The retirement of the Order Audit Trail System (Oats)—set for September 1—is a milestone on the long and winding road to the implementation of its replacement, the Consolidated Audit Trail (Cat), which was mandated by the Securities and Exchange Commission (SEC). But it’s just one milestone; the SEC needs to pass many more before the end of the journey—full Cat implementation—and pass them in short order if the Cat is to meet its deadlines before full go-live next year.

The Financial Industry Regulatory Authority (Finra) made the Oats retirement official in a rule change filed with the SEC on June 23. Oats was planned to be scrapped, but Finra wanted Cat data to meet certain accuracy and reliability targets first, and it wanted to move its automated equity surveillance patterns over to the Cat. This has now been achieved, and Finra can focus on Cat data quality, and the linkages between the data that will provide the granular view of the market that the SEC wants from the audit trail.

The Oats retirement is also a milestone—and a relief—for broker-dealers, many of which were reporting the same data to both Oats and the Cat. An industry source told me days before the retirement was announced that broker-dealers were anxious to be rid of this double reporting burden as soon as possible.  

The retirement is also a milestone for the exchanges—known in regulatory lingo as self-regulatory organizations (SROs)—that have so far, along with Finra, funded the Cat project. Retiring Oats falls under one of four Cat implementation criteria that the SROs must hit if they want to recover some of the expenses they have incurred in developing and managing the Cat, once the Cat’s funding model is approved.

It has seemed unlikely at times that the Cat would ever materialize, so to get to the point where it has officially replaced Oats as the definitive audit trail is cause for celebration. But the SEC is currently sitting on some important decisions, and industry representatives say they fear more limbo.

The fee schedule is one example. While the SROs have mostly funded the build and operation of the Cat so far, they don’t want to keep doing so, and the Cat operating committee has written a proposal that contemplates a fee plan where 75% of the costs would be borne by industry members and 25% by the SROs. This plan is still under consideration by the SEC.

Unsurprisingly, “Who pays for the Cat?” has been one of the stickiest problems of the project since it was a twinkle in the eye of regulators. But this is a well-established debate, with parallels in other projects; an arguably even more controversial tenet of the Cat plan is the requirement to report personally identifying information to the database.

Certain elements of the SEC are adamant that the Cat needs to collect personal information on individuals involved with trading accounts. A vendor called Kingland has been contracted to build a database called the Customer and Account Information System (CAIS), to which firms must report customer identifying and customer account information. When the Cat is fully operational, the customer and account data will be linked with the transactional information that firms have already begun reporting to the Cat, to create that powerful, holistic view of the market that the SEC wants.

An SEC attorney earlier this year said there were “a host of reasons” why linking all accounts held by one individual might be important, not to mention that the kinds of market abuse that the SEC wants to crack down on are usually committed by networks of people, rather than lone rogue traders. Requiring biographical information is important in finding the links between individuals.

On the other side of the debate, observers have framed CAIS database reporting as nothing less than a civil liberties issue.

“I’ve spoken so often my concerns about the Cat that I dread seeing my moniker change from Crypto Mom to Cat Lady,” Republican SEC Commissioner Hester Pierce quipped on a call hosted by the Federalist Society in late 2020. “But I do think the liberty implications of this proposal warrant continued discussion.”

Tracking all equities and options orders is a laudable goal, she said, but the Cat is tantamount to citizen surveillance. “Regulators, without having any grounds for suspicion, will be able to watch every move of every person who trades in our markets. We wouldn’t find it pleasant or appropriate for a government minder to monitor our purchases at a farmers market or a flea market, and it’s no more pleasant or appropriate for government regulators to do that in an equity market,” she said.

Cat security standards

The SROs have no say in what data the Cat should be collecting; they must facilitate the data collection the SEC mandates. But Finra Cat seems antsy to address the concerns of the industry that its databases, at least, are built to high cybersecurity standards.

The organization held a webinar in late June, partly to demonstrate how Cat data is kept safe. David Yacono, chief information security officer for the Cat system, told listeners then that the system is built securely, with threat protection and monitoring in place, from code review to penetration testing, compliant to security standards. Finra Cat tracks threats such as phishing and ransomware attacks, and makes extensive use of multi-factor authentication (MFA).

The Cat system is built to separate high-value data stores with limited access requirements, he said.

“The Cat system uses a segmented architecture that separates reporting storage and query functionality into different areas, different sub-sections of the systems. On the reporting side, there are well-controlled reporting interfaces that have no ability to query data and that allow very limited data change capability only after rigorous validation processes occur. And on the query subsystem side, that’s read-only, and is limited to private line access with MFA and closely monitored for any access anomalies,” he said.

Offline, immutable back-ups are retained in case, for example, a hacker was to encrypt the data in a ransomware attack, Yacono added.

Bulk downloads

But industry representatives like the Securities Industry and Financial Markets Association (Sifma) say it’s not so much the security of Finra Cat itself that is concerning, but rather the idea that the exchanges can do batch downloads of Cat data.

“Such a process would remove the data from the single secure Cat environment and place it in the hands of potentially multiple SROs and the individuals who work there,” Sifma president and CEO Ken Bentsen has said.

“Rather than mitigating risk, bulk downloading would only serve to exponentially broaden the risk that the data could be exposed. It is inconceivable from a risk management standpoint that the Commission would allow bulk downloading customer and transaction data by 24 separate entities,” Bentsen said.

The SEC’s dream for Cat is to have a granular view of the markets; for hackers, the linking of personal data with transactional data is just as powerful, albeit for different purposes. With these linkages, a nation state or sophisticated criminal gang could build a holistic picture of the markets that has never existed before, drawing links between transactions and specific firms, to, for example, understand individual firms’ trading strategies.

Quite understandably, the SROs—who have had the responsibility for the Cat thrust upon them—don’t want to assume liability for all this data. They want to shift liability for cyber breaches and data loss to the broker-dealers. Also quite understandably, Sifma vehemently opposes this idea. The SEC is still considering the SROs’ limitation of liability proposal, and on June 25, said it was giving itself more time to do so, and extended its own deadline to September 3.

But the security concerns under Cat are really concentrated on yet another proposal that is still under consideration by the SEC, after having gone through its statutory notice and comment period. The August 2020 proposed amendments to the Cat plan put forward some security enhancements that the industry—or Sifma, at least—have been broadly accepting of. Among other measures, it would only allow exchange employees to analyze Cat data within an environment called a “secured analytical workspace.” It would eliminate the requirement for reporting firms to provide social security numbers for human account holders, codifying a concession the SEC already made in an exemptive order in March 2020.

If these concessions are made by the SEC, they will go some way to alleviating broker-dealers’ concerns. But, to recap, there’s the fee schedule, the limitation of liability amendments, and the data security amendments to consider. And that’s without mentioning other, less publicized reporting requirements that will represent burdens to broker-dealers. All of this has to be dealt with before the Cat goes fully online next year.

But now that the Democratic administration has settled into the SEC and chairman Gary Gensler has set his agenda, the Cat doesn’t seem very high on it. To be fair to Gensler, he has a lot going on, what with meme stocks, pressure to regulate digital assets, and the US’s push toward better environmental, social and governance (ESG) reporting, on top of undoing Trump-era deregulation.

But the Cat is already providing huge amounts of potentially useful data, in an era when major volatility showed regulators and market participants the value of such. And the Cat has a lot of moving parts; it’s an incredibly complex project. It’s imperative that the SEC gets its collective head around it, and quickly.