In 2016, the SEC voted to create a comprehensive, consolidated audit trail (“CAT”) designed to allow regulators to efficiently and accurately track activity throughout the U.S. markets in National Market System (“NMS”) securities. Initially, market participants subject to CAT reporting obligations (the “Participants”) were to begin recording and reporting data to the Central Repository by November 15, 2017. However, there have been a number of delays in CAT implementation. In order to decrease the likelihood of further delays, the SEC recently voted to propose an amendment (the “Proposed Amendment”) to the NMS plan governing CAT (the “CAT NMS Plan”). In introducing the Proposed Amendment, SEC Chairman Jay Clayton committed the SEC to CAT implementation without further delays.
The Proposed Amendment requires, among other things, that Participants file with the SEC and publish on their own websites complete implementation plans, as well as quarterly progress reports (the “Reports”). The Reports must be approved by both the Participant’s management and a supermajority of an operating committee established by the CAT NMS Plan. Further, if a Participant’s Reports do not garner the appropriate approvals, the Participant must separately file with the SEC and make publicly available a statement identifying itself and explaining why the Participant’s Report was not approved. Additionally, the Proposed Amendment sets out the following four (4) critical implementation milestones:
- April 30, 2020: Initial Industry Member Core Equity Reporting;
December 31, 2020: Full Implementation of Core Equity Reporting Requirements;
December 31, 2021: Full Availability and Regulatory Utilization of Transactional Database Functionality; and
December 31, 2022: Full Implementation of CAT plan requirements.
As part of the reporting requirements, the security of data submitted to CAT is of paramount importance due to the nature and scope of the data, which might include personal identifying information (“PII”), such as social security numbers.  The SEC and other government agencies continue to prioritize and conduct targeted cyber security examinations. In light of the examinations and uncertainty, Participants need to have robust systems and processes in place to store, regulate access to, and securely transmit PII.
While there has been considerable criticism of CAT, upon full implementation Participants likely will benefit from reduced time and resources devoted to: (1) maintaining multiple, disparate databases with disjointed reporting systems; (2) investigating and reconciling disparities across various reporting regimes; (3) oversight measures to ensure timely and accurate reporting; and (4) internal data analysis (e.g., best execution analysis).
The requirements have implications across the industry as even small industry members (i.e., broker-dealers with less than $500,000 in total capital) are required to comply with CAT. As CAT implementation progresses, impacted broker-dealers should consider their regulatory reporting obligations under CAT, which may be extensive and complex. Experienced service providers understand the complexities of Participants’ obligations across disparate regulatory regimes with respect to reporting obligations, data management, and cyber security, and can provide insight into evolving industry practices and practical guidance to reduce the time and resources spent on compliance.