Industry Tight-Lipped on CAT Status as Deadline Hits

Self-regulatory organizations (SROs), including the main US stock markets, were scheduled to begin reporting participant data to the Consolidated Audit Trail (CAT) as of November 15, 2017. However, a number of SROs sent a lengthy letter to the US Securities and Exchange Commission (SEC) on November 13, requesting delays to the scheduled compliance dates of up to a year or more, amid ongoing technical issues and concerns regarding cybersecurity.

On November 14, late in the day, SEC chairman Jay Clayton rejected a delay, saying that he was “not in a position to support the issuance of the requested relief on the terms currently proposed.”

In the letter, SROs warned that they would not be able to meet compliance dates as scheduled. A range of participants contacted by WatersTechnology, including the New York Stock Exchange, Cboe Global Markets, and Nasdaq either declined to comment or did not respond to requests for comment on whether they would begin reporting today. Thesys Technologies—which is responsible for the construction and operation of the CAT—said simply that it was “committed to working with CAT NMS plan participants and the SEC throughout this process.”

Spokespeople for the SEC, too, refused to clarify if the agency expected reporting to begin as scheduled, or to expand upon remarks made by Clayton in his statement, in which he urged SROs to “work cooperatively with each other and to meet their responsibilities as promptly as practicable.”

Several exchanges directed requests to the CAT Operating Committee, which said that it would “remain committed to building the CAT and work on the CAT continues throughout this process,” but declined to answer specific questions on whether reporting would begin as scheduled.

Jess Haberman, director of compliance at vendor Fidessa, says that while Clayton “made clear in his statement” that SROs would not begin reporting, the incident has raised questions about the path forward for the CAT.

“We think there are now only two choices—the SROs can continue to stick to the timetable outlined in their request, taking the stand that is the only sensible course of action, or they can reach some kind of compromise and consensus with the Commission and agree to a tighter timeframe,” he says. “The interesting question is whether they can do that with confidence that the shorter timeframe can be met while still addressing their legitimate security concerns. And if both sides do not change their views, will the Commission take disciplinary action against the SROs for not meeting deadlines that the SROs determined were unrealistic and risky?”

Regardless of the approach taken, Haberman adds, the “collaborative relationship between the Commission and the SROs is under considerable strain.”

The CAT has come under intense scrutiny in recent months, following the disclosure of a cybersecurity incident at the SEC, in which its company filings system was infiltrated and personal details of at least two people were potentially exposed. The SEC came in for a barrage of criticism from Congressional committees following the incident, related to the length of time it took from when the incident occurred, in 2016, to when it was disclosed, on September 20, 2017.

Senators and Congressmen urged the SEC to delay the CAT until the agency was certain it could secure the information it drew from the system, which includes a range of personally identifiable information associated with trade reports. Since then, the CAT has become something of a lightning rod for criticism.

Indeed, the SROs’ letter, signed by the major US equity market operators, hinged in large part on the perceived need to appoint a chief information security officer to oversee revamped plans regarding the construction of the CAT.

The SEC, for its part, has said that it is willing to re-examine what data is required from the CAT, with a view to reducing the level of personal information it will hold.

“With regard to cybersecurity, I have informed the SROs that protection of the information submitted to the CAT is of paramount importance and that I am open to various paths for addressing cybersecurity matters,” Clayton said in his November 14 statement. “Additionally, I have made it clear that the SEC will not retrieve sensitive information from the CAT unless we believe appropriate protections are in place. In this regard, Commission staff is currently conducting an evaluation of our needs for personally identifiable information in the CAT.”