CAT Concerns: The Biggest Hurdles Still Facing the Massive Audit Trail

It wasn’t long after Stephen Luparello received the first draft of the US Securities and Exchange Commission’s (SEC’s) notice regarding the National Market System (NMS) plan for building the Consolidated Audit Trail (CAT) that he recognized changes needed to be made.

First drafts tend to require a bit of work, but one thing specifically stood out to the director of the division of trading and markets at the SEC. The notice and economic analysis, which looked at the plan describing how to build a comprehensive audit trail submitted to the SEC by a group of 19 self-regulatory organizations (SROs) comprising national exchanges and the Financial Industry Regulatory Authority (Finra), had a distinct number of pages. 

“Let me apologize for the length of the CAT, but the first draft I saw the actual length in terms of pages was 666,” said Luparello, while speaking at the Securities Industry and Financial Markets Association (Sifma) Ops conference held in Miami Beach, Fla., in May. “That just seemed like a really bad omen, so we added something to the economic analysis so it wasn’t 666 pages.”

The paper eventually landed at 763 pages, which, when added to the original NMS plan puts the entire document at a mind-numbing 1,090 pages, although you can’t blame Luparello’s apprehension. It might seem silly to worry about something as trivial as page numbers for a project the SEC estimates will cost the industry $2.4 billion initially and $1.7 billion annually, but the journey to getting the CAT up and running has hardly been easy.  

The platform, which will track orders, executions and quote lifecycles for all equities and options on a daily basis and store the data in a central repository, has been marred by red tape since the SEC first approved the concept of the CAT back in July 2012. 

“You need to move the computation to where the data is. If you force everybody to download all the data they need to do their analysis and then use their own analytical tools, you’re creating 12 copies of the CAT, and you’re creating 12-times as big a security problem.” Mike Beller, Tradeworx

However, on April 27 a major milestone was reached, as the SEC voted to publish the plan for public comment, along with releasing its notice, which included an economic analysis. By doing so, the Commission has knocked over the first in a seemingly long line of dominoes. That’s not to say it’s smooth sailing from here. There are still plenty of questions surrounding the CAT, specifically around cybersecurity, the retirement of redundant systems, and the overall achievability of the current timeline. 

Where We Go from Here

Regulators have always been fond of touting their own achievements, but, to their credit, releasing the CAT plan for public comment does set a few things in motion for the industry.

The SEC now has 180 days to approve the CAT NMS plan. During that time, the Commission will accept public comments on the plan for the first 60 days following its publication in the Federal Register. Once approved, the SROs have two months to select a plan processor among the remaining bidders via a two-round voting process during which each SRO has one vote. 

Reporting to the CAT begins within a year after the Commission’s approval of the plan, with the SROs being the first ones required to report data. Large broker-dealers are next, having to report within two years after the SEC’s approval of the plan. Finally, small broker-dealers must begin reporting to the CAT within three years of approval by the SEC.   

Only three of the original 31 bidders that submitted to build the CAT remain: FIS, a global provider of banking and payments technologies that acquired SunGard, the original bidder, in November 2015; Thesys Technologies, the vendor arm of high-frequency trading firm Tradeworx; and Finra, which currently operates and maintains the Order Audit Trail System (OATS), which is used to monitor trading practices for all NMS stocks and over-the-counter (OTC) equity securities. 

Thesys was the only remaining bidder that agreed to speak to Waters for this story. FIS declined to participate; Finra declined as well, stating that it was too early in its review of the SEC notice to comment substantively.

Mike Beller, CEO at Tradeworx, says he’s torn between the importance of patience while building such a massive platform and the urgency for this type of machine in the industry.

“I think that maybe it’s appropriate that the industry does this cautiously because they don’t want to make a mistake,” Beller says. “On the other hand, this capability is really needed. It’s really needed to provide the appropriate level of transparency in the markets and provide regulators with what they need to be able to really see what’s going on. I think it’s been a very difficult problem for years.”

Keep It Secure

It might seem obvious that cybersecurity would be an important issue for a database that’s projected to store thousands of terabytes of data every year. However, cybersecurity wasn’t a top priority for the industry in 2010, when the CAT was initially proposed, like it is now. 

Jess Haberman, Fidessa’s compliance director who represents the vendor on the CAT Development Advisory Group (DAG), says it’s a major area those reporting to the CAT are concerned about, specifically regarding personal identifiable information (PII). 

Maura Miller, director of securities compliance at Credit Suisse Securities and a member of the DAG, voiced similar concerns around the CAT’s cybersecurity protocol while on a panel at Sifma Ops discussing the CAT. Security was also the first topic Thesys’ Beller brought up when asked about major issues the CAT still faces before actual implementation.

And while all agree cybersecurity is important, some differ on what specific aspects of the space are most important. Haberman, who admits he’s not a security expert, believes the biggest threat comes in the form of hackers, citing the laundry list of breaches that have occurred over the past few years. For Miller, the concern is around data security once it has left the CAT.

“Once the data has been extracted from the CAT and is in the hands of an analyst of one of the regulators, what protections are there then?” Miller asked. “When it’s on one of their computers and they’re doing work with it, what happens with that data after the fact? So now they have the PII, and they’ve done their investigation and it’s on their hard drive. Can they print it and take it home? That type of stuff.”

To that point, Beller says he is a strong believer in incorporating custom analytics and big-data tools right into the actual database. He says the way the CAT was originally proposed was to have it set up as a database where SROs could extract the data they need. That idea, Beller says, violates the fundamental principle of big data.

“You need to move the computation to where the data is. If you force everybody to download all the data they need to do their analysis and then use their own analytical tools, you’re creating 12 copies of the CAT, and you’re creating 12 times as big a security problem,” Beller says. “Not because there is anything wrong with the IT capabilities of the SROs—far from it. It’s more an issue of if you could have one database that you could have all your resources focused on, it seems better than having 12 copies and having everybody’s security teams beefed up to address that.”

Regulatory Response

David Shillman, associate director of the division of trading and markets at the SEC, said security is a key consideration for the regulator, and it is hoping to get comments from experts on the standards proposed. Shillman, who sat on the CAT panel at Sifma Ops with Miller, added that the Commission will make sure the protocols protecting data in the CAT extend to the SEC when the data arrives. 

Bob Walley, a principal at Deloitte, focusing on the regulatory and capital markets who assists the SROs with the CAT NMS plan and who also sat on the panel, said there has been a lot of discussion and exploration about ensuring that what happens in the CAT stays in the CAT.

“I think the challenge from a usage perspective becomes when an individual SRO has unique data that they want to combine with CAT data, how do they start to run those queries? Candidly, we’re challenging the bidders on what those solution concepts look like,” Walley said. “There have been some creative ideas about how I can bring back elements of customer information that’s not PII that would allow some investigation to continue without necessarily disclosing the PII elements, so really trying to think outside the box. … The real caution is when you’re going to start pushing 58 billion records a day into this thing, how many copies of that do you want floating around? That’s really a major concern from everybody’s perspective.”

Retirement of Old Systems

Every beginning is also an end, and the same goes for CAT, as the launch of the platform will mean the end of other reporting systems. EBS and large trader reporting both fall into this category, but it is Finra’s OATS that has drawn the most attention. And while seemingly everyone agrees that OATS needs to be retired, how quickly that should happen is open for debate. 

In the SEC’s notice, the regulator said duplicative reporting is expected to last two-and-a-half years, based on data from the NMS plan. Dave Emero, a vice president at Goldman Sachs involved in the regulatory operations space, wasn’t shy about voicing his displeasure with those estimates while speaking on the CAT panel at Sifma Ops.

“The concept of having to run something like OATS for up to two-and-a-half years after you’ve started to report to CAT is just unfathomable from my perspective. The expense, the challenge of doing that, the waste of infrastructure, people, support and duplicative reporting for anything like that period of time to me seems totally unacceptable with a plan like this,” Emero said. “I think there definitely needs to be a little bit more creativity behind the thought process around allowing the retirement of OATS much sooner than contemplated by the plan.”

The SEC’s Shillman said the issue isn’t around analysis of overlapping systems, as much of that work can be done now, but making sure the CAT is producing reliable data. That will be the biggest hurdle when looking to retire systems, as a switch to the CAT shouldn’t mean a downgrade in data, according to Shillman. He did add that he feels the initial proposal of two to two-and-a-half years does seem a bit slow.

Deloitte’s Walley added that there is some dependency on which vendor gets selected to build the CAT, as some have discussed having the CAT produce OATS data formats to help maintain the system as it is retired.

Like Emero, Fidessa’s Haberman is a strong proponent of retiring OATS as soon as possible. Beller voiced similar sentiments, although he used it as an example of ensuring the usefulness of the CAT is considered. “It’s got to replace everything that it can replace,” Beller says. “The overlap of the systems is substantial and really, in our view, there are only a few fields or nuances that need to be captured for retirement purposes.” 

Staying on Target

There is one question still looming over all this: When will the CAT actually be up and running?

Hypothetically, if the timeline goes as planned, the SEC would approve the plan by the end of October. A winning bidder would be selected before the end of this year, reporting would begin in the fourth quarter of 2017. That’s if everything goes off without a hitch, and as anyone in financial services will tell you, especially those involved with the CAT, delays are almost inevitable. 

Shillman cited the interest among the SEC commissioners as a major reason why he believes the schedule will be stuck to. In his eyes, the industry might be able to avoid delays that are expected with a project this size thanks to the work done by the SROs developing the detailed NMS plan. Goldman’s Emero had a different take, urging the timeline to be adjustable.

“If things that are very critical to the overall timeline of reaching development don’t happen in a timely manner, we think that the overall plan for CAT should depend on those milestones. If there are delays in specifications, that shouldn’t cut into the timeline for implementation and testing. If there are delays in getting the testing environments up and running, that shouldn’t cut into the time that the industry SROs have to test,” Emero said. “We have to make sure that we don’t short circuit the process in order to meet an arbitrary deadline. It’s important that we do it right—that we build it once and don’t have to redo it multiple times down the road.” 

Salient Points

• The SEC has published a notice regarding the CAT NMS plan and voted to begin accepting public comments on it on April 27. The regulators now have 180 days to approve the plan.
• Cybersecurity is still a major issue for the CAT. Firms’ interest in having the necessary protocols and systems around their data has increased significantly since the CAT was first approved by the SEC in 2012. 
• The retirement of redundant systems is also a hot topic. Finra’s OATS is the biggest of that group. The SEC notice said it could take two to two-and-a-half years after reporting to the CAT has begun before OATS can be shut down, a sentiment many disagree with.