Recent CAT Developments: Here’s What’s New After 11 Years

Article from TabbForum: 


While the SEC first approved the Consolidated Audit Trail (CAT) in 2012, writes Howard Meyerson, Managing Director of the Financial Information Forum, there have been a series of important recent developments relating to CAT that firms should be aware of. In this CAT update, Mr. Meyerson highlights a number of these developments that will impact firm trading, technology, operations, compliance and finance.

The SEC first approved CAT in 2012, but due to important ongoing developments CAT is still a significant focus for many industry members. Industry members should be aware of the following significant recent developments relating to CAT.

CAT Reporting for Certain Verbal Activity

In 2020 the SEC issued an exemption from reporting certain verbal activity to CAT. This exemption applies where a dealer verbally communicates a price to a customer, either on or off an exchange floor, but the dealer is required to subsequently receive an order from the customer (or generate an order based on the customer’s assent) before a trade can occur. This exemption was set to expire on July 31, 2023. Expiration of the exemption would have caused a major disruption to floor and upstairs trading activity. On July 31, 2023 the SEC extended this exemption for an additional three years, until July 31, 2026.

Read More

POSTED Aug 07,2023

SIFMA and FIF Ask SEC to Reconsider the Costs of Funding the NMS CAT

Article from Regulatory Intelligence:

SIFMA and the Financial Information Forum ("FIF") urged the SEC to better understand the "magnitude" of the costs associated with changing the funding model for the National Market System Plan Governing the Consolidated Audit Trail ("CAT NMS Plan").

The associations filed the joint comment letter in response to the SEC's June 16, 2023 Order to institute proceedings on whether to approve proposed amendments to the CAT NMS Plan filed by CAT, LLC. Under the proposal, the funding model under the CAT NMS Plan would be replaced with the executed share model.

SIFMA and FIF recommended that the SEC examine:

  • mandating public disclosure of financial terms in contracts between CAT NMS Plan participants and its cloud services provider, Amazon Web Services;
  • addressing the fact that projected operating costs far exceed the projected costs under the CAT NMS Plan;
  • directing CAT NMS participants to analyze the reasoning for operation cost increases over the past three years and expected operation costs for future years based on current CAT requirements; and
  • requiring all future reporting requirements that would "result in a significant increase in CAT costs" to undergo a cost-benefit analysis from CAT NMS Plan participants.

POSTED Aug 03,2023

Commenters Request Clarification on SEC-Proposed Cybersecurity Requirements

June 8, 2023 (Fried Frank News & Insights): 

The Financial Information Forum ("FIF"), Nasdaq, CME and the Investment Company Institute ("ICI") (collectively, the "Associations") recommended changes to the SEC's proposed rules on cybersecurity risk management practices.

Proposed Amendments to Reg S-P ("Privacy of Consumer Financial Information and Safeguarding Personal Information")

The SEC proposed to (i) require firms to implement written incident response plans, (ii) provide timely notification to affected individuals following data breaches and (iii) extend the protections of Reg S-P’s safeguards and disposal rules to cover information that a firm receives from another financial institution relating to that institution’s customers. (See previous coverage).

  • FIF. FIF proposed a minimum compliance period of two years instead of 12 months to provide a sufficient implementation period to (i) update service contracts and (ii) comply with data breach notification requirements.
  • Nasdaq. Nasdaq recommended that the SEC (i) expand the reporting exception regarding personal data incidents to "include documented requests from a competent law enforcement agency for the duration requested by such agency" and (ii) increase the implementation timeline to two years to support entities' compliance with the new requirements regarding contracting service providers.

Proposed Expansion of Reg SCI ("Regulation Systems Compliance and Integrity")

The SEC proposed amendments to Reg SCI that would expand the scope of the regulation to cover, among other entities, large broker-dealers, as defined by various measures of size. (See previous coverage.)

  • FIF. FIF recommended that the required data under the proposal to determine whether a broker-dealer has exceeded one or more of the applicable transaction activity thresholds in a given month should be calculated by the SEC or FINRA. FIF stated that this would be more efficient than broker-dealers having to perform the calculations independently, as is currently proposed.
  • Nasdaq. Nasdaq supported the proposal (i) for ensuring "like market participants are subject to the same standards" and that investors receive the same protections regardless of their regulatory classification and (ii) for providing "specific guidance" on entities’ relationships with third parties. However, Nasdaq advised the SEC to clarify its guidance regarding the use of cloud service providers.
  • CME Group. CME emphasized the "significant overlap" across its proposed amendments to Reg SCI and proposed Rule 10 and argued that adopting both rules would be "inefficient and unnecessary to achieve the resiliency and systems integrity the [SEC] seeks." CME urged the SEC to consider the "substantial costs" that would be imposed under the proposal.

Proposed Cybersecurity Risk Management Requirements

The SEC proposed new Rule 10 that would require market entities to (i) create and maintain written policies and procedures to address cybersecurity risks, (ii) annually review these policies, (iii) submit an annual review to the SEC and (iv) immediately inform the SEC of any significant cybersecurity incidents once the market entity concluded that a cybersecurity incident occurred. The proposal would also require covered entities to disclose and document through new Form SCIR (i) steps taken to remedy any significant cyber incidents and (ii) an annual summary of cybersecurity risks and incidents. (See previous coverage.)

  • FIF. FIF said that the proposal lacks steps the SEC is taking to protect the security of the SEC Electronic Data Gathering, Analysis and Retrieval System ("EDGAR"). FIF cited a hacker intrusion in 2016 as the basis for its concern.
  • Nasdaq. Nasdaq argued that the harm that could result because of entities publicly disclosing internal weaknesses, outweighs the SEC's intent to provide information to assess the effectiveness of the entities' cybersecurity preparations. Nasdaq asserted that providing information on internal weaknesses could give bad actors specific intelligence regarding an entity's infrastructure and could cause harm to the entity. Nasdaq recommended that information on entities' cybersecurity preparedness only be disclosed to the SEC.
  • CME Group. CME said the SEC should address (i) duplicative requirements in the proposal that require immediate written electronic notice of significant cyber security incidents and (ii) significant risk of "unintentionally assisting the malicious actors" by requiring entities to publicly disclose their cybersecurity vulnerabilities and incidents.
  • ICI. ICI recommended that the SEC "incorporate any cybersecurity risk management program requirements into Regulation S-P rather than adopting them as stand-alone rules."

POSTED Jun 12,2023

FIF Managing Director Quoted in Rule 605 Article

FIF Managing Director, Howard Meyerson, has been quoted in a FinOps Report article on Rule 605. Please find Rule 605 Reports: Next for Transparency Data Overhaul?, an article by Chris Kentouris, here

POSTED Apr 05,2021

© 2024 Financial Information Forum

Press enter to search
Press enter to search

Interested in joining us?

Download membership kit

Key Reasons to Join

  1. Stay informed on Current Regulatory and Market Initiatives
  2. Drive Industry Issues to Successful Resolution
  3. Impact the implementation timing and methodology of new rules
  4. Apply FIF Insight Within Your Firm