get the cyber concerns; we won’t touch the data until it’s hermetically sealed. But don’t stop building. Start capturing.” He also says the time has come for the Commission to take more of a leadership role, particularly in the SRO data usage puzzle. 

“I would argue that regulators should relax the requirement for SROs detailing their surveillance plans, in tandem with appointing a CAT ‘Czar’ who would oversee the physical access to that data in only a small handful of locations, and have a means-tested approach to resolving requests for the last 10 percent—the most sensitive—of the PII data,” he says. “It’s one of those rare times where you don’t want a democratic process. Someone with no regulatory risk needs to step in and pronounce where the data will be, how to get it, manage the idiosyncrasies of that group, and conduct a conservative push-out of the data. That is the SEC.”

Meanwhile, FIF’s Hebert and Thesys CCO Swanson have their own to-do lists going for piecemeal progress. It includes allowing the time for brokers to code to a final spec—ideally with the addition of FIX, which almost certainly means a delay on large firms’ 2018 reporting date—setting expectations for options reporting, developing a time horizon and strategy for retiring duplicative systems related to Finra’s Order Audit Trail System (OATS), and preparing for enhanced security measures like multi-factor authentication for access into the processor platform.

“The delays that have occurred are not unexpected when you consider that Thesys CAT won the bid in January, and was only contracted for the work in April of 2017,” Swanson says. “We firmly believe in the value of the CAT, and that has been echoed by many others in both the regulatory community as well as the industry.”

Swanson’s point is fair enough. But just as 2017 was a year to raise issues, 2018 may be—and in fact, may need to be—the year to solve those issues. 
