Subject: File No. S7-11-10
From: Richard A. Ross

December 6, 2010

A few observations on the SEC's CAT proposal:

1. The proposal is very well written and does an excellent job detailing the types of data the SEC would require from industry participants (exchanges, brokers, and the like). However, it does appear to leave out the specific format for this data (record layout or XML tags), which might make searching and analysis more difficult.

2. The term "real time" is used throughout the document, but never defined. (There are several distinct meanings in the computer industry.)

3. Security details need to be worked out. I assume industry will insist that end-customer name be encrypted, but at what level of security -- that is, should we have the expectation that encrypted data, such as customer name on a quote, be secure from attacks for a month? Or for a century? How long should it take for the SEC to decrypt the name -- in "real time"? Would overnight suffice? Note that encrypting data is a costly computational exercise, and might also significantly expand the size of the trade or quote message -- or maybe not.