SEC Approves Plan to Create Consolidated Audit Trail
FOR IMMEDIATE RELEASE
Washington D.C., Nov. 15, 2016 —
The Securities and Exchange Commission today voted to approve a national market system (NMS) plan to create a single, comprehensive database known as the consolidated audit trail (CAT) that will enable regulators to more efficiently and thoroughly track all trading activity in the U.S. equity and options markets.
“With the approval and ultimate implementation of CAT, the Commission’s regulatory capacity strongly embraces 21st century technology, enabling the Commission and the SROs to harness data and technology to more effectively oversee market participants,” said SEC Chair Mary Jo White. “Through the CAT, regulators will have more timely access to a comprehensive set of trading data, enabling us to more efficiently and effectively conduct research, reconstruct market events, monitor market behavior, and identify and investigate misconduct.”
The NMS plan details the methods by which SROs and broker-dealers will record and report information, including the identity of the customer, resulting in a range of data elements that together provide the complete lifecycle of all orders and transactions in the U.S. equity and options markets. The NMS plan also sets forth how the data in the CAT will be maintained to ensure its accuracy, integrity and security.
The Commission modified several provisions of the NMS plan in response to public comments and recommendations from the SROs. For example:
- The Commission strengthened several of the data security requirements of the NMS plan, including with respect to personally identifiable information.
- Tightened the clock synchronization standards for SROs to within 100 microseconds of the time maintained by the National Institute of Standards and Technology to enable regulators to better sequence order events across multiple exchanges and required the SROs to assess industry standards for clock synchronization based on the type of market participant or system, rather than the industry as a whole, and reflect that refined assessment annually in a report submitted to the Commission.
- Enhanced the CAT plan governance by expanding the membership of the advisory committee to include an additional institutional investor representative and a representative of a service bureau that provides CAT reporting services.
- Accelerated the deadline for the SROs to submit proposals to retire regulatory data reporting systems that will be rendered obsolete by CAT, to reduce the burden on broker-dealers of reporting to multiple systems.
Within two months of the approval of the NMS plan the SROs must select a plan processor to build and operate the CAT. SROs will be required to begin reporting to the CAT within one year of approval, with large broker-dealers following the next year and small broker-dealers the year after.
* * *
Approval of a National Market System Plan to Create a Consolidated Audit Trail
SEC Open Meeting
Nov. 15, 2016
The Securities and Exchange Commission approved a national market system (NMS) plan to create a single, comprehensive database – a consolidated audit trail (CAT) – that would enable regulators to more efficiently and accurately track trading in equity and option securities throughout the U.S. markets. The plan, submitted jointly by the national securities exchanges and the Financial Industry Regulatory Authority (FINRA) to the Commission, would increase the effectiveness of market research and monitoring, event reconstruction, and the ability to identify and investigate market misconduct. The Commission made modifications to the original plan that would include strengthening security requirements, tightening synchronization standards and adding additional members to the governance committee.
Highlights of the Plan
Plan Processor and Central Repository
The CAT NMS plan provides that a plan processor would build a central repository that would receive, consolidate, and retain the trade and order data reported as part of the CAT. Among other things, the plan processor would be responsible for:
- Operating, maintaining, and upgrading the central repository
- Ensuring the security and confidentiality of all data reported to the central repository
- Publishing technical specifications containing detailed instructions for the submission of data by the self-regulatory organizations (SROs) and broker-dealers to the central repository
Data Recording and Reporting
The CAT NMS plan would apply to NMS securities, including options, as well as to over-the-counter equity securities. At the various stages in the lifecycle of an order—e.g., origination, routing, modification/ cancellation, and execution—the SROs and broker-dealers would be required to submit certain information about the order to the central repository, such as:
- A unique identifier, provided by the broker-dealer, for the customer submitting the order
- An identifier for the broker-dealer originating, receiving, routing, or executing the order
- The date and time of the order event
- The security symbol, price, size, order type, and other material terms of the order
Generally, the CAT NMS plan would require the data to be recorded contemporaneously with the order event and reported to the central repository by 8:00 a.m. ET on the day following the event. The CAT NMS plan would also require CAT data to be time-stamped in increments as granular as those used by the SROs and broker-dealers for their order handling or execution systems, but with a minimum time stamp granularity of one millisecond for all order events except manual order events and the time of allocations (in which case, the time stamp granularity must be a minimum of one second).
Further, the CAT NMS plan would require broker-dealers to synchronize their business clocks to within 50 milliseconds of the time maintained by the National Institute of Standards and Technology (NIST). However, business clocks used for manual orders or the time of allocation would be able to be synchronized to within one second of the time maintained by the NIST. The plan has been amended by the Commission to require SROs to synchronize their business clocks to within 100 microseconds of the time maintained by the NIST and to assess industry standards for clock synchronization based on the type of market participant or system, rather than the industry as a whole, and reflect that refined assessment annually in a report submitted to the Commission.
The CAT NMS plan would set an initial maximum error rate of five percent for data reported to the central repository, subject to quality assurance testing, adjustments at each initial launch date for CAT reporters and periodic review by the operating committee. The CAT NMS plan also discusses a phased approach to lowering the maximum error rate for data reported to the central repository.
To assist in reducing the error rate, the plan would provide that the plan processor, among other things, measure and report errors, provide reports to the SROs and other reporters, define educational and support programs, and provide error correction tools.
The CAT NMS plan would also reflect exemptive relief from certain requirements of Rule 613 that the SEC previously granted. This exemptive relief provided the SROs with the flexibility to propose approaches in the CAT NMS plan that could potentially be more efficient and cost-effective than those required by Rule 613 without adversely affecting the reliability or accuracy of CAT data. Specifically, the exemptive relief permitted the SROs to propose, that:
- Only options exchanges—but not options market makers—would be required to report information to the central repository regarding options market maker quotations
- Instead of requiring a broker-dealer to report a unique customer identifier for each customer for all orders, each broker-dealer would assign a unique firm-designated identifier (FDI) to each trading account. Broker-dealers would be permitted to use an account number or any other identifier defined by the firm as the FDI, provided each identifier is unique across the firm for each business date. Using the FDI as well as other information identifying a customer, the plan processor would then assign a unique customer identifier for each customer.
- Instead of requiring a universal identifier for each broker-dealer reporting data to the CAT, a broker-dealer could use its existing SRO-assigned market participant identifier. The plan processor would then assign a unique identifier for each reporting broker-dealer.
- Instead of requiring broker-dealers to link a particular order or execution to an allocation, a broker-dealer could provide an allocation report that focuses on the shares allocated and the FDI of the applicable accounts or subaccounts
- Instead of requiring the receipt of manual orders to be time-stamped to the millisecond, a time stamp to the nearest second would be permitted while all other orders will still be required to be time-stamped to the millisecond.
The SROs propose to conduct the activities of the CAT through a not-for-profit Delaware limited liability company, which they would own jointly. An operating committee comprised of all the SROs—each with one vote—would manage the company. In addition, an advisory committee consisting of, among others, broker-dealers of various sizes and specialties, institutional investors, a service bureau that provides CAT reporting services, an academic who is a financial economist and a person with significant regulatory experience, would provide input to the operating committee.
Regulatory Access and Use
The CAT NMS plan would provide that the SROs and the Commission would have access to the data contained in the central repository for regulatory and oversight purposes. The CAT NMS plan provides that CAT data would be stored in a way that allows regulators to perform complex queries, such as reconstructing market events and the status of order books at various time intervals. Regulators would have access to CAT data through both an online targeted query tool and user-defined direct queries and bulk extracts.
Data Security and Confidentiality
The CAT NMS plan would establish data security requirements regarding connectivity and data transfer, encryption, storage, access, breach management, and personally identifiable information (PII). For example, all CAT data would be required to be encrypted both at-rest and in-flight and all data centers housing CAT systems would be required to be certified by a qualified and unaffiliated third-party auditor.
In addition, the plan processor would be required to comply with the NIST Cybersecurity Framework and the SROs would be required to maintain information security protocols with respect to their handling of CAT data that are as rigorous as those applicable to the central repository. An annual evaluation of the information security program would be required to ensure that the program is consistent with the highest industry standards for the protection of data. Additionally, the plan processor would be responsible for:
- Requiring individuals with access to the central repository to agree to use CAT data only for appropriate surveillance and regulatory activities and to employ safeguards to protect the confidentiality of CAT data
- Developing a comprehensive information security program as well as a training program that addresses the security and confidentiality of all information accessible from the CAT
- Designating one of its employees as Chief Information Security Officer (CISO), who would be responsible for creating and enforcing appropriate policies, procedures, and control structures regarding data security. The CISO would also review the information security policies and procedures of the SROs and report, in consultation with the CISO, any deficiencies to the operating committee if the issue is not promptly addressed by the SRO.
At the Commission, a cross-divisional steering committee of senior staff is being formed to design policies and procedures regarding Commission access to, use of, and protection of CAT data that will be comparable to those applicable to the SROs and their personnel and supplement the range of existing laws and standards applicable to Commission systems and employees.
Retirement of Duplicative Rules and Systems
As required by Rule 613, the CAT NMS plan contains a framework for eliminating rules and systems that would be rendered duplicative by the CAT, including identification of such rules and systems.
The CAT NMS plan would state that the SROs have completed their analyses of systems identified for retirement and that the CAT would capture all necessary data to support the retirement of these systems. The amended plan would require the SROs to file rule change proposals to eliminate duplicative rules and systems within six months of plan approval. These proposals would provide that the retirement of any duplicative rules and systems would be effective when the CAT data meets minimum standards of accuracy and reliability.
On July 11, 2012, the SEC adopted Rule 613 of Regulation NMS under the Securities Exchange Act of 1934. Rule 613 requires the SROs to jointly submit an NMS plan to create, implement, and maintain a CAT that will capture—in a single, consolidated data source—customer and order event information for orders in NMS securities, across all markets, from the time of order inception through routing, cancellation, modification, or execution. Rule 613 outlines a broad framework for the CAT, including the minimum elements the SEC believes are necessary for an effective CAT, while allowing the SROs to draw upon their expertise to develop the details of the CAT. The SEC voted to publish the CAT NMS plan submitted by the SROs for public comment on April 27, 2016.
Within two months of SEC approval of the CAT NMS plan, the SROs would be required to select the plan processor through a two-round voting process in which each SRO has one vote.