SEC Approves National Market System Plan to Implement the Consolidated Audit Trail
Equity Markets Advisory Committee
ICI Global Trading & Markets Committee
SEC Rules Committee SUBJECTS: Cybersecurity
Trading and Markets RE: SEC Approves National Market System Plan to Implement the Consolidated Audit Trail
The Securities and Exchange Commission (“SEC”) recently approved a national market system (“NMS”) plan to create a consolidated audit trail (“CAT”) designed to allow regulators to track all trading activity in the US equity and options markets.[1] The adopted plan details the methods by which self-regulatory organizations (“SROs”) and their members (i.e., broker-dealers) will record and report information to the CAT. The plan also sets forth information about how the central processor for the CAT will maintain data accuracy, integrity, and security. This memorandum summarizes the key aspects of the adopted CAT NMS plan and explains how the final plan addresses ICI’s comments on the proposed plan.[2]
CAT Framework
The final CAT NMS plan provides that the SROs will select a plan processor that will build a central repository to receive, consolidate, and retain the trade and order data reported to the CAT.[3] The plan processor must operate, maintain, and upgrade the central repository, ensure the security and confidentiality of all data reported to the central repository, and publish technical specifications containing detailed instructions for the submission of data to the central repository. The final plan requires the SROs to select the plan processor by mid-January.[4]
The final CAT NMS plan specifies how SROs and broker-dealers must report various events in the lifecycle of an order, including origination, routing, modification/cancellation, and execution. The plan requires SROs and broker-dealers to submit certain information about each of these order events to the central repository, including:
- A unique identifier for the order and for the customer submitting the order (including the customer’s legal entity identifier (“LEI”), if available;
- An identifier for the broker-dealer receiving, originating, routing, or executing the order;
- The date and time of the event; and
- The symbol, price, size, order type, and other material terms of the order.[5]
The CAT NMS plan generally requires the data to be recorded contemporaneously with the order event and reported to the central repository by 8 a.m. on the day following the event.[6] The CAT NMS plan requires the SROs and broker-dealers to synchronize their business clocks to within 100 microseconds of the time maintained by the National Institute of Standards and Technology (“NIST”).[7] Automated order events must be time-stamped with a minimum granularity of one millisecond, while manual order events must be time-stamped to the second.[8]
Data Confidentiality
The CAT NMS plan makes the plan processor responsible for the security and confidentiality of all CAT data received by and reported to the central repository. The plan requires the processor to ensure that individuals—other than SEC Commissioners and employees—with access to the central repository agree to use the data held in the central repository only for appropriate surveillance and regulatory purposes and to employ safeguards to protect the confidentiality of CAT data.[9] The CAT NMS plan also requires the SROs to adopt and enforce policies and procedures to implement effective information barriers between their regulatory and non-regulatory staff with regard to access and use of CAT data. The final plan gives the plan processor broad discretion to establish an appropriate data security and confidentiality program. In response to comments from ICI and others recommending that the final plan include more robust information security measures, the SEC amended the plan to require the plan processor to adhere to the cyber security framework developed by the NIST.[10] The SEC did not amend the final plan to impose security and confidentiality obligations on itself or its staff because of the Commission’s role as regulator of the plan participants. Instead, the SEC will form a cross-divisional steering committee of senior staff to design policies and procedures regarding Commission and its staff access to, use of, and protection of CAT data.[11]
CAT NMS Plan Governance
The activities of the CAT will be conducted through a Delaware limited liability company controlled solely by the SROs.[12] An operating committee composed only of the SROs—each with one vote—will manage the company. An advisory committee consisting of, among others, broker-dealers, investors, and a person with significant regulatory experience, will provide informal input to the operating committee. Advisory committee members, however, will have no right to vote on plan decisions.
ICI urged the Commission to amend the plan to provide advisers to registered funds with at least one vote on the operating committee. The Commission declined to grant this request, but it did amend the membership of the advisory committee to include three institutional investors—rather than two—and to specify that at least one of the institutional investors must be “an individual trading on behalf of an investment company or group of investment companies” registered under the Investment Company Act of 1940.[13] In addition, as requested by ICI, the Commission amended the plan to provide that the advisory committee will receive the same documents and information concerning the operation of the CAT as the operating committee.[14]
Use of CAT Data
The final CAT NMS plan provides the SROs and the Commission access to the data contained in the central repository for regulatory and oversight purposes. The plan also permits SROs to use the raw data that they report to the central repository for commercial or other purposes not prohibited by applicable law, rule, or regulation.[15]
Implementation Schedule
The CAT NMS plan will fully implement the CAT over a three-year period according to the following schedule:
- Within one year of approval of the plan, the SROs must begin reporting data to the central repository;
- Within two years of approval of the plan, large broker-dealers must begin reporting data to the central repository;
- Within three years of approval of the plan, small broker-dealers must begin reporting data to the central repository.[16]
In an appendix to the CAT NMS plan, the SROs set forth a plan to eliminate existing reporting rules and systems that are rendered duplicative by the CAT. Efforts are already underway to identify these rules and systems and the SROs have committed to “analyze the most appropriate and expeditious timeline and manner” for retiring them.[17]
Jennifer S. Choi
Associate General Counsel
George M. Gilbert
Counsel
endnotes
[1] See Order Approving the National Market System Plan Governing the Consolidated Audit Trail, Securities Exchange Act Release No. 79318 (Nov. 15, 2016), 81 FR 84696 (Nov. 23, 2016), available at https://www.gpo.gov/fdsys/pkg/FR-2016-11-23/pdf/2016-27919.pdf (“CAT Approval Order”).
[2] See Letter from David W. Blass, General Counsel, ICI, to Brent J. Fields, Secretary, SEC, dated Jul. 18, 2016, available at https://www.ici.org/pdf/30042.pdf.
[3] See CAT Approval Order at 84957.
[4] See CAT Approval Order at 84963. Three bidders are vying to become the plan processor: (1) the Financial Industry Regulatory Authority, which has partnered with Amazon; (2) Sungard, which has partnered with Google; and (3) Thesys.
[5] See CAT Approval Order at 84960. ICI’s comment letter on the proposed CAT NMS plan explained that the plan processor should accept reports of this information in existing data formats to reduce costs to market participants. The final CAT NMS plan does not prescribe a particular format for reporting required data, but the Commission notes that each of the remaining bidders to operate the plan processor propose to accept exiting messaging protocols (e.g., FIX). See CAT Approval Order at 84739.
[6] See CAT Approval Order at 84960-61.
[7] See CAT Approval Order at 84963. This is a more rigorous synchronization requirement than the 50 millisecond requirement that was contained in the proposed CAT NMS plan.
[8] See CAT Approval Order at 84963.
[9] See CAT Approval Order at 84962.
[10] See CAT Approval Order at 84754. Unfortunately, the Commission did not modify the plan to address most of ICI’s other suggestions to improve the CAT’s information security program. The Commission did, however, modify the plan in response to ICI’s recommendation that the Commission not permit plan participants to download CAT data. Rather than forbidding this practice entirely, as ICI would have preferred, the final plan requires a participant that extracts data from the CAT to have policies and procedures for the security of CAT data that meet the same standards applicable to the data when it is stored in the CAT.
[11] See CAT Approval Order at 84765.
[12] The final plan specifies that the limited liability company intends to operate in a manner that will allow it to quality as a non-profit organization under Section 501(c)(6) of the Internal Revenue Code. This change was made to address concerns that the SROs might attempt to turn the CAT into a profitable enterprise at the expense of other market participants. See CAT Approval Order at 84792.
[13] See CAT Approval Order at 84954. The Commission also made certain other changes to the composition of the advisory committee, including requiring the committee to include a representative of a service bureau that provides reporting services to one or more SROs or broker-dealers.
[14] The operating committee may, however, withhold from the advisory committee information that requires confidential treatment.
[15] The Commission did not accept ICI’s suggestion to amend this provision to ensure that the plan does not inadvertently enlarge the scope of data that SROs can commercialize.
[16] See CAT Approval Order at 84963.
[17] See CAT Approval Order at 85008-10.