James Dolan, Chief Compliance Officer at Luminex Trading & Analytics LLC

This piece originally appeared in TABBForum on March 1, 2019. You can find the original post here.

Almost 10 years after the Flash Crash prompted regulators to call for the Consolidated Audit Trail, the change of CAT processors is expected to delay CAT reporting for broker-dealers to April 2020. So why should you care about the CAT? As the reporting initiative evolves, broker-dealers will be required to transmit to regulators data on who placed every order and made every trade. This, as much as anything, is why you need to pay attention.

Jim, why do I have to read this blog post?

First, thank you for reading this far! You have to read this article because you’ve heard of the CAT, you’ve seen some headlines about Thesys and FINRA, but you’ve skipped conference panel presentations about the CAT, thinking it was someone else’s problem. You’ve pretty much ignored every article written about it, and in short, you think that because you’re a trader or you’re on the asset management side of the business, you don’t need to care what happens with CAT.

You have to read this precisely because you don’t care, and for the reasons I’ll get into below, you should. We all should.

How the [bleep] did we get here?

A long time ago, in a galaxy far, far away (the summer of 2012, anyway), the SEC approved Rule 613, which required U.S. SROs to create and submit a plan that would establish a Consolidated Audit Trail, which came to be known as CAT. This development followed the Flash Crash of 2010 by two years. If you were alive then (I was), you may remember that it took regulators a significant amount of time to digest millions of trade and order records in order to come up with an explanation for the Flash Crash, and the CAT rule grew out of a recognition that regulators needed a better system to more efficiently and more quickly reconstruct market activity in order to ferret out aberrant or illegal behavior. As a former regulator myself, I greatly appreciate the desire to have “one-stop shopping” for a regulator to quickly know who did what in the marketplace in an effort to ensure market integrity and to protect investors.

Got it – thanks, Jim. Then what happened?

In 2014, about two years after the SEC charged the SROs with coming up with a CAT, the SROs submitted a plan. TWO YEARS AFTER THAT, the SEC approved it! And ONE YEAR AFTER THAT, the SROs selected Thesys Technologies to build the ambitious database. So 2010 – Flash Crash; 2012 – the SEC tells the SROs to build something. 2014 – the SROs say, “Here!” 2016 – the SEC says, OK. January 2019 – um, no CAT just yet. And then in February, what Waters Technology has called the “torturous journey,” took another twist, as the decision was made by the SROs to drop Thesys as the company building the whole darn thing. Now with the CAT effort already behind schedule, the change of CAT processors is expected to delay CAT reporting for broker-dealers to April 2020.

Still not sure about the ‘caring’ piece of this.

Previously, regulators relied on separate audit trails covering the activities of the exchanges and regulated platforms. Having a unified database such as CAT would enable the SROs and the SEC to find all exchange and OTC data in one spot. Better still, the data would contain order, trade as well as customer-specific data. Historically, regulators knew which broker-dealers bought or sold which securities, when and where. But they then had to go out to those broker-dealers to ask who their customers were. And that took a ton of time. CAT would solve this by requiring broker-dealers to provide identifying information about their customers so regulators could quickly access it.

Now, you may be rightly concerned about such a treasure trove of personally identifiable data being in one spot; and we industry types were rightly concerned about it, too. Commenters expressed their alarm, and the industry provided recommendations to address those concerns. These included implementing cybersecurity procedures to control and monitor who would have access to this data, and discussing whether the benefit of enriching this database with customer-specific information was outweighed by the risk of the CAT repository serving as a potential gold mine for hackers.

Identifying information will be provided to CAT, with a Firm Designated ID for each account being submitted to CAT in the first phase, while more specific identifying information will follow in future phases. As such, it is our expectation that the SROs’ CAT system will meet or exceed the cybersecurity standards that FINRA and the SEC rightly expect broker-dealers to have.

Oh, so all my brokers are transmitting my order and trade info to a big box? No problem!

Broker-dealers are already reporting order and trade data to regulators through systems such as FINRA’s OATS and TRFs. However, these submissions don’t identify who is doing the trading unless regulators specifically ask which customer bought or sold a particular security. As CAT evolves, broker-dealers will be required to tell regulators who placed that order and made that trade, right out of the gate.

And this, as much as anything else, is why you need to be paying attention to the CAT.

And now that you care and are paying attention, I’m sure you’re forming an opinion. We at Luminex encourage you to make your views known to the SEC and the SROs if you want them to ensure the security and integrity of the repository that will contain your data.

Fair enough. But why should we care about Luminex?

Because Luminex is working closely with industry groups to ensure that regulators and the successor to Thesys (which, as expected, will be FINRA) implement prudent protections surrounding the customer-specific data that will be submitted to CAT. We treat your order and trade information as we would our own and will continue to stay close to CAT as it evolves to insist on the data security you need and deserve.

James Dolan
Chief Compliance Officer, Chief Legal Officer and Chief Information Security Officer
Luminex Trading & Analytics LLC