PwC Offers 10 Key Points on SEC’s Consolidated Audit Trail Plan

On November 15, 2016, the Securities and Exchange Commission (SEC) approved a plan to establish a Consolidated Audit Trail (CAT), which will contain a complete record of all equities and options traded in the U.S.[1] The plan will require national securities exchanges and FINRA (self-regulatory organizations or SROs), alternative trading systems (ATSs), and broker-dealers (collectively, CAT reporters) to submit information on trade events,[2] including customers and prices, to the CAT on a daily basis.[3] The approval of the plan is an important milestone towards full operation of the CAT, which is projected by the end of 2019 (see Appendix for full timeline of CAT milestones).

The SEC mandated the SROs to create a plan for how the CAT would be built and operated, but the plan released in April resulted in a number of industry comments.[4] In response, the approved plan updated several aspects of the proposed plan, such as the timeline for decommissioning existing reporting requirements, synchronizing time between reporters, and the makeup of the advisory committee. However, the SEC did not fully address concerns posed by broker-dealers, most importantly regarding CAT funding and broker-dealers’ lack of access to the data.

  1. No specified end date for duplicative reporting. The SEC first proposed the CAT after the May 2010 “flash crash” when it became clear that the data available to the SEC is fragmented with no single source that covers all SEC regulated markets.[5] While the CAT is expected to consolidate the fragmented data sources, the original proposal did not include a timetable for the elimination of existing reporting requirements, and instead proposed a minimum of two-and-a-half years of duplicative reporting. The approved plan still does not provide this timetable, but does create a May 2017 deadline for SROs to submit proposals for the elimination of existing requirements. Several industry commenters raised this issue due to the industry cost of reporting to both the CAT (estimated at $1.7 billion per year) and existing systems (estimated at $1.6 billion per year). However, the SEC has retained significant flexibility to extend this period by stating that existing reporting requirements would only be removed once CAT data meets “minimum standards of accuracy and reliability.”
  1. Technical specifications still to come. We previously wrote that the elimination of existing reporting requirements would be easier if the CAT incorporates all of the data that is currently submitted to existing systems.[6] In a positive sign for the industry, the approved plan states that the SROs will analyze the requirements of existing reporting regimes to ensure that the CAT will collect all data elements that are currently reported. The SEC also amended the approved plan to specify that the vendor chosen to build the CAT repository (i.e., the plan processor)[7] will release technical specifications at least 12 months before broker-dealers begin reporting to the CAT. Even though technical specifications for data submission may not be available for several months, CAT reporters should create a data dictionary that identifies the full set of information currently reported to regulators in order to identify opportunities for consolidation and simplification.
  1. Funding relief for some, but broker-dealers still bear the brunt of operating costs. One of the most significant areas of commentary to the proposed plan surrounded the funding model for building and maintaining the CAT, which consists of two separate fee structures for both types of CAT reporters – SROs/ATSs and broker-dealers. Under the proposed funding model, ATSs that are part of broker-dealers would have had to pay under both fee structures. The approved plan provided some relief by clarifying that ATSs would only pay under the same structure as SROs, namely a tiered model of fixed fees based on their market share volume or their contract volume for listed options. The fee structure for broker-dealers, however, was not modified in the final plan. It is estimated that broker-dealers, who are subject to a tiered model of fixed fees based on their volume of reported trade events, will contribute up to 75% of total CAT operating costs. As a result, broker-dealers should begin to analyze their trade event volume, paying particular attention to order routing and allocation as this will now be a contributing factor to their overall CAT fees.
  1. CAT governance structure expanded, but still no operating role for broker-dealers. The CAT governance structure is split into two parts – an operating committee and an advisory committee. The operating committee, which is made up of the 17 SROs, is responsible for overall management of the CAT. In comments to the proposed plan, broker-dealers had requested more direct involvement in the decision making process, but were ultimately left out of the operating committee. The final plan did, however, expand the membership of the advisory committee to include various types of broker-dealers, institutional investors, and a financial economist (similar to the model of FINRA’s Board). While the advisory committee will provide guidance on the operation of the CAT, the operating committee will not be obligated to follow its recommendations.
  1. Broker-dealers will not have access to data. The approved plan confirmed that only the SROs and the SEC would be able to view and analyze the data stored in the CAT, despite broker-dealers’ requests for access in comments to the proposed plan. Broker-dealers’ lack of access to data their regulators will use for surveillance purposes could lead many to create their own “internal CAT” by upgrading their internal surveillance systems. Broker-dealers that decide to do so should begin to consider costs, and in particular whether they could leverage cloud technology to build a more cost effective solution.[8]
  1. Industry still asking how regulators will use the data. Although the SEC and SROs will have full access to CAT data, it remains unclear how they will be able to analyze it. The proposed plan included provisions for the SEC and the SROs to search and bulk extract CAT data for analysis, but it was left up to the eventual plan processor to determine whether they would provide data analytics capabilities or send standardized reports to the SEC and SROs. The approved plan still did not provide any clarity on this issue despite industry requests for more details before development of the CAT proceeds.
  1. Customer identification process simplified. A key part of the CAT initiative has been to ensure that the SEC will be able to identify every customer originating orders in the market, even if they send orders through different broker-dealers. As such, the initial plan proposed that all CAT reporters would reference a customer using the same unique industry-wide identifier. However, given the cost and implementation challenge this would entail, the final plan was amended to allow broker-dealers to assign their own unique firm-designated identifier (FDI) for each customer account (e.g., account number), which would then be used along with other customer information by the CAT plan processor to create unique industry-wide identifiers. CAT reporters therefore will still need to submit certain highly sensitive personally identifiable information (PII), including social security numbers and taxpayer identification numbers, due to the difficulty of accurately matching customers across firms (i.e., due to differences in naming conventions across firms, or customers with the same name).
  1. Standards raised for data security. Considering the sensitive nature of the data to be submitted to the CAT, several industry commenters expressed concerns about the possibility of security breaches to the CAT repository, the SEC, and SRO systems. The approved plan addressed these concerns by enhancing security and encryption requirements for all CAT data, from the time the data is released to the repository to when it is extracted for analysis by the SROs. The SROs will be required to match their data security protocols to those of the CAT repository, which in turn will need to comply with the NIST Cybersecurity Framework.[9] Further, the CAT security standards will be
    re-evaluated annually to ensure that they comply with the latest industry standards.
  1. Time synchronization shortened for exchanges. Much of the CAT’s value for market surveillance relies on its ability to accurately sequence events that may have occurred within milliseconds of each other. However, event sequencing is difficult if market venues are not synchronized to a common clock source or if CAT reporters are not recording data at millisecond-level precision.[10] In order to address this issue, the proposed CAT plan required all CAT reporters to synchronize their clocks to within 50 milliseconds of an industry standard clock (i.e., NIST) and implement millisecond precision timestamping within four months of the plan’s approval (now March 2017). In the approved plan, the SEC made time synchronization more challenging for the SROs by requiring them to shorten their clock synchronization to within 100 microseconds of the NIST clock. Additionally, the SROs will now be required to provide an annual report to the SEC that assesses whether time synchronization standards need to be further shortened for certain CAT reporters.
  1. No change to implementation timeline. The approval of the plan sets in motion a three-year timeline toward full operation of the CAT, which has not been delayed. The next key deadline is for the SROs to choose a plan processor within two months (see Appendix for all key dates). However, it is in the SROs’ interest to choose a plan processor soon because the CAT repository will need to be built and tested in time for the SROs to begin reporting their data by November 2017. Large and small broker-dealers will then have until November 2018 and November 2019, respectively, to start reporting their data. Although there has been some discussion of changing regulatory priorities in the upcoming Trump administration, we expect that the CAT will remain a priority for the SEC and that the expected milestones will not change significantly.

What should broker-dealers do now?

Although broker-dealers have at least two years to start reporting their data, they should start planning for the significant effort involved in accurately reporting such high volumes of data. We recommend that broker-dealers focus on the following actions:

  • Assess existing reporting capabilities: Broker-dealers should review their current reporting infrastructure to determine whether certain systems and processes (e.g., OATS reporting) can be leveraged to support CAT requirements. In doing so, broker-dealers should identify any system or operational limitations to meeting existing requirements, and assess whether any additional limitations would arise with increased data volumes.
  • Evaluate trade and client data: In the absence of finalized technical specifications, broker-dealers should prepare by assessing their data and categorizing trade management flows based on complexity. Additionally, they should review their current process for extracting client data that would be reported to the CAT.
  • Review potential solutions: Broker-dealers should start to understand and evaluate available options to send data to the CAT (and support responses to inevitable regulatory inquiries). There are currently several options (e.g., in-house, consortium-based, vendor-based, etc.) to meet the CAT requirements; each of these options should be evaluated to determine feasibility. Further, broker-dealers should assess how emerging technologies (e.g., cloud and big data analytics solutions) can be leveraged.

Appendix

The SEC’s approval of the plan sets in motion a series of deadlines and milestones for the CAT over the next several years.

Date Milestone
November 15, 2016 CAT plan approved by the SEC
January 15, 2017 Deadline for SROs to choose a plan processor
March 15, 2017 Deadline for CAT reporters to synchronize business clocks to NIST
May 15, 2017 Deadline for SROs to file rule change proposals to eliminate duplicative reporting requirements and systems
August 15, 2017 Deadline for plan processor to release data elements and technical specifications
November 15, 2017 SROs begin reporting data to the CAT
January 15, 2018 Deadline for SROs to implement a new or enhanced surveillance system
November 15, 2018 Large broker-dealers begin reporting data to the CAT
November 15, 2019 Small broker-dealers begin reporting data to the CAT

ENDNOTES

[1] The CAT plan applies to equities and options, as well as over-the-counter equity securities, but does not currently include futures. The SEC has acknowledged that any such expansion to include products not under the SEC’s jurisdiction would need to be coordinated with the CFTC or other applicable regulatory authorities and would require a separate rulemaking.

[2] Trade events include order generation, routing, execution, modification, or cancellation.

[3] It is estimated that the CAT will aggregate between 30 billion and 120 billion trade events per day from over 2,000 sources, making it one of the world’s largest data repositories.

[4] See PwC’s Regulatory brief, Consolidated audit trail: the CAT’s out of the bag (June 2016).

[5] For example, not all SROs use the FINRA-operated Order Audit Trail System (OATS), which captures order information in stocks and OTC equity securities, nor the Consolidated Options Audit Trail System (COATS) which covers options trades but excludes the trading of the underlying assets. Additionally, Electronic Blue Sheet (EBS) reporting only covers executed trades rather than the entire order lifecycle.

[6] See note 4.

[7] The three remaining potential vendors to build the central CAT repository are FIS/Google, FINRA/Amazon, and Thesys/IBM.

[8] See PwC’s Financial services digital publication, Get your head in the cloud (August 2016).

[9] The NIST Cybersecurity Framework is a computer security framework for preventing, detecting and recovering from cyber security attacks.

[10] The SEC indicated that 39% of broker-dealers currently synchronize their clocks with less precision than what is called for by the plan.

This post comes to us from PwC and is based on the firm’s First take, “Ten key points from the final Consolidated Audit Trail plan,” dated December 8, 2016, and available here.