Dan DeFrancesco speaks to those familiar with the process about what led to the New York-based vendor’s win over the incumbent, Finra, and what the industry can expect going forward.
The Consolidated Audit Trail (CAT) has been on a long and arduous road since the concept was first publicly discussed by regulators on May 26, 2010. It was on that day the Securities and Exchange Commission (SEC) held an open meeting to propose a rule requiring the industry to build a massive audit trail for tracking and storing information on every order, cancellation, modification and trade execution for exchange-listed equities and options in the US markets.
The meeting came less than a month after the Flash Crash, which saw the Dow Jones Industrial Average (DJIA) plummet almost 1,000 points in a matter of minutes, before largely recovering the losses before the market closed. Regulators’ inability to piece together what caused the event in its immediate aftermath caused the SEC to rethink the way it was collecting and storing data, leading then-SEC chairman Mary Schapiro to propose building the CAT.
It would be another two years before the SEC gave the CAT the green light, approving Rule 613 under Regulation National Markets System (Reg NMS) on July 11, 2012. The decision then put the onus on self-regulatory organizations (SROs) to submit a National Markets System (NMS) plan to the SEC detailing how to create, implement and maintain the CAT.
The CAT then spent over four years mired in red tape before arguably the most important decision of the entire process was made: selecting a firm to build the massive audit trail.
Thesys Technologies, the vendor arm of high-frequency trading firm Tradeworx—in addition to its partners on the bid: technology giant IBM, law firm Latham & Watkins, and brokerage Rosenblatt Securities—was selected. With the SEC estimating a cost to the industry of $2.4 billion initially and $1.7 billion thereafter annually, Thesys will now be tasked with leading one of the largest financial technology projects the industry has ever seen.
“You need to move the computation to where the data is. If you force everybody to download all the data they need to do their analysis and then use their own analytical tools, you’re creating 12 copies of the CAT, and you’re creating 12 times as big a security problem.” Mike Beller, Tradeworx
But how did we get here? How did a firm that is not yet 10 years old outlast 30 other bidders, including an organization that has established itself as an integral part of the financial markets and runs a system similar to the CAT, albeit on a much smaller scale? How was the process impacted by taking up the better part of a decade? And what still needs to be done before the CAT is fully functional?
WatersTechnology spoke to multiple sources—both directly involved in the CAT process and familiar with how it unfolded—on the condition of anonymity about why things panned out the way they did and what the industry can expect going forward.
Overcoming the Incumbent
When the SEC first officially posted its request for proposal (RFP) for the CAT on February 26, 2013, there was one clear favorite: the Financial Industry Regulatory Authority. Finra currently operates the Order Audit Trail System (Oats), a platform many consider to be the CAT’s predecessor and one that will likely be decommissioned once the CAT is up and running.
Most in the industry believed Finra was the default choice due to its Oats experience. Even in the days leading up to the final vote, Finra—one of three finalists along with Thesys and FIS, which acquired SunGard in November 2015—seemed to be in the driver’s seat, according to a source involved in the process.
“I think we were still considering that most people would go with Finra because it’s kind of a conservative choice,” the source says. “There were enough exchanges on Finra’s side to push it through.”
Another source familiar with the process says Finra’s advantage over the competition came from the belief that it could get the CAT up and running faster and more easily than other bidders due to the infrastructure it already had in place from running Oats for a number of years.
“We were always going under the notion that they had five to six years to modify Oats so that it would have been a seamless transition. The collection process would have been almost seamless for the industry to just continue to use their same gateways and understand connectivity and their interactions. The same personnel would be comfortable to just one day switch over and call it CAT instead of Oats. Ninety percent of what needed to be done from the industry perspective for the broker-dealers or the venues would have been similar,” the source says. “Finra was the easy choice. It was theirs to lose, and at the last minute they couldn’t satisfy a basic requirement.”
The requirement in question was that of cybersecurity, according to several sources. It’s an area that has grabbed the industry’s attention in recent years due to the amount of Personal Identifiable Information (PII) the CAT database will hold, which eventually led the SEC to make modifications to the NMS plan regarding tighter data security requirements before approving it in November 2016.
Finra’s issues weren’t around the strength of the bid’s cybersecurity but instead about what would happen if something went wrong. According to two sources—one involved in the process and one familiar with it—Finra’s unwillingness to take on all liability in case of a potential breach of the CAT database was a non-negotiable point for the SROs.
“Finra basically said that if things go wrong, or if it’s hacked, the liability is going to be shared between the SROs,” a source involved in the process said. “We were like, ‘Uh, no. No it won’t.’”
Another source involved in the process says he didn’t see Finra’s stipulation about sharing liability to be as big of an issue, but admitted that Finra’s bid was presented as running the CAT as an industry utility with shared responsibilities among the SROs.
“Every organization is concerned about cybersecurity and looking for, depending on your perspective, reducing your exposure for liability. That’s standard for anybody,” the source says. “There were some nuances in the contract terms that we had discussed with both sides. So others may have latched on to those more than I did. I think it was an area that some felt strongly one way and some felt the other way.”
Thesys has long been a vocal proponent of the importance of the CAT’s cybersecurity. Mike Beller, Tradeworx CEO and a managing partner at Thesys, has brought up the topic during previous conversations with Waters, always citing the firm’s choice to include custom analytics and big-data tools directly in the database as a differentiator.
“You need to move the computation to where the data is. If you force everybody to download all the data they need to do their analysis and then use their own analytical tools, you’re creating 12 copies of the CAT, and you’re creating 12 times as big a security problem,” said Beller while speaking to Waters back in June 2016. “Not because there is anything wrong with the IT capabilities of the SROs—far from it. It’s more an issue of, if you could have one database that you could have all your resources focused on, it seems better than having 12 copies and having everybody’s security teams beefed up to address that.”
One source familiar with the CAT process believes Finra’s resistance to taking on more liability in its bid could be tied to the change in leadership the firm had during the process. The retirement of Richard Ketchum as CEO and chairman and appointment of Robert Cook as president and CEO of the firm in the second half of 2016 could have impacted Finra’s interest in the CAT bid, according to the source.
In addition to making the initial bid on the CAT, Finra also proposed building the Comprehensive Automated Risk Data System (Cards) under Ketchum. Cards, which was proposed in late 2013, would have collected standardized information regarding account activity and security that could then be run through analytics to identify potential red flags in terms of sales practice misconduct.
The platform was criticized by many in the industry who felt it would be targeted by hackers due to the amount of valuable information it would hold and questioned the need for it when the CAT process was already in full swing. Ketchum announced in May 2015 the project would not proceed until concerns brought up during the comment period were addressed before shutting down the proposal entirely later that year.
The source says Finra’s new leader potentially might not have shared the same interest in getting involved in these types of projects. While both men worked for the SEC prior to joining Finra, Ketchum also spent time working on the business side of the industry with stints at NYSE and Nasdaq. Cook, meanwhile, was a partner at a Washington, DC-based law firm focused on the regulation of securities markets and market intermediaries before joining the SEC and then eventually Finra.
“I got to believe Ketchum would have sold his first born to get the CAT. He would have done whatever they needed to get it,” the source says. “Cook comes in and he’s not business-minded. He’s compliance minded, and he probably said this isn’t the right place for us to be.”
Ketchum, who was named to MarketAxess Holdings’ board of directors in February effective April 1, declined to comment.
Another source involved in the CAT process says Finra seemed to have a waning interest in the competition down the stretch.
“Finra seemed to not be sure whether it wanted to be in the competition or not,” the source says.
Finra declined to comment on its bid, instead reiterating the statement it made the day it was announced Thesys had been selected as the plan processor.
“Finra appreciates the opportunity to have submitted a highly competitive proposal to become the processor for the Consolidated Audit Trail. Although ultimately we were not selected to be the processor, Finra will work closely with all parties toward a smooth transition to the CAT. Finra remains committed to its robust program of cross-market surveillance and looks forward to enhancing that oversight with the uniform, comprehensive data that the CAT will provide.”
Finra wasn’t the only firm to have experienced a change in leadership while bidding on the CAT. The financial industry is a space full of mergers and acquisitions, departures and arrivals, and the time between the initial RFP and final selection—nearly four years—is a long period for a company to go without any shakeups. In fact, all three finalists dealt with some dramatic changes during the bidding process.
Manoj Narang, the founder and CEO of Tradeworx and a managing partner at Thesys, departed the firm in January 2015, leaving Beller, who was Tradeworx’s CTO and already a managing partner at Thesys, to take over the role of CEO at Tradeworx.
SunGard faced an even bigger transformation. Technology giant FIS announced that it was acquiring the Wayne, Penn.-based vendor in August 2015, with the deal ultimately closing some three months later. A source familiar with the process says changes like these have to be expected when a plan takes this long to unfold.
“In the world of technology, if you’re going to take six years to do something, every one of your bidders is going to change. That’s why it’s incomprehensible why this thing dragged on this long,” the source says. “You can’t let it go on so long that the companies don’t exist anymore or, for whatever reason, change dramatically so that they are unwilling to stand behind what they do.”
That said, it’s not as if the SROs picked a lemon to build the CAT. Nearly every source interviewed for this story spoke highly of Thesys’ capabilities in terms of its technology.
“This is a highly technical project and Thesys seemed very keen to take on all of the grizzly elements,” a source involved in the process says. “They didn’t shy away from that.”
Another source points to Thesys’ use of the cloud and the potential cost efficiencies that will provide for the industry when it comes to scalability as major benefits influencing the decision.
The challenge for Thesys, according to some sources, is regarding the service aspect of the CAT. While the vendor has no problem building the necessary machines for trade capture, having the required infrastructure in place to efficiently handle an entire industry looking to report into them could be an issue.
“A lot of folks look at this as just a technology solution. It’s not just implementing a technology solution—it’s basically almost a separate company because you also have to handle all of the administrative aspects of running the CAT, including the billing aspects on behalf of the SROs, the collection side, and also the analysis side in regards to working with the SROs and Finra to make sure that all of the various information that is submitted by the broker-dealers is normalized,” a source familiar with the process says. “I have no concern that they can’t implement the technical solution, but in putting together and running a whole CAT administration and processor along with dealing with some of these oversight requirements that they are going to have to do for the industry, I think that will be a challenge for them.”
Anshul Anand, a vice president at Thesys who led its CAT bid, points to the firm’s partners on the bid when addressing those concerns.
“While Thesys is leading the CAT processor effort, we’re fortunate to have world-class partners in IBM and Latham & Watkins. We’ll be drawing on IBM’s extensive operational experience from decades of building complex technology and support systems. Latham & Watkins brings a wealth of expertise on the compliance, oversight, and governance side,” Anand says. “Thesys CAT will leverage our collective knowledge across technology, operations, compliance and market microstructure.”
As an indication of their ability to build platforms for regulators, one source involved in the process points to Thesys’ experience running the Market Information Data Analytics System (Midas), which collects and processes data from consolidated tapes and proprietary feeds from exchanges to help the SEC surveille the markets.
However, another source says that’s not a like-for-like comparison as the CAT is a far more complex project.
“These are data feeds that they now have to create and manage and figure out and manipulate and translate and convert. Then they have got to store them. Then they have got to make them available, spin them out in a way that is compliant under an agency rule—that’s a bazillion times more complex than slicing and dicing already-delivered data feeds and providing that to the SEC; it’s not even in the same hemisphere,” says the source. “That’s like playing Legos as a baby as opposed to doing brain surgery. They’re on opposite ends of the spectrum.”
Not everyone was as supportive of the decision to award the CAT project to the Thesys consortium, though. One source involved in the process questioned whether the SROs were interested in picking the best candidate.
“When the result was announced, I heard a few folks say, ‘Well, if you had the option to choose your own auditor, would you choose the most capable, or the most incapable?” the source says.
As important as selecting a plan processor was, there is still a long way to go before the CAT is up and running. According to a source involved in the process, the next key hurdle is getting the contract signed between the SROs and Thesys. And while the negotiation process is important, the group can’t solely focus on the contract without moving forward with other parts of the plan, according to the source.
Clock synchronization for SROs and broker-dealers is the first upcoming deadline. According to SEC Rule 613’s implementation timeline, exchanges and broker-dealers must be within 100 microseconds and 50 milliseconds, respectively, of the time maintained by the National Institute of Standards and Technology (NIST) by March this year.
Reporting to the CAT officially begins in November, with SROs submitting data to the central repository. However, according to a source, that piece is likely to be less complicated as the SROs are already aggregating a lot of their data. The bigger hurdle—and the one more likely to affect the CAT timeline—is the requirement of large broker-dealers to report to the platform, which comes into effect in November 2018. Small broker-dealers must begin reporting the following year.
“That is going to be a lot of work, because it is both internal work at the firms and external work, too,” the source says. “Whether it’s that or the smaller broker-dealers reporting a year later, I think it’s that piece in many ways that is going to be the more complicated one.”
Perhaps an even more important question that needs answering is whether the entire process is a worthwhile endeavor. One source points out that if getting the CAT up and running is so vital to the markets then why has it taken so long to get this far, and what happens when the technology used by the industry continues to evolve?
“I think that if there really was a need for a CAT, it would have already been solved. Waiting six years just for the selection process shows it’s not mission-critical,” the source says. “I think it’s important that you can track data, but I think that technology is advancing with such speed that once this build is done the market structure might look different where there are other types of technologies being used. What if all the transactions are done on a blockchain? What collection of data should you download, for example? I think that it’s a challenge to be a regulator trying to come up with technical solutions, but I’m not convinced I understand the rationale for trying to solve it this way.”
Consolidated Audit Trail Timeline
The creation of the CAT has been a process over six years in the making. A lot has happened during that time. Here is an abbreviated timeline of some of its most important milestones, both past and future.
May 6, 2010 – Flash Crash occurs.
May 26, 2010 – SEC holds open meeting proposing a rule to build a Consolidated Audit Trail (CAT).
July 11, 2012 – SEC adopts Rule 613 under Reg NMS that requires SROs to create an NMS plan to build the CAT.
Feb. 22, 2013 – SROs announce the creation of the CAT Development Advisory Group (DAG) made up of industry firms to help the SROs create and implement the CAT.
Feb. 26, 2013 – CAT Request of Proposal (RFP) published.
March 25, 2013 – SROs name 15 firms that are part of the CAT DAG.
Feb. 21, 2014 – SEC approves SROs selection plan for how they should review, evaluate and narrow down bids submitted for building the CAT.
April 24, 2014 – SROs name 10 qualified bids from list of 31 initial bidders.
May 2, 2014 – SROs add 12 additional members to the CAT DAG.
June 23, 2014 – SROs start study to analyze implementation cost of the CAT.
July 1, 2014 – SROs select six shortlisted bids to build the CAT.
Sept. 30, 2014 – SROs file CAT NMS plan with the SEC.
Feb. 27, 2015 – SROs file amended and restated CAT NMS plan with the SEC.
June 17, 2015 – SEC approves Amendment No.1 to selection plan regarding bidders’ ability to revise bids prior to the SEC’s approval of NMS plan and certain nuances for voting for the plan processor.
Sept. 24, 2015 – SEC approves Amendment No. 2 to selection plan, allowing an SRO that is a bidding participant to recuse itself from voting in any round to select the plan processor in which it is affiliated with one of the bids being considered.
Nov. 16, 2015 – SEC reduces shortlisted bids from six to three.
Jan. 7, 2016 – SROs file amended and restated CAT NMS plan with the SEC.
April 27, 2016 – SEC publishes NMS plan for the CAT, seeks public comment.
Nov. 15, 2016 – SEC approves NMS plan.
Jan. 17, 2017 – SROs select Thesys Technologies as CAT plan processor.
March 2017 – Business clock synchronization for SROs and broker-dealers required.
November 2017 – SROs begin submitting data to the CAT.
January 2018 – SROs implement enhanced surveillance based on CAT data.
November 2018 – Large broker-dealers begin submitting data to the CAT.
November 2019 – Small broker-dealers begin submitting data to the CAT.
While at Sibos Toronto, James shares some interviews covering topics on blockchain, fintechs and cybersecurity.Subscribe to Weekly Wrap emails