SEC Approves Plan to Track Every Single US Securities Transaction from Start to Finish

Chris Gaetano
Published Date:
Nov 16, 2016

The Securities and Exchange Commission approved the plan for the creation of a centralized database called the Consolidated Audit Trail (CAT) that will track all activity in the U.S. equity and options market in order to better monitor and oversee transactions and investigate potential misconduct. Once implemented, it will allow the SEC to track every transaction under its jurisdiction from start to finish and know who made it and who processed it. 

“With the approval and ultimate implementation of CAT, the Commission’s regulatory capacity strongly embraces 21st century technology, enabling the Commission and the SROs to harness data and technology to more effectively oversee market participants,” said SEC Chair Mary Jo White. “Through the CAT, regulators will have more timely access to a comprehensive set of trading data, enabling us to more efficiently and effectively conduct research, reconstruct market events, monitor market behavior, and identify and investigate misconduct.”

The plan applies to both broker-dealers and the self-regulatory organizations (SROs) that oversee them. The SROs involved include a wide variety of financial organizations, like FINRA, and national exchanges, such as the NASDAQ and NYSE. Under the new regulation, both will need to record and report order information to this centralized database, including a unique identifier for the customer (provided by the broker-dealer) submitting the order and for the broker dealer (provided by the SRO) who processes it; the date and time of the order; and the security symbol, price, size, order type and other material terms of the order. This information would need to be submitted at the order's origination, routing, modification/cancellation and execution so as to allow regulators to trace a specific transaction's exact path through the markets. 

The plan released in August (page 191) estimates that setting up the CAT will incur a one-time cost of $2.4 billion, and from then on will cost about $1.7 billion annually after that. 

This data would need to be recorded contemporaneously with the order event, and would need to be reported to the central database by 8 a.m. the next day. All entries in this database, according to the new SEC rule, will need to be time-stamped with a minimum granularity of one millisecond, unless it was a manual order, in which case the minimum will be one second. In addition, the new regulation will require SROs and broker-dealers to synchronize their business clocks to within 50 milliseconds of the time kept by the National Institute of Standards and Technology (NIST). 

NIST, using the NIST-F1 atomic clock, is the basis for the U.S. time and frequency standard and determines, officially, what time it is. It's considered the world's most accurate clock

When the proposal was first released to the public in April, both Commissioner  and Chair Mary Jo White expressed worry that the timestamps could be off by 50 milliseconds, saying that the data may not be reliable with such a range. In her statement, Stein noted that the 50 millisecond range is far more forgiving than what other organizations demand: for example, the NASDAQ requires that all exchanges trading NASDAQ securities synchronize their systems to within 100 microseconds, which is 500 times more stringent. 

The CAT would be managed by an LLC jointly owned by the affected SROs, governed by an operating committee comprised of one representative from each group who would each have one vote. The company, which would be based out of Delaware, would be responsible for operating, maintaining and upgrading the central repository, ensuring the security and confidentiality of all data within it, and educating broker-dealers and SROs on how to submit the necessary data. Funding for this company will come from the SROs who will, in turn, level tiered fixed fees on CAT reporters and broker-dealers based on a combination of market share and message traffic. 

In its comment letter, the Securities Industry and Financial Markets Association heavily criticized this funding model, saying that its development was dominated by SROs with no meaningful input from broker-dealers even though, it said, nearly all of the costs will be borne by them. It also questioned the authority of the SROs to level such a fee structure, and said that there was a fundamental conflict of interest in giving them this much control. 

"At this point, we have to assume that any CAT funding model designed by the SROs themselves will be built to favor the commercial interests of one set of for-profit market participants – the exchanges – at the expense of the exchanges’ competitors – the broker-dealers," said SIFMA. 

SIFMA recommended that the SEC conduct a study on whether there is sufficient jurisdiction for the fee structure, and further requested that any fees be set by an independent third party.

Both the SEC and the various SROs would have access to the data, which would be used for regulatory and oversight purposes. The database will be set up in such a way as to allow for complex queries such as reconstructing market events and the status of order books at various time intervals. 

Several stakeholders critiqued the plan on cybersecurity grounds, expressing worry that the central database would be a tempting target for hackers. Fidelity Investments, in its own comment letter, noted that the CAT Central Repository would process more than 58 billion records, representing 13 terabytes of data, daily, making it the largest, most comprehensive data repository for securities transactions to date. Some of this information, Fidelity noted, includes confidential and sensitive personal and proprietary trading information, which it said represents an attractive opportunity for potential misuse, such as identity theft. While it noted that the rule does include certain cybersecurity provisions, it lamented a lack of specifics. 

Like Fidelity, the Financial Services Roundtable also faulted the plan for lack of specific on cybersecurity. It pointed to recent high-profile data breaches for both public and private sector entities, and said steps need to be taken to ensure proper controls are in place throughout the data's lifestyle using secure, authenticated and industry-accepted encryption mechanisms. It also said the SEC needs to consider the risk of state-based actors and make sure that those with access to the data have comprehensive background checks not just upon hire but continuously on a periodic basis to avoid insider threat concerns. 

The final rule is the culmination of a years-long process starting in 2012, with the adoption of Rule 613. This rule provided a broad framework for the CAT and required SROs to use their own expertise to work out the details of how it would be created, implemented and maintained. The plan itself was released for comment in April, and now that it has been approved, members of the public have 60 days to comment on the latest version.  

Click here to see more of the latest news from the NYSSCPA.