Compromised CAT: The SEC Seeks a “Big Brother” of “Real Time” Market Information
On Wednesday, Sept. 6, 2023, The U.S. Securities and Exchange Commission (“SEC”) issued its 221-page “Joint Industry Plan: Order Approving an Amendment to the National Market System Plan Governing the Consolidated Audit Trail” (the Order”). The Consolidated Audit Trail (or “CAT”) is intended to give the SEC and any other authorized OR unhindered, unauthorized “user” of the CAT a report of (according to the SEC’s Sept. 6, 2023 Press Release) “every order, cancellation, modification and trade execution for all exchange-listed equities and options across all U.S. markets.”
The Order adopted an amended funding model for the National Market System (“NMS”) governing the CAT incorporating the so-called “Executed Share Model” for the CAT and allocating responsibility for the costs associated with CAT. Basically, the securities exchanges that participate in CAT (termed “Participants” in the relevant orders and comments) are responsible for one-third of operating costs, while the broker/dealers and other users of the NMS (known as “CAT Members”) will pay two-thirds. Of the two-thirds to be funded by CAT Members, one-half is to be paid by selling CAT Members, and the other half paid by buying CAT Members. This is the substantial compromise discussed at length in my March 6, 2023 Blog “Who Pays and How Much? Consolidated Audit Trail Funding.” The original proposed cost allocation was 25% on Participants and 75% on CAT Members. CAT Members had also objected to the allocation of the costs of developing the CAT system, as the CAT Members had relatively little impact on the actual course of development, including the creation and then scrapping of the original information system and the termination of its computer designer (known as the “Plan Processor”) and replacement with another outside firm.
THE BACKGROUND
It’s worth taking a moment to recap the checkered history of CAT. The SEC had long sought to improve the accuracy, completeness, and timing of its effort to monitor and regulate the operations of America’s capital markets, much like an Orwellian Big Brother. Those efforts had been hobbled in part by the variety of trading platforms for securities transactions. After the so-called Flash Crash in 2010, Congress directed the SEC to institute a real time data gathering system, so that market gyrations could be addressed as they happened, and so that market participants who bore responsibility for market anomalies could be identified and, as appropriate, sanctioned. The Congressional action did not address the implications of a universal investment surveillance system and the Congressional direction led to the SEC’s promulgation on July 11, 2012, of Rule 613 under the Securities Exchange Act of 1934, as amended, pursuant to which the Commission, by administrative fiat, created the NMS. Now all that was necessary was to create mechanisms to collect, organize, and report the consolidated data on the trading activity of all investors in NMS securities in as close to real time as possible.
In 2016 the Commission proposed a Consolidated Audit Trail National Market System Master Plan (the “Master Plan”). The entire Master Plan was scrapped in 2019, after three years of expenditures and fruitless efforts, and an entity known as CAT LLC was founded to design and implement the CAT. CAT LLC had its own fits and starts, especially in data security. Entities participating in CAT design were particularly worried about what might happen to the data to be collected. First, the personally identifiable information (“pii”) of individual investors might be obtained by unauthorized players, possibly resulting in abusive acts against the investors and liability for failing to protect their pii. Second, participating entities might learn information about the trading activity of other entities, which would give them a competitive advantage in the securities market.
In Aug. 2020, the SEC instituted an initiative to identify data security shortcomings and adopt comprehensive corrective system designs. See, in that regard, my Sept. 8, 2020 Blog “SEC Seeks to Increase the Security of Data on the Consolidated Audit Trail.” The SEC proposed complex amendments encompassing 15 key initiatives to enhance the cybersecurity of the CAT. Those proposed amendments were supposed to extinguish the fire of criticisms about the potential misuse of data collected on the CAT, but those amendments have never been adopted. Having proposed steps to improve the security of data collected on the CAT, the SEC turned its focus to costs and their allocation, with serious and continuing opposition from market participants to the funding plans.
Eventually, on June 1, 2022, CAT LLC replaced its original funding plan, which had relied on counting the number of electronic messages received in trading activity, with a plan where fees were based on transaction volume. In the continuing discussions and communications, it became apparent that there was still very substantial opposition from the broker/dealers and others who would be CAT Members. In an Aug. 30, 2022 Release, the Commission reported that the opposition focused on the following:
- Lack of transparency of costs of operation;
- Arbitrary cost allocations; and
- Arbitrary allocation of responsibility for past development costs.
ISSUES ADDRESSED IN THE ORDER
Among the dissenting voices, the Securities Industry and Financial Markets Association (“SIFMA”) raised, on behalf of its many members, a fundamental objection to the allocation of cost responsibility for the operations of the Financial Industry Regulatory Authority (“FINRA”) to the regulated community. On Nov. 16, 2022, the Operating Committee of CAT LLC proposed to partially amend the June 1, 2022 funding plan to change the cost allocations from 25% / 75%; to one-third each for the Participants, the selling CAT Members, and the buying CAT Members; and to make other changes somewhat responsive to SIFMA and market participant objections.
After entertaining many very substantial comments and objections, the Order focuses primarily on the Amendment proposals, especially the funding of the CAT. In issuing the Order, the SEC has put the CAT into operation. The Order addresses several issues, including clarifying that Alternative Trading Systems (“ATS”) are included as “Execution Venues” for purposes of assessing fee responsibility. Similarly, the Order imposes target deadlines for Participants to fully implement CAT NMS Plan Requirements and reduces the amount of costs Participants may recover if those targets are missed (i.e., CAT Members are partially relieved of responsibility for operating costs to the extent the Participants are slow in implementing the CAT). The Order, in any event, expressly finds that “[t]he Participants have sufficiently demonstrated that the proposed allocation of fees is reasonable.” Responding to many comments about future costs the Order finds:
“…these costs will not be unchecked. The Participants must file their proposed rule changes relating to fees with the Commission. Those proposed rule changes are published by the Commission and there is an opportunity for public comment. CAT fees…must be consistent with applicable statutory standards under the Exchange Act, including being reasonable, equitable and not discriminatory. We also conclude that the use of executed equivalent share volume provides a reasonable basis for the calculation of these fees. Executed equivalent share volume is readily determinable and… provides a reasonable proxy for the costs to CAT…”
The SEC position on CAT operating costs is echoed throughout the Order. When SIFMA asserted that “the industry [i.e., CAT Members] would be allocated most of the CAT costs in perpetuity without a mechanism to limit the budget,” the SEC again responded, “there is a statutory process for notice and comment and Commission review…”
“In addition… [the Order] requires that the Fee Rate calculated by the Operating Committee [of CAT LLC] twice per year be based on ‘reasonable budgeted CAT costs’ and that such budgeted CAT costs be composed of ‘all reasonable fees, cost and expenses reasonably budgeted to be incurred by or for the … [CAT LLC] in connection with the development, implementation and operation of the CAT. The Operating Committee must demonstrate that their proposed budget and associated fees are reasonable, and the Participants must provide support for such reasonableness in their associated fee filings.”
Citadel Securities, LLC, one of the world’s largest securities market-makers, objected mightily to the allocation of costs based on trading activity (as Citadel, along with one or two other aggregator firms, has the vast majority of both the purchases and the sales of equivalent shares, so it would bear a “disproportionate” share of fees). Indeed, Citadel claimed that costs would be mostly allocated to “an extremely small group of broker-dealers” which would unduly burden competition. CAT LLC rebuffed that criticism, noting that the costs were allocated in accordance with usage, a view endorsed by the Commission. FINRA objected to its treatment as “a market center for CAT funding purposes … because FINRA is not treated as a market center for governance purposes under the… [NMS Consolidated Equity Market Data Plan] (“CT Plan”).” CAT LLC rejected that argument, pointing out “the CT Plan governs the public dissemination of real-time consolidated equity market data for NMS stocks.” Whereas, CAT LLC emphasized, “the CAT is solely for regulatory purposes, providing a regulatory system to facilitate the performance of the self-regulatory obligations of all of the Participants, including the exchanges and FINRA.”
Another area of significant comment is the allocation of past development costs (“Historical CAT Costs” or “HCC”). Many commenters objected to the assessment of fees to reimburse CAT LLC for the HCCs. Not least of the objections was over the duplicated effort incurred in scrapping of the first computer designer and replacing it with a new Plan Processor. CAT LLC notes that almost $64 million in costs related to the initial Plan Processor and its termination (out of all Plan Processor-related costs included in HCC) is being borne solely by the Participants. In addition, of the $518 million in HCC through the end of 2022, only 45% would be used to set the fees for reimbursement by the CAT Members. In the Order, the SEC makes quick work of these objections, noting:
“First, current Industry Members are actively reporting to the CAT and therefore receive the benefits from the CAT. The CAT provides more effective market oversight … , which could increase investor confidence, resulting in expanded investment opportunities and increased trading activity. Second, it would be difficult to impose fees on Industry Members for their activity in the past because some Industry Members may no longer be in business and such Industry Members would not have taken into consideration the Historical CAT Assessment when entering into the past transactions.”
The SEC went on to find that the Order “sets forth a process that the Commission believes will offer an appropriate level of transparency into Historical CAT Costs.”
SIFMA again objected that the CAT is solely a “Commission tool used for enforcement,” implying that the costs of operating the CAT should be borne by the SEC. The SEC strongly resisted, noting:
“…these comments misunderstand …[the] purpose of CAT. CAT serves multiple regulatory purposes for both …[the Participants] and the Commission. …[Participants] have long had audit trail systems and the…[Participants] themselves, have long used market data from those systems to oversee the securities markets and fulfill their responsibilities under Federal securities laws. …the Commission [in CAT] sought to address shortcomings in those existing systems and create an audit trail system that would provide both the… [Participants] and the Commission with timely access to a comprehensive set of trading data sufficient to oversee modern markets.”
At last, on page 181 of the 221-page Order, one commenter (once again Citadel Securities, LLC) urged the SEC to “address data security concerns associated with the CAT,” and indeed, suggested that the SEC “prioritize proposed amendments [i.e., those proposed in Aug. 2020] to the CAT NMS Plan to enhance data security.” CAT LLC responded that “security concerns should not be used to prevent appropriate funding of the CAT.” The SEC gave two answers: first, “CAT data security issues… are beyond the scope of … [the Order]” and second, “the Commission’s ability to consider… proposed amendments to the CAT NMS Plan is not impacted by… [the Order], as… [the data security proposals will be] considered in due course.” However, the SEC did not disclose when it might adopt the already long-delayed cybersecurity amendments to the CAT or whether any of the 2020 proposed amendments should be modified or new ones added in light of experience gained in dealing with data security issues.
THE SEC ACTS AND THE COMISSIONERS AND OTHERS COMMENT
On Sept. 6, the Commission, in a 4-1 vote (Commissioner Peirce dissenting), approved the issuance of the Order. It is not insignificant that Chairman Gensler’s Sept. 6, 2023 Statement is titled “Statement on CAT Funding,” in which he asserted after reviewing something of the history of the development of the CAT:
“The …filing we are considering today addresses an important but narrow issue: the allocation of funding of recoverable costs for CAT. While it addresses the cost allocations, it leaves in place the rest of the 2016 NMS plan as amended in 2020 [a reference to the June 2020 amendment which revised the CAT Master Plan].”
He then emphasized that “[m]arket regulators … already have benefitted from CAT in surveillance and enforcement work. For example…, CAT data was beneficial for [the SEC’s] staff’s GameStop report from 2021 [and] for our analysis of insider trading.”
Similarly, Commissioner Caroline Crenshaw’s Sept. 6 Statement noted:
“We expect CAT to serve as one such tool in our regulatory arsenal by improving the completeness, accuracy, accessibility and timeliness of order and execution data used by regulators.”
Yet even Commissioner Jaime Lizarraga, typically supportive of SEC regulatory initiatives, said in his Sept. 6 “Statement on Order Approving CAT Revised Funding Model:” “I support today’s order but with reservations.” Commissioner Mark Uyeda, in his Sept. 6 “Statement on Consolidated Audit Trail Revised Funding Model,” first expressed his hope that “the costs do not ultimately outweigh the benefits” and then warned that major issues remain, including:
“…whether the Commission has appropriately addressed issues regarding personally-identifiable information and the protection of CAT from a cybersecurity perspective [In August 2023], the Commission adopted specific rules for cybersecurity risk management, strategy, governance, and incident disclosure for public companies. Yet the Commission benchmarks its own cybersecurity efforts on CAT to none of those standards or to the proposed cybersecurity requirements for brokers, dealers, investment advisers, and Regulation SCI entities.”
Commissioner Uyeda’s comments were underscored by the SEC’s Sept. 12, 2023 Complaint (the “Virtu Complaint”) filed in the U.S. District Court for the Southern District of New York against broker/dealer Virtu Americas LLC and its parent, Virtu Financial Inc. (as stated in the SEC’s Press Release of that date) “for making false and misleading statements and omissions regarding information barriers to prevent the misuse of sensitive customer information.” Virtu, much like Citadel Securities, is a major market-maker and aggregator of purchase and sale transactions. There is no allegation in the Virtu Complaint that any “sensitive customer information,” such as pii, had in fact been misused, only that it could have been because the Virtu entities did not adequately protect it.
Commissioner Uyeda went on to cite with approval one of the CAT comment letters (from SIFMA and another trade group), which stated:
“CAT operating costs projected for 2023 are approximately 5.2 … times [original CAT cost projections]. The annual increases in CAT operating costs during the past three years of 73.2%, 27.3%, and 27.0%, respectively, are not sustainable over the long term.”
He concluded by noting that the “cumulative costs for CAT may soon be approaching a billion dollars.” He is joined in his concerns about the CAT and its costs by Commissioner Peirce in her Sept. 6 “Who’s Paying: Statement on the CAT’s Funding Model,” in which, among MANY comments, she noted that the Commission failed “to grapple with the need to establish a realistic constraint on CAT costs – costs that come in the form of dollars, time, and lost financial privacy. Investors, the people with the most to lose, have had and will continue to have a limited voice in shaping CAT’s operations, reach, and costs.” She then pointed out:
“The Commission does not foot any of the CAT bill…so while the Commission is instinctively inclined to expand its data demands, it has little if any incentive to take CAT costs into account… the Commission – enthused by the prospect of real-time, granular data at no cost to itself – is unlikely to carefully balance the real cost against the perceived benefits.”
Commissioner Peirce next focused on the cybersecurity issues raised by Citadel Securities and by Commissioner Uyeda:
“Recognizing the vulnerability of the CAT and hence the retail investors whose information it collects, in August 2020 the Commission proposed amendments to the national market system plan governing the CAT to bolster data security. We have not yet adopted these amendments, even though the CAT is vacuuming mountains of investor information and thus putting Americans at risk to malicious hacker[s] that might seek to mine the data. More fundamentally, we have completely ignored the more difficult, but essential discussion about whether a comprehensive surveillance system designed to monitor Americans suspected of no wrongdoing is consistent with our American ideals.”
She concluded her relatively lengthy Statement with seven questions for her colleagues on the Commission and, more generally, for all investors and capital market participants. Number 7 inquires:
“Does the Commission have the authority to fund its primary market surveillance tool with money that does not run through the Congressional appropriations process?”
And it is not just CAT Members and Members of the SEC who have material concerns about the CAT and its costs, both in dollars and in privacy. In the Wall Street Journal for Monday, Sept. 25, 2023, on page A-19, col. 5, appeared an Op-Ed titled “The SEC Want to Spy on Your Portfolio,” written by Warren Stephens, the Chairman, President and CEO of Stephens, Inc., a large mid-Western broker-dealer, and Paul C. Reilly, Chairman of the American Securities Institute, a trade organization that trains and examines persons desiring to become professionals in the securities industry. The authors assert:
“As an American, you have a right to privacy-unless you own stock. The Securities and Exchange Commission has created a centralized database to track the personal and financial information of every U.S. investor…The scope of the Consolidated Audit Trail, or CAT, a regulation the SEC issued in 2016 but implemented only recently, is breathtaking and unprecedented. In the words of the SEC press release, the regulation instructs regulated financial institutions to identify ‘every order, cancellation, modification and trade execution for all exchange-listed equities and options across all U.S. markets…’ We objected to this expansion of the database, and so did many others, including the American Civil Liberties Union. Why should the government, without any evidence of wrongdoing, surveil Americans’ balances to see every trade they make? Before CAT, regulators needed legal cause and a subpoena to force a financial firm to divulge a customer’s personal and financial information…We also share SEC Commissioner Hester Peirce’s concern that hackers may try to exploit the CAT ‘for their nefarious ends.’ The urgency of this threat is clear from the repeated cyberattacks on numerous U.S. government institutions in recent years by hackers backed by China, Russia and North Korea... The SEC is a securities regulator… It doesn’t have the legal authority to supersede the Constitution and spy on ordinary Americans’ portfolios...Our customers have a right to invest without fear – and without the SEC peering into their portfolios whenever it feels like it.”
CONCLUDING OBSERVATIONS
That the CAT is at best a temporary and haphazard compromise of competing interests and ideals seems clear from the following:
- the difficult history in putting the CAT together;
- the material objections (and not only due to costs) to its implementation and operation;
- the unresolved proposals to enhance data security for both the entities participating in the CAT and the investors subject to it; and
- the absence of a fundamental examination (as called for both by Commissioner Peirce and by Messrs. Stephens and Reilly) of whether investing in the American capital markets should automatically subject one to Federal surveillance.
In the end, the CAT may fail due to its own expenses, or its own abuses. That we cannot know; but we can hope that better ideas may come along to help protect the American capital markets AND the persons who invest in them.
If you have any questions or concerns on the future of CAT, please do not hesitate to reach out to me at pdhutcheon@norris-law.com.