PRIMER: the Consolidated Audit Trail
IFLR is part of Legal Benchmarking Limited, 4 Bouverie Street, London, EC4Y 8AX
Copyright © Legal Benchmarking Limited and its affiliated companies 2024




This updated edition of IFLR's free-to-read primer series looks at the SEC's ambitious central data repository and the problems it has faced since inception

This updated explainer looks at the Consolidated Audit Trail (CAT), addressing what it is, what it will do and who reports to it, as well as the issues that it has faced so far in its development. 

What is it?

The CAT is a central repository commissioned by the US Securities and Exchange Commission (SEC) intended to help regulators efficiently and accurately track activity in the US National Market System (NMS) securities markets.

"The CAT will track orders throughout their lifecycle and identify the broker-dealers handling them, thus allowing regulators to more efficiently track activity in Eligible Securities throughout the US markets," reads the official CAT NMS plan website. "The primary goal of SEC Rule 613 is to improve the ability of the SEC and the Self-Regulatory Organisations (SROs) to oversee trading in the US securities markets."

When established, Rule 613 required US national securities exchanges and the Financial Industry Regulatory Authority (Finra) to provide the CAT with detailed information on each quote and order in an NMS security. For every order, this is to include every reportable event with respect to origination, modification, cancellation, routing, and execution.


Rule 613 was established by the SEC on July 11 2012 after the 2010 flash crash that saw the Dow Jones drop by 1,000 points in a matter of minutes. The crash happened after a trader bought and sold hundreds of mini-futures on the CME, and caused trillions of dollars to disappear from the system. The CAT was conceived as a means of tracking the system to avoid situations like this.

The SEC approved the CAT NMS plan on November 15 2016, which set in motion the actions that broker-dealers and SROs had to perform going forward.

When does it come into effect?

The first stage of reporting to the CAT officially started on June 22 2020. This includes equities reporting for large and small broker-dealers that currently report to Finra's Order Audit Trail System (OATS), the system that CAT is all but replacing. On July 20 of this year, initial options reporting will commence for larger broker-dealers, and on December 13 full equities and options reporting for all broker-dealers will begin. By July 2021, the CAT will be fully operational.

As a result of the Covid-19 pandemic the initial deadline of April 20 was delayed until May and then to June. The virus also pushed the rest of the timeline back. 

What and who reports to it?

The data will be used by regulators to effectively survey the market, allowing them to focus their reconstruction efforts more effectively. Broker-dealers operating in the US equity and options markets are required to report order lifecycles for these markets on a daily basis, including orders, quotes, cancels, routes and allocations.

Broker-dealers, SROs and securities information processors (SIPs) — collectively the CAT reporters — are required to provide these specific record identifiers to support linkage processes. This list includes Finra and other national securities exchanges, and broker-dealers of all sizes.

This will have a significant impact on broker-dealers, who will have to adapt to be able to provide customer information reporting capability, order lifecycle reporting capability, synchronise clocks to an exacting standard time, and adapt processes to abide by CAT considerations. Whereas existing regulatory regimes like the order audit trail system (OATS) do not require customer-identifying information, it must be included for CAT – which has caused significant concern.

The task of reporting is obviously a mammoth one. An estimated 58 billion data points will be collected each day when it is in full operation. Asked at the CAT and the Future of Market Surveillance panel at the Securities Industry and Financial Markets Association's (Sifma) Equity Market Structure Conference in New York last November which types of specific information are critical to include when reporting this data, senior policy advisor at the SEC Mark Donohue said it is a question of practicality, cost and use.


From the SEC perspective, he said, one of the major uses is market reconstruction: understanding what happened during times of stress by recreating the data.

“Rejection messages are very helpful to understand market reconstruction, but may not be as advantageous from a surveillance standpoint,” he said.

He added: “We need to keep in mind the market reconstruction and policy components as well.”

Donohue continued that he can conceive a future where data elements get added to CAT so that policy decisions can be made on a more informed basis. Additional elements can point you in different directions, he concluded.

What problems is it facing?

In May, a dispute between SIFMA and a group comprised of the US SROs was resolved. SIFMA was concerned that in drafting reporter agreements for the CAT, SROs had included language that limited their own liability in the event of a data breach.

SIFMA had filed a Section 19(d) application to the Securities & Exchange Commission (SEC) after feedback from its members suggested some of the existing terms in the CAT reporter agreement were unsuitable. All industry members are required to sign the CAT reporter agreement in order to gain access to the system, for testing, certification and production reporting. "CAT is a very different beast. It contains all of the trade data for equities and options. It's going to include customer data and the lifecycle of an order," said Ellen Greene, managing director of equity and options market structure at SIFMA.

"When things are identified by a firm designated ID, even if it's masked, there is a lot of value if someone were to obtain that information. We think the cyber risk is really high." 

David Campbell, vice president of strategy and business development at Broadridge Financial Solutions, a company that provides a regulatory reporting framework for a number of global regulations for broker-dealers, including the CAT, said that broker-dealers are viewing this differently depending on their implementation status – but are in wide agreement with the trade association's complaint.

"Some never signed CAT reporting agreements and are still sticking to that. A few signed a CAT reporting agreement but then withdrew it in support of the SIFMA initiative. Then there are others who have already started reporting and signed agreements, but are supportive of the initiative," he said.

This kind of pressure is likely to have had some sort of sway on the agreement. Under the settlement, the SROs agreed to remove the specific language from the CAT reporter agreement that limits SRO liability for a breach of the database, also agreeing not to impose any limitation of liability language in the reporter agreement without first proposing a rule and going through the formal public notice, comment and approval process with the SEC. "I think everybody is concerned about the fact that firms are required by regulation to input customer-identifying data into CAT," added Campbell.

Broker-dealer Fidelity submitted a comment letter to the SEC in October that made a number of recommendations for how CAT could be improved. In the letter, Fidelity stressed a strong interest in the efficient and expeditious implementation of the CAT, echoing both SIFMA's strong stance that the complaint is not an attack on the database itself, as well as FINRA's concerns that a further delay in implementation will have negative ramifications.

What happened to Thesys?

The contract to build the CAT system was initially awarded to a subsidiary of Thesys Technologies, Thesys CAT LLC, which acted as plan processor. Thesys initially had just 11 months to build the entire system from scratch.

The first deadline for data reporting to the CAT was November 15 2017, from which the SROs requested relief. Although the request was rejected by chair Jay Clayton, no reporting took place for another year.

A year later, several industry members released technical specifications for participants in the CAT to help them understand their responsibilities in relation to SEC Rule 613 and the CAT plan. The specifications also described requirements for reporting CAT data, such as detailed information about data elements and the file formats of each reportable event. This was the first time a fully-fledged, detailed specification had been provided to the industry, only three weeks before the already extended deadline.

In a statement, Brett Redfearn, director of the SEC division of trading and markets, announced the SEC wouldn’t expect to take enforcement action for failure to report data to the CAT ‘if the CAT is not sufficiently developed to receive that data’.

The big ask from the industry standpoint was a technical legal issue that the SEC had not come out and recognised. The plan required firms and SROs to be compliant and start uploading data by November, but Redfearn’s statement suggests that the staff were offering a legal pass on that because it is impossible.

“We are dealing with compliance officers and boards of directors at firms, and they have a legal obligation to make sure they are meeting all of the requirements, so there has been a longstanding request to have the SEC make a legally binding or public statement on what happens if broker-dealers miss the November 2018 deadline – which they certainly will,” said Gregg Berman, director of the market analytics and regulatory structure unit of Citadel Securities.

It's unlikely that most broker-dealers would care about that. It isn't possible to send data if the CAT doesn’t exist, which is currently the case. 

In January, Thesys told IFLR Practice Insight that the initial stages of reporting were progressing as hoped after the reporting schedule started, and that accuracy and security remained high priorities. Even so, the firm was replaced shortly afterwards by the SEC – which reassigned the task to Finra.

During a December 11 testimony before the US Senate Committee on Banking, Housing, and Urban Affairs, however, SEC chairman Jay Clayton said the regulator remains frustrated by the failure of SROs to meet their obligations, as well as by delays in the development of the CAT.


The market too was uncertain. It now seems entirely possible that the system will not function as originally intended, and the cybersecurity issues that have surrounded it since inception remain a significant concern.

During testimony, however, Clayton explained that the SROs responsible for developing and implementing CAT had missed their initial November 15 2017 deadline. “While the CAT has now begun receiving equity and options data with limited functionality, the SROs remain out of compliance with the CAT NMS plan today,” he said.

“The SROs are making some progress, but the development and implementation process remains slow and cumbersome due largely to what I believe are project governance and project management issues experienced by the SROs,” he continued.

Clayton went on to say that the Commission was frustrated, that the projected date of full delivery of March 31 2019 was not good enough, and that SROs are not meeting obligations.

In February 2019, Thesys was fired from its role and Finra was appointed. Finra and CAT NMS confirmed that the CAT project would be transitioning to a new plan processor, a change that had a significant impact on existing implementation plans. "While certain dates may change, there are no material changes planned for the industry member technical specifications," they said.

Despite this change, issues regarding data and personally identifiable information (PII) remain. In March at another Sifma conference, Clayton confirmed the agency was working on a unique customer identification for the CAT, which could allay certain fears that the industry may have – as long as it worked with the SEC.  

"There are solutions here. We'll get to a responsible place on customer data as long as everybody remains constructive," he said.
