Notice

Joint Industry Plan; Order Approving the National Market System Plan Governing the Consolidated Audit Trail

This document has been published in the Federal Register.

November 15, 2016.

SUPPLEMENTARY INFORMATION:

Table of Contents

Supplementary Information

I. Introduction

II. Background

III. Description of the Proposed Plan

1. LLC Agreement

2. Participants

3. Management

4. Initial Plan Processor Selection

5. Functions and Activities of the CAT System

6. Financial Matters

7. Amendments

8. Compliance Rule Applicable to Industry Members

9. Plan Appendices

10. Reporting Procedures

11. Timeliness of Data Reporting

12. Uniform Format

13. Symbology

14. CAT-Reporter-ID

15. Customer-ID

16. Order Allocation Information

17. Options Market Maker Quotes

18. Primary Market Transactions, Debt Securities and Futures

19. Error Rates

20. Retirement of Existing Trade and Order Data Rules and Systems

21. Regulatory Access

22. Upgrades and New Functionalities

23. Business Continuity and Disaster Recovery

24. Records and Accounting and Dissolution and Termination of the Company

25. Security of Data

26. Governing or Constituent Documents

27. Development and Implementation Phases

28. Written Understanding or Agreements Relating To Interpretation of, or Participation in, the Plan

29. Dispute Resolution

IV. Discussion and Commission Findings

A. Definitions, Effectiveness of Agreement, and Participation (Articles I, II, and III)

B. Management of the Company (Article IV)

1. Operating Committee

2. Advisory Committee

3. Officers of the Company

4. Additional Governance Provisions

C. Plan Processor Selection (Article V)

D. Functions and Activities of the CAT System (Article VI)

1. Data Recording and Reporting Requirements

2. Format

3. Reporting Timelines

4. Data Elements

5. Symbology

6. Security of CAT Data

7. Personally Identifiable Information

8. Implementation Schedule

9. Retirement of Existing Trade and Order Data Rules and Systems

10. Primary Market Transactions and Futures

11. Error Rate

12. Business Continuity and Disaster Recovery

13. Business Clock Synchronization and Timestamp Granularity

14. Upgrades and New Functionalities

15. Technical Specifications

E. Capital Accounts, Allocations of Income and Loss, and Distributions (Articles VII and VIII)

F. Funding of the Company (Article XI)

1. Funding Model Generally

2. Funding Model's Allocation of Costs

3. Message Traffic and Market Share Distinction

4. Transparency and Alternatives to the Funding Model

5. Miscellaneous

G. Dispute Resolution

H. Written Assessments, Audits and Reports

V. Economic Analysis

A. Introduction

B. Summary of Expected Economic Effects

C. Framework for Economic Analysis

1. Economic Framework

2. Existing Uncertainties

D. Baseline

1. Current State of Regulatory Activities

2. Current State of Trade and Order Data

E. Benefits

1. Improvements in Data Qualities

2. Improvements to Regulatory Activities

3. Other Provisions of the CAT NMS Plan

F. Costs

1. Analysis of Expected Costs

2. Aggregate Costs to Industry

3. Further Analysis of Costs

4. Expected Costs of Security Breaches

5. Second Order Effects

G. Efficiency, Competition, and Capital Formation

1. Competition

2. Efficiency

3. Capital Formation

4. Related Considerations Affecting Competition, Efficiency and Capital Formation

H. Alternatives

1. Timestamp Granularity

2. Error Rate

3. Error Correction Timeline

4. Requiring Listing Exchange Symbology

5. Clock Synchronization Logging Procedures

6. Data Accessibility Standards

7. Clock Synchronization Hours

8. Primary Market Transactions

9. Periodic Updates to Customer Information

10. Bulk Data Downloads by CAT Reporters

11. Alternatives to the CAT NMS Plan

12. Alternatives Discussed in the CAT NMS Plan

VI. Paperwork Reduction Act

A. Summary of Collection of Information Under Rule 613

1. Central Repository

2. Data Collection and Reporting

3. Collection and Retention of National Best Bid and National Best Offer, Last Sale Data and Transaction Reports

4. Surveillance

5. Participant Rule Filings

6. Document on Expansion to Other Securities

7. Written Assessment of Operation of the Consolidated Audit Trail

B. Proposed Use of Information

1. Central Repository

2. Data Collection and Reporting

3. Collection and Retention of NBBO, Last Sale Data and Transaction Reports

4. Surveillance

5. Document on Expansion to Other Securities

6. Written Assessment of Operation of the Consolidated Audit Trail

C. Respondents

1. National Securities Exchanges and National Securities Associations

2. Members of National Securities Exchanges and National Securities Association

D. Total Initial and Annual Reporting and Recordkeeping Burden

1. Burden on National Securities Exchanges and National Securities Associations

2. Burden on Members of National Securities Exchanges and National Securities Associations

E. Summary of Collection of Information Under the CAT NMS Plan, as Amended by the Commission

1. One-Time Reports

2. Non-Report Commission-Created Information Collections

F. Proposed Use of Information Under the CAT NMS Plan, as Amended by the Commission

1. Independent Audit of Expenses Incurred Prior to the Effective Date

2. Review of Clock Synchronization Standards

3. Coordinated Surveillance Report

4. Assessment of Industry Member Bulk Access to Reported Data

5. Assessment of Errors in Customer Information Fields

6. Report on Impact of Tiered Fees on Market Liquidity

7. Assessment of Material Systems Change on Error Rate

8. Financial Statements

9. Background Checks

G. Total Initial and Annual Reporting and Recordkeeping Burden of Information Collection Under the CAT NMS Plan, as Amended by the Commission

1. Burden on National Securities Exchanges and National Securities Associations

2. Request for Comment

H. Collection of Information Is Mandatory

I. Confidentiality

J. Recordkeeping Requirements

VII. Conclusion

I. Introduction

On February 27, 2015, pursuant to Section 11A of the Securities Exchange Act of 1934 (“Exchange Act” or “Act”) [1] and Rules 608 and 613 of Regulation NMS thereunder,[2] BATS Exchange, Inc. (n/k/a Bats BZX Exchange, Inc.), BATS-Y Exchange, Inc. (n/k/a Bats BYX Exchange, Inc.), BOX Options Exchange LLC, C2 Options Exchange, Incorporated, Chicago Board Options Exchange, Incorporated, Chicago Stock Exchange, Inc., EDGA Exchange, Inc. (n/k/a Bats EDGA Exchange, Inc.), EDGX Exchange, Inc. (n/k/a Bats EDGX Exchange, Inc.), Financial Industry Regulatory Authority, Inc. (“FINRA”), International Securities Exchange, LLC, ISE Gemini, LLC, Miami International Securities Exchange LLC, NASDAQ OMX BX, Inc. (n/k/a NASDAQ BX, Inc.), NASDAQ OMX PHLX LLC (n/k/a NASDAQ PHLX LLC), The NASDAQ Stock Market LLC, National Stock Exchange, Inc., New York Stock Exchange LLC, NYSE MKT LLC, and NYSE Arca, Inc. (collectively, “self-regulatory organizations”, “SROs” or “Participants”), filed with the Securities and Exchange Commission (“Commission” or “SEC”) a National Market System (“NMS”) Plan Governing the Consolidated Audit Trail (the “CAT NMS Plan,” “CAT Plan” or “Plan”).[3] The SROs filed amendments to the CAT NMS Plan on December 24, 2015, and on February 8, 2016.[4] The CAT NMS Plan, as amended, was published for comment in the Federal Register on May 17, 2016.[5]

The Commission received 24 comment letters in response to the CAT NMS Plan.[6] On July 29, 2016, the Commission extended the deadline for Commission action on the CAT NMS Plan and designated November 10, 2016 as the new date by which the Commission would be required to take action.[7] On September 2, 2016, the Participants submitted a response to the comment letters that the Commission received in response to the CAT NMS Plan.[8] The Participants submitted additional response letters on September 23, 2016 and October 7, 2016.[9] On November 2 and 14, 2016, the Participants submitted additional letters.[10] This Order approves the CAT NMS Plan, with limited changes as described in detail below. The Commission concludes that the Plan, as amended, is necessary and appropriate in the public interest, for the protection of investors and the maintenance of fair and orderly markets, to remove impediments to, and perfect the mechanism of a national market system, or is otherwise in furtherance of the purposes of the Act. A copy of the CAT NMS Plan, as adopted, is attached as Exhibit A hereto.

II. Background

The Commission believes that the regulatory data infrastructure on which the SROs and the Commission currently must rely generally is outdated and inadequate to effectively oversee a complex, dispersed, and highly automated national market system. In performing their oversight responsibilities, regulators today must attempt to pull together disparate data from a variety of existing information systems lacking in completeness, accuracy, accessibility, and/or timeliness [11] —a model that neither supports the efficient aggregation of data from multiple trading venues nor yields the type of complete and accurate market activity data needed for robust market oversight.

Currently, FINRA and the exchanges maintain their own separate audit trail systems for trading activity, which vary in scope, required data elements and format. In performing their market oversight responsibilities, SRO and Commission Staffs must rely heavily on data from these various SRO audit trails. However, each of these systems has shortcomings in completeness, accuracy, accessibility, or timeliness. Some of these shortcomings are a result of the disparate nature of the systems, which makes it impractical, for example, to follow orders through their entire lifecycle as they may be routed, aggregated, re-routed, and disaggregated across multiple markets. These systems also lack key information useful for regulatory oversight, such as the identity of the customers who originate orders, or that two sets of orders may have been originated by the same customer.[12] Although SRO and Commission Staffs also have access to sources of market activity data other than SRO audit trails, these sources likewise suffer from their own drawbacks.[13]

Recognizing these shortcomings, on July 11, 2012, the Commission adopted Rule 613 of Regulation NMS under the Act,[14] which requires the SROs to submit an NMS plan to create, implement, and maintain a consolidated audit trail (“CAT”) that would capture customer and order event information for orders in NMS securities, across all markets, from the time of order inception through routing, cancellation, modification, or execution in a single, consolidated data source.[15] Specifically, Rule 613 requires the Participants to “jointly file . . . a national market system plan to govern the creation, implementation, and maintenance of a consolidated audit trail and Central Repository.” [16] The purpose of the Plan, and the creation, implementation and maintenance of a comprehensive audit trail for the U.S. securities markets described therein, is to “substantially enhance the ability of the SROs and the Commission to oversee today's securities markets and fulfill their responsibilities under the federal securities laws.” [17] As contemplated by Rule 613, the CAT “will allow for the prompt and accurate recording of material information about all orders in NMS securities, including the identity of customers, as these orders are generated and then routed throughout the U.S. markets until execution, cancellation, or modification. This information will be consolidated and made readily available to regulators in a uniform electronic format.” [18]

The SROs filed the CAT NMS Plan pursuant to Rule 613,[19] as modified by exemptive relief granted by the Commission, pursuant to Rule 0-12 under the Act,[20] from certain requirements of Rule 613.[21]

The CAT NMS Plan filed by the SROs incorporates the SROs' NMS plan approval process for reviewing, evaluating and ultimately selecting the Plan Processor,[22] as set forth in a separate NMS plan submitted by the SROs and approved by the Commission (the “Selection Plan”).[23] On February 26, 2013, the Participants published a request for proposal (“RFP”) soliciting Bids from parties interested in serving as the Plan Processor.[24] As of the publication date of this Order, the Participants, through the process described in the Selection Plan, have narrowed the pool of Bidders to three remaining Shortlisted Bidders.[25]

The CAT NMS Plan also includes an economic analysis that, as required by Rule 613, was conducted by the SROs. The Commission notes that, in the Adopting Release for Rule 613, the Commission considered the economic effects of the actions the SROs were required to undertake pursuant to Rule 613, specifically the requirement that the SROs develop an NMS plan, utilizing their own resources and undertaking their own research, that addresses the specific details, cost estimates, considerations, and other requirements of the Rule.[26] The Commission noted in the Adopting Release that Rule 613 provided the SROs with “flexibility in how they [chose] to meet the requirements of the adopted Rule,” [27] allowing the SROs to consider a number of different approaches in developing the CAT NMS Plan. The Commission also noted that “the costs and benefits of creating a consolidated audit trail, and the consideration of specific costs as related to specific benefits, is more appropriately analyzed once the SROs narrow the expanded array of choices they have under the adopted Rule and develop a detailed NMS plan.” [28] Accordingly, the Commission required the SROs to conduct an economic analysis and deferred the Commission's own economic analysis of the actual creation, implementation, and maintenance of the CAT until after submission of the required NMS plan. In accordance with this approach, the Commission included its preliminary analysis and conclusions regarding the economic effects of the CAT NMS Plan when it published the CAT NMS Plan for public comment.

III. Description of the Proposed Plan

The Commission notes that this Section III describes the CAT NMS Plan, as filed by the Participants pursuant to Rule 613 and modified by the Exemption Order,[29] that was published for public comment by the Commission.[30] Section IV, below, discusses the comments received as well as amendments that the Commission is making to the Plan in light of some of the comments; these amendments are marked against the proposed Plan in Exhibit A to this Order.

1. LLC Agreement

The Participants propose to conduct the activities related to the CAT in a Delaware limited liability company pursuant to a limited liability company agreement, entitled the Limited Liability Company Agreement (“LLC Agreement”) of CAT NMS, LLC (“Company” or “CAT LLC”).[31] The Participants will jointly own on an equal basis the Company.[32] The Company will create, implement and maintain the CAT.[33] The LLC Agreement, itself, including its appendices, is the proposed Plan, which would be a national market system plan as defined in Rule 600(b)(43) of NMS.[34]

2. Participants

Each national securities exchange and national securities association currently registered with the Commission would be a Participant in the Plan.[35] The names and addresses of each Participant are set forth in Exhibit A to the Plan.[36] Article III of the Plan provides that any entity approved by the Commission as a national securities exchange or national securities association under the Exchange Act after the Effective Date may become a Participant by submitting to the Company a completed application in the form provided by the Company and satisfying each of the following requirements: (1) Executing a counterpart of the LLC Agreement as then in effect; and (2) paying a fee to the Company in an amount determined by a Majority Vote [37] of the Operating Committee as fairly and reasonably compensating the Company and the Participants for costs incurred in creating, implementing and maintaining the CAT (including such costs incurred in evaluating and selecting the Initial Plan Processor [38] and any subsequent Plan Processor) and for costs the Company incurs in providing for the prospective Participant's participation in the Company, including after consideration of certain factors identified in Section 3.3(b) of the Agreement (“Participation Fee”).[39] Amendment of the Plan reflecting the admission of a new Participant will be effective only when: (1) It is approved by the SEC in accordance with Rule 608 or otherwise becomes effective pursuant to Rule 608; and (2) the prospective Participant pays the Participation Fee.[40]

A number of factors are relevant to the determination of a Participation Fee.[41] Such factors are: (1) The portion of costs previously paid by the Company for the development, expansion and maintenance of the CAT which, under generally accepted accounting principles (“GAAP”), would have been treated as capital expenditures and would have been amortized over the five years preceding the admission of the prospective Participant; (2) an assessment of costs incurred and to be incurred by the Company for modifying the CAT or any part thereof to accommodate the prospective Participant, which costs are not otherwise required to be paid or reimbursed by the prospective Participant; (3) Participation Fees paid by other Participants admitted as such after the Effective Date; (4) elapsed time from the Effective Date to the anticipated date of admittance of the prospective Participant; and (5) such other factors, if any, as may be determined to be appropriate by the Operating Committee and approved by the Commission.[42] In the event that the Company and a prospective Participant do not agree on the amount of the Participation Fee, such amount will be subject to review by the SEC pursuant to Section 11A(b)(5) of the Exchange Act.[43]

An applicant for participation in the Company may apply for limited access to the CAT System [44] for planning and testing purposes pending its admission as a Participant by submitting to the Company a completed Application for Limited Access to the CAT System in a form provided by the Company, accompanied by payment of a deposit in the amount established by the Company, which will be applied or refunded as described in such application.[45] To be eligible to apply for such limited access, the applicant must have been approved by the SEC as a national securities exchange or national securities association under the Exchange Act but the applicant has not yet become a Participant of the Plan, or the SEC must have published such applicant's Form 1 Application or Form X-15AA-1 Application to become a national securities exchange or a national securities association, respectively.[46]

All Company Interests will have the same rights, powers, preferences and privileges and be subject to the same restrictions, qualifications and limitations.[47] Once admitted, each Participant will be entitled to one vote on any matter presented to Participants for their consideration and to participate equally in any distribution made by the Company (other than a distribution made pursuant to Section 10.2 of the Plan).[48] Each Participant will have a Company Interest equal to that of each other Participant.[49]

Article III also describes a Participant's ability to Transfer a Company Interest. A Participant may only Transfer any Company Interest to a national securities exchange or national securities association that succeeds to the business of such Participant as a result of a merger or consolidation with such Participant or the Transfer of all or substantially all of the assets or equity of such Participant (“Permitted Transferee”).[50] A Participant may not Transfer any Company Interest to a Permitted Transferee unless: (1) Such Permitted Transferee executes a counterpart of the Plan; and (2) the amendment to the Plan reflecting the Transfer is approved by the SEC in accordance with Rule 608 or otherwise becomes effective pursuant to Rule 608.[51]

In addition, Article III addresses the voluntary resignation and termination of participation in the Plan. Any Participant may voluntarily resign from the Company, and thereby withdraw from and terminate its right to any Company Interest, only if: (1) A Permitted Legal Basis [52] for such action exists; and (2) such Participant provides to the Company and each other Participant no less than thirty days prior to the effective date of such action written notice specifying such Permitted Legal Basis, including appropriate documentation evidencing the existence of such Permitted Legal Basis, and, to the extent applicable, evidence reasonably satisfactory to the Company and other Participants that any orders or approvals required from the SEC in connection with such action have been obtained.[53] A validly withdrawing Participant will have the rights and obligations discussed below with regard to termination of participation.[54]

A Participant's participation in the Company, and its right to any Company Interest, will terminate as of the earliest of: (1) The effective date specified in a valid resignation notice; (2) such time as such Participant is no longer registered as a national securities exchange or national securities association; or (3) the date of termination for failure to pay fees.[55] With regard to the payment of fees, each Participant is required to pay all fees or other amounts required to be paid under the Plan within thirty days after receipt of an invoice or other notice indicating payment is due (unless a longer payment period is otherwise indicated) (the “Payment Date”).[56] If a Participant fails to make such a required payment by the Payment Date, any balance in the Participant's Capital Account will be applied to the outstanding balance.[57] If a balance still remains with respect to any such required payment, the Participant will pay interest on the outstanding balance from the Payment Date until such fee or amount is paid at a per annum rate equal to the lesser of: (1) The Prime Rate plus 300 basis points; or (2) the maximum rate permitted by applicable law.[58] If any such remaining outstanding balance is not paid within thirty days after the Payment Date, the Participants will file an amendment to the Plan requesting the termination of the participation in the Company of such Participant, and its right to any Company Interest, with the SEC.[59] Such amendment will be effective only when it is approved by the SEC in accordance with Rule 608 or otherwise becomes effective pursuant to Rule 608.[60]

From and after the effective date of termination of a Participant's participation in the Company, profits and losses of the Company will cease to be allocated to the Capital Account of the Participant.[61] A terminated Participant will be entitled to receive the balance in its Capital Account as of the effective date of termination adjusted for profits and losses through that date, payable within ninety days of the effective date of termination, and will remain liable for its proportionate share of costs and expenses allocated to it for the period during which it was a Participant, for obligations under Section 3.8(c) regarding the return of amounts previously distributed (if required by a court of competent jurisdiction), for its indemnification obligations pursuant to Section 4.1, and for obligations under Section 9.6 regarding confidentiality, but it will have no other obligations under the Plan following the effective date of termination.[62] The Plan will be amended to reflect any termination of participation in the Company of a Participant, provided that such amendment will be effective only when it is approved by the SEC in accordance with Rule 608 or otherwise becomes effective pursuant to Rule 608.[63]

3. Management

Article IV of the Plan establishes the overall governance structure for the management of the Company. Specifically, the Participants propose that the Company be managed by an Operating Committee.[64]

The Operating Committee will consist of one voting member representing each Participant and one alternate voting member representing each Participant who will have a right to vote only in the absence of the Participant's voting member of the Operating Committee.[65] Each of the voting and alternate voting members of the Operating Committee will be appointed by the Participant that he or she represents, will serve at the will of the Participant appointing such member and will be subject to the confidentiality obligations of the Participant that he or she represents as set forth in Section 9.6.[66] One individual may serve as the voting member of the Operating Committee for multiple Affiliated Participants, and such individual will have the right to vote on behalf of each such Affiliated Participant.[67]

The Operating Committee will elect, by Majority Vote, one of its members to act as Chair for a term of two years.[68] No Person may serve as Chair for more than two successive full terms, and no Person then appointed to the Operating Committee by a Participant that then serves, or whose Affiliate then serves, as the Plan Processor will be eligible to serve as the Chair.[69] The Chair will preside at all meetings of the Operating Committee, designate a Person to act as Secretary, and perform such other duties and possess such other powers as the Operating Committee may from time to time prescribe.[70] The Chair will not be entitled to a tie-breaking vote at any meeting of the Operating Committee.[71]

Each of the members of the Operating Committee, including the Chair, will be authorized to cast one vote for each Participant that he or she represents on all matters voted upon by the Operating Committee.[72] Action of the Operating Committee will be authorized by Majority Vote (except under certain designated circumstances), subject to the approval of the SEC whenever such approval is required under the Exchange Act and the rules thereunder.[73] For example, the Plan specifically notes that a Majority Vote of the Operating Committee is required to: (1) Select the Chair; (2) select the members of the Advisory Committee (as described below); (3) interpret the Plan (unless otherwise noted therein); (4) approve any recommendation by the Chief Compliance Officer (“CCO”) pursuant to Section 6.2(a)(v)(A); (5) determine to hold an Executive Session of the Operating Committee; (6) determine the appropriate funding-related policies, procedures and practices consistent with Article XI; and (7) act upon any other matter specified elsewhere in the Plan (which includes the Appendices to the Plan) as requiring a vote, approval or other action of the Operating Committee (other than those matters expressly requiring a Supermajority Vote or a different vote of the Operating Committee).[74]

Article IV requires a Supermajority Vote [75] of the Operating Committee, subject to the approval of the SEC when required, for the following: (1) Selecting a Plan Processor, other than the Initial Plan Processor selected in accordance with Article V of the Plan; (2) terminating the Plan Processor without cause in accordance with Section 6.1(q); (3) approving the Plan Processor's appointment or removal of the Chief Information Security Officer (“CISO”), CCO, or any Independent Auditor in accordance with Section 6.1(b); (4) entering into, modifying or terminating any Material Contract (if the Material Contract is with a Participant or an Affiliate of a Participant, such Participant and Affiliated Participant will be recused from any vote); (5) making any Material Systems Change; (6) approving the initial Technical Specifications or any Material Amendment to the Technical Specifications proposed by the Plan Processor; (7) amending the Technical Specifications on its own motion; and (8) acting upon any other matter specified elsewhere in the Plan (which includes the Appendices to the Plan) as requiring a vote, approval or other action of the Operating Committee by a Supermajority Vote.[76]

A member of the Operating Committee or any Subcommittee thereof (as discussed below) shall recuse himself or herself from voting on any matter under consideration by the Operating Committee or such Subcommittee if such member determines that voting on such matter raises a Conflict of Interest.[77] In addition, if the members of the Operating Committee or any Subcommittee (excluding the member thereof proposed to be recused) determine by Supermajority Vote that any member voting on a matter under consideration by the Operating Committee or such Subcommittee raises a Conflict of Interest, such member shall be recused from voting on such matter.[78] No member of the Operating Committee or any Subcommittee will be automatically recused from voting on any matter except matters involving Material Contracts as discussed in the prior paragraph, as otherwise specified in the Plan, and as follows: (1) If a Participant is a Bidding Participant [79] whose Bid remains under consideration, members appointed to the Operating Committee or any Subcommittee by such Participant or any of its Affiliated Participants will be recused from any vote concerning: (a) Whether another Bidder may revise its Bid; (b) the selection of a Bidder; or (c) any contract to which such Participant or any of its Affiliates would be a party in its capacity as Plan Processor; and (2) if a Participant is then serving as Plan Processor, is an Affiliate of the Person then serving as Plan Processor, or is an Affiliate of an entity that is a Material Subcontractor to the Plan Processor, then in each case members appointed to the Operating Committee or any Subcommittee by such Participant or any of its Affiliated Participants shall be recused from any vote concerning: (a) The proposed removal of such Plan Processor; or (b) any contract between the Company and such Plan Processor.[80]

Article IV also addresses meetings of the Operating Committee.[81] Meetings of the Operating Committee may be attended by each Participant's voting Representative and its alternate voting Representative and by a maximum of two nonvoting Representatives of each Participant, by members of the Advisory Committee, by the CCO, by other Representatives of the Company and the Plan Processor, by Representatives of the SEC and by such other Persons that the Operating Committee may invite to attend.[82] The Operating Committee, however, may, where appropriate, determine to meet in Executive Session during which only voting members of the Operating Committee will be present.[83] The Operating Committee, however, may invite other Representatives of the Participants, of the Company, of the Plan Processor (including the CCO and the CISO) or the SEC, or such other Persons that the Operating Committee may invite to attend, to be present during an Executive Session.[84] Any determination of the Operating Committee to meet in an Executive Session will be made upon a Majority Vote and will be reflected in the minutes of the meeting.[85] In addition, any Person that is not a Participant but for which the SEC has published a Form 1 Application or Form X-15AA-1 to become a national securities exchange or national securities association, respectively, will be permitted to appoint one primary Representative and one alternate Representative to attend regularly scheduled Operating Committee meetings in the capacity of a non-voting observer, but will not be permitted to have any Representative attend a special meeting, emergency meeting or meeting held in Executive Session of the Operating Committee.[86]

The Operating Committee may, by Majority Vote, designate by resolution one or more Subcommittees it deems necessary or desirable in furtherance of the management of the business and affairs of the Company.[87] For any Subcommittee, any member of the Operating Committee who wants to serve thereon may so serve.[88] If Affiliated Participants have collectively appointed one member to the Operating Committee to represent them, then such Affiliated Participants may have only that member serve on the Subcommittee or may decide not to have only that collectively appointed member serve on the Subcommittee.[89] Such member may designate an individual other than himself or herself who is also an employee of the Participant or Affiliated Participants that appointed such member to serve on a Subcommittee in lieu of the particular member.[90] Subject to the requirements of the Plan and non-waivable provisions of Delaware law, a Subcommittee may exercise all the powers and authority of the Operating Committee in the management of the business and affairs of the Company as so specified in the resolution of the Operating Committee designating such Subcommittee.[91]

Article IV requires that the Operating Committee maintain a Compliance Subcommittee for the purpose of aiding the CCO as necessary, including with respect to issues involving: (1) The maintenance of the confidentiality of information submitted to the Plan Processor or Central Repository pursuant to Rule 613, applicable law, or the Plan by Participants and Industry Members; (2) the timeliness, accuracy, and completeness of information submitted pursuant to Rule 613, applicable law or the Plan by Participants and Industry Members; and (3) the manner and extent to which each Participant is meeting its obligations under Rule 613, Section 3.11, and as set forth elsewhere in the Plan and ensuring the consistency of the Plan's enforcement as to all Participants.[92]

Article IV also sets forth the requirements for the formation and functioning of an Advisory Committee, which will advise the Participants on the implementation, operation and administration of the Central Repository, including possible expansion of the Central Repository to other securities and other types of transactions.[93]

Article IV describes the composition of the Advisory Committee. No member of the Advisory Committee may be employed by or affiliated with any Participant or any of its Affiliates or facilities.[94] The Operating Committee will select one member from representatives of each of the following categories to serve on the Advisory Committee on behalf of himself or herself individually and not on behalf of the entity for which the individual is then currently employed: (1) A broker-dealer with no more than 150 Registered Persons; (2) a broker-dealer with at least 151 and no more than 499 Registered Persons; (3) a broker-dealer with 500 or more Registered Persons; (4) a broker-dealer with a substantial wholesale customer base; (5) a broker-dealer that is approved by a national securities exchange: (a) To effect transactions on an exchange as a specialist, market maker or floor broker; or (b) to act as an institutional broker on an exchange; (6) a proprietary-trading broker-dealer; (7) a clearing firm; (8) an individual who maintains a securities account with a registered broker or dealer but who otherwise has no material business relationship with a broker or dealer or with a Participant; (9) a member of academia with expertise in the securities industry or any other industry relevant to the operation of the CAT System; (10) an institutional investor trading on behalf of a public entity or entities; (11) an institutional investor trading on behalf of a private entity or entities; and (12) an individual with significant and reputable regulatory expertise.[95] The individuals selected to represent categories (1) through (12) above must include, in the aggregate, representatives of no fewer than three broker-dealers that are active in the options business and representatives of no fewer than three broker-dealers that are active in the equities business.[96] In addition, upon a change in employment of any such Advisory Committee member, a Majority Vote of the Operating Committee will be required for such member to be eligible to continue to serve on the Advisory Committee.[97] Furthermore, the SEC's Chief Technology Officer (or the individual then currently employed in a comparable position providing equivalent services) will serve as an observer of the Advisory Committee (but not be a member).[98] The members of the Advisory Committee will have a term of three years.[99]

Members of the Advisory Committee will have the right to attend meetings of the Operating Committee or any Subcommittee, to receive information concerning the operation of the Central Repository, and to submit their views to the Operating Committee or any Subcommittee on matters pursuant to the Plan prior to a decision by the Operating Committee on such matters.[100] A member of the Advisory Committee will not have a right to vote on any matter considered by the Operating Committee or any Subcommittee.[101] In addition, the Operating Committee or any Subcommittee may meet in Executive Session if the Operating Committee or Subcommittee determines by Majority Vote that such an Executive Session is advisable.[102] The Operating Committee may solicit and consider views of other stakeholders on the operation of the Central Repository in addition to those of the Advisory Committee.[103] Although members of the Advisory Committee will have the right to receive information concerning the operation of the Central Repository, the Operating Committee retains the authority to determine the scope and content of information supplied to the Advisory Committee, which will be limited to that information that is necessary and appropriate for the Advisory Committee to fulfill its functions.[104] Any information received by members of the Advisory Committee will remain confidential unless otherwise specified by the Operating Committee.[105]

Article IV also describes the appointment of Officers for the Company. Specifically, the CCO and the CISO, each of whom will be employed solely by the Plan Processor and neither of whom will be deemed or construed in any way to be an employee of the Company, will be Officers of the Company.[106] Neither such Officer will receive or be entitled to any compensation from the Company or any Participant by virtue of his or her service in such capacity (other than if a Participant is then serving as the Plan Processor, compensation paid to such Officer as an employee of such Participant).[107] Each such Officer will report directly to the Operating Committee.[108] The CCO will work on a regular and frequent basis with the Compliance Subcommittee and/or other Subcommittees as may be determined by the Operating Committee.[109] Except to the extent otherwise provided in the Plan, including Section 6.2, each such Officer will have such fiduciary and other duties with regard to the Plan Processor as imposed by the Plan Processor on such individual by virtue of his or her employment by the Plan Processor.[110]

In addition, the Plan Processor will inform the Operating Committee of the individual who has direct management responsibility for the Plan Processor's performance of its obligations with respect to the CAT.[111] Subject to approval by the Operating Committee of such individual, the Operating Committee will appoint such individual as an Officer.[112] In addition, the Operating Committee by Supermajority Vote may appoint other Officers as it shall from time to time deem necessary.[113] Any Officer appointed pursuant to Section 4.6(b) will have only such duties and responsibilities as set forth in the Plan, or as the Operating Committee shall from time to time expressly determine.[114] No such Officer shall have any authority to bind the Company (which authority is vested solely in the Operating Committee) or be an employee of the Company, unless in each case the Operating Committee, by Supermajority Vote, expressly determines otherwise.[115] No person subject to a “statutory disqualification” (as defined in Section 3(a)(39) of the Exchange Act) may serve as an Officer.[116] It is the intent of the Participants that the Company have no employees.[117]

4. Initial Plan Processor Selection

Article V of the Plan sets forth the process for the Participants' evaluation of Bids and the selection process for narrowing down the Bids and choosing the Initial Plan Processor.[118] The initial steps in the evaluation and selection process were and will be performed pursuant to the Selection Plan; the final two rounds of evaluation and voting, as well as the final selection of the Initial Plan Processor, will be performed pursuant to the Plan.[119]

As discussed above, the Selection Committee has selected the Shortlisted Bids pursuant to the Selection Plan. After reviewing the Shortlisted Bids, the Participants have identified the optimal proposed solutions for the CAT and, to the extent possible, included such solutions in the Plan.[120] The Selection Committee will determine, by majority vote, whether Shortlisted Bidders will have the opportunity to revise their Bids.[121] To reduce potential conflicts of interest, no Bidding Participant may vote on whether a Shortlisted Bidder will be permitted to revise its Bid if a Bid submitted by or including the Participant or an Affiliate of the Participant is a Shortlisted Bid.[122] The Selection Committee will review and evaluate all Shortlisted Bids, including any permitted revisions submitted by Shortlisted Bidders.[123] In performing this review and evaluation, the Selection Committee may consult with the Advisory Committee and such other Persons as the Selection Committee deems appropriate, which may include the DAG until the Advisory Committee is formed.[124]

After receipt of any permitted revisions, the Selection Committee will select the Initial Plan Processor from the Shortlisted Bids in two rounds of voting where each Participant has one vote via its Voting Senior Officer in each round.[125] No Bidding Participant, however, will be entitled to vote in any round if the Participant's Bid, a Bid submitted by an Affiliate of the Participant, or a Bid including the Participant or an Affiliate of the Participant is considered in such round.[126] In the first round, each Voting Senior Officer, subject to the recusal provision in Section 5.2(e)(ii), will select a first and second choice, with the first choice receiving two points and the second choice receiving one point.[127] The two Shortlisted Bids receiving the highest cumulative scores in the first round will advance to the second round.[128] In the event of a tie, the tie will be broken by assigning one point per vote to the tied Shortlisted Bids, and the Shortlisted Bid with the most votes will advance.[129] If this procedure fails to break the tie, a revote will be taken on the tied Bids with each vote receiving one point.[130] If the tie persists, the Participants will identify areas for discussion, and revotes will be taken until the tie is broken.[131]

Once two Shortlisted Bids have been chosen, the Voting Senior Officers of the Participants (other than those subject to recusal) will vote for a single Shortlisted Bid from the final two to determine the Initial Plan Processor.[132] If the tie persists, the Participants will identify areas for discussion and, following these discussions, revotes will be taken until the tie is broken.[133] As set forth in Article VI of the Plan, following the selection of the Initial Plan Processor, the Participants will file with the Commission a statement identifying the Initial Plan Processor and including the information required by Rule 608.[134]

5. Functions and Activities of the CAT System

a. Plan Processor

Article VI describes the responsibilities of the selected Plan Processor. The Company, under the direction of the Operating Committee, will enter into one or more agreements with the Plan Processor obligating the Plan Processor to perform the functions and duties contemplated by the Plan to be performed by the Plan Processor, as well as such other functions and duties the Operating Committee deems necessary or appropriate.[135]

As set forth in the Plan, the Plan Processor is required to develop and, with the prior approval of the Operating Committee, implement policies, procedures, and control structures related to the CAT System that are consistent with Rule 613(e)(4), Appendix C and Appendix D.[136] The Plan Processor will: (1) Comply with applicable provisions of 15 U.S. Code § 78u-6 (Securities Whistleblower Incentives and Protection) and the recordkeeping requirements of Rule 613(e)(8); (2) consistent with Appendix D, Central Repository Requirements, ensure the effective management and operation of the Central Repository; (3) consistent with Appendix D, Data Management, ensure the accuracy of the consolidation of the CAT Data [137] reported to the Central Repository; and (4) consistent with Appendix D, Upgrade Process and Development of New Functionality, design and implement appropriate policies and procedures governing the determination to develop new functionality for the CAT including, among other requirements, a mechanism by which changes can be suggested by Advisory Committee members, Participants, or the Commission.[138] Such policies and procedures also shall: (1) Provide for the escalation of reviews of proposed technological changes and upgrades to the Operating Committee; and (2) address the handling of surveillance, including coordinated, Rule 17d-2 under the Exchange Act or Regulatory Surveillance Agreement(s) (“RSA”) surveillance queries and requests for data.[139] Any policy, procedure or standard (and any material modification or amendment thereto) applicable primarily to the performance of the Plan Processor's duties as the Plan Processor (excluding any policies, procedures or standards generally applicable to the Plan Processor's operations and employees) will become effective only upon approval by the Operating Committee.[140] The Plan Processor also will, subject to the prior approval of the Operating Committee, establish appropriate procedures for escalation of matters to the Operating Committee.[141] In addition to other policies, procedures and standards generally applicable to the Plan Processor's employees and contractors, the Plan Processor will have hiring standards and will conduct and enforce background checks (e.g., fingerprint-based) for all of its employees and contractors to ensure the protection, safeguarding and security of the facilities, systems, networks, equipment and data of the CAT System, and will have an insider and external threat policy to detect, monitor and remedy cyber and other threats.[142]

The Plan Processor will enter into appropriate Service Level Agreements (“SLAs”) governing the performance of the Central Repository, as generally described in Appendix D, Functionality of the CAT System, with the prior approval of the Operating Committee.[143] The Plan Processor in conjunction with the Operating Committee will regularly review and, as necessary, update the SLAs, in accordance with the terms of the SLAs.[144] As further contemplated in Appendix C, System Service Level Agreements (SLAs), and in Appendix D, System SLAs, the Plan Processor may enter into appropriate service level agreements with third parties applicable to the Plan Processor's functions related to the CAT System (“Other SLAs”), with the prior approval of the Operating Committee.[145] The CCO and/or the Independent Auditor will, in conjunction with the Plan Processor, and as necessary the Operating Committee, regularly review and, as necessary, update the Other SLAs, in accordance with the terms of the applicable Other SLA.[146] In addition, the Plan Processor: (1) Will, on an ongoing basis and consistent with any applicable policies and procedures, evaluate and implement potential system changes and upgrades to maintain and improve the normal day-to-day operating function of the CAT System; [147] (2) in consultation with the Operating Committee, will, on an as needed basis and consistent with any applicable operational and escalation policies and procedures, implement such material system changes and upgrades as may be required to ensure effective functioning of the CAT System; [148] and (3) in consultation with the Operating Committee, will, on an as needed basis, implement system changes and upgrades to the CAT System to ensure compliance with applicable laws, regulations or rules (including those promulgated by the SEC or any Participant).[149] Furthermore, the Plan Processor will develop and, with the prior approval of the Operating Committee, implement a securities trading policy, as well as necessary procedures, control structures and tools to enforce this policy.[150]

In addition, the Plan Processor will provide the Operating Committee regular reports on the CAT System's operation and maintenance.[151] Furthermore, upon request of the Operating Committee or any Subcommittee, the Plan Processor will attend any meetings of the Operating Committee or such Subcommittee.[152]

The Plan Processor may appoint such officers of the Plan Processor as it deems necessary and appropriate to perform its functions under the Plan and Rule 613.[153] The Plan Processor, however, will be required to appoint, at a minimum, the CCO, the CISO, and the Independent Auditor.[154] The Operating Committee, by Supermajority Vote, will approve any appointment or removal of the CCO, CISO, or the Independent Auditor.[155]

In addition to a CCO, the Plan Processor will designate at least one other employee (in addition to the person then serving as CCO), which employee the Operating Committee has previously approved, to serve temporarily as the CCO if the employee then serving as the CCO becomes unavailable or unable to serve in such capacity (including by reason of injury or illness).[156] Any person designated to serve as the CCO (including to serve temporarily) will be appropriately qualified to serve in such capacity based on the duties and responsibilities assigned to the CCO and will dedicate such person's entire working time to such service (or temporary service) except for any time required to attend to any incidental administrative matters related to such person's employment with the Plan Processor that do not detract in any material respect from such person's service as the CCO.[157] Article VI sets forth various responsibilities of the CCO. With respect to all of his or her duties and responsibilities in such capacity (including those as set forth in the Plan), the CCO will be directly responsible and will directly report to the Operating Committee, notwithstanding that she or he is employed by the Plan Processor.[158] The Plan Processor, subject to the oversight of the Operating Committee, will ensure that the CCO has appropriate resources to fulfill his or her obligations under the Plan and Rule 613.[159] The compensation (including base salary and bonus) of the CCO will be payable by the Plan Processor, but be subject to review and approval by the Operating Committee.[160] The Operating Committee will render the CCO's annual performance review.[161]

In addition to a CISO, the Plan Processor will designate at least one other employee (in addition to the person then serving as CISO), which employee the Operating Committee has previously approved, to serve temporarily as the CISO if the employee then serving as the CISO becomes unavailable or unable to serve in such capacity (including by reason of injury or illness).[162] Any person designated to serve as the CISO (including to serve temporarily) will be appropriately qualified to serve in such capacity based on the duties and responsibilities assigned to the CISO under the Plan and will dedicate such person's entire working time to such service (or temporary service) except for any time required to attend to any incidental administrative matters related to such person's employment with the Plan Processor that do not detract in any material respect from such person's service as the CISO.[163]

The Plan Processor, subject to the oversight of the Operating Committee, will ensure that the CISO has appropriate resources to fulfill the obligations of the CISO set forth in Rule 613 and in the Plan, including providing appropriate responses to questions posed by the Participants and the SEC.[164] In performing such obligations, the CISO will be directly responsible and directly report to the Operating Committee, notwithstanding that he or she is employed by the Plan Processor.[165] The compensation (including base salary and bonus) of the CISO will be payable by the Plan Processor, but be subject to review and approval by the Operating Committee, and the Operating Committee will render the CISO's annual performance review.[166] Consistent with Appendices C and D, the CISO will be responsible for creating and enforcing appropriate policies, procedures, standards, control structures and real-time tools to monitor and address data security issues for the Plan Processor and the Central Repository, as described in the Plan.[167] At regular intervals, to the extent that such information is available to the Company, the CISO will report to the Operating Committee the activities of the Financial Services Information Sharing and Analysis Center (“FS-ISAC”) or comparable bodies to the extent that the Company has joined FS-ISAC or other comparable body.[168]

The Plan Processor will afford to the Participants and the Commission such access to the Representatives of the Plan Processor as any Participant or the Commission may reasonably request solely for the purpose of performing such Person's regulatory and oversight responsibilities pursuant to the federal securities laws, rules, and regulations or any contractual obligations.[169] The Plan Processor will direct such Representatives to reasonably cooperate with any inquiry, investigation, or proceeding conducted by or on behalf of any Participant or the Commission related to such purpose.[170]

The Operating Committee will review the Plan Processor's performance under the Plan at least once each year, or more often than once each year upon the request of two or more Participants that are not Affiliated Participants.[171] The Operating Committee will notify the SEC of any determination made by the Operating Committee concerning the continuing engagement of the Plan Processor as a result of the Operating Committee's review of the Plan Processor and will provide the SEC with a copy of any reports that may be prepared in connection therewith.[172]

The Operating Committee, by Supermajority Vote, may remove the Plan Processor from such position at any time.[173] However, the Operating Committee, by Majority Vote, may remove the Plan Processor from such position at any time if it determines that the Plan Processor has failed to perform its functions in a reasonably acceptable manner in accordance with the provisions of the Plan or that the Plan Processor's expenses have become excessive and are not justified.[174] In making such a determination, the Operating Committee will consider, among other factors: (1) The reasonableness of the Plan Processor's response to requests from Participants or the Company for technological changes or enhancements; (2) results of any assessments performed pursuant to Section 6.6; (3) the timeliness of preventative and corrective information technology system maintenance for reliable and secure operations; (4) compliance with requirements of Appendix D; and (5) such other factors related to experience, technological capability, quality and reliability of service, costs, back-up facilities, failure to meet service level agreement(s) and regulatory considerations as the Operating Committee may determine to be appropriate.[175]

In addition, the Plan Processor may resign upon two years' (or such other shorter period as may be determined by the Operating Committee by Supermajority Vote) prior written notice.[176] The Operating Committee will fill any vacancy in the Plan Processor position by Supermajority Vote, and will establish a Plan Processor Selection Subcommittee to evaluate and review Bids and make a recommendation to the Operating Committee with respect to the selection of the successor Plan Processor.[177]

b. Central Repository

The Central Repository, under the oversight of the Plan Processor, and consistent with Appendix D, Central Repository Requirements, will receive, consolidate, and retain all CAT Data.[178] The Central Repository will collect (from a Securities Information Processor (“SIP”) or pursuant to an NMS plan) and retain on a current and continuing basis, in a format compatible with the Participant Data and Industry Member Data, all data, including the following: (1) Information, including the size and quote condition, on quotes, including the National Best Bid and National Best Offer for each NMS Security; [179] (2) Last Sale Reports and transaction reports reported pursuant to an effective transaction reporting plan filed with the SEC pursuant to, and meeting the requirements of, Rules 601 and 608; [180] (3) trading halts, Limit Up-Limit Down price bands and LULD indicators; [181] and (4) summary data or reports described in the specifications for each of the SIPs and disseminated by the respective SIP.[182]

Consistent with Appendix D, Data Retention Requirements, the Central Repository will retain the information collected pursuant to paragraphs (c)(7) and (e)(7) of Rule 613 in a convenient and usable standard electronic data format that is directly available and searchable electronically without any manual intervention by the Plan Processor for a period of not less than six years. Such data, when available to the Participants' regulatory Staff and the SEC, will be linked.[183] In addition, the Plan Processor will implement and comply with the records retention policy contemplated by Section 6.1(d)(i).[184]

Consistent with Appendix D, Data Access, the Plan Processor will provide Participants and the SEC access to the Central Repository (including all systems operated by the Central Repository), and access to and use of the CAT Data stored in the Central Repository, solely for the purpose of performing their respective regulatory and oversight responsibilities pursuant to the federal securities laws, rules and regulations or any contractual obligations.[185] The Plan Processor will create and maintain a method of access to the CAT Data stored in the Central Repository that includes the ability to run searches and generate reports.[186] The method in which the CAT Data is stored in the Central Repository will allow the ability to return results of queries that are complex in nature, including market reconstructions and the status of order books at varying time intervals.[187] The Plan Processor will, at least annually and at such earlier time promptly following a request by the Operating Committee, certify to the Operating Committee that only the Participants and the SEC have access to the Central Repository (other than access provided to any Industry Member for the purpose of correcting CAT Data previously reported to the Central Repository by such Industry Member).[188]

c. Data Recording and Reporting by Participants

The Plan also sets forth the requirements regarding the data recording and reporting by Participants.[189] Each Participant will record and electronically report to the Central Repository the following details for each order and each Reportable Event,[190] as applicable (“Participant Data;” also referred to as “Recorded Industry Member Data”, as discussed in the next Section):

for original receipt or origination of an order: (1) Firm Designated ID(s) (FDIs) for each customer; [191] (2) CAT-Order-ID; [192] (3) SRO-Assigned Market Participant Identifier of the Industry Member receiving or originating the order; [193] (4) date of order receipt or origination; [194] (5) time of order receipt or origination (using time stamps pursuant to Section 6.8); [195] and (6) the Material Terms of the Order.[196]

for the routing of an order: (1) CAT-Order-ID; [197] (2) date on which the order is routed; [198] (3) time at which the order is routed (using time stamps pursuant to Section 6.8); [199] (4) SRO-Assigned Market Participant Identifier of the Industry Member or Participant routing the order; [200] (5) SRO-Assigned Market Participant Identifier of the Industry Member or Participant to which the order is being routed; [201] (6) if routed internally at the Industry Member, the identity and nature of the department or desk to which the order is routed; [202] and (7) the Material Terms of the Order.[203]

for the receipt of an order that has been routed, the following information: (1) CAT-Order-ID; [204] (2) date on which the order is received; [205] (3) time at which the order is received (using time stamps pursuant to Section 6.8); [206] (4) SRO-Assigned Market Participant Identifier of the Industry Member or Participant receiving the order; [207] (5) SRO-Assigned Market Participant Identifier of the Industry Member or Participant routing the order; [208] and (6) the Material Terms of the Order.[209]

if the order is modified or cancelled: (1) CAT-Order-ID; [210] (2) date the modification or cancellation is received or originated; [211] (3) time at which the modification or cancellation is received or originated (using time stamps pursuant to Section 6.8); [212] (4) price and remaining size of the order, if modified; [213] (5) other changes in Material Terms, if modified; [214] and (6) whether the modification or cancellation instruction was given by the Customer, or was initiated by the Industry Member or Participant.[215]

if the order is executed, in whole or in part: (1) CAT-Order-ID; [216] (2) date of execution; [217] (3) time of execution (using time stamps pursuant to Section 6.8); [218] (4) execution capacity (principal, agency or riskless principal); [219] (5) execution price and size; [220] (6) the SRO-Assigned Market Participant Identifier of the Participant or Industry Member executing the order; [221] (7) whether the execution was reported pursuant to an effective transaction reporting plan or the Plan for Reporting of Consolidated Options Last Sale Reports and Quotation Information; [222] and (8) other information or additional events as may otherwise be prescribed in Appendix D, Reporting and Linkage Requirements.[223]

As contemplated in Appendix D, Data Types and Sources, each Participant will report Participant Data to the Central Repository for consolidation and storage in a format specified by the Plan Processor, approved by the Operating Committee and compliant with Rule 613.[224] As further described in Appendix D, Reporting and Linkage Requirements, each Participant is required to record the Participant Data contemporaneously with the Reportable Event.[225] In addition, each Participant must report the Participant Data to the Central Repository by 8:00 a.m. Eastern Time (“ET”) on the Trading Day following the day that the Participant recorded the Participant Data.[226] Participants may voluntarily report the Participant Data prior to the 8:00 a.m. ET deadline.[227]

Each Participant that is a national securities exchange is required to comply with the above recording and reporting requirements for each NMS Security registered or listed for trading on such exchange or admitted to unlisted trading privileges on such exchange.[228] Each Participant that is a national securities association is required to comply with the above recording and reporting requirements for each Eligible Security for which transaction reports are required to be submitted to the association.[229]

d. Data Reporting and Recording by Industry Members

The Plan also sets forth the data reporting and recording requirements for Industry Members. Specifically, subject to Section 6.4(c), and Section 6.4(d)(iii) with respect to Options Market Makers, and consistent with Appendix D, Reporting and Linkage Requirements, each Participant, through its Compliance Rule, will require its Industry Members to record and electronically report to the Central Repository for each order and each Reportable Event the information referred to in Section 6.3(d), as applicable (“Recorded Industry Member Data”)—that is, Participant Data discussed above.[230] In addition, subject to Section 6.4(c), and Section 6.4(d)(iii) with respect to Options Market Makers, and consistent with Appendix D, Reporting and Linkage Requirements, each Participant, through its Compliance Rule, will require its Industry Members to record and report to the Central Repository the following (“Received Industry Member Data” and, collectively with the Recorded Industry Member Data, “Industry Member Data”): (1) If the order is executed, in whole or in part: (a) An Allocation Report; [231] (b) SRO-Assigned Market Participant Identifier of the clearing broker or prime broker, if applicable; and (c) CAT-Order-ID of any contra-side order(s); (2) if the trade is cancelled, a cancelled trade indicator; and (3) for original receipt or origination of an order, information of sufficient detail to identify the Customer.[232]

With respect to the reporting obligations of an Options Market Maker with regard to its quotes in Listed Options, Reportable Events required pursuant to Sections 6.3(d)(ii) and (iv) will be reported to the Central Repository by an Options Exchange in lieu of the reporting of such information by the Options Market Maker.[233] Each Participant that is an Options Exchange will, through its Compliance Rule, require its Industry Members that are Options Market Makers to report to the Options Exchange the time at which a quote in a Listed Option is sent to the Options Exchange (and, if applicable, any subsequent quote modifications and/or cancellation time when such modification or cancellation is originated by the Options Market Maker).[234] Such time information also will be reported to the Central Repository by the Options Exchange in lieu of reporting by the Options Market Maker.[235]

Each Participant will, through its Compliance Rule, require its Industry Members to record and report to the Central Repository other information or additional events as prescribed in Appendix D, Reporting and Linkage Requirements.[236]

As contemplated in Appendix D, Data Types and Sources, each Participant will require its Industry Members to report Industry Member Data to the Central Repository for consolidation and storage in a format(s) specified by the Plan Processor, approved by the Operating Committee and compliant with Rule 613.[237] As further described in Appendix D, Reporting and Linkage Requirements, each Participant will require its Industry Members to record Recorded Industry Member Data contemporaneously with the applicable Reportable Event.[238] In addition, consistent with Appendix D, Reporting and Linkage Requirements, each Participant will require its Industry Members to report: (1) Recorded Industry Member Data to the Central Repository by 8:00 a.m. ET on the Trading Day following the day the Industry Member records such Recorded Industry Member Data; and (2) Received Industry Member Data to the Central Repository by 8:00 a.m. ET on the Trading Day following the day the Industry Member receives such Received Industry Member Data.[239] Each Participant will permit its Industry Members to voluntarily report Industry Member Data prior to the applicable 8:00 a.m. ET deadline.[240]

Each Participant that is a national securities exchange must require its Industry Members to report Industry Member Data for each NMS Security registered or listed for trading on such exchange or admitted to unlisted trading privileges on such exchange.[241] Each Participant that is a national securities association must require its Industry Members to report Industry Member Data for each Eligible Security for which transaction reports are required to be submitted to the association.[242]

e. Written Assessment

As described in Article VI, the Participants are required to provide the Commission with a written assessment of the operation of the CAT that meets the requirements set forth in Rule 613, Appendix D, and the Plan at least every two years or more frequently in connection with any review of the Plan Processor's performance under the Plan pursuant to Section 6.1(n).[243] The CCO will oversee this assessment and will provide the Participants a reasonable time to review and comment upon the written assessment prior to its submission to the SEC.[244] In no case will the written assessment be changed or amended in response to a comment from a Participant; rather any comment by a Participant will be provided to the SEC at the same time as the written assessment.[245]

f. Business Clock Synchronization and Timestamp

Section 6.8 of the Plan discusses the synchronization of Business Clocks [246] and timestamps.

Each Participant is required to synchronize its Business Clocks (other than such Business Clocks used solely for Manual Order Events) at a minimum to within 50 milliseconds of the time maintained by the National Institute of Standards and Technology (“NIST”), consistent with industry standards.[247] In addition, each Participant must, through its Compliance Rule, require its Industry Members to: (1) Synchronize their respective Business Clocks (other than such Business Clocks used solely for Manual Order Events) at a minimum to within 50 milliseconds of the time maintained by the NIST, and maintain such a synchronization; (2) certify periodically that their Business Clocks meet the requirements of the Compliance Rule; and (3) report to the Plan Processor and the Participant any violation of the Compliance Rule pursuant to the thresholds set by the Operating Committee.[248] Furthermore, each Participant is required to synchronize its Business Clocks and, through its Compliance Rule, require its Industry Members to synchronize their Business Clocks used solely for Manual Order Events at a minimum to within one second of the time maintained by the NIST, consistent with industry standards, and maintain such synchronization.[249] Each Participant will require its Industry Members to certify periodically (according to a schedule defined by the Operating Committee) that their Business Clocks used solely for Manual Order Events meet the requirements of the Compliance Rule.[250] The Compliance Rule of a Participant shall require its Industry Members using Business Clocks solely for Manual Order Events to report to the Plan Processor any violation of the Compliance Rule pursuant to the thresholds set by the Operating Committee.[251] Pursuant to Section 6.8(c) of the CAT NMS Plan, the CCO, in conjunction with the Participants and other appropriate Industry Member advisory groups, annually must evaluate and make a recommendation to the Operating Committee as to whether the industry standard has evolved such that the clock synchronization standard should be tightened.[252]

Appendix C discusses mechanisms to ensure compliance with the 50 millisecond clock offset tolerance.[253] The Participants anticipate that they and Industry Members will adopt policies and procedures to verify the required clock synchronization each trading day before the market opens, as well as periodically throughout the trading day.[254] The Participants also anticipate that they and Industry Members will document their clock synchronization procedures and maintain a log recording the time of each clock synchronization performed, and the result of such synchronization, specifically identifying any synchronization revealing any clock offset between the Participant's or Industry Member's Business Clock and the time maintained by the NIST exceeding 50 milliseconds.[255] The CAT NMS Plan states that once both large and small broker-dealers begin reporting to the Central Repository, and as clock synchronization technology matures further, the Participants will assess, in accordance with Rule 613, tightening the CAT's clock synchronization standards to reflect changes in industry standards.[256]

Each Participant shall, and through its Compliance Rule require its Industry Members to, report information required by Rule 613 and the Plan to the Central Repository in milliseconds.[257] To the extent that any Participant utilizes timestamps in increments finer than the minimum required by the Plan, the Participant is required to make reports to the Central Repository utilizing such finer increment when reporting CAT Data to the Central Repository so that all Reportable Events reported to the Central Repository could be adequately sequenced. Each Participant will, through its Compliance Rule: (1) Require that, to the extent that its Industry Members utilize timestamps in increments finer than the minimum required in the Plan, such Industry Members will utilize such finer increment when reporting CAT Data to the Central Repository; and (2) provide that a pattern or practice of reporting events outside of the required clock synchronization time period without reasonable justification or exceptional circumstances may be considered a violation of SEC Rule 613 and the Plan.[258] Notwithstanding the preceding sentences, each Participant and Industry Member will be permitted to record and report Manual Order Events to the Central Repository in increments up to and including one second, provided that Participants and Industry Members will be required to record and report the time when a Manual Order Event has been captured electronically in an order handling and execution system of such Participant or Industry Member (“Electronic Capture Time”) in milliseconds.[259] In conjunction with Participants' and other appropriate Industry Member advisory groups, the CCO will annually evaluate and make a recommendation to the Operating Committee as to whether industry standards have evolved such that the required synchronization should be shortened or the required timestamp should be in finer increments.[260] The Operating Committee will make determinations regarding the need to revise the synchronization and timestamp requirements.[261]

g. Technical Specifications

Section 6.9 of the Plan establishes the requirements involving the Plan Processor's Technical Specifications. The Plan Processor will publish Technical Specifications that are at a minimum consistent with Appendices C and D, and updates thereto as needed, providing detailed instructions regarding the submission of CAT Data by Participants and Industry Members to the Plan Processor for entry into the Central Repository.[262] The Technical Specifications will be made available on a publicly available Web site to be developed and maintained by the Plan Processor.[263] The initial Technical Specifications and any Material Amendments thereto will require the approval of the Operating Committee by Supermajority Vote.[264]

The Technical Specifications will include a detailed description of the following: (1) The specifications for the layout of files and records submitted to the Central Repository; (2) the process for the release of new data format specification changes; (3) the process for industry testing for any changes to data format specifications; (4) the procedures for obtaining feedback about and submitting corrections to information submitted to the Central Repository; (5) each data element, including permitted values, in any type of report submitted to the Central Repository; (6) any error messages generated by the Plan Processor in the course of validating the data; (7) the process for file submissions (and re-submissions for corrected files); (8) the storage and access requirements for all files submitted; (9) metadata requirements for all files submitted to the CAT System; (10) any required secure network connectivity; (11) data security standards, which will, at a minimum: (a) Satisfy all applicable regulations regarding database security, including provisions of Regulation Systems Compliance and Integrity under the Exchange Act (“Reg SCI”); (b) to the extent not otherwise provided for under the Plan (including Appendix C thereto), set forth such provisions as may be necessary or appropriate to comply with Rule 613(e)(4); and (c) comply with industry best practices; and (12) any other items reasonably deemed appropriate by the Plan Processor and approved by the Operating Committee.[265]

Amendments to the Technical Specifications may be made only in accordance with Section 6.9(c).[266] The process for amending the Technical Specifications varies depending on whether the change is material. An amendment will be deemed “material” if it would require a Participant or an Industry Member to engage in significant changes to the coding necessary to submit information to the Central Repository pursuant to the Plan, or if it is required to safeguard the security or confidentiality of the CAT Data.[267] Except for Material Amendments to the Technical Specifications, the Plan Processor will have the sole discretion to amend and publish interpretations regarding the Technical Specifications; however, all non-Material Amendments made to the Technical Specifications and all published interpretations will be provided to the Operating Committee in writing at least ten days before being published.[268] Such non-Material Amendments and published interpretations will be deemed approved ten days following provision to the Operating Committee unless two or more unaffiliated Participants call for a vote to be taken on the proposed amendment or interpretation.[269] If an amendment or interpretation is called for a vote by two or more unaffiliated Participants, the proposed amendment must be approved by Majority Vote of the Operating Committee.[270] Once a non-Material Amendment has been approved or deemed approved by the Operating Committee, the Plan Processor will be responsible for determining the specific changes to the Central Repository and providing technical documentation of those changes, including an implementation timeline.[271]

Material Amendments to the Technical Specifications require approval of the Operating Committee by Supermajority Vote.[272] The Operating Committee, by Supermajority Vote, may amend the Technical Specifications on its own motion.[273]

h. Surveillance

Surveillance requirements are described in Section 6.10. Using the tools provided for in Appendix D, Functionality of the CAT System, each Participant will develop and implement a surveillance system, or enhance existing surveillance systems, reasonably designed to make use of the consolidated information contained in the Central Repository.[274] Unless otherwise ordered by the SEC, within fourteen months after the Effective Date, each Participant must initially implement a new or enhanced surveillance system(s) as required by Rule 613 and Section 6.10(a) of the Plan.[275] Participants may, but are not required to, coordinate surveillance efforts through the use of regulatory services agreements and agreements adopted pursuant to Rule 17d-2 under the Exchange Act.[276]

Consistent with Appendix D, Functionality of the CAT System, the Plan Processor will provide Participants and the SEC with access to all CAT Data stored in the Central Repository. Regulators will have access to processed CAT Data through two different methods: (1) An online targeted query tool; and (2) user-defined direct queries and bulk extracts.[277] The online targeted query tool will provide authorized users with the ability to retrieve CAT Data via an online query screen that includes the ability to choose from a variety of pre-defined selection criteria.[278] Targeted queries must include date(s) and/or time range(s), as well as one or more of a variety of fields.[279] The user-defined direct queries and bulk extracts will provide authorized users with the ability to retrieve CAT Data via a query tool or language that allows users to query all available attributes and data sources.[280]

Extraction of CAT Data will be consistent with all permission rights granted by the Plan Processor.[281] All CAT Data returned will be encrypted, and PII data [282] will be masked unless users have permission to view the PII contained in the CAT Data that has been requested.[283]

The Plan Processor will implement an automated mechanism to monitor direct query usage.[284] Such monitoring will include automated alerts to notify the Plan Processor of potential issues with bottlenecks or excessively long queues for queries or CAT Data extractions.[285] The Plan Processor will provide the Operating Committee or its designee(s) details as to how the monitoring will be accomplished and the metrics that will be used to trigger alerts.[286]

The Plan Processor will reasonably assist regulatory Staff (including those of Participants) with creating queries.[287] Without limiting the manner in which regulatory Staff (including those of Participants) may submit queries, the Plan Processor will submit queries on behalf of regulatory Staff (including those of Participants) as reasonably requested.[288] The Plan Processor will staff a CAT help desk, as described in Appendix D, CAT Help Desk, to provide technical expertise to assist regulatory Staff (including those of Participants) with questions about the content and structure of the CAT Data.[289]

i. Information Security Program

As set forth in Section 6.12, the Plan Processor is required to develop and maintain a comprehensive information security program for the Central Repository that contains, at a minimum, the specific requirements detailed in Appendix D, Data Security. The information security program must be approved and reviewed at least annually by the Operating Committee.[290]

6. Financial Matters

Articles VII and VIII of the Plan address certain financial matters related to the Company. In particular, the Plan states that, subject to certain special allocations provided for in Section 8.2, any net profit or net loss will be allocated among the Participants equally.[291] In addition, subject to Section 10.2, cash and property of the Company will not be distributed to the Participants unless the Operating Committee approves by Supermajority Vote a distribution after fully considering the reason that such distribution must or should be made to the Participants, including the circumstances contemplated under Section 8.3, Section 8.6, and Section 9.3.[292] To the extent a distribution is made, all Participants will participate equally in any such distribution except as otherwise provided in Section 10.2.[293]

Article XI addresses the funding of the Company. On an annual basis the Operating Committee will approve an operating budget for the Company.[294] The budget will include the projected costs of the Company, including the costs of developing and operating the CAT System for the upcoming year, and the sources of all revenues to cover such costs, as well as the funding of any reserve that the Operating Committee reasonably deems appropriate for prudent operation of the Company.[295]

Subject to certain funding principles set forth in Article XI, the Operating Committee will have discretion to establish funding for the Company, including: (1) Establishing fees that the Participants will pay; and (2) establishing fees for Industry Members that will be implemented by Participants.[296] In establishing the funding of the Company, the Operating Committee will seek to: (1) Create transparent, predictable revenue streams for the Company that are aligned with the anticipated costs to build, operate and administer the CAT and the other costs of the Company; (2) establish an allocation of the Company's related costs among Participants and Industry Members that is consistent with the Exchange Act, taking into account the timeline for implementation of the CAT and distinctions in the securities trading operations of Participants and Industry Members and their relative impact upon Company resources and operations; (3) establish a tiered fee structure in which the fees charged to: (a) CAT Reporters that are Execution Venues, including Alternative Trading Systems (“ATSs”), are based upon the level of market share, (b) Industry Members' non-ATS activities are based upon message traffic, and (c) the CAT Reporters with the most CAT-related activity (measured by market share and/or message traffic, as applicable) are generally comparable (where, for these comparability purposes, the tiered fee structure takes into consideration affiliations between or among CAT Reporters, whether Execution Venues and/or Industry Members); (4) provide for ease of billing and other administrative functions; (5) avoid any disincentives such as placing an inappropriate burden on competition and a reduction in market quality; and (6) build financial stability to support the Company as a going concern.[297] The Participants will file with the SEC under Section 19(b) of the Exchange Act any such fees on Industry Members that the Operating Committee approves, and such fees will be labeled as “Consolidated Audit Trail Funding Fees.” [298]

To fund the development and implementation of the CAT, the Company will time the imposition and collection of all fees on Participants and Industry Members in a manner reasonably related to the timing when the Company expects to incur such development and implementation costs.[299] In determining fees for Participants and Industry Members, the Operating Committee shall take into account fees, costs and expenses (including legal and consulting fees and expenses) incurred by the Participants on behalf of the Company prior to the Effective Date in connection with the creation and implementation of the CAT, and such fees, costs and expenses shall be fairly and reasonably shared among the Participants and Industry Members.[300] Consistent with Article XI, the Operating Committee will adopt policies, procedures, and practices regarding the budget and budgeting process, assignment of tiers, resolution of disputes, billing and collection of fees, and other related matters.[301] As a part of its regular review of fees for the CAT, the Operating Committee will have the right to change the tier assigned to any particular Person pursuant to this Article XI.[302] Any such changes will be effective upon reasonable notice to such Person.[303]

The Operating Committee will establish fixed fees to be payable by Execution Venues as follows. Each Execution Venue that executes transactions, or, in the case of a national securities association, has trades reported by its members to its trade reporting facility or facilities for reporting transactions effected otherwise than on an exchange, in NMS Stocks or OTC Equity Securities will pay a fixed fee depending on the market share of that Execution Venue in NMS Stocks and OTC Equity Securities.[304] The Operating Committee will establish at least two and no more than five tiers of fixed fees, based on an Execution Venue's NMS Stocks and OTC Equity Securities market share.[305] For these purposes, market share will be calculated by share volume.[306] In addition, each Execution Venue that executes transactions in Listed Options will pay a fixed fee depending on the Listed Options market share of that Execution Venue.[307] The Operating Committee will establish at least two and no more than five tiers of fixed fees, based on an Execution Venue's Listed Options market share, with market share calculated by contract volume.[308] Changes to the number of tiers after approval of the Plan would require a Supermajority Vote of the Operating Committee and Commission approval under Section 19(b) of the Exchange Act, as would the establishment of the initial fee schedule and any changes to the fee schedule within the tier structure.[309]

The Operating Committee also will establish fixed fees payable by Industry Members, based on the message traffic generated by such Industry Member.[310] The Operating Committee will establish at least five and no more than nine tiers of fixed fees, based on message traffic.[311] For the avoidance of doubt, the fixed fees payable by Industry Members pursuant to this paragraph will, in addition to any other applicable message traffic, include message traffic generated by: (1) An ATS that does not execute orders that is sponsored by such Industry Member; and (2) routing orders to and from any ATS system sponsored by such Industry Member.[312]

Furthermore, the Operating Committee may establish any other fees ancillary to the operation of the CAT that it reasonably determines appropriate, including: fees for the late or inaccurate reporting of information to the CAT; fees for correcting submitted information; and fees based on access and use of the CAT for regulatory and oversight purposes (and not including any reporting obligations).[313]

The Company will make publicly available a schedule of effective fees and charges adopted pursuant to the Plan as in effect from time to time.[314] Such schedule will be developed after the Plan Processor is selected.[315] The Operating Committee will review the fee schedule on at least an annual basis and will make any changes to such fee schedule that it deems appropriate.[316] The Operating Committee is authorized to review the fee schedule on a more regular basis, but will not make any changes on more than a semi-annual basis unless, pursuant to a Supermajority Vote, the Operating Committee concludes that such change is necessary for the adequate funding of the Company.[317]

The Operating Committee will establish a system for the collection of fees authorized under the Plan.[318] The Operating Committee may include such collection responsibility as a function of the Plan Processor or another administrator.[319] Alternatively, the Operating Committee may use the facilities of a clearing agency registered under Section 17A of the Exchange Act to provide for the collection of such fees.[320]

Each Participant will require each Industry Member to pay all applicable fees authorized under Article XI within thirty days after receipt of an invoice or other notice indicating payment is due (unless a longer payment period is otherwise indicated).[321] If an Industry Member fails to pay any such fee when due, such Industry Member will pay interest on the outstanding balance from such due date until such fee is paid at a per annum rate equal to the lesser of: (1) The Prime Rate plus 300 basis points; or (2) the maximum rate permitted by applicable law.[322] Each Participant will pay all applicable fees authorized under Article XI as required by Section 3.7(b).[323]

Disputes with respect to fees the Company charges Participants pursuant to Article XI will be determined by the Operating Committee or a Subcommittee designated by the Operating Committee.[324] Decisions by the Operating Committee on such matters shall be binding on Participants, without prejudice to the rights of any Participant to seek redress from the SEC pursuant to SEC Rule 608 or in any other appropriate forum.[325] The Participants will adopt rules requiring that disputes with respect to fees charged to Industry Members pursuant to Article XI be determined by the Operating Committee or a Subcommittee.[326] Decisions by the Operating Committee or Subcommittee on such matters will be binding on Industry Members, without prejudice to the rights of any Industry Member to seek redress from the SEC pursuant to SEC Rule 608 or in any other appropriate forum.[327]

7. Amendments

Section 12.3 of the CAT NMS Plan, which governs amendments to the Plan, states that, except with respect to the addition of new Participants (Section 3.3), the transfer of Company Interest (Section 3.4), the termination of a Participant's participation in the Plan (Section 3.7), amendments to the Selection Plan (Section 5.3 [sic]) and special allocations (Section 8.2), any change to the Plan requires a written amendment authorized by the affirmative vote of not less than two-thirds of all of the Participants, or with respect to Section 3.8 by the affirmative vote of all the Participants.[328] Such proposed amendment must be approved by the Commission pursuant to Rule 608 or otherwise becomes effective under Rule 608.[329] Notwithstanding the foregoing, to the extent that the Commission grants exemptive relief applicable to any provision of the LLC Agreement, Participants and Industry Members will be entitled to comply with such provision pursuant to the terms of the exemptive relief so granted at the time such relief is granted irrespective of whether the LLC Agreement has been amended.[330]

8. Compliance Rule Applicable to Industry Members

Under Article III, each Participant agrees to comply with and enforce compliance by its Industry Members with the provisions of Rule 613 and the Plan, as applicable, to the Participant and its Industry Members.[331] Accordingly, the Participants will endeavor to promulgate consistent rules (after taking into account circumstances and considerations that may impact Participants differently) requiring compliance by their respective Industry Members with the provisions of Rule 613 and the Plan.[332]

9. Plan Appendices

The Plan includes three appendices.[333] Appendix A provides the Consolidated Audit Trail National Market System Plan Request for Proposal, as issued February 26, 2013 and subsequently updated. In addition, Rule 613(a)(1) requires that the Plan discuss twelve considerations that explain the choices made by the Participants to meet the requirements specified in Rule 613 for the CAT. In accordance with this requirement, the Participants have addressed each of the twelve considerations in Appendix C. Finally, Appendix D describes the technical requirements for the Plan Processor.

As mentioned, Appendix C discusses the various “considerations” regarding how the Participants propose to develop and implement the CAT required to be discussed by Rule 613.[334] These considerations include: (i) The reporting of data to the Central Repository, including the sources of the data and the manner in which the Central Repository will receive, extract, transform, load, and retain the data; (ii) the time and method by which the data in the Central Repository will be made available to regulators; (iii) the reliability and accuracy of the data reported to and maintained by the Central Repository throughout its lifecycle; (iv) the security and confidentiality of the information reported to the Central Repository; (v) the flexibility and scalability of the systems used by the Central Repository to collect, consolidate and store CAT Data; (vi) the feasibility, benefits and costs of broker-dealers reporting certain information to the CAT in a timely manner; (vii) an analysis of expected benefits and estimated costs for creating, implementing, and maintaining the CAT pursuant to the proposed CAT NMS Plan; (viii) an analysis of the proposed CAT NMS Plan's impact on competition, efficiency, and capital formation; (ix) a plan to eliminate rules and systems that will be rendered duplicative by the CAT; (x) objective milestones to assess progress toward the implementation of the proposed CAT NMS Plan; (xi) the process by which Participants solicited views of members and other parties regarding creation, implementation, and maintenance of CAT and a summary of these views and how the Participants took them into account in preparing the CAT NMS Plan; and (xii) a discussion of reasonable alternative approaches that the Participants considered to create, implement, and maintain the CAT.[335]

The technical requirements discussed in Appendix D to the CAT NMS Plan, CAT NMS Plan Processor Requirements, include an outline of minimum functional and technical requirements established by the Participants of the CAT NMS Plan for the Plan Processor. Appendix D provides the Plan Processor with details and guidelines for compliance with the requirements contained in Article VI that are not expressly stated therein.

Appendix D also outlines technical architecture, capacity and data retention requirements for the Central Repository,[336] as well as describes the types of data that would be reported to the Central Repository and the sources of such information.[337] The Appendix outlines specific requirements relating to reporting data, linking data, validating and processing data and timing for availability to regulators.[338] Appendix D further discusses how regulators would be able to access and use the data.[339] It also provides requirements related to data security, and specific requirements governing how Customer and Customer Account Information must be captured and stored, separate from transactional data.[340] Appendix D outlines requirements for the Plan Processor's disaster recovery and business continuity plans.[341] Finally, Appendix D describes plans for technical, operational, and business support to CAT Reporters for all aspects of reporting, and describes how upgrades and new functionality would be incorporated.[342]

10. Reporting Procedures

The CAT NMS Plan requires CAT Reporters to comply with specific reporting procedures when reporting CAT Data to the Central Repository.[343] Specifically, CAT Reporters must format CAT Data to comply with the format specifications approved by the Operating Committee.[344] CAT Reporters must record CAT Data contemporaneously with the applicable Reportable Event [345] and report such data to the Central Repository by 8:00 a.m. ET on the next Trading Day.[346] The obligation to report CAT Data applies to “each NMS Security registered or listed for trading on [a national securities] exchange or admitted to unlisted trading privileges on such exchange,” and “each Eligible Security for which transaction reports are required to be submitted to such [national securities] association.” [347] Further, the Participants are required to adopt Compliance Rules [348] that require Industry Members, subject to their SRO jurisdiction, to report CAT Data.[349]

The CAT NMS Plan requires specific data elements of CAT Data that must be recorded and reported to the Central Repository upon: (i) “original receipt or origination of an order,” [350] (ii) “routing of an order,” [351] and (iii) “receipt of an order that has been routed.” [352] Additionally, the CAT NMS Plan requires that a CAT Reporter must record and report data related to an “order [that] is modified or cancelled,” [353] and an “order [that] is executed, in whole or in part,” [354] as well as “other information or additional events as may be prescribed in Appendix D, Reporting and Linkage Requirements.” [355] The CAT NMS Plan also requires Industry Member CAT Reporters to report additional data elements for (i) an “order [that] is executed, in whole or in part,” [356] (ii) a “trade [that] is cancelled,” [357] or (iii) “original receipt or origination of an order.” [358] Further, each Participant shall, through Compliance Rules, require Industry Members to record and report to the Central Repository information or additional events as may be prescribed to accurately reflect the complete lifecycle of each Reportable Event.[359]

11. Timeliness of Data Reporting

Section 6.3(b)(ii) of the CAT NMS Plan requires each Participant to report Participant Data to the Central Repository by 8:00 a.m. ET on the Trading Day following the day the Participant records such data.[360] Additionally, a Participant may voluntarily report such data prior to this deadline.[361] Section 6.4(b)(ii) states that each Participant shall, through its Compliance Rule, require its Industry Members to report Recorded Industry Member Data to the Central Repository by 8:00 a.m. ET on the Trading Day following the day the Industry Member records such data, and Received Industry Member Data to the Central Repository by 8:00 a.m. ET on the Trading Day following the day the Industry Member receives such data.[362] Section 6.4(b)(ii) of the CAT NMS Plan also states that each Participant shall, through its Compliance Rule, permit its Industry Members to voluntarily report such data prior to the applicable 8:00 a.m. ET deadline.[363]

12. Uniform Format

The CAT NMS Plan does not mandate the format in which data must be reported to the Central Repository.[364] Appendix D states that the Plan Processor will determine the electronic format in which data must be reported, and that the format will be described in the Technical Specifications.[365] Appendix C specifies that CAT Reporters could be required to report data either in a uniform electronic format, or in a manner that would allow the Central Repository to convert the data to a uniform electronic format, for consolidation and storage.[366] Similarly, Sections 6.3(a) and 6.4(a) of the CAT NMS Plan require that CAT Reporters report data to the Central Repository in a format or formats specified by the Plan Processor, approved by the Operating Committee, and compliant with Rule 613.[367]

The CAT NMS Plan requires that data reported to the Central Repository be stored in an electronic standard format.[368] Specifically, Section 6.5(b)(i) of the CAT NMS Plan requires the Central Repository to retain the information collected pursuant to Rule 613(c)(7) and (e)(7) in a convenient and usable standard electronic data format that is directly available and searchable electronically without any manual intervention by the Plan Processor for a period of not less than six (6) years.[369] Such data must be linked when it is made available to the Participant's regulatory Staff and the Commission.[370]

13. Symbology

The CAT NMS Plan also addresses the symbology that CAT Reporters must use when reporting CAT Data. The CAT NMS Plan requires CAT Reporters to report data using the listing exchange's symbology. The CAT NMS Plan requires the Plan Processor to create and maintain a symbol history and mapping table, as well as provide a tool to regulators and CAT Reporters showing the security's complete symbol history, along with a start-of-day and end-of-day list of reportable securities for use by CAT Reporters, in .csv format, by 6:00 a.m. on each trading day.[371] The Participants will be responsible for providing the Plan Processor with issue symbol information, and issue symbol validation must be included in the processing of data submitted by CAT Reporters.[372]

14. CAT-Reporter-ID

Sections 6.3 and 6.4 of the CAT NMS Plan require CAT Reporters to record and report to the Central Repository an SRO-Assigned Market Participant Identifier [373] for orders and certain Reportable Events to be used by the Central Repository to assign a unique CAT-Reporter-ID [374] for purposes of identifying each CAT Reporter associated with an order or Reportable Event (the “Existing Identifier Approach”).[375] The CAT NMS Plan requires the reporting of SRO-Assigned Market Participant Identifiers of: The Industry Member receiving or originating an order; [376] the Industry Member or Participant from which (and to which) an order is being routed; [377] the Industry Member or Participant receiving (and routing) a routed order; [378] the Industry Member or Participant executing an order, if an order is executed; [379] and the clearing broker or prime broker, if applicable, if an order is executed.[380] An Industry Member would report to the Central Repository its existing SRO-Assigned Market Participant Identifier used by the relevant SRO specifically for transactions occurring at that SRO.[381] Similarly, an exchange reporting CAT Reporter information would report data using the SRO-Assigned Market Participant Identifier used by the Industry Member on that exchange or its systems.[382] Over-the-counter (“OTC”) orders and Reportable Events would be reported with an Industry Member's FINRA SRO-Assigned Market Participant Identifier.[383]

The CAT NMS Plan requires the Plan Processor to develop and maintain the mechanism to assign (and to change, if necessary) CAT-Reporter-IDs.[384] For the Central Repository to link the SRO-Assigned Market Participant Identifier to the CAT-Reporter-ID, each SRO must submit, on a daily basis, all SRO-Assigned Market Participant Identifiers used by its Industry Members (or itself), as well as information to identify the corresponding market participant (for example, a CRD number or Legal Entity Identifier (“LEI”)) to the Central Repository.[385] Additionally, each Industry Member shall be required to submit to the Central Repository information sufficient to identify such Industry Member (e.g., CRD number or LEI, as noted above).[386] The Plan Processor would use the SRO-Assigned Market Participant Identifiers and identifying information (i.e., CRD number or LEI) to assign a CAT-Reporter-ID to each Industry Member and SRO for internal use across all data within the Central Repository.[387] The Plan Processor would create and maintain a database in the Central Repository that would map the SRO-Assigned Market Participant Identifiers to the appropriate CAT-Reporter-ID.[388]

The CAT must be able to capture, store, and maintain current and historical SRO-Assigned Market Participant Identifiers.[389] The SRO-Assigned Market Participant Identifier must also be included on the Plan Processor's acknowledgment of its receipt of data files from a CAT Reporter or Data Submitter,[390] on daily statistics provided by the Plan Processor after the Central Repository has processed data,[391] and on a secure Web site that the Plan Processor would maintain that would contain each CAT Reporter's daily reporting statistics.[392] In addition, data validations by the Plan Processor must include confirmation of a valid SRO-Assigned Market Participant Identifier.[393]

15. Customer-ID

a. Customer Information Approach

Rule 613(c)(7)(i)(A) requires that for the original receipt or origination of an order, a CAT Reporter report the “Customer-ID(s) for each Customer.” [394] “Customer-ID” is defined in Rule 613(j)(5) to mean “with respect to a customer, a code that uniquely and consistently identifies such customer for purposes of providing data to the Central Repository.” [395] Rule 613(c)(8) requires that “[a]ll plan sponsors and their members shall use the same Customer-ID and CAT-Reporter-ID for each customer and broker-dealer.” [396]

In Appendix C, the Participants describe the “Customer Information Approach,” [397] an alternative approach to the requirement that a broker-dealer report a Customer-ID for every Customer upon original receipt or origination of an order.[398] Under the Customer Information Approach, the CAT NMS Plan would require each broker-dealer to assign a unique Firm Designated ID to each Customer.[399] As the Firm Designated ID, broker-dealers would be permitted to use an account number or any other identifier defined by the firm, provided each identifier is unique across the firm for each business date (i.e., a single firm may not have multiple separate customers with the same identifier on any given date).[400] According to the CAT NMS Plan, broker-dealers would submit an initial set of Customer information to the Central Repository, including, as applicable, the Firm Designated ID, the Customer's name, address, date of birth, individual tax payer identifier number (“ITIN”)/social security number (“SSN”), individual's role in the account (e.g., primary holder, joint holder, guardian, trustee, person with power of attorney) and LEI,[401] and/or Large Trader ID (“LTID”), if applicable, which would be updated as set forth in the CAT NMS Plan.[402]

Under the Customer Information Approach, broker-dealers would be required to report only the Firm Designated ID for each new order submitted to the Central Repository, rather than the “Customer-ID” as defined by Rule 613(c)(j)(5) and as required by Rule 613(c)(7)(i)(A), and the Plan Processor would associate specific Customers and their Customer-IDs with individual order events based on the reported Firm Designated IDs.[403] Within the Central Repository, each Customer would be uniquely identified by identifiers or a combination of identifiers such as an ITIN/SSN, date of birth, and, as applicable, LEI and LTID.[404] The Plan Processor would be required to use these unique identifiers to map orders to specific Customers across all broker-dealers.[405] To ensure information identifying a Customer is updated, broker-dealers would be required to submit to the Central Repository daily updates for reactivated accounts, newly established or revised Firm Designated IDs, or associated reportable Customer information.[406]

Appendix C provides additional requirements that the Plan Processor must meet under the Customer Information Approach.[407] The Plan Processor must maintain information of sufficient detail to uniquely and consistently identify each Customer across all CAT Reporters, and associated accounts from each CAT Reporter, and must document and publish, with the approval of the Operating Committee, the minimum list of attributes to be captured to maintain this association.[408] In addition, the Plan Processor must maintain valid Customer and Customer Account Information [409] for each trading day and provide a method for Participants and the Commission to easily obtain historical changes to that information (e.g., name changes, address changes).[410] The Plan Processor also must design and implement a robust data validation process for submitted Firm Designated IDs, Customer Account Information and Customer Identifying Information, and be able to link accounts that move from one CAT Reporter to another due to mergers and acquisitions, divestitures, and other events.[411] Under the Customer Information Approach, Industry Members will initially submit full account lists for all active accounts to the Plan Processor and subsequently submit updates and changes on a daily basis.[412] Finally, the Plan Processor must have a process to periodically receive full account lists to ensure the completeness and accuracy of the account database.[413]

b. Account Effective Date vs. Account Open Date

Rule 613(c)(7)(viii)(B) requires broker-dealers to report to the Central Repository “Customer Account Information” upon the original receipt or origination of an order.[414] The CAT NMS Plan defines “Customer Account Information” to include, in part, the Customer's account number, account type, customer type, date account opened and LTID (if applicable).[415] The Plan, however, provides that in two limited circumstances, a broker-dealer could report the “Account Effective Date” in lieu of the date an account was opened.[416] The first circumstance is where a relationship identifier—rather than an actual parent account—has been established for an institutional Customer relationship.[417] In this case, no account open date is available for the institutional Customer parent relationship because there is no parent account, and for the same reason, there is no account number or account type available.[418] Thus, the Plan provides that in this circumstance, a broker-dealer could report the “Account Effective Date” of the relationship in lieu of an account open date.[419] Further, the Plan provides that where such an institutional Customer relationship was established before the broker-dealer's obligation to report audit trail data, the “Account Effective Date” would be either (i) the date the broker-dealer established the relationship identifier, or (ii) the date when trading began (i.e., the date the first order was received) using the relevant relationship identifier, and if both dates are available and differ, the earlier date.[420] Where such relationships are established after the broker-dealer's obligation to report audit trail data is required, the “Account Effective Date” would be the date the broker-dealer established the relationship identifier and would be no later than the date the first order was received.[421] Regardless of when the relationship was established for such institutional Customers, the Plan provides that broker-dealers may report the relationship identifier in place of Rule 613(c)(7)(viii)(B)'s requirement to report the “account number,” and report “relationship” in place of “account type.”[422]

The second circumstance where a broker-dealer may report the “Account Effective Date” rather than the date an account was opened as required in Rule 613(c)(7)(viii)(B) is when particular legacy system data issues prevent a broker-dealer from providing an account open date for any type of account (i.e., institutional, proprietary or retail) that was established before the CAT's implementation.[423] According to the Plan, these legacy system data issues may arise because:

(1) A broker-dealer has switched back office providers or clearing firms and the new back office/clearing firm system identifies the account open date as the date the account was opened on the new system;

(2) A broker-dealer is acquired and the account open date becomes the date that an account was opened on the post-merger back office/clearing firm system;

(3) Certain broker-dealers maintain multiple dates associated with accounts in their systems and do not designate in a consistent manner which date constitutes the account open date, as the parameters of each date are determined by the individual broker-dealer; or

(4) No account open date exists for a proprietary account of a broker-dealer.[424]

Thus, when legacy systems data issues arise due to one of the four reasons above and no account open date is available, the Plan provides that broker-dealers would be permitted to report an “Account Effective Date” in lieu of an account open date.[425] When the legacy systems data issues and lack of account open date are attributable to above reasons (1) or (2), the “Account Effective Date” would be the date the account was established, either directly or via a system transfer, at the relevant broker-dealer.[426] When the legacy systems data issues and lack of account open date are attributable to above reason (3), the “Account Effective Date” would be the earliest available date.[427] When the legacy systems data issues and lack of account open date are attributable to above reason (4), the “Account Effective Date” would be (i) the date established for the proprietary account in the broker-dealer or its system(s), or (ii) the date when proprietary trading began in the account, i.e., the date on which the first order was submitted from the account.[428]

c. Modification/Cancellation

Rule 613(c)(7)(iv)(F) requires that “[t]he CAT-Reporter-ID of the broker-dealer or Customer-ID of the person giving the modification or cancellation instruction” be reported to the Central Repository.[429] Because the Customer Information Approach no longer requires, as permitted by the Exemption Order, that a Customer-ID be reported upon original receipt or origination of an order, and because reporting the Customer-ID of the specific person that gave the modification or cancellation instruction would result in an inconsistent level of information regarding the identity of the person giving the modification or cancellation instruction versus the identity of the Customer that originally received or originated an order, Section 6.3(d)(iv)(F) of the CAT NMS Plan modifies the requirement in Rule 613 and instead requires CAT Reporters to report whether the modification or cancellation instruction was “given by the Customer or was initiated by the Industry Member or Participant.”[430]

16. Order Allocation Information

Section 6.4(d)(ii)(A)(1) of the CAT NMS Plan provides that each Participant through its Compliance Rule must require that Industry Members record and report to the Central Repository an Allocation Report that includes the Firm Designated ID when an execution is allocated in whole or part.[431] The CAT NMS Plan defines an Allocation Report as “a report made to the Central Repository by an Industry Member that identifies the Firm Designated ID for any account(s), including subaccount(s), to which executed shares are allocated and provides the security that has been allocated, the identifier of the firm reporting the allocation, the price per share of shares allocated, the side of shares allocated, the number of shares allocated to each account, and the time of the allocation.” [432] The CAT NMS Plan explains, for the avoidance of doubt, that an Allocation Report shall not be required to be linked to particular orders or executions.[433]

17. Options Market Maker Quotes

Section 6.4(d)(iii) of the CAT NMS Plan states that, with respect to the reporting obligations of an Options Market Maker under Sections 6.3(d)(ii) and (iv) regarding its quotes[434] in Listed Options, such quotes shall be reported to the Central Repository by the relevant Options Exchange in lieu of reporting by the Options Market Maker.[435] Section 6.4(d)(iii) further states that each Participant that is an Options Exchange shall, through its Compliance Rule, require its Industry Members that are Options Market Makers to report to the Options Exchange the time at which a quote in a Listed Option is sent to the Options Exchange (and, if applicable, the time of any subsequent quote modification and/or cancellation where such modification or cancellation is originated by the Options Market Maker).[436] Such time information also shall be reported to the Central Repository by the Options Exchange in lieu of reporting by the Options Market Maker.[437]

18. Primary Market Transactions, Debt Securities and Futures

Rule 613 and the CAT NMS Plan do not require the reporting of audit trail data for Primary Market Transactions,[438] debt securities, and futures. However, Rule 613(i) requires that, within six months after the effective date of the CAT NMS Plan, the SROs shall jointly provide to the Commission “a document outlining how such exchanges and associations could incorporate into the consolidated audit trail information with respect to equity securities that are not NMS securities,[439] debt securities, primary market transactions in equity securities that are not NMS securities, and primary market transactions in debt securities, including details for each order and reportable event that may be required to be provided, which market participants may be required to provide the data, an implementation timeline, and a cost estimate.” [440]

19. Error Rates

The CAT NMS Plan defines Error Rate as “the percentage of [R]eportable [E]vents collected by the [C]entral [R]epository in which the data reported does not fully and accurately reflect the order event that occurred in the market.” [441] Under the CAT NMS Plan, the Operating Committee sets the maximum Error Rate that the Central Repository would tolerate from a CAT Reporter reporting data to the Central Repository.[442] The Operating Committee reviews and resets the maximum Error Rate, at least annually.[443] If a CAT Reporter reports CAT Data to the Central Repository with errors such that their error percentage exceeds the maximum Error Rate, then such CAT Reporter would not be in compliance with the CAT NMS Plan or Rule 613.[444] As such, “the Participants as Participants or the SEC may take appropriate action for failing to comply with the reporting obligations under the CAT NMS Plan and SEC Rule 613.” [445] The CAT NMS Plan, however, does not detail what specific compliance enforcement provisions would apply if a CAT Reporter exceeds the maximum Error Rate.[446]

The CAT NMS Plan sets the initial maximum Error Rate at 5% for any data reported pursuant to subparagraphs (3) and (4) of Rule 613(c).[447] The SROs highlight that “the Central Repository will require new reporting elements and methods for CAT Reporters and there will be a learning curve when CAT Reporters begin to submit data to the Central Repository” in support of a 5% initial rate.[448] Further, the SROs state that “many CAT Reporters may have never been obligated to report data to an audit trail.” [449] The SROs believe an initial maximum Error Rate of 5% “strikes the balance of making allowances for adapting to a new reporting regime, while ensuring that the data provided to regulators will be capable of being used to conduct surveillance and market reconstruction.” [450] In the CAT NMS Plan, the Participants compared the contemplated Error Rates of CAT Reporters to the error rates of OATS reporters in the time periods immediately following three significant OATS releases in the last ten years.[451] The Participants state that for the three comparative OATS releases [452] : An average of 2.42% of order events did not pass systemic validations; an average of 0.36% of order events were not submitted in a timely manner; an average of 0.86% of orders were unsuccessfully matched to a trade reporting facility trade report; an average of 3.12% of OATS Route Reports were unsuccessfully matched to an exchange order; and an average of 2.44% of OATS Route Reports were unsuccessfully matched to a report by another reporting entity.[453]

The Participants, moreover, anticipate reviewing and resetting the maximum Error Rate once Industry Members (excluding Small Industry Members) begin to report to the Central Repository and again once Small Industry Members report to the Central Repository.[454]

The Participants thus propose a phased approach to lowering the maximum Error Rates among CAT Reporters based on the period of time reporting to the Central Repository and whether the CAT Reporters are Participants, large broker-dealers or small broker-dealers.[455] The Plan sets forth a goal of the following maximum Error Rates [456] where “Year(s)” refers to year(s) after the CAT NMS Plan's date of effectiveness:

Table 1—Maximum Error Rates Schedule

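| CAT Reporter category | One year (%) | Two years (%) | Three years (%) | Four years (%) |
|---|---|---|---|---|
| Participants | 5 | 1 | 1 | 1 |
| Large Industry Members | N/A | 5 | 1 | 1 |
| Small Industry Members | N/A | N/A | 5 | 1 |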

The CAT NMS Plan requires the Plan Processor to: (i) Measure and report errors every business day; [457] (ii) provide CAT Reporters daily statistics and error reports as they become available, including a description of such errors; [458] (iii) provide monthly reports to CAT Reporters that detail a CAT Reporter's performance and comparison statistics; [459] (iv) define educational and support programs for CAT Reporters to minimize Error Rates; [460] and (v) identify, daily, all CAT Reporters exceeding the maximum allowable Error Rate.[461] To timely correct data-submitted errors to the Central Repository, the Participants require that the Central Repository receive and process error corrections at all times.[462] Further, the CAT NMS Plan requires that CAT Reporters be able to submit error corrections to the Central Repository through a web-interface or via bulk uploads or file submissions, and that the Plan Processor, subject to the Operating Committee's approval, support the bulk replacement of records and the reprocessing of such records.[463] The Participants, furthermore, require that the Plan Processor identify CAT Reporter data submission errors based on the Plan Processor's validation processes.[464]

20. Retirement of Existing Trade and Order Data Rules and Systems

a. Duplicative or Partially Duplicative Rules and Systems

As required by Rule 613(a)(1)(ix),[465] the CAT NMS Plan provides a plan to eliminate rules and systems that will be rendered duplicative by the CAT.[466] Under the CAT NMS Plan, each Participant will initiate an analysis of its rules and systems to determine which require information that is duplicative of the information available to the Participants through the Central Repository. The CAT NMS Plan states that each Participant has begun reviewing its rulebook and is waiting for the publication of the final reporting requirements to the Central Repository to complete its analysis. According to the Plan, each Participant should complete its analysis within twelve months after Industry Members (other than Small Industry Members) are required to begin reporting data to the Central Repository (or a later date to be determined by each Participant if sufficient data is not available to complete the analysis in that timeframe).[467]

Similarly, the CAT NMS Plan provides that each Participant will analyze which of its rules and systems require information that is partially duplicative of the information available to the Participants through the Central Repository.[468] According to the CAT NMS Plan, this analysis should include a determination as to: (i) Whether the Participant should continue to collect the duplicative information available in the Central Repository; (ii) whether the Participant can use the duplicative information made available in the Central Repository without degrading the effectiveness of the Participant's rules or systems; and (iii) whether the Participant should continue to collect the non-duplicative information or, alternatively, whether it should be added to information collected by the Central Repository. The CAT NMS Plan states that each Participant has begun reviewing its rulebook and is waiting for the publication of the final reporting requirements to the Central Repository to complete its analysis. According to the Plan, each Participant should complete this analysis within eighteen months after Industry Members (other than Small Industry Members) are required to begin reporting data to the Central Repository (or a later date to be determined by each Participant if sufficient data is not available to complete the analysis in that timeframe).[469]

The CAT NMS Plan also discusses the elimination of specific trade and order data collection systems that may be duplicative or partially duplicative of CAT.[470] With respect to FINRA's OATS, the CAT NMS Plan notes that FINRA's ability to retire OATS is dependent on whether the Central Repository contains complete and accurate CAT Data that is sufficient to ensure that FINRA can effectively conduct surveillance and investigations of its members for potential violations of FINRA rules and federal laws and regulations.[471] Based on an analysis conducted by the Participants, there are 33 data elements currently captured in OATS that are not specified in SEC Rule 613. The Plan notes that the Participants believe it is appropriate to incorporate data elements into the Central Repository that are necessary to retire OATS, and that these additional data elements will increase the likelihood that the Central Repository will include sufficient order information to ensure that FINRA can continue to perform its surveillance with CAT Data rather than OATS data and can more quickly eliminate OATS. However, the Plan notes that OATS cannot be entirely eliminated until all FINRA members who currently report to OATS are reporting to the Central Repository, and that there will likely be some period of dual reporting until FINRA can verify that the data in the Central Repository is of sufficient quality for surveillance purposes and that data reported to the Central Repository meets the Error Rate standards set out in the CAT NMS Plan.[472] With respect to rules and systems other than OATS, the CAT NMS Plan notes that based on preliminary industry analyses, broker-dealer recordkeeping and large trader reporting requirements under SEC Rule 17h-1 could potentially be eliminated. The Plan, however, notes that large trader self-identification and reporting responsibilities on Form 13H appear not to be covered by the CAT.[473]

Based on these analyses of duplicative or partially duplicative rules, the CAT NMS Plan provides that each Participant will prepare appropriate rule change filings to implement the rule modifications or deletions that can be made.[474] The rule change filings should describe the process for phasing out the requirements under the relevant rule. Under the CAT NMS Plan, each Participant will file with the SEC the relevant rule change filing to eliminate or modify its rules within six months of the Participant's determination that such modification or deletion is appropriate.[475] Similarly, the CAT NMS Plan provides that each Participant will analyze the most appropriate and expeditious timeline and manner for eliminating duplicative and partially duplicative rules and systems. Upon the Commission's approval of relevant rule changes, each Participant will implement this timeline. In developing these timelines, each Participant must consider when the quality of CAT Data will be sufficient to meet the surveillance needs of the Participants (i.e., to sufficiently replace current reporting data) before existing rules and systems can be eliminated.[476]

b. Non-Duplicative Rules and Systems

The CAT NMS Plan provides that each Participant will conduct an analysis to determine which of its rules and systems related to monitoring quotes, orders, and executions provide information that is not rendered duplicative by the CAT.[477] Under the CAT NMS Plan, each Participant must analyze: (i) Whether collection of such information remains appropriate; (ii) if still appropriate, whether such information should continue to be separately collected or should instead be incorporated into the consolidated audit trail; and, (iii) if no longer appropriate, how the collection of such information could be efficiently terminated, the steps the Participants would need to take to seek Commission approval for the elimination of such rules and systems, and a timetable for such elimination. Each Participant should complete this analysis within eighteen months after Industry Members (other than Small Industry Members) are required to begin reporting data to the Central Repository (or a later date to be determined by each Participant if sufficient data is not available to complete the analysis in that timeframe).[478]

c. Elimination of SEC Rules

In addition, to the extent that the Commission eliminates rules that require information that is duplicative of information available through the Central Repository, the CAT NMS Plan provides that each Participant will analyze its rules and systems to determine whether any modifications to such rules or systems are necessary (e.g., to delete references to outdated SEC rules) to support data requests made pursuant to such SEC rules.[479] Each Participant should complete its analysis within three months after the SEC approves the deletion or modification of an SEC rule related to the information available through the Central Repository. The CAT NMS Plan also provides that Participants will coordinate with the Commission regarding modification of the CAT NMS Plan to include information sufficient to eliminate or modify those Exchange Act rules or systems that the Commission deems appropriate.[480]

21. Regulatory Access

Under Section 6.5(c) of the CAT NMS Plan and as discussed above, the Plan Processor must provide regulators access to the Central Repository for regulatory and oversight purposes and create a method of accessing CAT Data that includes the ability to run complex searches and generate reports.[481] Section 6.10(c) requires regulator access by two different methods: (1) An online targeted query tool with predefined selection criteria to choose from; and (2) user-defined direct queries and bulk extractions of data via a query tool or language allowing querying of all available attributes and data sources.[482] Additional requirements concerning regulator access appear in Section 8 of Appendix D.[483]

The CAT NMS Plan requires that the CAT must support a minimum of 3,000 regulatory users and at least 600 such users accessing the CAT concurrently without an unacceptable decline in performance.[484] Moreover, the CAT must support an arbitrary number of user roles and, at a minimum, include defined roles for both basic and advanced regulatory users.[485]

a. Online Targeted Query Tool

Sections 8.1.1, 8.1.2, and 8.1.3 of Appendix D contain further specifications for the online targeted query tool.[486] The tool must allow for retrieval of processed and/or validated (unlinked) data via an online query screen that includes a choice of a variety of pre-defined selection criteria.[487] Targeted queries must include date(s) and/or time range(s), as well as one or more of a variety of fields listed in Section 8.1.1 (e.g., product type, CAT-Reporter-ID, and Customer-ID).[488] Targeted queries would be logged such that the Plan Processor could provide monthly reports to the SROs and the SEC concerning metrics on performance and data usage of the search tool.[489] The CAT NMS Plan further requires that acceptable response times for the targeted search be in increments of less than one minute; for complex queries scanning large volumes of data or large result sets (over one million records) response times must be available within 24 hours of the request; and queries for data within one business date of a 12-month period must return results within three hours regardless of the complexity of criteria.[490] Under the CAT NMS Plan, regulators may access all CAT Data except for PII data (access to which would be limited to an authorized subset of Participant and Commission employees) and the Plan Processor must work with regulators to implement a process for providing them with access and routinely verifying a list of active users.[491]

b. User-Defined Direct Queries and Bulk Extraction of Data

Section 8.2 of Appendix D outlines the requirements for user-defined direct queries and bulk extraction of data, which regulators would use to obtain large data sets for internal surveillance or market analysis.[492] Under the CAT NMS Plan, regulators must be able to create, save, and schedule dynamic queries that would run directly against processed and/or unlinked CAT Data.[493] Additionally, CAT must provide an open application program interface (“API”) that allows use of analytic tools and database drivers to access CAT Data.[494] Queries submitted through the open API must be auditable and the CAT System must contain the same level of control, monitoring, logging, and reporting as the online targeted query tool.[495] The Plan Processor must also provide procedures and training to regulators that would use the direct query feature.[496] Sections 8.2.1 and 8.2.2 of Appendix D contain additional specifications for user-defined direct queries and bulk data extraction, respectively.[497]

c. Regulatory Access Schedule

Section A.2 of Appendix C addresses the time and method by which CAT Data would be available to regulators.[498] Section A.2(a) requires that data be available to regulators at any point after the data enters the Central Repository and passes basic format validations.[499] After errors are communicated to CAT Reporters on T+1, CAT Reporters would be required to report corrected data back to the Central Repository by 8:00 a.m. ET on T+3.[500] Regulators must then have access to corrected and linked order and Customer data by 8:00 a.m. ET on T+5.[501] Section A.2(b) generally describes Bidders' approaches regarding regulator access and use of CAT Data and notes that although the SROs set forth the standards the Plan Processor must meet, they do not endorse any particular approach.[502] Section A.2(c) outlines requirements the Plan Processor must meet for report building and analysis regarding data usage by regulators, consistent with, and in addition to, the specifications outlined in Section 8 of Appendix D.[503]

22. Upgrades and New Functionalities

Under Article VI of the CAT NMS Plan, the Plan Processor is responsible for consulting with the Operating Committee and implementing necessary upgrades and new functionalities. In particular, the Plan Processor would be required to, consistent with Appendix D, Upgrade Process and Development of New Functionality, design and implement appropriate policies and procedures governing the determination to develop new functionality for the CAT including, among other requirements, a mechanism by which changes can be suggested by Advisory Committee members, Participants, or the SEC.[504] The Plan Processor shall, on an ongoing basis and consistent with any applicable policies and procedures, evaluate and implement potential system changes and upgrades to maintain and improve the normal day-to-day operating function of the CAT System.[505] In consultation with the Operating Committee, the Plan Processor shall, on an as-needed basis and consistent with any applicable operational and escalation policies and procedures, implement such material system changes and upgrades as may be required to ensure effective functioning of the CAT System.[506] Also in consultation with the Operating Committee, the Plan Processor shall, on an as-needed basis, implement system changes and upgrades to the CAT System to ensure compliance with applicable laws, regulations or rules (including those promulgated by the Commission or any Participant).[507]

Appendix D provides additional detail about the obligations of the Plan Processor with respect to CAT Functional Changes, CAT Infrastructure Changes, and Testing of New Changes.[508] In particular, the Plan Processor is required to propose a process for considering new functions, which must include a mechanism for suggesting changes to the Operating Committee from Advisory Committee members, the Participants and the Commission. The process must also include a method for developing impact assessments, including implementation timelines for proposed changes, and a mechanism by which functional changes that the Plan Processor wishes to undertake could be reviewed and approved by the Operating Committee.[509]

The CAT NMS Plan also requires that the Plan Processor develop a similar process to govern the changes to the Central Repository—i.e., business-as-usual changes that could be performed by the Plan Processor with only a summary report to the Operating Committee, and infrastructure changes that would require approval by the Operating Committee.[510] Finally, a process for user testing of new changes must be developed by the Plan Processor.[511]

In addition, the CAT NMS Plan requires that the Plan Processor ensure that the Central Repository's technical infrastructure is scalable (to increase capacity to handle increased reporting volumes); adaptable (to support future technology developments so that new requirements could be incorporated); and current (to ensure, through maintenance and upgrades, that technology is kept current, supported, and operational).[512]

23. Business Continuity and Disaster Recovery

The CAT NMS Plan provides that the Plan Processor must develop disaster recovery and business continuity plans to support the continuation of CAT business operations.[513] The Plan Processor is required to provide the Operating Committee with regular reports on the CAT System's operation and maintenance that specifically address Participant usage statistics for the Plan Processor and the Central Repository, including capacity planning studies and daily reports called for by Appendix D, as well as business continuity planning and disaster recovery issues for the Plan Processor and the Central Repository, taking into account the business continuity planning and disaster recovery requirements in the Business Continuity Planning/Disaster Recovery (“BCP/DR”) Process set forth in Appendix D.[514]

The CAT NMS Plan requires the Business Continuity Plan to address protection of data, service for data submissions, processing, data access, support functions and operations.[515] Additionally, the Plan Processor must develop a process to manage and report breaches.[516] A secondary site that is fully equipped for immediate use must be selected to house critical staff necessary for CAT business operations, and planning should consider operational disruption and significant staff unavailability, but the Business Continuity Plan must also establish an effective telecommuting solution for critical staff which must ensure that CAT Data may not be downloaded to equipment that is not CAT-owned or compliant with CAT security requirements.[517] The Business Continuity Plan will include a bi-annual test of CAT operations from the secondary site, and CAT operations staff must maintain and annually test remote access to ensure smooth operations in case of a “site un-availability event.” [518] The Business Continuity Plan must also identify critical third-party dependencies to be involved in tests on an annual basis, and the Plan Processor will develop and annually test a crisis management plan to be invoked in specified circumstances.[519] The Plan Processor must also conduct the following: An annual Business Continuity Audit using an Independent Auditor approved by the Operating Committee; and regular third party risk assessments to verify that security controls are in accordance with NIST SP 800-53.[520] Appendix C mandates the use of a hot-warm structure for disaster recovery, where in the event of a disaster, the software and data would need to be loaded into the backup site for it to become operational.[521]

Appendix D also requires that the Plan Processor provide an industry test environment that is discrete and separate from the production environment, but functionally equivalent to the production environment. The industry test environment must have end-to-end functionality meeting the standards of the production SLA, the performance metrics of the production environment, and management with the same information security policies applicable to the production environment.[522] The industry test environment must have minimum availability of 24x6, and must support such things as: Testing of technical upgrades by the Plan Processor, testing of CAT code releases impacting CAT Reporters, testing of changes to industry data feeds, industry-wide disaster recovery testing, individual CAT Reporter and Data Submitter testing of their upgrades against CAT interfaces and functionality, and multiple, simultaneous CAT Reporter testing.[523] The Plan Processor must provide the linkage processing of data submitted during industry-wide testing, as well as support for industry testing.[524]

24. Records and Accounting and Dissolution and Termination of the Company

Article IX of the CAT NMS Plan sets forth the Company's obligations and policies related to books and records, accounting, company funds and tax matters.[525] The CAT NMS Plan provides that the Company must maintain complete and accurate books and records of the Company in accordance with Rule 17a-1.[526] The CAT NMS Plan further provides that books and records will be maintained and be made available at the office of the Plan Processor and/or such other Company designated locations.[527] The CAT NMS Plan specifies that all CAT Data and other Company books and records are the property of the Company (and not the property of the Plan Processor), and to the extent in the possession of the Plan Processor, they will be made available to the Commission upon reasonable request.[528]

Article IX also includes a confidentiality provision (subject to several express carve-outs) wherein the Receiving Party (the Company or a Participant) must hold in confidence information received from a Disclosing Party (the Company or any other Participant); and the Receiving Party may only disclose such information if prior written approval from the Disclosing Party is obtained.[529] The confidentiality provision applies to information that is disclosed in connection with the CAT NMS Plan or the CAT System but expressly carves out the following: (i) CAT Data or information otherwise disclosed pursuant to the requirements of Rule 613; [530] (ii) any information that was already lawfully in the Receiving Party's possession and, to the knowledge of the Receiving Party, free from any confidentiality obligation to the Disclosing Party at the time of receipt from the Disclosing Party; (iii) any information that is, now or in the future, public knowledge; (iv) any information that was lawfully obtained from a third party having the right to disclose it free from any obligation of confidentiality; or (v) any information that was independently developed by the Receiving Party prior to disclosure by a Disclosing Party.[531] Finally, the CAT NMS Plan provides that the confidentiality provision does not restrict disclosures required by: (i) Applicable laws and regulations, stock market or exchange requirements or the rules of any self-regulatory organization having jurisdiction; (ii) an order, subpoena or legal process; or (iii) for the conduct of any litigation or arbitral proceeding among the Participants (and their respective representatives) and/or the Company.[532]

The CAT NMS Plan includes provisions relating to the dissolution of the Company.[533] Any dissolution of the Company requires SEC approval and must be as a result of one of the following events (a “Triggering Event”): (i) Unanimous written consent of the Participants; (ii) an event makes it unlawful or impossible for the Company business to be continued; (iii) the termination of one or more Participants such that there is only one remaining Participant; or (iv) a decree of judicial dissolution.[534] If a Triggering Event has occurred and the SEC approves the Company's dissolution, the Operating Committee would act as liquidating trustee and liquidate and distribute the Company pursuant to the following necessary steps under the CAT NMS Plan: (i) Sell the Company's assets; and (ii) apply and distribute the sale proceeds by first, paying the Company's debts and liabilities; second, establishing reasonably necessary reserves for contingent recourse liabilities and obligations; and third, making a distribution to the Participants in proportion to the balances in their positive Capital Accounts.[535]

25. Security of Data

The CAT NMS Plan provides that the Plan Processor is responsible for the security and confidentiality of all CAT Data received and reported to the Central Repository, including during all communications between CAT Reporters and the Plan Processor, data extraction, data manipulation and transformation, loading to and from the Central Repository, and data maintenance by the Central Repository.[536] The Plan Processor must, among other things, require that individuals with access to the Central Repository agree to use CAT Data only for appropriate surveillance and regulatory activities and to employ safeguards to protect the confidentiality of CAT Data.[537]

In addition, the Plan Processor must develop a comprehensive information security program as well as a training program that addresses the security and confidentiality of all information accessible from the CAT and the operational risks associated with accessing the Central Repository.[538] The Plan Processor must also designate one of its employees as CISO; among other things, the CISO is responsible for creating and enforcing appropriate policies, procedures, and control structures regarding data security.[539] The Technical Specifications, which the Plan Processor must publish, must include a detailed description of the data security standards for CAT.[540] Appendix D of the CAT NMS Plan sets forth minimum data security requirements for CAT that the Plan Processor must meet.[541]

a. General Standards

The CAT NMS Plan provides that the data security standards of the CAT System shall, at a minimum, satisfy all applicable regulations regarding database security, including provisions of Reg SCI.[542] Appendix D of the CAT NMS Plan contains a partial list of industry standards to which the Plan Processor will adhere, including standards issued by the NIST,[543] the Federal Financial Institutions Examination Council,[544] and the International Organization for Standardization.[545]

The CAT NMS Plan specifies that the Plan Processor is responsible for the security and confidentiality of all CAT Data received and reported to the Central Repository, including during all communications between CAT Reporters and the Plan Processor, data extraction, data manipulation and transformation, loading to and from the Central Repository, and data maintenance by the Central Repository.[546] The Plan Processor must also designate one of its employees as the CISO; among other things, the CISO is responsible for creating and enforcing appropriate policies, procedures, and control structures regarding data security.[547]

b. Data Confidentiality

The CAT NMS Plan also requires that the Plan Processor must develop a comprehensive information security program, with a dedicated staff for the Central Repository, that employs state of the art technology, which program will be regularly reviewed by the CCO and CISO, as well as a training program that addresses the security and confidentiality of all information accessible from the CAT and the operational risks associated with accessing the Central Repository.[548] The Plan Processor must also implement and maintain a mechanism to confirm the identity of all individuals permitted to access the CAT Data stored in the Central Repository; maintain a record of all instances where such CAT Data was accessed; and implement and maintain appropriate policies regarding limitations on trading activities of its employees and independent contractors involved with all CAT Data.[549] The Technical Specifications, which will be published after the Plan Processor is selected, must include a detailed description of the data security standards for the CAT.[550]

According to the CAT NMS Plan, the Plan Processor must require that individuals with access to the Central Repository (including the respective employees and consultants of the Participants and the Plan Processor, but excluding employees and Commissioners of the SEC) agree: (i) To use appropriate safeguards to ensure the confidentiality of the CAT Data stored in the Central Repository and (ii) to not use CAT Data stored in the Central Repository for purposes other than surveillance and regulation in accordance with such individual's employment duties.[551] A Participant, however, is permitted to use the CAT Data it reports to the Central Repository for regulatory, surveillance, commercial or other purposes as permitted by applicable law, rule, or regulation.[552] In addition, the CAT NMS Plan provides that all individuals with access to the Central Repository (including the respective employees and consultants of the Participants and the Plan Processor, but excluding employees and Commissioners of the SEC) must execute a personal “Safeguard of Information Affidavit” in a form approved by the Operating Committee providing for personal liability for misuse of data.[553]

c. Data Security

Appendix D of the CAT NMS Plan sets forth minimum data security requirements for CAT that the Plan Processor must meet, including various connectivity, data transfer, and encryption requirements.[554]

Appendix D states that the CAT Systems must have encrypted internet connectivity, and that CAT Reporters must connect to the CAT infrastructure using secure methods such as private lines or, for smaller broker-dealers, Virtual Private Network connections over public lines.[555] Remote access to the Central Repository must be limited to authorized Plan Processor Staff and must use secure “Multi-factor Authentication” (or “MFA”) that meets or exceeds Federal Financial Institutions Examination Council security guidelines surrounding authentication best practices.[556] Appendix D also notes that CAT databases must be deployed within the network infrastructure so that they are not directly accessible from external end-user networks.[557] If public cloud infrastructures are used, Appendix D states that network segments or private tenant segmentation must be used to isolate CAT Data from unauthenticated public access.[558]

Regarding data encryption, Appendix D states that all CAT Data must be encrypted in-flight using industry standard best practices (e.g., SSL/TLS).[559] Appendix D provides that symmetric key encryption must use a minimum key size of 128 bits or greater (e.g., AES-128), though larger keys are preferable.[560] Asymmetric key encryption (e.g., PGP) for exchanging data between Data Submitters and the Central Repository is desirable.[561]

Appendix D further states that CAT Data stored in a public cloud must be encrypted at-rest.[562] Non-personally identifiable information in CAT Data stored in a Plan Processor private environment is not required to be encrypted at-rest.[563] If public cloud managed services are used that would inherently have access to the data (e.g., BigQuery, S3, Redshift), then the key management surrounding the encryption of that data must be documented (particularly whether the cloud provider manages the keys, or if the Plan Processor maintains that control).[564] Auditing and real-time monitoring of the service for when cloud provider personnel are able to access/decrypt CAT Data must be documented, as well as a response plan to address instances where unauthorized access to CAT Data is detected.[565] Key management/rotation/revocation strategies and key chain of custody must also be documented in detail.[566]

Regarding CAT Data storage, the CAT NMS Plan states that data centers housing CAT Systems (whether public or private) must, at a minimum, be SOC 2 certified by an independent third-party auditor.[567] The frequency of the audit must be at least once per year.[568] Furthermore, CAT computer infrastructure may not be commingled with other non-regulatory systems (or tenants, in the case of public cloud infrastructure).[569] Systems hosting the CAT processing for any applications must be segmented from other systems as far as is feasible on a network level (firewalls, security groups, ACLs, VLANs, authentication proxies/bastion hosts and similar).[570] In the case of systems using inherently shared infrastructure/storage (e.g., public cloud storage services), an encryption/key management/access control strategy that effectively renders the data private must be documented.[571]
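The encryption rules summarized in the three preceding paragraphs interact: the at-rest exemption applies only to non-PII in a private environment, while PII is never exempt under the rule this notice states in its Personally Identifiable Information subsection. The following sketch is an added illustration, not part of the CAT NMS Plan or of this notice; the `DataStore` fields, finding codes and inventory entries are hypothetical and constructed for the example.

```python
from dataclasses import dataclass

MIN_SYMMETRIC_KEY_BITS = 128  # minimum symmetric key size stated in the summary above


@dataclass(frozen=True)
class DataStore:
    """One storage location for CAT Data. All field names are hypothetical."""
    name: str
    environment: str               # "public_cloud" or "private"
    holds_pii: bool
    encrypted_in_flight: bool
    encrypted_at_rest: bool
    symmetric_key_bits: int        # 0 when the store is not encrypted at rest
    managed_service: bool          # provider-run service with inherent access to the data
    key_management_documented: bool


def audit_store(store):
    """Return finding codes for one store; an empty list means no finding."""
    findings = []
    # All CAT Data must be encrypted in-flight, whatever the environment.
    if not store.encrypted_in_flight:
        findings.append("IN_FLIGHT_UNENCRYPTED")
    if not store.encrypted_at_rest:
        # PII may never be stored unencrypted; non-PII is exempt only when
        # it sits in a private environment.
        if store.holds_pii:
            findings.append("PII_UNENCRYPTED_AT_REST")
        elif store.environment == "public_cloud":
            findings.append("PUBLIC_CLOUD_UNENCRYPTED_AT_REST")
    elif store.symmetric_key_bits < MIN_SYMMETRIC_KEY_BITS:
        findings.append("KEY_TOO_SHORT")
    # Managed public cloud services need documented key management,
    # including who controls the keys.
    if (store.environment == "public_cloud" and store.managed_service
            and not store.key_management_documented):
        findings.append("KEY_MANAGEMENT_UNDOCUMENTED")
    return findings


def audit_inventory(stores):
    """Map store name to findings, listing only stores that have any."""
    report = {}
    for store in stores:
        findings = audit_store(store)
        if findings:
            report[store.name] = findings
    return report


# Constructed inventory. Positional order: name, environment, holds_pii,
# encrypted_in_flight, encrypted_at_rest, symmetric_key_bits,
# managed_service, key_management_documented.
SAMPLE_INVENTORY = [
    DataStore("orders-archive", "public_cloud", False, True, False, 0, True, False),
    DataStore("linkage-db", "private", False, True, False, 0, False, False),
    DataStore("customer-pii", "private", True, True, True, 112, False, True),
    DataStore("pii-tape-backup", "private", True, True, False, 0, False, False),
    DataStore("reports-bucket", "public_cloud", False, True, True, 256, True, True),
]

if __name__ == "__main__":
    for name, findings in audit_inventory(SAMPLE_INVENTORY).items():
        print(f"{name}: {', '.join(findings)}")
```
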

Appendix D further requires that the Plan Processor must include penetration testing and an application security code audit by a reputable (and named) third party prior to the launch of CAT as well as periodically as defined in the SLAs.[572] Reports of the audit will be provided to the Operating Committee as well as a remediation plan for identified issues.[573] The penetration test reviews of the Central Repository's network, firewalls, and development, testing and production systems should help the CAT evaluate the systems' security and resiliency in the face of attempted and successful systems intrusions.[574]

The CAT NMS Plan also addresses issues surrounding access to CAT Data. Among other things, the CAT NMS Plan requires the Plan Processor to provide an overview of how access to PII and other CAT Data by Plan Processor employees and administrators is restricted.[575] This overview must include items such as, but not limited to, how the Plan Processor will manage access to the systems, internal segmentation, MFA, separation of duties, entitlement management, and background checks.[576] The Plan Processor must develop and maintain policies and procedures reasonably designed to prevent, detect, and mitigate the impact of unauthorized access or usage of data in the Central Repository.[577] The CAT NMS Plan also specifically states that a Role Based Access Control (“RBAC”) model must be used to permission users with access to different areas of the CAT System.[578] The Plan Processor must log every instance of access to Central Repository data by users.[579] The CAT NMS Plan also has specific provisions related to passwords and logins, particularly as these relate to accessing PII in the Central Repository.[580] Any login to the system that is able to access PII data must follow non-PII password rules and must be further secured via MFA.[581]

Appendix D also addresses what should be done in the event there is a breach in the security systems protecting CAT Data. Appendix D requires the Plan Processor to develop policies and procedures governing its responses to systems or data breaches.[582] Such policies and procedures will include a formal cyber incident response plan, and documentation of all information relevant to breaches.[583] The cyber incident response plan will provide guidance and direction during security incidents, and the plan will be subject to approval by the Operating Committee.[584]

d. Data Access and Use

The CAT NMS Plan states that the Plan Processor shall provide Participants and the Commission with access to and use of the CAT Data stored in the Central Repository solely for the purpose of performing their respective regulatory and oversight responsibilities pursuant to federal securities laws, rules and regulations or any contractual obligations.[585] The Plan specifies that Participants shall establish, maintain and enforce written policies and procedures reasonably designed to ensure the confidentiality of the CAT Data obtained from the Central Repository and limit the use of CAT Data obtained from the Central Repository to surveillance and regulatory purposes.[586] The CAT NMS Plan provides that Participants must adopt and enforce policies and procedures that implement effective information barriers between each Participant's regulatory and non-regulatory Staff with regard to CAT Data, permit only persons designated by Participants to have access to the CAT Data stored in the Central Repository; and impose penalties for Staff non-compliance with any of its or the Plan Processor's policies and procedures with respect to information security.[587] However, the Plan provides that a Participant may use the Raw Data [588] it reports to the Central Repository for “commercial or other” purposes if not prohibited by applicable law, rule or regulation.[589]

Article VI of the CAT NMS Plan requires that the Plan Processor provide regulators access to the Central Repository for regulatory and oversight purposes and create a method of accessing CAT Data that includes the ability to run complex searches and generate reports.[590] Section 6.10(c) of the CAT NMS Plan requires regulator access by two different methods: (i) An online targeted query tool with predefined selection criteria to choose from; and (ii) user-defined direct queries and bulk extractions of data via a query tool or language allowing querying of all available attributes and data sources.[591] Appendix D contains technical details and parameters for use by the Plan Processor in developing the systems that will allow regulators access to CAT Data.[592]

Appendix C addresses the time and method by which CAT Data would be available to regulators.[593] Specifically, Appendix C requires that data be available to regulators at any point after the data enters the Central Repository and passes basic format validations.[594] After errors are communicated to CAT Reporters on a T+1 basis, CAT Reporters would be required to report corrected data back to the Central Repository by 8:00 a.m. ET on T+3.[595] Regulators must then have access to corrected and linked order and Customer data by 8:00 a.m. ET on T+5.[596] Appendix C further outlines requirements the Plan Processor must meet for report building and analysis regarding data usage by regulators, consistent with, and in addition to, the specifications outlined in Appendix D.[597]

e. Personally Identifiable Information

According to the CAT NMS Plan, there are two separate categories of CAT Data for data security and confidentiality purposes: (i) PII; and (ii) other data related to orders and trades reported to the CAT.[598] The Plan requires additional levels of protection for PII that is collected from Customers and reported to the Central Repository.[599] For example, the CAT NMS Plan requires that all CAT Data provided to regulators must be encrypted, but that PII data shall be masked unless users have permission to view the CAT Data that has been requested.[600] The Plan requires that all PII data must be encrypted both at-rest and in-flight, including archival data storage methods such as tape backup.[601] Storage of unencrypted PII data is prohibited.[602] The Plan Processor must describe how PII encryption is performed and the key management strategy (e.g., AES-256, 3DES).[603]

An additional protection afforded to PII concerns specific requirements for access. The CAT NMS Plan specifies that by default, users entitled to query CAT Data are not automatically authorized for PII access, and that the process by which a person becomes entitled for PII access, and how they then go about accessing PII data, must be documented by the Plan Processor.[604] Access to PII will be based on a Role Based Access Control (“RBAC”) model, and shall follow the “least privileged” practice of limiting access as much as possible.[605] In this regard, the CAT NMS Plan states that access will be limited to a “need-to-know” basis, and it is expected that the number of people given access to PII associated with Customers and accounts will be much lower than the number granted access to non-PII CAT Data.[606] The CAT NMS Plan further specifies that any login system that is able to access PII must follow non-PII password rules and must be further secured via MFA.[607] MFA authentication for all logins (including non-PII) is required to be implemented by the Plan Processor.[608]

The CAT NMS Plan also requires that a designated officer or employee at each Participant and the Commission, such as the chief regulatory officer, must, at least annually, review and certify that persons with PII access have appropriately been designated to access PII in light of their respective roles.[609] The CAT NMS Plan requires that a full audit trail of access to the PII collected at the Central Repository—which would include who accessed what data and when—must be maintained, and that the CCO and CISO shall have access to daily PII reports that list all users who are entitled for PII access, as well as the audit trail of all PII access that has occurred for the day being reported on.[610]

The CAT NMS Plan also restricts the circumstances under which PII can be provided to an authorized person. The CAT NMS Plan provides, for example, that PII must not be included in the result set(s) from online or direct query tools, reports or bulk data extraction.[611] Instead, the CAT NMS Plan requires any such results, reports or extractions to be displayed with “non-PII unique identifiers (e.g., Customer-ID or Firm Designated ID).” [612] The CAT NMS Plan states that the PII corresponding to these non-PII identifiers can be gathered by using a separate “PII workflow.” [613]

Finally, the CAT NMS Plan further protects PII by requiring that PII data be stored separately from other CAT Data.[614] The Plan specifies that PII cannot be stored with the transactional CAT Data, and it must not be accessible from public internet connectivity.[615]
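The access model described in this subsection (query results carrying only non-PII identifiers, a separate PII workflow gated by a role entitlement and MFA, a full audit trail, and a daily PII report) can be sketched as follows. This is an added example, not code from the Plan or the order; the role names, class and function names, and sample records are constructed assumptions, and recording denied attempts in the audit trail is an added design choice.

```python
"""Illustrative model of the PII access controls described above (constructed example)."""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Hypothetical role names: the Plan requires RBAC but does not name roles.
ROLE_QUERY = "cat_query"   # entitled to query transactional CAT Data
ROLE_PII = "cat_pii"       # separately granted, need-to-know entitlement


@dataclass(frozen=True)
class Session:
    user: str
    roles: frozenset
    mfa_verified: bool


@dataclass
class AuditEntry:
    when: datetime      # when the access was attempted
    user: str           # who attempted it
    customer_id: str    # what was requested
    granted: bool
    reason: str


class PiiAccessDenied(Exception):
    pass


@dataclass
class CentralRepositoryModel:
    orders: list        # transactional data, keyed by non-PII Customer-ID only
    pii_store: dict     # PII held in a separate store, keyed by Customer-ID
    audit_trail: list = field(default_factory=list)

    def query_orders(self, session, symbol):
        """Query tool: result sets never contain PII, only the Customer-ID."""
        if ROLE_QUERY not in session.roles or not session.mfa_verified:
            raise PermissionError("query entitlement and MFA required")
        return [dict(o) for o in self.orders if o["symbol"] == symbol]

    def pii_workflow(self, session, customer_id, now=None):
        """Separate PII workflow: default deny, and every attempt is recorded."""
        now = now or datetime.now(timezone.utc)
        if not session.mfa_verified:
            reason = "mfa_missing"
        elif ROLE_PII not in session.roles:
            reason = "not_entitled"   # query entitlement alone is not enough
        elif customer_id not in self.pii_store:
            reason = "unknown_customer"
        else:
            reason = "ok"
        granted = reason == "ok"
        self.audit_trail.append(
            AuditEntry(now, session.user, customer_id, granted, reason))
        if not granted:
            raise PiiAccessDenied(reason)
        return dict(self.pii_store[customer_id])

    def daily_pii_report(self, day, entitlements):
        """Daily report: users entitled to PII plus that day's audit trail."""
        entitled = sorted(u for u, r in entitlements.items() if ROLE_PII in r)
        accesses = [e for e in self.audit_trail if e.when.date() == day]
        return {"day": day, "entitled_users": entitled, "accesses": accesses}


def build_demo():
    """Constructed sample data: two orders and one customer record."""
    repo = CentralRepositoryModel(
        orders=[
            {"order_id": "O-1", "symbol": "XYZ", "customer_id": "CUST-0001"},
            {"order_id": "O-2", "symbol": "ABC", "customer_id": "CUST-0002"},
        ],
        pii_store={"CUST-0001": {"name": "Sample Person",
                                 "tax_id": "000-00-0000"}},
    )
    entitlements = {
        "analyst1": {ROLE_QUERY},
        "investigator1": {ROLE_QUERY, ROLE_PII},
    }
    return repo, entitlements


if __name__ == "__main__":
    repo, ent = build_demo()
    analyst = Session("analyst1", frozenset(ent["analyst1"]), True)
    print(repo.query_orders(analyst, "XYZ"))
    try:
        repo.pii_workflow(analyst, "CUST-0001")
    except PiiAccessDenied as exc:
        print("denied:", exc)
    print(repo.daily_pii_report(datetime.now(timezone.utc).date(), ent))
```

The annual certification review maps onto the same `entitlements` mapping that feeds the daily report.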

26. Governing or Constituent Documents

Rule 608 requires copies of all governing or constituent documents relating to any person (other than a self-regulatory organization) authorized to implement or administer such plan on behalf of its sponsors.[616] The Participants will submit to the Commission such documents related to the Plan Processor when the Plan Processor is selected.[617]

27. Development and Implementation Phases

The terms of the Plan will be effective immediately upon approval of the Plan by the Commission (the “Effective Date”).[618] The Plan sets forth each of the significant phases of development and implementation contemplated by the Plan, together with the projected date of completion of each phase.[619] These include the following, each of which is subject to orders otherwise by the Commission:

Within two months after the Effective Date, the Participants will jointly select the winning Shortlisted Bid and the Plan Processor pursuant to the process set forth in Article V. Following the selection of the Initial Plan Processor, the Participants will file with the Commission a statement identifying the Plan Processor and including the information required by Rule 608;

Within four months after the Effective Date, each Participant will, and, through its Compliance Rule, will require its Industry Members to, synchronize its or their Business Clocks and certify to the Chief Compliance Officer (in the case of Participants) or the applicable Participant (in the case of Industry Members) that it has met this requirement;

Within six months after the Effective Date, the Participants must jointly provide to the SEC a document outlining how the Participants could incorporate into the CAT information with respect to equity securities that are not NMS Securities,[620] including Primary Market Transactions in securities that are not NMS Securities, which document will include details for each order and Reportable Event that may be required to be provided, which market participants may be required to provide the data, the implementation timeline, and a cost estimate;

Within one year after the Effective Date, each Participant must report Participant Data to the Central Repository;

Within fourteen months after the Effective Date, each Participant must implement a new or enhanced surveillance system(s);

Within two years after the Effective Date, each Participant must, through its Compliance Rule, require its Industry Members (other than Small Industry Members) to report Industry Member Data to the Central Repository; and

Within three years after the Effective Date, each Participant must, through its Compliance Rule, require its Small Industry Members to provide Industry Member Data to the Central Repository.[621]

In addition, Industry Members and Participants will be required to participate in industry testing with the Central Repository on a schedule to be determined by the Operating Committee. Furthermore, Appendix C, A Plan to Eliminate Existing Rules and Systems (Rule 613(a)(1)(ix)), and Appendix D, Data Types and Sources, set forth additional implementation details concerning the elimination of rules and systems.

The CCO will appropriately document objective milestones to assess progress toward the implementation of the CAT.[622]

As required by Rule 613(a)(1)(x),[623] the CAT NMS Plan also sets forth detailed objective milestones, with projected completion dates, towards CAT implementation.[624] The milestones discussed in the Plan include timeframes for when the Plan Processor will publish Technical Specifications for Participants and Industry Members to report order and market maker quote data and Customer Account Information [625] to the Central Repository, as well as timeframes for connectivity and acceptance testing for the reporting of this information.[626] For example, the Plan Processor will publish Technical Specifications for Industry Member submission of order data one year before Industry Members are required to begin submitting this data to the Central Repository, and the Plan Processor will begin connectivity testing and accepting order data from Industry Members for testing purposes six months before Industry Members are required to begin submitting this data to the Central Repository.[627] The Plan Processor will begin connectivity testing and accepting order and market maker quote data from Participants for testing purposes three months before Participants are required to begin reporting this data to the Central Repository and will publish Technical Specifications for Participant submission of this data six months before Participants are required to submit this data to the Central Repository.[628] The CAT NMS Plan also includes implementation timeframes for the linkage of the lifecycle of order events, regulator access to the Central Repository, and the integration of other data (such as SIP quote and trade data) into the Central Repository.[629]

28. Written Understanding or Agreements Relating to Interpretation of, or Participation in, the Plan

The Participants have no written understandings or agreements relating to interpretations of, or participation in, the Plan other than those set forth in the Plan itself.[630] For example, Section 4.3(a)(iii) states that the Operating Committee only may authorize the interpretation of the Plan by Majority Vote, Section 6.9(c)(i) addresses interpretations of the Technical Specifications, and Section 8.2 addresses the interpretation of Sections 8.1 and 8.2.[631] In addition, Section 3.3 sets forth how any entity registered as a national securities exchange or national securities association under the Exchange Act may become a Participant.[632]

29. Dispute Resolution

The Plan does not include a general provision addressing the method by which disputes arising in connection with the operation of the Plan will be resolved.[633] The Plan does, however, provide the means for resolving disputes regarding the Participation Fee.[634] Specifically, Article III states that, in the event that the Company and a prospective Participant do not agree on the amount of the Participation Fee, such amount will be subject to the review by the Commission pursuant to Section 11A(b)(5) of the Exchange Act.[635] In addition, the Plan addresses disputes with respect to fees charged to Participants and Industry Members pursuant to Article XI. Specifically, such disputes will be determined by the Operating Committee or a Subcommittee designated by the Operating Committee.[636] Decisions by the Operating Committee or such designated Subcommittee on such matters will be binding on Participants and Industry Members, without prejudice to the rights of any Participant or Industry Member to seek redress from the Commission pursuant to Rule 608 or in any other appropriate forum.[637]

IV. Discussion and Commission Findings

In 1975, Congress directed the Commission, through the enactment of Section 11A of the Act,[638] to facilitate the establishment of a national market system. Section 11A(a)(3)(B) of the Act authorizes the Commission, “by rule or order, to authorize or require self-regulatory organizations to act jointly with respect to matters as to which they share authority under this title in planning, developing, operating, or regulating a national market system (or a subsystem thereof) or one or more facilities.” [639] The Commission adopted Rule 613 of Regulation NMS under the Act,[640] requiring the SROs to submit an NMS plan to create, implement, and maintain the CAT.[641]

Rule 613 tasks the Participants with the responsibility to develop a CAT NMS Plan that achieves the goals set forth by the Commission. Because the Participants will be more directly responsible for the implementation of the CAT NMS Plan, in the Commission's view, it is appropriate that they make the judgment as to how to obtain the benefits of a consolidated audit trail in a way that is practicable and cost-effective in the first instance. The Commission's review of an NMS plan is governed by Rule 608 and, under that rule, approval is conditioned upon a finding that the proposed plan is “necessary or appropriate in the public interest, for the protection of investors and the maintenance of fair and orderly markets, to remove impediments to, and perfect the mechanism of, a national market system, or otherwise in furtherance of the purposes of the Act.” [642] Further, Rule 608 provides the Commission with the authority to approve an NMS plan, “with such changes or subject to such conditions as the Commission may deem necessary or appropriate.” [643] In reviewing the policy choices made by the Participants in developing the CAT NMS Plan, the Commission has sought to ensure that they are supported by an adequate rationale, do not call into question the Plan's satisfaction of the approval standard in Rule 608, and reasonably achieve the benefits of a consolidated audit trail without imposing unnecessary burdens. In addition, because of the evolving nature of the data captured by the CAT and the technology used, as well as the number of decisions still to be made in the process of implementing the CAT NMS Plan, the Commission has paid particular attention to the structures in place to guide decision-making going forward. These include the governance of the Company, the provisions made for Commission and other oversight, the standards established, and the development milestones provided for in the Plan.

The Commission received 24 comment letters on the CAT NMS Plan.[644] The commenters included, among others, national securities exchanges, technology providers, academics, broker-dealers, investors, and organizations representing industry participants. Of the comment letters received regarding the Plan, 13 expressed general support,[645] 3 comment letters expressed opposition to the Plan,[646] and 8 comment letters neither supported nor opposed the Plan.[647] Many of the commenters suggested modifications to certain provisions of the Plan or identified what they believed were deficiencies in the Plan.

The most significant areas raised in the comment letters pertained to: (i) The security and confidentiality of CAT Data (especially of PII); (ii) the cost and funding of the CAT; (iii) the timing of the retirement of duplicative regulatory reporting systems; (iv) the implementation time frame; (v) governance (particularly with respect to industry representation); (vi) the clock synchronization standard; (vii) error rates; and (viii) an overall lack of detail in the CAT NMS Plan.

As discussed in detail below, the Commission has determined to approve the CAT NMS Plan, as amended, pursuant to Section 11A of the Act [648] and Rule 608.[649] The Commission believes that the Plan is reasonably designed to improve the completeness, accuracy, accessibility and timeliness of order and execution data used by regulators. The Commission believes that the Plan will facilitate regulators' access to more complete, accurate and timely audit trail data. The Plan will also allow for more efficient and effective surveillance and analysis, which will better enable regulators to detect misconduct, reconstruct market events, and assess potential regulatory changes. As a result, the CAT NMS Plan should significantly improve regulatory efforts by the SROs and the Commission, including market surveillance, market reconstructions, enforcement investigations, and examinations of market participants. The Commission believes that improved regulatory efforts, in turn, will strengthen the integrity and efficiency of the markets, which will enhance investor protection and increase capital formation.

As noted, commenters raised concerns about, and suggested alternatives to, certain Plan provisions. The Participants submitted five letters which responded to the comments and provided certain suggestions for amendments to the Plan, as discussed in detail below. After considering the proposed Plan, the issues raised by commenters, and the Participants' responses, the Commission has amended certain aspects of the Plan and has determined that the proposed Plan, as amended by the Commission, satisfies the standard of Rule 608. The Commission finds that the CAT NMS Plan is necessary or appropriate in the public interest, for the protection of investors and the maintenance of fair and orderly markets, to remove impediments to, and perfect the mechanism of a national market system, or is otherwise in furtherance of the purposes of the Act.[650] The Commission does not believe that the remaining concerns identified by commenters individually or collectively call into question the Plan's satisfaction of the approval standard in Rule 608, or otherwise warrant a departure from the policy choices made by the Participants.

A. Definitions, Effectiveness of Agreement, and Participation (Articles I, II, and III)

Article I of the CAT NMS Plan sets forth definitions for certain terms used in the CAT NMS Plan, as well as principles of interpretation. Article II of the CAT NMS Plan describes the corporate structure under which the Participants will build and maintain the CAT, and Article III addresses participation in the Plan, including admission of new Participants, resignation and termination of Participants, and the obligations and liability of Participants.[651]

The Commission did not receive any comments relating to Article II or III of the CAT NMS Plan, and is approving them as proposed, with certain technical conforming changes to reflect the Participants' proposal to treat the Company as a non-profit and certain Exchange Act obligations.[652] The Commission did receive comments on three definitions: [653] (1) Allocation Report; [654] (2) Trading Day; [655] and (3) Eligible Security.[656]

For the definition of Allocation Report,[657] one commenter stated that “allocation time is not consistently defined or captured,” and that without further guidance, CAT Reporters may have difficulties reporting this data element.[658] The Participants responded to this comment by explaining that the Participants have not yet determined how “time of the allocation” will be defined, but indicated that they would address this in the Technical Specifications.[659]

For the definition of Trading Day,[660] one commenter stated that the cut-off time for Trading Day is not defined and argued that, consistent with OATS, the cut-off time should be 4:00 p.m., ET.[661] The commenter argued a later cut-off time would compress the time CAT Reporters have to collect, validate, and report data in a timely manner.[662] The Participants responded to this comment by explaining that a universal cut-off time for Trading Day is not recommended for the CAT because cut-off times may differ based on the different types of Eligible Securities (including the potential expansion of the security types covered in Eligible Securities). Rather, the Participants stated that the Operating Committee should determine cut-off times for the Trading Day and indicated that they would address this in the Technical Specifications.[663]

For the definition of Eligible Security,[664] one commenter stated that “a full audit trail would include transactions both on and off exchange.” [665] The Participants noted that the CAT will capture on- and off-exchange transactions for NMS Securities and OTC Equity Securities, as the CAT would “capture orders and transactions in NMS Securities and OTC Equity Securities, even if they occur in ATSs/dark pools, other trading venues or internally within broker-dealers.” [666]

The Commission believes that the definitions and principles of interpretation set forth in Article I of the CAT NMS Plan are reasonably designed to provide clarity to the terms set forth in the CAT NMS Plan. In response to the commenters that recommended modifications to the definitions of Allocation Report and Trading Day, the Commission believes it is reasonable for the Participants to address the Allocation Report and Trading Day specifics raised by commenters in the Technical Specifications to provide the CAT with necessary flexibility during its implementation, and based on the Plan's requirement that the Technical Specifications will be published no later than one year prior to when Industry Member reporting begins.[667] With respect to Eligible Securities, the Commission believes that the commenter's concern is addressed already in the Plan.

The Commission also notes that the Participants submitted a letter to the Commission indicating that the names of certain Participants had changed and that two new exchanges have been approved by the Commission.[668] Specifically, the Participants stated that BATS Exchange, Inc. is now known as Bats BZX Exchange, Inc.; BATS Y-Exchange, Inc. is now known as Bats BYX Exchange, Inc.; EDGA Exchange, Inc. is now known as Bats EDGA Exchange, Inc.; EDGX Exchange, Inc. is now known as Bats EDGX Exchange, Inc.; NASDAQ OMX BX, Inc. is now known as NASDAQ BX, Inc.; and NASDAQ OMX PHLX LLC is now known as NASDAQ PHLX LLC.[669] In addition, the Participants stated that two new exchanges were approved by the Commission: ISE Mercury, LLC and Investors' Exchange, LLC.[670] Thus, the Participants suggested that the Commission amend the Plan to reflect that ISE Mercury, LLC and Investors' Exchange LLC are Participants to the CAT NMS Plan, and to include their names on the signature block for the CAT NMS Plan (including the Plan's appendices).[671] The Commission believes it is appropriate to amend the CAT NMS Plan to reflect the name changes of certain Participants because this will ensure that the names of those Participants are accurately reflected, and to amend the CAT NMS Plan to add ISE Mercury, LLC and Investors' Exchange, LLC as Participants to the CAT NMS Plan because all SROs are intended to be Participants to the CAT NMS Plan.[672]

B. Management of the Company (Article IV)

Article IV of the CAT NMS Plan describes the management structure of CAT NMS, LLC.[673] Many commenters raised concerns related to the governance structure set forth in the CAT NMS Plan.[674] Most of the governance comments focused on the role, composition, obligations and powers of the Operating Committee and the Advisory Committee.[675] A few commenters identified potential conflicts of interest (both with respect to the Officers and the Participants) as well as other governance concerns, including whether the CAT should be under the Commission's direct and sole control.[676]

1. Operating Committee

Article IV of the CAT NMS Plan provides that an Operating Committee will manage the CAT, where each Participant appoints one member of the Operating Committee, and each Participant appointee has one vote.[677] Article IV also sets forth certain other provisions relating to the Operating Committee, including identification of those actions requiring a Majority Vote, a Supermajority Vote, or a unanimous vote; and the management of conflicts of interest. Commenters raised concerns about the composition, voting and independence of the Operating Committee.

Some commenters argued that the composition of the Operating Committee should not be limited to the SROs,[678] arguing that non-SROs also should have full voting powers.[679] Commenters recommended that the Operating Committee should include members who are broker-dealers,[680] and other non-SRO and non-broker-dealer market participants,[681] institutional investors, broker-dealers with a substantial retail base, broker-dealers with a substantial institutional base, a data management expert, and a federal agency representative with national security cybersecurity experience.[682] Another commenter recommended including representatives of registered funds as members of the Operating Committee, noting their strong interest in ensuring the security of CAT Data and that CAT Reporter position information and trading strategies not be compromised.[683] Two commenters argued that no legal authority bars broker-dealers or other non-SROs from serving on the Operating Committee.[684]

In support of their recommendation to expand the Operating Committee's membership, commenters stressed the need for meaningful input by stakeholders with specific expertise, which they believed would improve the implementation and maintenance of the CAT.[685] One commenter described the CAT as “a uniquely complex facility” [686] and another commenter described the CAT as “a critical market utility designed to benefit the national market system and all market participants,” and stated that as such “the governance and operation of the CAT NMS Plan should be structured to obtain meaningful input from the broker-dealer community.” [687] One of these commenters noted broker-dealers would have complementary “expertise and insight” to the SROs, insofar as broker-dealers would be “providing the lion's share of the reported data to the CAT.” [688] This commenter clarified that, in recommending broker-dealer participation on the Operating Committee, the commenter “does not expect (or request) that broker-dealer representatives would have access to the surveillance patterns and other regulatory means by which the SROs will use the data collected by the CAT.” [689]

One commenter described the industry's experience as part of the DAG as informing its belief that full industry participation on the Operating Committee is required.[690] This commenter stated that “the SROs limited the Industry's participation in important aspects of the development process” to an extent that direct engagement with Bidders “provided a more complete and relevant picture of the proposed CAT solution than had been received through involvement in the DAG.” [691] This commenter argued the Operating Committee should include non-SRO industry participants because it would allow them to participate in selecting a Plan Processor and developing the CAT operating procedures.[692]

One commenter recommended that the allocation of voting rights among the Participants be reevaluated, noting that the Commission's Equity Market Structure Advisory Committee (“EMSAC”) provided a similar recommendation regarding plan governance generally.[693] This commenter also recommended limiting the number of Operating Committee actions that require unanimous voting.[694]

Commenters also recommended that the Operating Committee include “independent directors.” [695] One commenter recommended that these independent directors be both non-industry and non-SRO.[696] Other commenters argued that the “CAT governance structure should include independent directors, comprised of both non-[i]ndustry and [i]ndustry participants.” [697]

In response to comments regarding the composition of the Operating Committee, the Participants argued that the Operating Committee should remain as a committee solely of SROs because only SROs have a statutory obligation under the Exchange Act to create, implement and maintain the CAT and regulate securities markets, whereas broker-dealers do not.[698] The Participants also identified potential conflicts of interest if the “subjects of surveillance [are] involved in decision-making of a plan that, at its core has SEC and [SRO] regulatory surveillance as its primary objective.” [699] Finally, the Participants discussed their belief that the Advisory Committee, discussed below, is the appropriate forum for non-Participants to provide their views.[700]

In response to comments regarding the allocation of voting rights among the Participants, the Participants explained that each Participant has one vote to permit equal representation among the Participants.[701] The Participants indicated their commitment to this allocation of voting rights because each Participant independently has obligations with regard to the CAT under Rule 613, and each Participant's regulatory surveillance obligations are not constrained by revenues or market share. The Participants also noted that this voting model is common among other NMS plans.[702]

In response to the commenter suggesting that the CAT NMS Plan should limit the number of provisions requiring a unanimous vote, the Participants highlighted that only three extraordinary circumstances require a unanimous vote under the CAT NMS Plan: (i) Obligating Participants to make a loan or capital contribution to the Company;[703] (ii) dissolving the Company; [704] and (iii) acting by written consent in lieu of a meeting.[705]

In response to comments recommending the CAT governance structure include independent directors, the Participants noted that many of the Participants have independent representation on their governing boards, such that each Participant's input regarding the CAT would reflect independent views.[706]

The Commission notes that the Participants' proposed governance structure—with both an Operating Committee and an Advisory Committee—is similar to the governance structure used today by other NMS plans, and the Commission believes that this general structure is reasonably designed to allow the Participants to fulfill their regulatory obligations and, at the same time, provide an opportunity for meaningful input from the industry and other stakeholders.[707] The Commission believes that it is reasonable for the Operating Committee to be composed exclusively of SROs. As the Participants point out, the CAT NMS Plan is the vehicle through which they will fulfill key regulatory and oversight responsibilities. The Commission notes the Participants' statutory obligations as SROs, the opportunity for Advisory Committee input on the CAT NMS Plan decisions, the opportunity for public comment on Plan amendments, and close Commission oversight, when reaching that determination.[708]

Furthermore, the Commission notes that the current provisions, which allocate voting rights such that each Participant has one vote, are consistent with other NMS plans and recognize that the obligations imposed by Rule 613 on the SROs are also imposed on each SRO independently. With respect to the limited use of a unanimous voting standard, the Commission believes that the Plan is reasonably designed to facilitate effective governance and notes that only the three extraordinary Operating Committee actions specified above require unanimity, whereas all other Operating Committee actions can be accomplished with either a Majority Vote or Supermajority Vote.

The Commission notes that Commission Staff may observe all meetings (regular and special), including Executive Sessions, of the Operating Committee and Advisory Committee and receive all minutes.[709] The Commission anticipates that only a few members of Commission Staff would observe any given meeting.

The Commission also notes that independent of its review of the CAT NMS Plan, the EMSAC has been reviewing, among other things, the issues surrounding NMS plan governance. On June 10, 2016, the EMSAC presented its recommendations in this area to the Commission.[710]

Finally, the Commission is amending Section 4.4(b) of the Plan to specify that the Operating Committee's discretion to deviate from the treatment, as set forth therein, of persons submitting a Form 1 application to become a national securities exchange or persons submitting a Form X-15AA-A application to become a national securities association, must be reasonable and not impose any unnecessary or inappropriate burden on competition. The Commission is also amending Section 3.3(b)(v) of the Plan to specify that the Operating Committee's discretion, in considering other factors in determining the Participation Fee of a new Participant, must be reasonable, equitable and not unfairly discriminatory. The Commission believes these amendments are appropriate because they set forth in the CAT NMS Plan specific limitations with respect to the Operating Committee's discretion that are consistent with existing SRO obligations under the Exchange Act.[711]

2. Advisory Committee

Article IV of the Plan establishes an Advisory Committee charged with advising the SROs on the implementation, operation, and administration of the Central Repository.[712] Under the Plan, the Advisory Committee has the right to attend Operating Committee and Subcommittee meetings—unless they are held in Executive Session—and submit its views prior to a decision by the Operating Committee.[713] As proposed, the composition of the Advisory Committee includes: (i) Broker-dealers of varying sizes and types of business, including a clearing firm, (ii) an individual who maintains a securities account, (iii) an academic, (iv) institutional investors, and (v) the Commission's Chief Technology Officer (or Commission equivalent), who while not formally a member of the Advisory Committee, serves as an observer.[714]

Most comments regarding the Advisory Committee recommended formalizing and expanding its role.[715] Commenters made the following recommendations: (i) Change the selection process of, and expand the membership of, the Advisory Committee; [716] (ii) form the Advisory Committee before the CAT NMS Plan is approved; [717] (iii) formalize procedures for Advisory Committee meetings, including requiring specific documentation and written correspondence; (iv) narrow the use of Operating Committee Executive Sessions, whereby the Advisory Committee is excluded from participating; and (v) adopt in the CAT NMS Plan, the EMSAC's recommendations for NMS plan advisory committees.[718]

One commenter suggested that the process for selecting Advisory Committee members should change to ensure that the Advisory Committee membership is independent of the SROs.[719] The commenter noted selection of Advisory Committee members independent from the Participants is critical in light of the inherent conflict of interest the Participants face as sponsors and overseers of a Plan that will, at the same time, impose obligations on the very same Participants.[720] This commenter also recommended that the Advisory Committee members should be selected by broker-dealer representatives—not by the SROs—and in support of this position argued that the Advisory Committee's purpose “should be to represent the interest of the industry and bring to bear the wide expertise of broker-dealers.” [721]

Those commenters that advocated expanding the membership of the Advisory Committee [722] suggested including: (i) Trade processing and order management service bureaus; (ii) registered funds; (iii) inter-dealer brokers; (iv) agency brokers; (v) retail brokers; (vi) institutional brokers; (vii) proprietary trading firms; (viii) smaller broker-dealers; (ix) firms with a floor presence; and (x) industry/trade associations.[723] One commenter recommended expanding the Advisory Committee to 20 members, with a minimum of 12 broker-dealers.[724] Another commenter suggested including two financial economists (preferably academic) with expertise in both econometrics and the economics of the primary market and market microstructure.[725]

Another commenter recommended forming the Advisory Committee prior to the CAT NMS Plan receiving the Commission's approval to “allow representative participation in the selection of the [Plan] Processor and in developing [o]perating procedures.” [726]

Commenters suggested increasing the governance role of the Advisory Committee, with one commenter advocating that “the Advisory Committee should be involved in every aspect of the CAT,” [727] such as budgets, fees and charges, and new requirements that may significantly burden broker-dealers.[728]

To facilitate increasing the Advisory Committee's role in the CAT's governance, a few commenters offered concrete recommendations for procedural safeguards.[729] Two commenters suggested that the Operating Committee be required to document a written rationale any time the Operating Committee rejects an Advisory Committee recommendation.[730] One of these commenters recommended that all documents prepared for or submitted to the Operating Committee by the Plan Processor also be submitted to the Advisory Committee, to keep the Advisory Committee fully informed.[731] One commenter recommended that agendas and documentation for Operating Committee meetings be distributed to Advisory Committee members in advance of meetings.[732]

A commenter also recommended that all information concerning the operation of the Central Repository be made available to the Advisory Committee, except for limited information of a confidential regulatory nature.[733] This commenter added that when information is deemed to be of a confidential regulatory nature, the SROs should maintain a written record of what is designated confidential (and excluded from the Advisory Committee) and include an explanation of such designation.[734]

Two commenters recommended revising the confidentiality policies related to the CAT to permit Advisory Committee members to “share information from the [Advisory Committee] meetings with their colleagues and with other industry participants.” [735] One commenter further suggested that an Advisory Committee member should be allowed to make other firm personnel available that may have relevant expertise if the Advisory Committee is “tasked with evaluating issues outside the members' subject matter expertise.” [736]

Two commenters suggested that the Advisory Committee should have a right to review proposed amendments to the CAT NMS Plan that would affect CAT Reporters.[737] One of these commenters noted that “[i]t may not be obvious to the Operating Committee when a change to the Plan impacts CAT [R]eporters in a material way.” [738] The other commenter suggested modifying the Plan's definition of a Material Amendment [739] to distinguish between amendments that are internal or external to the Plan Processor.[740] This commenter recommended that both internal and external material amendments to the CAT NMS Plan be reviewed by the Advisory Committee, but be designated for different levels of review. This commenter suggested that material amendments that are “internal” to the Plan Processor would only be reviewed to ensure that they do not materially affect CAT Reporters; whereas, amendments that are “external” to the Plan Processor would require Advisory Committee consultation and an implementation plan with reasonable time for development and testing.[741]

A commenter recommended specific CAT NMS Plan governance changes to expand and clarify the role of the Advisory Committee.[742] This commenter supported: (i) Clarifying the process for selecting Advisory Committee representatives; (ii) expanding and formalizing the role of the Advisory Committee, such as providing it formal votes on matters before the Operating Committee and the ability to initiate its own recommendations; and (iii) significantly narrowing the use of Executive Sessions for the Operating Committee.[743] Moreover, a commenter recommended that when the Operating Committee meets in Executive Session, the SROs should maintain a written record including an explanation of why an Executive Session is required.[744]

One commenter, an SRO, stated that “the governance structure in the proposed CAT NMS Plan would establish an appropriate advisory role for the Advisory Committee that is consistent with the requirements specified by the Commission in Rule 613.” [745] This commenter stressed that while the SROs have a legal obligation under Commission rules to create, implement and maintain a consolidated audit trail and central repository, non-SROs do not have this legal obligation. Accordingly, this commenter stated its belief that Advisory Committee members should not have a voting right with respect to Operating Committee actions.[746] Finally, this commenter argued that having non-SRO Advisory Committee members vote in connection with the CAT NMS Plan would be incompatible with the requirements of the Exchange Act and Commission rules that squarely place the obligations to implement and enforce “the CAT NMS Plan on the shoulders of the SROs.” [747] In this regard, the commenter highlighted the Rule 613(f) requirement that SROs “develop and implement a surveillance system, or enhance existing surveillance systems, reasonably designed to make use of the consolidated information contained in the consolidated audit trail.” [748]

Regarding the size and composition of the Advisory Committee, the Participants recommended amending the Plan to include a service bureau representative, because service bureaus “perform audit trail reporting on behalf of their customers . . . [and] would provide a valuable perspective on how the CAT and any enhancements thereto would affect the service bureau clients, which often include a number of small and medium-sized firms.” [749] The Participants also recommended augmenting the institutional investor representation on the Advisory Committee by including institutional investor representation by an adviser from registered funds, and increasing from two to three institutional investor representatives with at least one of the institutional investor representatives trading on behalf of an investment company or group of investment companies registered pursuant to the Investment Company Act of 1940.[750] The Participants also suggested removing references in the Advisory Committee eligibility requirements for those institutional investors “on behalf of a public entity . . . and on behalf of a private entity,” which is in response to a comment noting the vagueness of the terms “public” and “private” with respect to institutional investors.[751]

The Participants, however, disagreed with commenters that the academic representative of the Advisory Committee should be limited to a financial economist because a general requirement that “a member of academia with expertise in the securities industry or any other industry relevant to the operation of the CAT System,” does not preclude a financial economist serving on the Advisory Committee so long as they have the relevant expertise.[752] The Participants also disagreed with commenters that members of industry trade groups should also serve on the Advisory Committee, noting that the CAT NMS Plan includes a variety of representatives from the members of such trade groups and would provide “a meaningful opportunity for the representation of the views of industry trade groups.” [753] Furthermore, the Participants disagreed with commenters who advocated increasing the number of broker-dealer representatives on the Advisory Committee from seven to twelve, and increasing the size of the Advisory Committee from twelve to twenty members. The Participants noted that, in “balancing the goal of having a sufficient cross section of representation with the goal of having a well-run committee,” seven broker-dealers of varying sizes and business types would provide “significant opportunity to provide [broker-dealers'] views” and increasing an Advisory Committee from twelve to twenty creates a committee structure that would “likely hamper, rather than facilitate,” discussion.[754]

In response to commenters recommending a more active and participatory role in operation of the CAT for non-SRO stakeholders, the Participants stated that the Plan strikes an appropriate balance between providing the “industry with an active role in governance while recognizing the Participants' regulatory obligations with regard to the CAT.” [755] In response to a commenter recommending that Advisory Committee members be selected by broker-dealer representatives, the Participants stated their belief that the Operating Committee should select the members, but agreed with commenters that the Advisory Committee should be permitted to advise the Operating Committee regarding potential Advisory Committee members.[756] The Participants suggested that the CAT NMS Plan be amended to permit the Advisory Committee to advise the Operating Committee on Advisory Committee member selection, provided however, that the Operating Committee in its sole discretion would select members of the Advisory Committee.[757]

In response to comments recommending formalized modes of written communication between the Operating Committee and the Advisory Committee, the Participants recommended that the CAT NMS Plan remain unchanged.[758] In support, the Participants stated their belief that the proposed structure adequately addresses the commenters' concerns, while recognizing the need for the Participants to have the opportunity to discuss certain matters, particularly certain regulatory and security issues, without the participation of the industry.[759] The Participants also noted that the Advisory Committee is permitted to attend all of the non-Executive Session Operating Committee meetings, where information concerning the operation of the CAT is received (subject to the Operating Committee's authority to determine the scope and content of information supplied to the Advisory Committee).[760] Further, the Participants stated that minutes, subject to customary exceptions for confidentiality and privilege considerations, will be provided to the Advisory Committee. Finally, the Participants did not support instituting formalized modes of written communication between the Operating Committee and the Advisory Committee because such “an overly formulaic approach to [Operating Committee] interactions” would “hamper, rather than enhance, [Operating Committee] interactions with the Advisory Committee.” [761]

With respect to comments recommending narrowing the use of Operating Committee Executive Sessions, the Participants stated their belief that the Operating Committee's capabilities to meet in Executive Session are appropriate and cited the Commission's statement in the Adopting Release that: “meet[ing] in [E]xecutive [S]ession without members of the Advisory Committee appropriately balances the need to provide a mechanism for industry input into the operation of the central repository, against the regulatory imperative that the operations and decisions regarding the consolidated audit trail be made by SROs who have a statutory obligation to regulate the securities markets, rather than by members of the SROs, who have no corresponding statutory obligation to oversee the securities markets.” [762] The Participants represented that their intended use of an Executive Session is for limited purposes requiring confidentiality and offered four examples: Matters that present an actual or potential conflict of interest for Advisory Committee members (e.g., relating to member's regulatory compliance); discussion of actual or potential litigation; CAT security issues; and personnel issues. The Participants also noted that Executive Sessions must be called by a Majority Vote and that the meeting minutes are recorded, subject to confidentiality and attorney-client privilege considerations.[763]

Finally, in response to comments that the Advisory Committee should form before the approval of the CAT NMS Plan, the Participants noted that the Plan itself provides for the establishment of the Operating Committee and the Advisory Committee and thus cannot be formed until the Commission approves the Plan. The Participants also noted that the DAG provides the Participants with “advice regarding the development of the Plan from an industry perspective.” [764]

For reasons discussed below, the Commission finds reasonable the Participants' suggested modifications to add a service bureau representative, increase the number of institutional investor representatives on the Advisory Committee, remove terms that create vagueness for the institutional investor representative categories, and make the applicable conforming changes to Section 4.13 of the Plan. Accordingly, after considering the comments, the Commission is amending Section 4.13 of the Plan to include a service bureau representative, increase the number of institutional investor representatives from two (2) to three (3), and remove the terms that a commenter identified as creating vagueness with respect to the institutional investor category.

The Commission understands that service bureaus frequently serve a core role in reporting CAT Data on behalf of broker-dealers, and as such, the Commission finds appropriate their inclusion as an Advisory Committee member. Further, the Commission finds the increase from two to three members on the Advisory Committee representing institutional investors, as well as removing the references to “on behalf of a public entity” and “on behalf of a private entity” due to the vagueness of such terms with respect to institutional investor Advisory Committee members, to be reasonable responses to commenters seeking additional representation and clarity. The Commission also agrees with the Participants that it is reasonable to not mandate inclusion of representatives on the Advisory Committee from industry and trade associations, given the existing substantial industry representation on the Advisory Committee, which is reasonably designed to ensure a wide range of meaningful industry perspectives.

The Commission agrees with commenters who argued that the academic representative on the Advisory Committee should be a financial economist. The Commission acknowledges the Participants' response that a financial economist is not precluded from serving as the academic representative of the Advisory Committee, but the Commission believes that specifying that the academic representative must be a financial economist is appropriate to ensure the Advisory Committee and the Operating Committee have access to such expertise in assessing the CAT's operations and development. Accordingly, the Commission is amending Section 4.13(b)(ix) of the Plan to specify that the academic representative on the Advisory Committee must be a financial economist.

The Commission agrees with the Participants' suggestion, in response to commenters, to permit the Advisory Committee to recommend Advisory Committee candidates to the Operating Committee. Accordingly, the Commission is amending Section 4.13(d) of the Plan to permit the Advisory Committee to recommend Advisory Committee candidates to the Operating Committee, but notes that the Operating Committee still maintains the sole discretion to select members of the Advisory Committee.

The Commission believes the amendment is reasonably designed to ensure a robust selection process for Advisory Committee membership that identifies candidates that best represent the industry perspective. With respect to the comment suggesting that the Advisory Committee be established before the approval of the CAT NMS Plan, the Commission notes it would be premature and technically not possible to establish an advisory committee to an NMS plan before such plan has been approved by the Commission. Moreover, the Commission notes that the interests of the industry and other stakeholders have been represented through the DAG, the public comment process, and through the SROs themselves as the CAT NMS Plan has been developed.

The Commission is amending the Executive Sessions provision in Section 4.4(a) of the Plan, as well as the Advisory Committee provision in Section 4.13(b) of the Plan related to the Commission's Chief Technology Officer (or equivalent) being an observer of the Advisory Committee. As the Commission is responsible for regulatory oversight of the Participants and the CAT NMS Plan, the Commission believes that it is appropriate for the Plan to expressly provide that Commission Staff may attend all CAT NMS Plan meetings, including those held in Executive Session. Similarly, because the Commission has broad regulatory responsibility for the Plan, the Commission does not believe it is appropriate to limit to the Commission's Chief Technology Officer (or equivalent) the right to serve as an observer at Advisory Committee meetings. Accordingly, the Commission is amending Sections 4.4(a) and 4.13(b) to provide that Commission Staff may attend Executive Sessions, and to permit the Commission to select the Commission representative to observe Advisory Committee meetings. The Commission anticipates that only a few members of Commission Staff would observe any given meeting.

The Commission also is amending Section 4.13(e) of the Plan in response to comments to provide that the Advisory Committee shall receive the same documents and information concerning the operation of the Central Repository as the Operating Committee. The Operating Committee may, however, withhold such information to the extent it reasonably determines such information requires confidential treatment. Although the Plan as filed permits Advisory Committee members to attend all of the non-Executive Session Operating Committee meetings, with respect to information concerning the operation of the CAT, it allows the Operating Committee broad discretion to determine the scope and content of information supplied to the Advisory Committee. The Commission believes it is important for the Advisory Committee to fulfill its role that its members receive full information on Plan operations (other than confidential information) and that it is therefore appropriate to amend Section 4.13(e) of the Plan accordingly.

With respect to the other comments regarding authority, composition and role of the Advisory Committee, as well as the use of the Operating Committee Executive Sessions, the Commission notes that the Plan provisions relating to the Advisory Committee and the Operating Committee Executive Sessions are similar to those in other NMS plans and are, therefore, reasonable.[765]

3. Officers of the Company

The CAT NMS Plan requires the Company to appoint a CISO and a CCO, who shall be employees solely of the Plan Processor.[766] The Plan acknowledges that the CISO and CCO may have fiduciary and other similar duties to the Plan Processor pursuant to their employment with the Plan Processor, and the Plan, as proposed, sets forth that to the extent permitted by law, the CISO and CCO will have no fiduciary or similar duties to the Company.[767]

One commenter expressed concern that appointing a CISO and CCO who would both be officers of the Company and employees of the Plan Processor “creates a potential conflict of interest that would undermine the ability of these officers to effectively carry out their responsibilities under the CAT NMS Plan because they would owe a fiduciary duty to the Plan Processor rather than to the [Company].” [768] This commenter recommended that the officers of the Company should be required to act in the best interest of the [Company] to avoid conflicts of interest in carrying out their oversight activities.[769] In addition, this commenter suggested that the CAT NMS Plan impose a fiduciary duty on the CISO and CCO, or at a minimum require the Plan Processor to select individuals who do not have a fiduciary duty to the Plan Processor to serve in these roles.[770]

In response to these comments, the Participants suggested that the CAT NMS Plan be changed so that all Officers of the Company, including the CISO and CCO, have fiduciary duties to the Company in the same manner and extent as an officer of a Delaware corporation.[771] The Participants also represented that the Operating Committee, in an agreement with the Plan Processor, will have the Plan Processor acknowledge that the Officers of the Company will owe fiduciary duties to the Company, and to the extent that the duties owed to the Company by the Officers of the Company, including the CISO or CCO, conflict with any duties owed to the Plan Processor, the duties to the Company should control.[772]

The Commission believes that the suggested modifications by the Participants in response to comments about potential conflicts of interest are reasonable. Accordingly, the Commission is amending Section 4.7(c) of the Plan so that each Officer shall have the same fiduciary duties and obligations to the Company as a comparable officer of a Delaware corporation and in all cases shall conduct the business of the Company and execute his or her duties and obligations in good faith and in the manner that the Officer reasonably believes to be in the best interests of the Company. Furthermore, the Commission is amending Section 4.6(a) of the Plan to codify the Participants' representation that the Operating Committee, in an agreement with the Plan Processor, will have the Plan Processor acknowledge that the Officers of the Company will owe fiduciary duties to the Company, and to the extent that the duties owed to the Company by the Officers of the Company, including the CISO or CCO, conflict with any duties owed to the Plan Processor, the duties to the Company should control.

The Commission believes that amending the CAT NMS Plan to expressly affirm the Officers' fiduciary duties or similar duties or obligations to the Company provides clarity and assurances that the Officers will act in the best interests of the Company.[773] The Commission also believes it is reasonable, as the Participants have suggested in their response to comments, to have the Company and the Plan Processor enter into an agreement that specifies not only that Officers have fiduciary duties and obligations to the Company, but that if such Officers may have competing duties and obligations owed to the Company and to the Plan Processor, the duties and obligations to the Company should control. At this time, it is unclear what competing duties and obligations Officers may owe to the Company and the Plan Processor. While in many cases, the Officers' duties towards the Plan Processor and the Company are likely to be aligned, there may be circumstances (e.g., related to the performance of the Plan Processor) where such duties may conflict and the Commission finds reasonable that in such circumstances, the duties to the Company should control in order to mitigate any conflict between the interests of the Plan Processor and those of the Company in administering the CAT.

The Commission further notes that the CAT NMS Plan provides reasonable oversight of the Officers by the Operating Committee. For example, the Plan requires: (i) The Operating Committee to approve the CISO and CCO with a Supermajority Vote [774] ; (ii) the CISO and CCO to devote, with minor exceptions, their entire working time to serving as the CISO and CCO [775] ; (iii) the Operating Committee to oversee that the Plan Processor allocates appropriate resources for the CISO and CCO to fulfill their obligations [776] ; (iv) the CISO and CCO to report directly to the Operating Committee with respect to their duties [777] ; (v) the compensation of the CISO and CCO to be subject to the Operating Committee's review and approval [778] ; and (vi) an annual performance review of the CISO and CCO to be conducted by the Operating Committee.[779]

4. Additional Governance Provisions

Commenters raised additional governance concerns related to conflicts of interest for the Participants, whether there should be an audit committee, and whether the Participants should be required to coordinate the administration of the CAT from a legal, administrative, supervisory and enforcement perspective.[780]

Some commenters expressed concern that the Participants would have a conflict of interest because of the various roles they perform with respect to the CAT. One commenter stated that the Participants are “sponsors and overseers of the Plan, while at the same time, the Plan will impose obligations on [them].” [781] Another commenter raised concerns that the Participants would “control the [O]perating [C]ommittee for the [P]lan, use CAT [D]ata for regulatory purposes, and potentially commercialize the information that they report to the CAT.” [782] This commenter suggested that these roles may “present conflicting incentives” for Participants.[783]

One commenter argued that the Participants should not oversee and control the CAT and recommended instead that the Commission should build and host the CAT, which would then be under the Commission's direct and sole control.[784] In support of this view, the commenter stated the Commission's statutory mission to protect investors would make it better positioned to operate the CAT, as compared to for-profit SROs, who would seek to maximize profits from the CAT Data.[785] The commenter suggested that the Commission could outsource the building of the CAT and fund the CAT similar to how it funds its EDGAR system.[786] The commenter stated that CAT NMS, LLC should reorganize as a not-for-profit entity and set forth an organizational purpose aligned with the Commission's mission statement.[787] Finally, the commenter argued that the Commission solely should control access to and usage of the CAT System.[788]

Two commenters recommended that the Company governance structure include an audit committee.[789] One commenter noted that the audit committee should be comprised of mostly independent directors.[790] Another commenter stated the audit committee should be responsible for the oversight of how the CAT's revenue sources are used for regulatory purposes, and that the costs and financing of the CAT must be fully transparent and publicly disclosed in annual reports, including audited financial statements.[791]

Finally, one commenter suggested that the SROs should coordinate the administration of the CAT through a single centralized body from a legal, administrative, supervisory and enforcement perspective.[792] The commenter recommended amending the Plan to require this coordination, and suggested that such coordination could be facilitated through agreements under SEC Rule 17d-2, regulatory service agreements or some combination thereof.[793] In support of this view, the commenter noted that different CAT-related compliance requirements among the SROs might arise and subject firms to duplicative regulation and enforcement, with the accompanying inefficiencies, additional costs, and potential inconsistencies.[794]

In response to commenters suggesting the formation of an audit committee, the Participants stated that they would have the ability to review CAT-related issues objectively because “members of the Operating Committee are not employed by the [Company] and are fulfilling mandated regulatory oversight responsibilities, and that the [Company] will not operate as a profit-making company, which may need more scrutiny as compared to a company that is operating on a break-even basis.” [795] Further, the Participants noted that the CAT NMS Plan requires that a Compliance Subcommittee be established—and noted that the Operating Committee in the future could decide if an audit committee should be formed as a subcommittee.[796]

In response to commenters regarding the coordinated compliance and enforcement oversight of the CAT, the Participants acknowledged the benefits of having a single Participant be responsible for enforcing compliance with Rule 613 and the CAT NMS Plan through Rule 17d-2 agreements, regulatory services agreements or some other approach and represented that they would consider such an arrangement after the CAT NMS Plan's approval.[797] As discussed in Section IV.H, the Commission is amending Section 6.6 of the Plan to require that the Participants provide the Commission within 12 months of effectiveness of the Plan, a report detailing the Participants' consideration of coordinated surveillance (e.g., entering into 17d-2 agreements or regulatory services agreements).[798]

The Commission acknowledges the commenters' concern about the conflicts inherent in having SROs performing various roles as overseers of the Plan and at the same time enforcing compliance with Rule 613. The Commission, however, highlights that the Participants are performing roles specified pursuant to obligations under the Exchange Act and the rules thereunder and remain under the direct oversight of the Commission. With respect to comments expressing concerns that the Participants may be in a position to commercialize the respective Raw Data reported by each SRO submitting to the CAT, order and execution information is already collected by SROs from their members and they are permitted under current law to commercialize this data (e.g., direct market feeds, provided that the terms are fair and reasonable and not unreasonably discriminatory [799] ) subject to appropriate rule filings and oversight by the Commission.[800] Thus, the Plan does not expand the Participants' ability to commercialize their Raw Data beyond what is currently permitted.

With respect to comments that suggested that the Participants should not oversee and control the CAT, but that instead it should be under the Commission's direct and sole control, the Commission notes that in the Adopting Release, the Commission mandated that the Participants develop an NMS plan for the development and operation of the CAT. As such, the CAT NMS Plan, as noticed, whereby the Participants directly manage the CAT, was in furtherance of Rule 613 as adopted. Additionally, because the Participants, as SROs, currently serve as front-line regulators of many aspects of the securities markets, including administering the existing sources of regulatory data, the Commission believes they are well positioned to oversee the CAT. Moreover, the Commission believes that any potential conflicts arising from the status of certain Participants as for profit enterprises are reasonably addressed through the Plan provisions and Commission oversight.

The Commission concurs with the Participants that it is reasonable for the Company not to have an audit committee at this time. Further, the Participants are permitted to form an audit committee, as a subcommittee of the Operating Committee. The Commission notes that the absence of a requirement for an audit committee is consistent with other NMS plans.

Section 9.2(a) of the Plan states that the Operating Committee shall maintain a system of accounting for the Company established and administered in accordance with GAAP (or another standard if determined appropriate by the Operating Committee). Section 9.2(a) also requires, among other things, that the Company prepare and provide to each Participant an audited balance sheet, income statement and statement of cash flow, to the extent the Operating Committee deems advisable. In addition, Section 9.2(c) of the Plan states that all matters concerning accounting procedures shall be determined by the Operating Committee. The Participants recommended that the Commission amend Section 9.2(a) to eliminate the flexibility for the Company to administer a system of accounting in accordance with non-GAAP standards, thus requiring that all financial statements or information that may be supplied to the Participants shall be prepared in accordance with GAAP.[801] In addition, the Participants recommended amending the Plan to eliminate the discretion of the Operating Committee to provide financials only if it deems advisable and instead to require that the Company's audited annual balance sheet, income statement, and statement of cash flows be audited by an independent public accounting firm and made publicly available.[802] The Commission believes that the changes recommended by the Participants are reasonable because they will promote greater accuracy and transparency with respect to the Company's financial accounting and is therefore amending the Plan accordingly.

Section 6.1(o)(vi) of the Plan states that financial statements of the Plan Processor, prepared in accordance with GAAP and audited by an independent public accounting firm or certified by the Plan Processor's Chief Financial Officer, shall be provided to the Operating Committee no later than 90 days after the Plan Processor's fiscal year end. The Participants recommended that the Commission amend the Plan to change this timeframe to 180 days after the Plan Processor's fiscal year end to provide further flexibility to the Plan Processor with respect to the preparation of its financial statements.[803] The Commission believes that it is reasonable to provide this additional flexibility and is therefore amending the Plan accordingly.

The Commission also agrees with the commenters and Participants that a coordinated approach to self-regulatory oversight may have benefits, such as regulatory efficiencies and consistency, but believes that it is reasonable for such an arrangement to be considered by the Participants after the CAT NMS Plan's approval rather than mandating a specific approach for SRO coordination under the Plan at this time—as the Plan Processor has not been selected nor has the CAT System been developed. The Commission nevertheless notes that, as described above, it is amending the CAT NMS Plan to require a written assessment by the Participants within 12 months of effectiveness of the Plan, considering coordinated surveillance (e.g., entering into Rule 17d-2 agreements, regulatory services agreements or other arrangements, to facilitate regulatory coordination).[804]

Finally, the Commission notes that the CAT NMS Plan provides that books and records of the CAT LLC shall be made available to the Commission upon “reasonable request.” [805] Because the CAT LLC is a facility of the Participants, the Commission has the right to the books and records of CAT LLC “upon request” under Exchange Act Rule 17a-1,[806] and therefore is amending Section 9.1 of the Plan to delete the requirement that any request for the CAT LLC's books and records be “reasonable.”

C. Plan Processor Selection (Article V)

Article V of the CAT NMS Plan sets forth the process for selecting the Plan Processor following approval of the CAT NMS Plan.[807] The Plan Processor selection provisions in Article V are identical to the selection process set forth in the Selection Plan.[808]

The Commission received three comments suggesting that the Plan Processor selection process be accelerated,[809] with some commenters suggesting that the Selection Plan be amended to require the selection of the Plan Processor prior to the approval of the CAT NMS Plan.[810] According to one commenter, the earlier selection of a Plan Processor would advance the release and development of the Technical Specifications.[811] Another commenter offered support for a specific Bidder, noting their regulatory and technical competencies.[812] One commenter recommended that the Commission re-open the Plan Processor's agreement with CAT NMS, LLC every five years to ensure that the Plan remains state-of-the-art, and to provide a process for public input.[813] Another commenter stated that the Plan does not set forth sufficient incentives for the Plan Processor and the Participants to incorporate new technology into or to continuously innovate and strive to reduce the costs of the CAT System.[814]

In response to the comments to accelerate the Plan Processor selection process, the Participants acknowledged that the selection of the Plan Processor will likely affect implementation issues and related costs,[815] but that it is not feasible to accelerate the selection of the Plan Processor prior to the Commission's approval of the Plan. The Participants noted that until the Plan is finalized and approved by the Commission, the requirements of the CAT could change, which could impact the selection of the Plan Processor.[816] Moreover, the Participants noted that Rule 613's requirement that the Plan Processor be selected within two months after effectiveness of the Plan ensures that the selection of the Plan Processor will occur expeditiously once the Commission approves the Plan.[817]

In response to the comment in support for a specific Bidder, the Participants stated that they determined that utilizing a competitive bidding process to select the Plan Processor was the most appropriate way to promote an innovative and efficient CAT solution.[818] Pursuant to that process, the Participants noted that they have reduced the number of Bidders to three Shortlisted Bidders.

In response to the comment to re-open the Plan Processor's agreement with the CAT LLC every five years and to provide a process for public input on the agreement, the Participants stated that they agree that it is important to ensure that the CAT solution remains effective and efficient going forward.[819] Accordingly, the Participants noted that they have proposed a process for regularly reviewing the performance of the Plan Processor throughout the term of the Plan Processor's agreement and for modifying it if necessary to avoid an outdated CAT solution. The Participants added that, as set forth in the Plan, the Operating Committee will review the Plan Processor's performance under the Plan at least once each year, or more often than once each year upon the request of two or more Participants that are not Affiliated Participants.[820] In addition, the Participants noted that the Plan sets forth the process for removing the Plan Processor. Specifically, the Participants noted that the Operating Committee, by Supermajority Vote, may remove the Plan Processor from such position at any time, and that the Operating Committee may, by Majority Vote, remove the Plan Processor from such position at any time if it determines that the Plan Processor has failed to perform its functions in a reasonably acceptable manner in accordance with the provisions of the Plan. The Participants stated that if they were to vote to remove the Plan Processor, the Operating Committee would select a new Plan Processor through a competitive bidding process.

In approving the Selection Plan, the Commission stated that the Selection Plan is reasonably designed to achieve its objective of facilitating the development of the CAT NMS Plan and the selection of the Plan Processor.[821] The Commission also found that the Selection Plan is reasonably designed to govern the process by which the SROs will formulate and submit the CAT NMS Plan, including the review, evaluation, and narrowing down of Bids in response to the RFP, and ultimately choosing the Plan Processor that will build, operate, and maintain the consolidated audit trail.[822] The Commission believes that the process set out in the Selection Plan for selecting a Plan Processor remains a reasonable approach, which will facilitate the selection of the Plan Processor through a fair, transparent and competitive process and that no modifications to the Selection Plan are required to meet the approval standard. In response to the commenters recommending that the Plan Processor selection process be accelerated, the Commission agrees with the Participants that changes to the CAT NMS Plan that are being made in this Order may be relevant to the selection of the Plan Processor. The Commission believes that selecting the Plan Processor within two months of Plan approval, rather than prior to Plan approval, will allow the remaining Bidders to consider the CAT NMS Plan, as amended and approved by the Commission, and to make any necessary modifications to their Bids, which will enable the Participants to make a more fully informed decision on the Plan Processor in light of the amended and approved CAT NMS Plan.[823] The Commission believes this timeframe to select the Plan Processor—two months following Commission approval of the Plan—will not result in the untimely release of the Technical Specifications.

In response to the comment that offered support for a specific Bidder, the Commission agrees with the Participants that the competitive bidding process to select the Plan Processor is a reasonable and effective way to choose a Plan Processor and thus believes that the process set forth in the Selection Plan should be permitted to continue. In response to the commenter that recommended that the Commission re-open the Plan Processor's agreement with the CAT LLC every five years and provide a process for public input on the agreement, the Commission believes that the CAT NMS Plan already contains provisions that permit the reevaluation—and possible replacement—of the Plan Processor. Thus, the Commission is not amending the plan to require that the Plan Processor's agreement with the CAT LLC be reevaluated every five years.

Finally, in response to the commenter that stated that the Plan does not provide sufficient incentives for the Plan Processor and the Participants to incorporate new technology, innovate and reduce the costs of the CAT System, the Commission believes that requirements for regular evaluations of the operation of the CAT, the identification of potential improvements, and the delivery of a written assessment to the Commission, as well as the Plan's provisions regarding the possible removal of the Plan Processor provide sufficient incentives for the Plan Processor and the Participants in these areas.[824]

D. Functions and Activities of the CAT System (Article VI)

Article VI of the CAT NMS Plan sets forth the functions and activities of the CAT System.[825]

1. Data Recording and Reporting Requirements

Article VI of the Plan imposes requirements regarding what data elements must be reported to the Central Repository and by when. The Commission received comments regarding to whom these requirements should apply and the appropriateness of the provisions.

One commenter recommended that firms using manual orders that are currently exempt from OATS reporting pursuant to FINRA Rule 7470 should also be exempt from the CAT reporting obligations.[826] This commenter argued that to qualify for such an exemption, a firm would need to “eliminate many practices of regulatory concern” and have a “perfect regulatory history,” and that the exemption would have little impact on the CAT because it would exclude only the reporting of events that take place prior to delivery of an order to a market venue. The commenter argued that the exemption is necessary to keep currently-exempt firms in business due to the high costs that CAT reporting would impose.[827] This commenter further argued that the requested exemption for OATS-exempt firms would not be the same as an exemption for “small firms,” and that wrongdoers would not fall within this exemption because of the limitations on the level of market activity, the voluntary restrictions from operations such as market making and trading with customers, the use of manual orders, and the expected high levels of compliance.[828]

Another commenter broadly stated that the data recording and reporting procedures described in the CAT NMS Plan are inappropriate and unreasonable.[829] This commenter also stated that it may be easier for the Plan Processor to work directly with service bureaus, rather than with individual CAT Reporters, on data submission.[830]

In response to the commenter's request that OATS-exempt firms also be exempted from reporting to the CAT, the Commission believes that completely exempting any group of broker-dealers from reporting requirements would be contradictory to the goal of Rule 613, which is to create an accurate, complete, accessible and timely audit trail.[831] To permit such an exemption would eliminate the collection of audit trail information from a segment of broker-dealers and would thus result in an audit trail that does not capture all orders by all participants in the securities markets. The Commission believes that the CAT should contain data from all broker-dealers, including those that may appear to be at low risk for wrong-doing based on their history of compliance or business model. Regulators will not only use the CAT for surveillance and investigations, but also for market reconstructions and market analyses. Therefore, data from all broker-dealers is necessary.[832]

The Commission believes that the data recording and reporting procedures outlined in the CAT NMS Plan meet the requirements of Rule 613 [833] and are reasonable in that they are designed to ensure that data is recorded and reported in a manner that will provide regulators access to linked CAT Data that is timely, accurate, secure, and complete.[834] Further, while under certain circumstances it might be efficient for the Plan Processor to work directly with service bureaus, the reporting requirements in the CAT NMS Plan apply to CAT Reporters, which are regulated entities, and therefore, it is necessary that the Plan Processor deal directly with CAT Reporters in determining matters related to reporting CAT Data.[835]

2. Format

The CAT NMS Plan does not mandate the format in which data must be reported to the Central Repository.[836] Rather, the Plan provides that the Plan Processor will determine the electronic format in which data must be reported, and that the format will be described in the Technical Specifications.[837]

Two commenters expressed support for allowing the Plan Processor to determine the format for reporting data.[838] One of these commenters stated that prescribing an approach in the Plan may hinder scalability and future system development.[839]

Three commenters, however, recommended that the format be specified in the Plan.[840] One commenter argued that mandating an approach in the Plan, rather than waiting for the Technical Specifications, would give the industry more time to develop approaches to reporting using that format.[841] The commenter also argued that if the format is not known until the Technical Specifications are published, this would limit the opportunity to make changes to the format, if necessary, without disrupting the implementation schedule.[842] The commenter suggested that at least guidelines for a messaging protocol be included in the Plan.[843]

Commenters also expressed opinions about whether the Plan Processor should allow CAT Reporters to use multiple formats or one uniform format to report CAT Data. Four commenters generally supported an approach that would allow CAT Reporters to report CAT Data using a non-uniform format.[844] Under such an approach, the Central Repository would be responsible for normalizing the data into a uniform format to link and store the data. These commenters noted that CAT Reporters should be permitted to use any of the currently existing industry protocols widely used by industry participants, such as OATS, SWIFT or FIX.[845] One commenter advocated for the use of its own electronic communications protocol, FIX, stating that it would result in quicker implementation times and simplify data aggregation.[846] This commenter noted that FIX is currently used by thousands of firms in the financial services industry and that it would not make sense to require firms to convert from a FIX format to a proprietary format designed by the Plan Processor and mandated for CAT reporting.[847] The commenter stated that FIX already tracks the lifecycle of an order both within an organization and across organizations, thus making it a good choice as the format for the CAT.[848] It also noted that it is used globally and can be used for products beyond listed options and equities. Finally, the commenter represented that FIX can handle any identifier, including LEI, and can support the CAT NMS Plan's use of Customer-ID, average price processing, options reporting, and the daisy chain approach for reporting.[849]

One commenter stated that while mandating one uniform format would reduce the burden on the Central Repository for consolidating and storing data, it would impose a burden on CAT Reporters to accurately translate their current reporting format into a uniform CAT interface that could result in more errors than if the conversion to a uniform format occurred at the Central Repository.[850] Conversely, another commenter cautioned that requiring one uniform format would create a monopoly.[851]

One commenter argued that while data reported in a non-uniform format can be reliably converted into a uniform format, there are benefits to using a uniform format.[852] Specifically, the commenter stated that using a uniform format can reduce data integrity issues within the Plan Processor, reduce data processing times, lower error correction rates between T+1 and T+3, reduce time and resources needed to on-board participants, and improve data accuracy and consistency across broker-dealers.[853] The commenter also stated that use of a uniform format would improve data completeness because exact fields and standards would be defined.

In their response, the Participants stated that they do not believe that the Plan should mandate a specific format for reporting to the Central Repository, but rather should allow the Bidders to use discretion in selecting the format that will work most efficiently with their solution.[854] The Participants stated that the nature of data ingestion is key to the architecture of the CAT and therefore the Plan does not mandate a data ingestion format, but allows the Plan Processor to determine the format.[855] The Participants also noted that the remaining three Bidders propose accepting existing messaging protocols (e.g., FIX), rather than requiring CAT Reporters to use a new format.[856] The Participants stated that when they evaluate each Bidder's solution, they will consider whether the Bidder's proposed approach for a message format is easily understood and adoptable by the industry. The Participants also stated that they will take into consideration each Bidder's ability “to reliably and accurately convert data to a uniform electronic format for consolidation and storage, regardless of the message formats in which the CAT Reporters would be required to report data to the Central Repository.” [857]

The Commission believes it is reasonable to allow the Plan Processor to determine the electronic format in which data must be reported, and whether the format is uniform or whether multiple formats can be used to report CAT Data. The Commission recognizes that if a format were mandated in the CAT NMS Plan, CAT Reporters would have the information necessary to accommodate the format sooner than if they need to wait for the Plan Processor to choose the format. Although the Commission recognizes the benefit of early notice, mandating a particular format(s) in the Plan could limit the Plan Processor's options for designing the operation of the CAT as envisioned. Moreover, the Commission notes that the Participants have stated that they will consider whether a Bidder has proposed a format that is easily understood and adoptable by the industry.[858] Further, because the Plan contemplates there will be iterations of the Technical Specifications, as well as time between publication of the Technical Specifications and the time by which data reporting must begin, the Commission believes that Industry Members will have sufficient time to comply with the ultimate format chosen by the Plan Processor. Therefore, the Commission believes that, rather than mandating the decision regarding the format for reporting in the CAT NMS Plan, it is reasonable for the format to be determined by the Plan Processor as a component of the CAT design.

3. Reporting Timelines

The CAT NMS Plan provides that CAT Reporters must report order event and trading information into the Central Repository by 8:00 a.m. ET on the Trading Day following the day the CAT Reporter records such information.[859] A CAT Reporter must report post-trade information by 8:00 a.m. ET on the Trading Day following the day the CAT Reporter receives such information.[860] The CAT NMS Plan provides that CAT Reporters may voluntarily report Participant Data prior to the 8:00 a.m. ET deadline.[861]

Commenters expressed opinions about the timeframe in which data should be reported by CAT Reporters to the Central Repository. One commenter expressed general support for the proposed reporting deadline, but noted that without having detailed Technical Specifications and validation rules, it could not assess the feasibility of meeting this deadline.[862] The commenter stated that more information is needed regarding the CAT data reporting requirements to determine whether collating and formatting for the required data fields is achievable within the deadlines.[863]

In contrast, two commenters suggested that data should be reported in real-time, or near real-time, rather than at 8:00 a.m. ET the Trading Day following the day that the data was recorded.[864] One commenter noted that under the CAT NMS Plan's reporting deadlines, if a trade were completed at 9:30 a.m. ET on a Friday on an exchange, it would not have to be reported until Monday at 8:00 a.m. ET.[865] The commenter stated that the CAT NMS Plan does not present a convincing reason for the 8:00 a.m. ET deadline given that market participants have access to the data in real-time and should be able to report it in seconds or less.[866] The commenter opined that real-time, or near real-time, reporting would allow for more robust surveillance and a “quicker reaction time.” [867] Another commenter argued that data should be reported within 50 milliseconds so that regulators can conduct real-time surveillance.[868] The commenter recommended that CAT support real-time ingestion, processing and surveillance.[869]

This commenter also questioned the Plan Processor's ability to receive data from all CAT Reporters at 8:00 a.m. ET, and suggested that receiving data in real-time would alleviate any potential problems in this regard.[870] Another commenter also addressed concerns regarding CAT's capacity if a significant number of CAT Reporters choose to submit data at or around the same time, and recommended that the Plan Processor model its methodology on a system that has proven it can successfully project and manage large amounts of data, such as the Options Price Reporting Authority (“OPRA”).[871]

In response to these comments, the Participants noted that the Commission considered the idea of requiring real-time reporting in Rule 613, but instead imposed a reporting deadline of 8:00 a.m. ET.[872] Therefore, the Participants are not required to file a plan containing real-time reporting.[873] Further, in response to the commenter that stated that real-time, or near real-time, reporting would assist with surveillance and early warning of market events,[874] the Participants noted that certain of them already have real-time surveillance tools in place that will not be affected by the implementation of the CAT.[875]

As the Participants noted, the Commission considered whether CAT Reporters should be required to report data in real-time when it adopted Rule 613 under Regulation NMS.[876] In response to the Proposing Release which proposed that data be collected in real-time, commenters questioned the accuracy, cost, and usability of data reported in real-time.[877] The Commission concluded that there were practical advantages to taking a more gradual approach for an undertaking such as the CAT, and acknowledged that while there might be certain advantages to receiving data intraday, the greater majority of benefits to be realized from development of the CAT do not require real-time reporting.[878] Further, the Commission recognized that not requiring real-time reporting upon implementation would result in significant cost savings for industry participants.[879] After reviewing the CAT NMS Plan and considering the commenters' statements, the Commission continues to adhere to that view.

Further, in response to the commenter that questioned the feasibility of reporting data by the 8:00 a.m. ET reporting deadline without having detailed Technical Specifications and validation rules,[880] the Commission notes that this reporting deadline is the same as that currently required for OATS reporting. Therefore, while again acknowledging the importance of timely delivery of Technical Specifications, the Commission believes many CAT Reporters already have the capability to report in compliance with the deadline proposed in the Plan and that such deadline is reasonable.

Additionally, in response to the commenter that questioned the Plan Processor's ability to simultaneously receive data from all CAT Reporters at 8:00 a.m. ET and suggested that receiving data in real-time would alleviate potential problems resulting from an influx of all the data at one time, the Commission notes that the CAT NMS Plan requires the Plan Processor to have the capacity to handle two times the historical peak daily volume to ensure that, if CAT Reporters choose to submit data all at one time, the Plan Processor can handle the influx of data.[881] Furthermore, because CAT Reporters have the option to report data throughout the day, the Commission anticipates that CAT Reporters, consistent with certain reporting practices, such as OATS reporting, will stagger their reports, thus alleviating concerns that a flurry of activity shortly before the 8:00 a.m. ET deadline would impose unnecessary burdens on the Plan Processor.

4. Data Elements

The CAT NMS Plan requires that numerous data elements be reported to the Central Repository to ensure there is sufficient information to create the lifecycle of an order, and provide regulators with sufficient detail about an order to perform their regulatory duties.

The Commission received a number of comments regarding specific data elements that CAT Reporters are required to report to the Central Repository. In addition, one commenter questioned generally if the SEC should reconsider the scope of Rule 613 and “ask whether a more broad and complete audit trail is really what regulators need to efficiently and effectively perform their duties.” [882] This commenter also questioned whether the data being captured is “relevant to achieve the SEC's goals, or whether the data is being collected for statistical purposes and would simply overwhelm usability of the audit trail.” [883]

The Commission continues to believe that the overall scope of Rule 613 is appropriate. However, the Commission has considered comments on each data element contained in the CAT NMS Plan and its necessity to achieving the goal of creating a consolidated audit trail, and has determined to amend or eliminate certain of the requirements proposed in the CAT NMS Plan as detailed below.

a. Customer-ID

(1) Customer Information Approach

Article VI of the CAT NMS Plan adopts the “Customer Information Approach” for creating and utilizing a Customer-ID and identifying a Customer, which reflects the exemptive relief granted by the Commission.[884] Several commenters expressed general support for the Customer Information Approach.[885] Two commenters, however, requested a modification to the Customer Information Approach to permit Customer Identifying Information and Customer Account Information to be reported as part of the “customer definition process” [886] instead of upon the original receipt or origination of an order.[887] One of these commenters also stated that this modification would improve the security of Customer Account Information and the CAT because sensitive customer PII data “would not need to [be] passed to order management systems or stored with the firm's CAT Reporting systems, but would remain with Customer Information Repositories which would issue the ‘Customer definition’ CAT Report.” [888] One commenter stated that a unique identifier for every client may not be necessary and a unique identifier could be applied to only those with a certain threshold of trading activity.[889] Another commenter expressed general support for the Customer Information Approach, but suggested that the CAT system should tag related trade patterns with each identifiable customer and counterparties as a “fingerprint (unique ID) to a customer and/or counterparty.” [890]

Several commenters commented on the specific data elements required to be reported under the Customer Information Approach. One commenter suggested that the definition of “account type” should be consistent with existing OATS definitions.[891] Another commenter noted that it could not find the definition of “customer type” in the CAT NMS Plan or Rule 613.[892] This commenter recommended using an existing field currently reported to the SROs or the SEC for “customer type” to minimize implementation effort.[893] This commenter also stated that an individual's “role in the account,” required to be reported as part of Customer Identifying Information, may not be consistently maintained across firms and that population and maintenance of this data field may be an issue.[894] As a result, this commenter believed that the field for an individual's role in the account should only be required to be reported when firms create new accounts after the implementation of reporting under the CAT.[895]

One commenter requested clarification that Industry Members would only be required to report CAT Data for “active” accounts, and then offered that “active accounts would be defined as those with activity in CAT reportable securities.” [896] One commenter discussed whether Customer Identifying Information and Customer Account Information should be “refreshed” (i.e., updated) by an Industry Member. This commenter suggested “having the functional support for a voluntary full refresh, but . . . eliminat[ing] the mandated requirement to provide full refreshes periodically,” and stated that, “the initial load, daily updates and standard error processing should be sufficient to maintain data integrity.” [897] This commenter added that while eliminating the periodic refresh of the information used to identify a Customer “may slightly reduce the burden or cost on the broker-dealer community as well as the Plan Processor, it would eliminate the need for unneeded transmission and handling of sensitive PII data.” [898]

Another commenter noted the different data elements that identify a Customer under the Customer Information Approach and recommended that “customer information fields be categorized based on degree of importance for market surveillance and market reconstruction, so that focus can be concentrated on ensuring accuracy of the most important fields from a surveillance viewpoint.” [899] This commenter added that “[d]ifferent criteria could be established based on the customer data categorization for correction turn-around time; e.g., customer unique identifier (LTID or social security number) would be of highest priority; zip code may be of lesser importance and not impact regulators' ability to surveil the marketplace.” [900] This commenter requested clarification whether only “active” accounts are required to report customer identifying information as part of the customer definition process.[901]

One commenter opposed the Customer Information Approach. This commenter stated that the Commission should require “a universal customer ID to aid in the accuracy, integrity, and consolidation of CAT Data” and that “[f]irm-based IDs will significantly increase the complexity and fragmentation of the dataset, slowing down consolidation.” [902]

According to the Participants, the Customer Information Approach would not have an adverse effect on the various ways in which, and purposes for which, regulators would use, access, and analyze the audit trail data reported under Rule 613 nor would it compromise the linking of order events, alter the time and method by which regulators may access the data, or limit the use of the CAT audit trail data. The Participants noted the unique nature of the existing identifiers to be used under the Customer Information Approach, which would allow the Plan Processor to create customer linkages with the same level of accuracy as the Customer-ID. The Participants also stated that the reliability and accuracy of the data reported to the Central Repository under the Customer Information Approach is the same as under the approach outlined in Rule 613 with regard to Customer-IDs because the identifiers used under the proposed Customer Information Approach are also unique identifiers. In some cases, the Participants stated that the Customer Information Approach may result in more accurate data, as errors may be minimized because broker-dealers will not have to adjust their systems to capture and maintain the additional Customer-ID data element, and only a single entity will have to perform the mapping of firm-designated account information to Customer-ID. The Participants also noted that a universal identifier that is tied to personally identifiable information could create a substantial risk of misuse and of possible identity theft as the universal identifiers are passed between the Plan Processor and each CAT Reporter.

The Participants further argued that the benefits of the Customer Information Approach outweigh any potential disadvantages.[903] The Participants added that based upon their analysis of this issue and discussions with the industry, as detailed in the Exemptive Request Letter and the Plan, the Participants disagree that the Customer Information Approach will increase complexity or slow down consolidation. The Participants stated that utilizing a single Customer-ID within the CAT while allowing firms to report using existing identifiers would substantially reduce costs and speed implementation without limiting the regulatory use of the data. Indeed, the Participants noted that the additional cost required to comply with the Customer-ID approach set forth in the Rule, rather than with the Customer Information Approach as proposed in the CAT NMS Plan, would be at least $195 million for the largest CAT Reporters.[904]

The Participants clarified in their response at what point Customer Account Information and Customer Identifying Information must be reported under the Plan.[905] The Participants stated that the approach discussed in the Exemptive Request Letter was intended to require CAT Reporters to supply Customer Identifying Information and Customer Account Information as part of the customer definition process—that is, prior to the origination or original receipt of an order—rather than as information submitted with each order. The Participants noted that Section 6.4(d)(iv) of the Plan describes this customer definition process, which includes the process for submitting customer information and for assigning Customer-IDs for use within the CAT. According to the Participants, the operation of Sections 6.3(d)(i) and 6.4(d)(i) of the Plan clarifies that a CAT Reporter is required to submit the Firm Designated IDs with the new order reports, but not the information to identify a Customer. The Participants recognized, however, that the language in Section 6.4(d)(ii)(C) of the Plan could be read to suggest that the customer identifying information must be provided with each new order report (i.e., that the Customer Account Information and Customer Identifying Information must be submitted contemporaneously with each order, rather than submitting such information pursuant to the customer definition process). The Participants proposed that the CAT NMS Plan be amended to make clear that customer information would be submitted pursuant to the customer definition process rather than with each original receipt or origination of an order.

The Participants also noted that they do not believe that trading activity thresholds with respect to identifiers would be consistent with the requirements of Rule 613.[906] The Participants stated that the use of unique IDs is essential to the effectiveness and usefulness of the CAT because these data elements will help regulatory users conduct surveillance across market centers and identify activity originating from multiple market participants.

In their response, the Participants stated that they have not yet determined how “account type” and “customer type” will be defined for purposes of reporting to the Central Repository and anticipate that they will be defined in the Technical Specifications.[907]

With respect to limiting the reporting of a Customer's “role in the account” on a going-forward basis (i.e., after implementation of the CAT), the Participants stated that the Plan does not distinguish between legacy and new accounts with regard to this requirement and the Participants do not believe that this change is necessary.[908]

The Participants stated in their response that the CAT NMS Plan currently anticipates that Industry Member CAT Reporters would only report information to identify a customer for “active accounts” as part of the customer definition process.[909] Specifically, the Plan states that “broker-dealers will initially submit full account lists for all active accounts to the Plan Processor and subsequently submit updates and changes on a daily basis,” [910] and defines “active accounts” as “accounts that have had activity within the last six months.” [911] Moreover, the Participants noted that the Plan states that “[t]he Participants anticipate that Customer information that is initially reported to the CAT could be limited to only customer accounts that have, or are expected to have, CAT-reportable activity. For example, accounts that are considered open, but have not traded Eligible Securities in a given timeframe may not need to be pre-established in the CAT, but rather could be reported as part of daily updates after they have CAT-reportable activity.” [912] Accordingly, the Participants suggested that the CAT NMS Plan be amended to clarify that only active accounts are required to report Customer Identifying Information during the customer definition process.

With respect to the Plan's requirement to periodically refresh Customer Identifying Information and Customer Account Information, the Participants stated in their response that they believe that maintaining the accuracy of customer information is vital to the operation of the CAT.[913] Therefore, the Participants noted that a periodic refresh of customer information is beneficial because it will help to ensure that all customer information remains accurate and up to date. The Participants further acknowledged the concern with maintaining the confidentiality of PII and other CAT Data.[914] To that end, the Participants highlighted Section 6.12 of the Plan, which requires the Plan Processor to develop and maintain a comprehensive information security program that meets certain requirements set forth in the Plan, and the fact that the information security program must be approved and reviewed at least annually by the Operating Committee. The Participants stated that they continue to assess the Bidders' proposed security solutions and believe that once the CAT is operational the information security program will address the commenters' concerns regarding data security. Finally, the Participants noted that the Plan will define the scope of a “full” customer information refresh and the extent to which inactive or other accounts would need to be reported.[915]

The Participants further stated that they do not agree that it would be appropriate to rank the importance of particular data elements reported to the Central Repository for data correction or other purposes for several reasons.[916] First, the Participants pointed out that Rule 613 does not indicate that any data elements are more or less important for market surveillance or market reconstruction purposes. The Participants noted that Rule 613(c)(7) states that the Plan “shall require each national securities exchange, national securities association, and any member of such exchange or association to record and electronically report to the central repository details for each order and each reportable event, including, but not limited to [the information set forth in Rule 613(c)(7)(i)-(viii)]” (emphasis added). Second, the Participants noted that ranking the importance of data elements for market surveillance and market reconstruction purposes might inappropriately reveal the confidential, proprietary surveillance processes used by each Participant. Third, the Participants stated that with respect to data accuracy, the Participants have included provisions in the Plan to take into account minor and major inconsistencies in Customer information. 
In particular, the Participants noted that Appendix D explains that “[t]he Plan Processor must design and implement procedures and mechanisms to handle both minor and material inconsistencies in Customer information.” [917] Additionally, material inconsistencies must be communicated to the submitting CAT Reporter(s) and resolved within the established error correction timeframe, as detailed in Sections 6-7 of Appendix D of the Plan.[918] The Participants stated that the Central Repository also must have an audit trail showing the resolution of all errors.[919] Finally, the Participants noted that they intend to monitor errors in the customer information fields and will consider, as appropriate, whether to prioritize the correction of certain data fields over others.

The Commission believes that the clarification provided by the Participants that Customer Account Information and Customer Identifying Information are reported as part of the customer definition process, rather than with each original receipt or origination of an order, is reasonable. The Commission believes that this will clarify the process for submitting information to identify a Customer under the CAT NMS Plan and will remove any ambiguity as to the reporting responsibilities of Industry Members. The Commission further believes that this clarification also will reduce the prospect of unnecessarily passing sensitive customer PII data. Accordingly, the Commission is amending Section 6.4(d)(ii)(C) of the CAT NMS Plan to clarify that Customer Identifying Information and Customer Account Information will be reported as part of the Customer definition process, rather than upon original receipt or origination of an order.

The Commission also agrees that creating a unique Customer-ID as contemplated by the CAT NMS Plan, regardless of the Customer's trading activity threshold, is reasonable. The Commission notes that surveillance and enforcement efforts are necessary, even for accounts with low levels of trading activity.

The Commission further believes that it is reasonable to allow the Plan Processor, in conjunction with the Operating Committee, to define the specific “account types” and “customer types” in the Technical Specifications for the CAT NMS Plan. This approach will allow the Plan Processor to assess the various definitions of “account type” and “customer type” that exist among the CAT Reporters, and then make a determination as to how to appropriately classify them for purposes of CAT reporting. The Commission expects the Plan Processor will define these terms with sufficient precision so that the reporting requirements will be clear.

The Commission agrees that a Customer's role in the account should be a data element that is reported as part of the customer definition process, regardless of whether the account existed prior to implementation of the CAT or was created thereafter. The CAT NMS Plan does not distinguish between legacy and new accounts, for purposes of reporting Customer Identifying Information, and the Commission believes identifying the Customer's role in the account will facilitate surveillance and enforcement efforts.

The Commission also believes that it is reasonable to limit the reporting of Customer Identifying Information and Customer Account Information to only those accounts that are “active,” defined as a Customer account that has had activity (i.e., received or originated an order), in an Eligible Security within the last six months. This will alleviate the need for CAT Reporters to update the Customer Identifying Information or Customer Account Information for accounts that have not received or originated an order for more than six months, but still ensures that the Central Repository will collect audit trail data for Customer accounts that have any Reportable Events. The Commission notes that pursuant to the Plan and the Customer Information Approach, a CAT Reporter must upload any Customer Identifying Information and Customer Account Information to the Central Repository prior to a Customer originating an order. Because of this requirement, even if a CAT Reporter has not been updating the Customer Identifying Information and Customer Account Information for a Customer with an account with no Reportable Events for six months, if the Customer decides to submit or originate an order, the CAT Reporter would upload the required information identifying the Customer on the same day the Customer submits the order, and upon submission of the order, the Central Repository will collect the audit trail data required by Section 6.4 of the Plan. Accordingly, the Commission is amending Section 1.1 of the CAT NMS Plan to add a definition of “Active Accounts” to mean an account that has received or originated an order in an Eligible Security within the last six months. 
In addition, the Commission will amend Section 6.4(d)(iv) of the Plan to require that Industry Members submit an initial set of Customer Identifying Information and Customer Account Information to the Central Repository only for Active Accounts; and require Industry Members to update Customer Identifying Information and Customer Account Information only for Active Accounts.

The Commission also believes that it is reasonable for the CAT NMS Plan to require the periodic refresh of such information to ensure that the Central Repository has the most current information identifying a Customer. The Commission notes that both daily updates and periodic refreshes will require the uploading of PII, along with other CAT Data, to the Central Repository, but believes that the robust information security program to be implemented and maintained by the Plan Processor should sufficiently protect all CAT Data.[920]

(2) Modification or Cancellation of an Order

In connection with their proposal to adopt the Customer Information Approach, as discussed above, the Participants also suggested modification to Rule 613(c)(7)(iv)(F), which requires that “[t]he CAT-Reporter-ID of the broker-dealer or Customer-ID of the person giving the modification or cancellation instruction” be reported to the Central Repository.[921] In the CAT NMS Plan, the Participants proposed that CAT Reporters report whether a modification or cancellation instruction was given by the Customer associated with the order, or was initiated by the broker-dealer or exchange associated with the order.[922] According to the Participants, it is most critical for regulatory purposes to ascertain whether the modification or cancellation instruction was given by the Customer or was instead initiated by the broker-dealer or exchange, rather than capturing the identity of the specific person who gave the instruction.[923]

One commenter believed that modification and cancellation instructions are as important as other Reportable Events and, therefore, the identity of the person giving such instructions is “vital information for market surveillance purpose[s].” [924] The commenter opposed the Participants' approach of permitting CAT Reporters to report whether a modification or cancellation of an order was given by a Customer or initiated by a broker-dealer or exchange, in lieu of requiring the reporting of the Customer-ID of the person giving the modification or cancellation instruction.[925]

In their response, the Participants noted that reporting a single, specific Customer-ID for all modifications and cancellations is not possible under the Customer Information Approach because broker-dealers would not maintain Customer-IDs; instead, each broker-dealer would provide Firm-Designated IDs to the Central Repository to identify a Customer.[926] The Participants also stated that requiring CAT Reporters to report the Customer-ID of the specific individual initiating a cancellation or modification would introduce an inconsistent level of granularity in customer information between order origination and order modifications or cancellations, because Rule 613(c)(7)(i) does not require the reporting of the specific individual originating an order.

The Commission has considered the commenter's concern and the Participants' response, and believes that requiring that CAT Reporters report whether a modification or cancellation instruction was given by the Customer associated with the order, or was initiated by the broker-dealer or exchange associated with the order, is a reasonable approach to providing useful audit trail data regarding the modification or cancellation of an order. The approach set forth in the Plan also will not result in an inconsistent level of granularity between the Reportable Events of origination or receipt of an order, and the modification or cancellation of the order because it would not require the identity of the person that gave the modification or cancellation instruction—which is not required under the CAT NMS Plan or Rule 613.

(3) Reporting an Account Effective Date

In connection with their proposal to adopt the Customer Information Approach, as discussed above, the Participants also proposed an alternative method for reporting the date an account was opened, as required by Rule 613(c)(7)(viii)(B).[927] When reporting “Customer Account Information,” an Industry Member is required to report the date an account was opened.[928] The SROs requested an exemption to allow an “effective date” be reported in lieu of an account open date in certain limited circumstances.[929] As a result, an Industry Member will report the date an account was opened; except, however, that (a) in those circumstances in which an Industry Member has established a trading relationship with an institution but has not established an account with that institution, the Industry Member will (i) provide the Account Effective Date in lieu of the “date account opened”; (ii) provide the relationship identifier in lieu of the “account number”; and (iii) identify the “account type” as a “relationship”; [930] and (b) in those circumstances in which the relevant account was established prior to the implementation date of the CAT NMS Plan applicable to the relevant CAT Reporter and no “date account opened” is available for the account, the Industry Member will provide the Account Effective Date in the following circumstances: (i) Where an Industry Member changes back office providers or clearing firms and the date account opened is changed to the date the account was opened on the new back office/clearing firm system; (ii) where an Industry Member acquires another Industry Member and the date account opened is changed to the date the account was opened on the post-merger back office/clearing firm system; (iii) where there are multiple dates associated with an account in an Industry Member's system, and the parameters of each date are determined by the individual Industry Member; and (iv) where the relevant account is an Industry Member proprietary account.[931]

Several commenters supported the Participants' approach to reporting an account effective date rather than the date an account was opened, as set forth in the CAT NMS Plan, and which reflects the exemptive relief granted by the Commission.[932] The Commission believes that the CAT NMS Plan's approach to reporting an account effective date, rather than the date an account was opened, is reasonable and will not impact the quality or usefulness of the information available to regulators.

(4) Identifying a Customer Using LEI

The Commission also received several comments stating that the Commission should mandate the use of LEIs whenever applicable.[933] One commenter, also noting its support for using a global entity identifier in general and LEI specifically, stated that while it agrees that the system should provide for the capture and reporting of LEIs for customer identification, it would be appropriate to provide for a transitional approach to the collection of the LEIs. Under the commenter's recommended transitional approach, broker-dealers would provide the LEI to the CAT in each instance where the LEI is already known and collected.[934] This commenter also believed that it would be important to establish the CAT in a way that captures the LEI as part of the initial implementation of the system, rather than having to adapt the system at a future date, and that use of LEIs is important for both risk management and operational efficiency.[935] Another commenter, however, did not recommend that the LEI be mandated for use by broker-dealers and argued that mandating the use of LEIs would disadvantage small broker-dealers who have no business requirement at this time to use LEI.[936]

In their response, the Participants stated that based on discussions with the DAG, they agree with the commenters that it would be reasonable to require an Industry Member to report its LEI or the LEI of a Customer to the Central Repository as part of Customer Identifying Information if the Industry Member has or acquires an LEI.[937] The Participants added that Industry Members that report LEIs would do so in addition to, rather than in lieu of, the other Customer Identifying Information required by the Plan.[938] The Participants do not believe, however, that the Plan should require Industry Members or others to obtain an LEI for a Customer if they do not already have one.[939]

The Participants further stated that, based on discussions with the DAG, they believe that Industry Members should be permitted to provide Customer LEIs in their possession without the imposition of any due diligence obligations beyond those that may exist today with respect to information associated with an LEI.[940] The Participants noted that, although Industry Members should not be required to perform additional due diligence with regard to the LEIs for CAT purposes, Industry Members will be required to accurately provide the LEIs in their records and may not knowingly submit inaccurate LEIs to the CAT.[941] In addition, the Participants stated that all of the remaining Bidders have indicated that their solutions will be able to support the use of LEIs.[942] Moreover, although the Participants believed that there are costs related to requiring Industry Members to provide an LEI if they have one, the Participants believed that the benefits outweigh the costs.[943]

The Commission has considered the commenters' views on the merits of reporting an LEI to the Central Repository as part of Customer Identifying Information and the Participants' response and believes that it is reasonable to require an Industry Member to report an LEI for its Customer if the Industry Member has or acquires the LEI for its Customer. Accordingly, the Commission is amending the definition of “Customer Identifying Information” in Section 1.1 of the Plan to require that an Industry Member report an LEI to identify a Customer that is a legal entity, if the Industry Member has or acquires the LEI of such Customer. However, the Commission is also making clear that the LEI is not reported in lieu of the other Customer Identifying Information for a legal entity (e.g., name, address, or employer identification number), but must be reported along with other Customer Identifying Information.

The Commission believes use of the LEI enhances the quality of identifying information for Customers by incorporating a global standard identifier increasingly used throughout the financial markets. The Commission notes that according to the Plan, Industry Members will still be required to report other Customer Identifying Information even if the Industry Member reports an LEI to identify a Customer; thus the LEI supplements the other information that will be used by the Central Repository to identify a Customer.

The Commission further believes that it is reasonable to not require an Industry Member to obtain an LEI for its Customer or for itself if the Industry Member does not already have an LEI for its Customer or itself because such a requirement would impose an additional burden. However, the Commission believes that requiring Industry Members to accurately provide the LEIs in their records and not knowingly submit inaccurate LEIs to the CAT is reasonable, because reporting accurate information to the CAT is a fundamental requirement of the Plan.[944]

In response to the commenter that believed that such a requirement might disadvantage small broker-dealers, the Commission notes that the requirement to report LEIs does not mandate that a broker-dealer obtain an LEI to comply with the Plan; therefore, small broker-dealers that do not currently have an LEI will not be required to report one and thus will not be disadvantaged.

b. CAT-Reporter-ID

(1) Existing Identifier Approach

Article VI of the CAT NMS Plan reflects the “Existing Identifier Approach” for purposes of identifying each CAT Reporter associated with an order or Reportable Event.[945] Under the Existing Identifier Approach, CAT Reporters are required to record and report to the Central Repository an SRO-Assigned Market Participant Identifier for orders and certain Reportable Events to be used by the Central Repository to assign a unique CAT-Reporter-ID to identify CAT Reporters. An Industry Member is required to report its existing SRO-Assigned Market Participant Identifier used by the relevant SRO specifically for transactions occurring on that SRO to the Central Repository.[946] Similarly, an exchange reporting CAT Reporter information is required to report data using the SRO-Assigned Market Participant Identifier used by the Industry Member on that exchange or its systems.[947] Off-exchange orders and Reportable Events will be reported with an Industry Member's FINRA SRO-Assigned Market Participant Identifier.[948]

For the Central Repository to link the SRO-Assigned Market Participant Identifier to the CAT-Reporter-ID, each SRO will submit, on a daily basis, all SRO-Assigned Market Participant Identifiers used by its Industry Members (or itself), as well as information sufficient to identify the corresponding market participant (e.g., a CRD number or LEI) to the Central Repository.[949] Additionally, each Industry Member will be required to submit to the Central Repository information sufficient to identify such Industry Member (e.g., CRD number or LEI, as noted above).[950] The Plan Processor will use the SRO-Assigned Market Participant Identifiers and identifying information (i.e., CRD number or LEI) to assign a CAT-Reporter-ID to each Industry Member and SRO for internal use within the Central Repository.[951]

The reporting of an existing SRO-Assigned Market Participant Identifier differs from Rule 613 in that under Rule 613(c)(8), CAT Reporters would be required to report a universal CAT-Reporter-ID for certain Reportable Events.[952] In the Exemptive Request Letter, the SROs requested an exemption to permit a CAT Reporter to report an existing SRO-Assigned Market Participant Identifier in lieu of requiring the reporting of a universal CAT-Reporter-ID.[953] Specifically, the Participants stated that the Existing Identifier Approach would not negatively impact regulators' access, use, and analysis of CAT Data, and that it could allow additional levels of granularity compared to the universal CAT-Reporter-ID approach, in that SRO-Assigned Market Participant Identifiers may contain additional information not mandated by the CAT NMS Plan, such as the specific desk or department responsible for trades.[954] The Participants also stated that they believe the reliability and accuracy of CAT Data under the Existing Identifier Approach would not be undermined,[955] and represented that the Existing Identifier Approach could result in fewer errors and more reliable and accurate linkage of order information.[956] Further, the Participants noted their belief—based upon discussion with the DAG—that the Existing Identifier Approach would reduce the cost and implementation burdens on CAT Reporters to comply with Rule 613,[957] as it would allow them to continue using their current business practices and data flows instead of building new infrastructure to support the CAT-Reporter-ID requirement.[958]

Several commenters expressed support for the Existing Identifier Approach.[959] Two of the commenters listed benefits of the Existing Identifier Approach over the approach required in Rule 613.[960] One of the commenters stated that the Existing Identifier Approach would be more efficient and cost-effective than the Rule 613 approach.[961] The other commenter listed the following benefits: The Existing Identifier Approach would allow the industry to keep its current business processes and identifiers; coordination of a single CAT-Reporter-ID to be used across all Participants to identify broker-dealers would not be necessary; CAT Reporters would not have to expand their information repositories to store and manage a new CAT-Reporter-ID; the Plan Processor would manage the translation between the SRO-Assigned Market Participant Identifiers and the CAT-Reporter-ID; since the Plan Processor would be assigning CAT-Reporter-IDs, CAT Reporters would not be subject to errors with respect to the application of CAT-Reporter-IDs; a common information technology solution would be used; the Existing Identifier Approach would allow regulators to surveil on a more granular level; and the Existing Identifier Approach would save CAT Reporters the expense of maintaining and supplying a unique CAT-Reporter-ID for every Reportable Event.[962] Both commenters stated that the Existing Identifier Approach would not affect the accuracy, accessibility, timeliness or security and confidentiality of CAT Data over the Rule 613 approach.[963]

Three commenters offered recommendations for modifying the Existing Identifier Approach.[964] Two commenters asked that the FINRA MPID be permitted for non-execution reports.[965] One commenter stated that, regardless of whether the Existing Identifier Approach or the Rule 613 approach is used, the CAT should “tag” trade patterns with the trading desk and trader.[966]

In response to the two commenters that requested that the FINRA MPID be used for non-execution reports,[967] the Participants stated that the practices described by the two commenters would be acceptable under the Existing Identifier Approach, explaining that a broker-dealer CAT Reporter would be permitted to use any existing SRO-Assigned Market Participant Identifier (e.g., FINRA MPID, NASDAQ MPID, NYSE Mnemonic, CBOE User Acronym and CHX Acronym) when reporting order information to the Central Repository, regardless of the eventual execution venue.[968]

Based on the Participants' representations in the Plan, the Commission believes that the Existing Identifier Approach is designed to provide the same regulatory benefits in terms of identifying CAT Reporters as would be achieved under Rule 613, at a reduced cost and implementation burden on CAT Reporters.[969] The Existing Identifier Approach is designed to link, within the Central Repository, all SRO-Assigned Market Participant Identifiers to the appropriate CAT-Reporter-ID, and ultimately to the CAT Reporter, in a manner that is efficient, accurate, and reliable.

The Commission notes that one commenter recommended that the CAT be able to link trades to the responsible trading desk and trader.[970] The Commission notes that an additional benefit of the Existing Identifier Approach is that, as the Participants have represented, it may allow for the voluntary collection of additional levels of granularity, such as responsible trading desk or trader.[971]

(2) Use of LEI

Section 6.3(e)(i) of the CAT NMS Plan requires each Participant to submit, on a daily basis, all SRO-Assigned Market Participant Identifiers used by its Industry Members or itself, as well as information to identify the corresponding market participant to the Central Repository, such as a CRD number or LEI, but does not require the reporting of LEIs. Section 6.4(d)(vi) of the CAT NMS Plan requires each Industry Member to submit to the Central Repository information sufficient to identify such Industry Member, such as a CRD number or LEI, but similarly does not require the reporting of LEIs.

As discussed above in relation to the Customer-ID, several commenters recommended, or noted, the use of LEIs in lieu, or as part of the development of, a CAT-Reporter-ID.[972] One commenter stated that it supported requiring Industry Members to provide their LEIs, as long as LEIs are already being captured by their systems.[973] Another commenter supported the optional use of LEIs, believing that mandatory use of LEIs would unfairly burden small broker-dealers that may not currently accommodate LEIs in their systems.[974]

In recognition of the comments that encouraged the use of LEIs in the CAT, and based on discussions with the DAG, the Participants have recommended that Sections 6.3(e)(i) and 6.4(d)(vi) of the CAT NMS Plan be amended to require a Participant to submit an Industry Member's LEI if the Participant has (or acquires) an LEI for an Industry Member, and to require Industry Members to submit to the Central Repository their LEIs if they have LEIs.[975] This information will be reported to the Central Repository as part of the information the Plan Processor will use to assign CAT-Reporter-IDs.

The Commission considers the suggested modifications by the Participants to Section 6.3(e)(i) and Section 6.4(d)(vi) of the CAT NMS Plan to require the Participants and Industry Members to provide Industry Member LEIs, if known, by such Participant or Industry Member to be reasonable and an improvement in the information available in the CAT with respect to CAT Reporters. Accordingly, the Commission is amending these sections to require the Participants and Industry Members to provide Industry Member LEIs, if known, by such Participant or Industry Member; however, the Commission is also amending these sections to require the submission of Participant LEIs, if a Participant has an LEI, as well as Industry Member CRD numbers. Specifically, the amendment to Section 6.3(e)(i) would require a Participant (i) for purposes of reporting information to identify itself pursuant to Section 6.3(e)(i), to submit its LEI to the Central Repository, if the Participant has an LEI; and (ii) for purposes of reporting information to identify an Industry Member pursuant to Section 6.3(e)(i), to submit the CRD number for the Industry Member, as well as the LEI of the Industry Member if the Participant has collected such LEI of the Industry Member. The amendment to Section 6.4(d)(vi) with respect to Industry Members would require an Industry Member, for purposes of reporting information to identify itself pursuant to Section 6.4(d)(vi), to submit to the Central Repository the CRD number of the Industry Member as well as the LEI of the Industry Member (if the Industry Member has an LEI).

The Commission believes these amendments are appropriate because they may enhance the quality of identifying information by requiring the submission of the LEI—a global standard identifier increasingly used throughout the financial markets—to the extent it has otherwise been obtained. Because the amendments only impose the requirement to report an LEI on Participants and Industry Members that currently have an LEI, and which is known by the CAT Reporter, it should not impose the additional burden on them to obtain an LEI. Further, the Participants have represented that the Bidders' solutions can support the reporting of LEIs.[976] Although Section 6.3(e)(i) and Section 6.4(d)(vi) currently permit the submission of CRD numbers, the Commission believes that requiring the submission of the Industry Member CRD numbers will provide regulators with consistent identifying information about Industry Members that is useful for regulatory investigations and has significant regulatory benefit. In addition, requiring CRD numbers to be provided should not impose additional burdens on Industry Members because, as registered broker-dealers, all Industry Members currently have CRD numbers.

c. Open/Close Indicator

Rule 613 and the CAT NMS Plan require CAT Reporters to report an open/close indicator as a “Material Term” on all orders.

Three commenters objected to the requirement that CAT Reporters report an open/close indicator for equities transactions.[977] One of these commenters requested additional cost-benefit analysis on the open/close indicator.[978] Another commenter argued that the open/close indicator should be reported for options only, noting that this indicator is not currently used for equities.[979] Another commenter noted that including an open/close indicator for equities would require “significant process changes and involve parties other than CAT Reporters, such as buy-side clients, OMS/EMS vendors, and others.” [980] This commenter stated that, if the SROs and the Commission believe that there is value in obtaining the open/close indicator for surveillance purposes with respect to equities transactions, then a rule proposal covering this request and a thorough cost-benefit analysis should be filed for public comment.[981] Another commenter characterized the requirement to report an open/close indicator as a “market structure change” and likewise stated that the requirement should be subject to its own rulemaking process, including a cost-benefit analysis, and subject to a public comment period.[982]

In response, the Participants stated that they understand that Rule 613 requires that an “open/close indicator” be reported as part of the “material terms of the order” for both equities and options transactions, but recommended that CAT Reporters not be required to report an open/close indicator for equities transactions, or for options transactions, such as for market maker options transactions, in which the open/close indicator is not captured by current industry practice.[983]

The Commission notes that Rule 613(c)(2) states only that “the plan submitted pursuant to this section” (emphasis added) must require reporting of a set of “material terms of the order,” including an open/close indicator. It does not state that the Plan as approved must include that data element. Now that the Participants have submitted a plan in compliance with Rule 613, that rule does not preclude the Commission from approving a Plan that implements the Participants' recommendation to limit the set of transactions to which the requirement to report an open/close indicator would apply. After consideration, the Commission believes that limiting the requirement to provide an open/close indicator to listed options is reasonable. The open/close indicator will provide important information about whether an order is opening or increasing a position in the option, or closing or reducing a position. While this information is useful with respect to non-market maker options activity, the Commission acknowledges the concerns in other areas, including the lack of a clear definition of the term for equities transactions, and the lack of utility of that data at the time of quote entry for options market makers.

Accordingly, as recommended by the Participants, the Commission is amending the Plan to remove the requirement that an open/close indicator be reported as part of the Material Terms of the Order for equities and Options Market Maker quotations.[984]

d. Allocations

(1) Use of Allocation Reports

The CAT NMS Plan requires that broker-dealers submit an Allocation Report following the execution of an order if such order is allocated to one or more accounts or subaccounts (the “Allocation Report Approach”). An Allocation Report must contain the following information: (i) The Firm Designated ID for any account(s), including subaccount(s), to which executed shares are allocated and the security that has been allocated; (ii) the identifier of the firm reporting the allocation; (iii) the price per share of shares allocated; (iv) the side of shares allocated; (v) the number of shares allocated to each account; and (vi) the time of the allocation.[985]

The Allocation Report Approach differs from Rule 613 in that under Rule 613(c)(7)(vi)(A), each CAT Reporter would be required to record and report to the Central Repository “the account number for any subaccounts to which the execution is allocated (in whole or part).” [986] Under Rule 613 regulators would be able to link the subaccount to which an allocation was made to a specific order. In contrast, under the Allocation Report Approach, regulators would only be able to link an allocation to the account to which it was made, and not to a specific order.

In the Exemption Request, the Participants represented that, based on discussions with the DAG, broker-dealer systems do not presently link orders with allocations of the resulting executions, and building such functionality would be complex and costly. In addition, the Participants stated that the Allocation Report Approach would not affect the various ways in which, and purposes for which, regulators would use, access, and analyze CAT Data.[987] The Participants represented that the Allocation Report Approach would still provide regulators with the ability to associate allocations with the Customers that received them and would provide regulators with useful information without imposing undue burden on the industry.[988] The Participants also stated that they do not believe that this approach would compromise the linking of order events, alter the time and method by which regulators may access the data, or limit the use of the data as described in the use cases contained in the Adopting Release for Rule 613.[989]

Moreover, the Participants stated that they, along with the industry, believe that linking allocations to specific executions, as mandated by Rule 613, would be artificial and would not otherwise serve a legitimate purpose.[990] The Participants argued that because the Allocation Report Approach leverages existing business processes instead of creating new workflows, it could help improve the reliability and accuracy of CAT Data as well as reduce the time CAT Reporters need to comply with the CAT reporting requirements.[991] The Participants also stated that complying with the requirements of Rule 613(c)(7)(vi)(A) would require additional system and process changes which could potentially impact the reliability and accuracy of CAT Data.[992]

Four commenters expressed support for the Allocation Report Approach, noting that the approach would eliminate the need to re-engineer systems.[993] One of the commenters stated that the information reported in an Allocation Report would provide regulators with sufficient information to link allocations through reference information to the Customer that placed the order, but noted that “there may not always be sufficient linkage information to relate a specific order, execution and allocation for a customer.” [994] This commenter argued that it is not possible to link allocations to order lifecycles in the case of many-to-many orders.[995]

One commenter, however, disagreed with the Allocation Report Approach, stating that it would impact the completeness, accessibility and timeliness of CAT Data, and foreseeing challenges in linking the accounts and subaccounts to which an execution is allocated.[996] This commenter believed that broker-dealers can, and should, track order allocation information, including in the case of many-to-many orders.[997]

In response to commenters, the Participants restated their belief that the Allocation Report Approach set forth in the CAT NMS Plan appropriately weights the costs and benefits, and that “linking allocations to executions could show artificial relationships between these order events.” [998]

The Commission believes that the Plan's Allocation Report Approach will provide regulators the necessary information to detect abuses in the allocation process without imposing undue burdens on broker-dealers. The use of Allocation Reports will provide the Central Repository the ability to efficiently, accurately, and reliably link the subaccount holder to those with authority to trade on behalf of the account, which will ultimately improve regulatory efforts by SROs and the Commission, including market surveillance, market reconstructions, enforcement investigations, and examinations of market participants.[999] Additionally, by leveraging existing broker-dealer processes, the Plan's Allocation Report Approach could potentially reduce the time CAT Reporters need to comply with CAT reporting requirements and lower costs by using existing business processes.

(2) Time of Allocations

Under the CAT NMS Plan, CAT Reporters would need to submit the time of an allocation on the Allocation Report which, with the exception of Manual Orders, must be at a millisecond level of granularity.[1000]

Two commenters argued that the time of allocation should be reported with a timestamp granularity of no finer than one second.[1001] Three commenters asserted that the timestamps should not be required at all as part of the Allocation Report.[1002] One of those commenters noted that, because allocations are part of the post-trade process, the timing of such allocations is not critical, and requiring timestamps on allocations would represent “a potentially costly and misleading reporting requirement divorced from the goals of CAT.” [1003] Another commenter similarly asserted that requiring a timestamp on allocations would be costly and “will not assist the SEC in achieving the expected regulatory benefit.” [1004] This commenter explained that instructions for allocations can be communicated by phone, fax, or instant messaging or that standing instructions may be maintained for allocations.[1005] Therefore, the commenter stated, the only consistent point at which to capture a timestamp for an allocation is the time the allocation is booked into an allocation processing system.[1006]

In response, the Participants stated that allocation timestamps would “be a significant tool for detecting regulatory issues associated with allocations, including allocation fraud,” and supported requiring them in the Plan.[1007] However, the Participants stated that the cost of changes that would be necessary to capture timestamps to the millisecond may not be justified, particularly in light of the fact that allocations tend to be a manual process. Therefore, the Participants suggested that Allocation Reports should have timestamps with a one second granularity, as is the case with similar Manual Order Events.[1008]

The Commission agrees with the Participants that inclusion of the time of an allocation as part of the data submitted in the Allocation Report is reasonable to help detect abuse that may occur if executions are allocated among subaccounts at the same time. For example, the Commission believes that the time of allocation will assist regulators in assessing regulatory issues that might arise in the allocation process, such as “cherry-picking” (systematically favoring one customer over another in connection with specific allocation decisions).[1009] Currently, investigations of potential cherry-picking require a manual, data-intensive process. The Commission believes that having access to data with the time of allocations should improve regulators' ability to spot potential abuses and assess the prevalence of allocation practices industry-wide.[1010] The Commission also believes that data with the time of allocations could assist in examining whether broker-dealers are making allocations in accordance with their policies and procedures.

With regard to the appropriate level of granularity for the timestamps on Allocation Reports, the Commission agrees with the Participants that, given the manual nature of the allocation process, a timestamp granularity of one second is appropriate and would not reduce the regulatory value of the information. The Commission also believes that the clock synchronization standard for Business Clocks that capture the time of an allocation need only be to the second. This approach is consistent with the approach for Manual Order Events. The Commission does not believe that the regulatory benefit of requiring allocation times to be recorded in milliseconds (compared to seconds) and clock synchronization to 50 milliseconds (compared to one second) justifies the costs at this time.[1011]

Accordingly, the Commission is amending Section 6.8(a)(ii) and (b) of the Plan to permit the Business Clocks used solely for the time of allocation on Allocation Reports to be synchronized to no less than within one second of the time maintained by the NIST and the time of allocation on an Allocation Report to the second.

e. Market Maker Quotes

Under the CAT NMS Plan, market maker quotations in Listed Options need to be reported as Reportable Events to the Central Repository only by the applicable Options Exchange [1012] and not by the Options Market Maker.[1013] However, under the Plan: (1) An Options Market Maker must submit to the relevant Options Exchange, along with any quotation, or any modification or cancellation thereof, the time it sent such message to the Options Exchange (“Quote Sent Time”); and (2) Options Exchanges must submit the Quote Sent Time received from Options Market Makers, along with the applicable message, to the Central Repository without change.[1014]

The requirements for reporting Options Market Maker quotes in the Plan differ from the requirements in Rule 613(c)(7), which provide that the CAT NMS Plan must require each CAT Reporter to record and electronically report to the Central Repository details for each order and each reportable event, including the routing and modification or cancellation of an order.[1015] Rule 613(j)(8) defines “order” to include “any bid or offer;” so that the details for each Options Market Maker quotation must be reported to the Central Repository by both the Options Market Maker and the Options Exchange to which it routes its quote.[1016]

In the Exemption Request, the Participants noted that requiring the applicable Options Exchange to report market maker quotations to the Central Repository would not degrade the reliability or accuracy of the CAT Data, or its security and confidentiality.[1017] Further, the Participants stated that the proposed approach would not have an adverse effect on the ways in which, and purposes for which, regulators would use, access, and analyze the CAT Data.[1018] The Participants included a cost-benefit analysis of options data reporting approaches in support of the Exemption Request.[1019] This analysis noted that the volume of options market maker quotes would be larger than any other category of data to be reported to the Central Repository, generating approximately 18 billion daily records, and that requiring duplicative reporting of this large amount of data would lead to a substantial increase in costs.[1020] The Participants argued in their cost-benefit analysis that eliminating the requirement of Rule 613(c)(7) that both Options Market Makers and Options Exchanges report nearly identical quotation data to the Central Repository would have the potential effect of reducing the projected capacity and other technological requirements of the Central Repository, which could result in significant cost savings.[1021]

A few commenters expressed support for the provisions of the CAT NMS Plan regarding the reporting of Market Maker Quotations in Listed Options.[1022] One of these commenters stated that permitting only Options Exchanges to report Options Market Maker quote information, instead of both Options Market Makers and Options Exchanges, would not affect the completeness, timeliness, accuracy, security or confidentiality of CAT Data, and would result in a cost savings.[1023] One commenter suggested that equities market maker quotes should be handled in the same manner as Options Market Maker quotes.[1024]

Another commenter, however, suggested that providing an exemption to Options Market Makers for reporting Options Market Maker quotes could be “detrimental to achieving the objective of capturing `complete audit trails' of all the market activities.” [1025] The commenter believed that exempting Options Market Makers from reporting their quotes to the CAT risked “overly discounted/distorted signals” for market surveillance and manipulation detection purposes.[1026]

In their response, the Participants disagreed that requiring only the Options Exchanges to report market maker quotations to the Central Repository would be detrimental to the CAT.[1027] The Participants noted that all data that would otherwise be reported by Options Market Makers will still be reported, including Quote Sent Time. The only difference between the requirement under Rule 613 and the approach in the Plan is the reporting party.[1028]

With regard to the commenter that suggested equities market maker quotes should be handled in the same manner as Options Market Maker quotes, the Participants explained that they focused on Options Market Makers because of the significant volume of quotes they produce.[1029] The Participants stated that the volume of equities market maker quotes is much smaller than the volume of options market maker quotes, noting that there are far fewer quote updates for every trade in the equities markets, with an approximate average ratio of quotes to trades of 18 to 1 in the equities markets as compared to a ratio of 8,634 to 1 for options.[1030]

The Commission believes the proposed approach is reasonable in providing the same regulatory benefits as would be achieved under Rule 613, at a reduced cost and implementation burden on CAT Reporters. The Commission notes that the information that Options Market Makers report to Options Exchanges must be reported to the Central Repository without change, and the information that regulators would receive if Options Market Makers reported their quotation information to the Central Repository would be identical to the information that they will receive under the requirements of the CAT NMS Plan. Therefore, there will be no degradation to the audit trail. The Commission disagrees with the comment that signals for market surveillance and manipulation detection purposes could be distorted if Options Market Makers are not required to report their quotation information [1031] because the exact information that the Options Market Makers would report to the CAT will be reported on their behalf by the Options Exchanges. The Commission acknowledges the commenter who recommended that equity market makers also be exempt from reporting their quotes to the CAT, but does not believe that it is appropriate at this time to grant such an exemption. As noted above, equity market makers produce significantly fewer quotes than Options Market Makers, and the Commission has not been presented with evidence that reporting equity market maker quotes is unduly burdensome.[1032]

f. Data Elements Not Included in the CAT

One commenter recommended a re-examination of the data elements to be collected in the CAT NMS Plan, and questioned whether a “more broad and complete audit trail” is needed.[1033] This commenter recommended that the CAT include data on the settlement of securities transactions (i.e., post-execution) from the DTCC and NSCC, short sale information, including lending/borrowing information and pre-execution short sale locate data, and creation/redemption information for Exchange Traded Funds (“ETFs”).[1034]

In response to the commenter, the Participants described how the CAT NMS Plan aligns with the scope of required elements in Rule 613. The Participants generally expressed their view that the potential benefit of requiring additional elements, such as settlement information, lending/borrowing information, short sale locate data,[1035] and ETF creation/redemption data,[1036] would be outweighed by the design and implementation costs at this time.[1037] The Participants committed generally to assess whether additional information should be reported to the CAT in the future.[1038]

The Commission notes that, with regard to a locate identifier on short sales, data could be readily obtained from a follow-up request to a broker-dealer if the other data required to be reported to the CAT, particularly the information relating to the customer behind the order, is included in the consolidated audit trail.[1039] With regard to lending/borrowing information, the Commission understands that some of this data can be obtained through private sources, such as service providers. The Participants stated that they do not believe that the benefits of including this information in the CAT justify the costs for requiring them to be reported. The Commission similarly believes that it is not necessary to require this information in CAT. With regard to the inclusion of information on ETF creations and redemptions, the Commission agrees with the Participants that the relevant market participants may not be included in the current scope of CAT Reporters. Therefore, the Commission is not amending the Plan to include these data elements in the CAT at this time. Nor is it amending the Plan to include information on the settlement of securities transactions from DTCC and NSCC in the CAT, as it would require participation by entities not currently party to the CAT NMS Plan, and the regulatory benefits to the Participants and the Commission would not, at this time, justify the costs.

The Commission appreciates the commenter's perspective that additional data elements may offer some regulatory benefit. However, neither Rule 613 nor the CAT NMS Plan proposed including such data elements. After considering the comments, the Commission believes that it is reasonable to not mandate the reporting of new data elements to the CAT at this time. The Commission does not believe that the benefits to the Commission and Participants justify the cost for requiring additional data elements to be reported. The Commission or the Participants may consider additional data elements in the future.

5. Symbology

The CAT NMS Plan requires CAT Reporters to report data using the listing exchange's symbology. The CAT NMS Plan requires the Plan Processor to create and maintain a symbol history and mapping table, as well as provide a tool for regulators and CAT Reporters showing a security's complete symbol history, along with a start-of-day and end-of-day list of reportable securities for use by CAT Reporters.[1040]

Three commenters objected to the Plan requiring listing exchange symbology to be used by CAT Reporters.[1041] One commenter recommended that CAT Reporters be permitted to use the symbology standard they currently use and that the Central Repository should be responsible for normalizing the various standards.[1042] The commenter stated that while it does not expect that allowing CAT Reporters to use existing symbology would result in a large cost savings, it believes that use of existing symbology would reduce errors.[1043]

Another commenter expressed the view that it would be costly to use the listing exchange's symbology for reporting to the CAT and instead advocated for a standardized nomenclature or symbology across the markets, stating that without a standardized data nomenclature, the integration of a data reporting system and surveillance will be significantly more difficult.[1044] The commenter suggested use of a uniform, global, open, multi-asset identifier, such as the Financial Instrument Global Identifier (“FIGI”), a product developed by Bloomberg LP.[1045] The commenter stated that use of a standard with the characteristics of FIGI would simplify cross-asset surveillance, lower error rates and potentially lower symbology licensing costs.[1046]

The Participants responded that the Plan required CAT Reporters to submit data to the CAT using the listing exchange symbology based on their understanding of current reporting practices.[1047] The Participants noted that Industry Members use solutions and systems that allow them to translate symbology into the correct format of the listing exchange when submitting data to exchanges or regulatory reporting systems, such as OATS and Electronic Blue Sheets (“EBS”).[1048] The Participants further noted that all CAT Reporters subject to OATS or EBS reporting requirements use the symbology of the listing exchange when submitting such reports.[1049] Accordingly, the Participants did not agree with the comment that advocated adopting a new symbology approach, concluding that it would add significant cost and complexity for the industry.[1050] The Participants also noted that permitting CAT Reporters to use symbology other than the listing exchange symbology, and having the Plan Processor translate the symbology of different CAT Reporters to the listing exchange symbology, would require each CAT Reporter to submit regular mapping symbology information to the CAT, thereby increasing the complexity and the likelihood for errors in the CAT.[1051] The Participants stated that the requirement to use exchange symbology is the most efficient, cost-effective and least error-prone approach.[1052] The Participants, however, acknowledged that the Plan Processor may, in the future, determine whether the use of a standardized symbology, other than listing exchange symbology, would be appropriate.[1053]

The Commission believes that the CAT NMS Plan's requirement that CAT Reporters report data using the listing exchange's symbol is reasonable. The Commission agrees with the Participants that allowing each CAT Reporter to determine its reporting symbology would impose burdens on, and add complexity for, the Plan Processor by requiring each CAT Reporter to regularly submit to the Plan Processor symbology mappings. Additionally, the Commission believes that using existing symbology may reduce errors, as noted by the Participants. The Commission also understands, based on the Participants' representations, that CAT Reporters that report to OATS and EBS today already have the ability to translate to the listing exchange's symbology.

6. Security of CAT Data

The CAT NMS Plan requires that the Plan Processor develop and, with the prior approval of the Operating Committee, implement, policies, procedures and control structures related to the security of the CAT System.[1054] Appendices C and D describe the general security requirements for CAT data and outline minimum data security requirements that the Plan Processor must meet.[1055]

a. CAT Information Security Program Details

Several commenters believed that the CAT NMS Plan did not provide enough details regarding the security and confidentiality of CAT Data. One commenter noted that “explicit language indicating requirements for overall security of data transmission and storage, rather than suggestions, should be included in the finalized CAT requirements.” [1056] Another commenter stated that the Plan does not provide enough granular details related to actual controls, service levels, and technical support that will be implemented by the Plan Processor.[1057] Similarly, another commenter stated that the CAT NMS Plan lacks proper guidance concerning the requirements for security and confidentiality controls of the CAT System regarding, for example, network security, firewalls, systems management and library controls, IT personnel access to the CAT System and data, system logs and archives.[1058] One commenter “urg[ed] the SEC to require the SROs to share more detailed information on [data loss prevention, business continuity plans and cyber incident response plans] as a Plan Processor is selected and the Central Repository is built.” [1059] Other commenters suggested that certain market participants be provided another opportunity to provide feedback on the security controls, policies and procedures that will be adopted by the Plan Processor.[1060] Another commenter supported having an information security officer be responsible for regular updates of the documents and processes, breach identification, and management and processes for periodic penetration tests of all applications.[1061]

In response to commenters that requested more detail regarding the security controls for CAT Data, the Participants noted that in the Adopting Release for Rule 613, the Commission stated that “an outline or overview description of the policies and procedures that would be implemented under the NMS plan submitted to the Commission for its consideration would be sufficient to satisfy the requirement of the Rule.” [1062] The Participants also reiterated the position of the Commission at the time of adoption of Rule 613 that “it is important for the NMS plan submitted to the Commission to establish the fundamental framework of these policies and procedures, but recognizes the utility of allowing the plan sponsors flexibility to subsequently delineate them in greater detail with the ability to make modifications as needed.” [1063] The Participants noted that Section 6.12 of the CAT NMS Plan requires the Plan Processor to develop and maintain a comprehensive information security program for the Central Repository, to be approved and reviewed at least annually by the Operating Committee.[1064]

The Participants also referred to Appendix D of the Plan, which discusses the fundamental framework of this program, including: (1) Appropriate solutions and controls to ensure data confidentiality and security during all communications between CAT Reporters and Data Submitters and the Plan Processor, data extraction, manipulation and transformation, loading to and from the Central Repository and data maintenance by the CAT System; (2) security controls for data retrieval and query reports by Participants and the SEC; and (3) appropriate tools, logging, auditing and access controls for all components of the CAT System.[1065] The Participants further noted the Plan provisions addressing: (1) The physical assets and personnel of the CAT; (2) training of all persons who have access to the Central Repository; (3) encryption; (4) remote access to the CAT System; (5) the handling of PII; (6) data storage (including penetration testing and third party audits); (7) access to PII and other CAT Data; breach management; and (8) the minimum industry standards that must be followed by the Plan Processor in developing and implementing the security and confidentiality policies and procedures for the Plan.[1066] The Participants also provided a high level description of the security requirements for the CAT System, which described the architecture controls, program level controls, and data usage and regulator controls applicable to the CAT.[1067] Notably, the Participants also stated that they believe that “publicly releasing too many details about the data security and information policies and procedures of the CAT System presents its own security concerns and is not advisable.” [1068]

The Participants stated that they do not believe that market participants such as experts from Industry Members should be permitted to review and provide feedback on the security controls, policies and procedures of the Plan Processor because each Bidder already has provided information on the various security issues discussed in the Plan and as a result, the Plan Processor will have sufficient information from which to formulate appropriate data security and information policies and procedures.[1069] The Participants added that data security policies and procedures of the Plan Processor will be subject to the review and approval of the Operating Committee, which will seek the views of the Advisory Committee.[1070] Therefore, the Participants do not believe that it is necessary to allow Industry Members to separately review the security controls, policies and procedures of the Plan Processor.[1071]

The Participants also provided additional details concerning certain security controls and protocols required of the Plan Processor. Specifically, the Participants noted that the Plan Processor must establish a penetration testing protocol and that the Participants generally would expect penetration testing to occur following major changes to system architecture (e.g., changes in the network segmentation, major system upgrades, or installation of new management level applications), or when other specific new threats are identified.[1072] The Participants also provided additional detail clarifying their threat monitoring program and stated that they expect that the Plan Processor will “adhere to industry practice for an infrastructure initiative such as the CAT, and, therefore, the Plan Processor will provide 24x7 operational monitoring, including monitoring and alerting for any potential security issues across the entire CAT environment.” [1073] Related to threat monitoring, the Participants noted that the CISO also is required to establish policies and procedures to address imminent threats.[1074] Specifically, the Participants stated that they expect the CISO to establish procedures for addressing security threats that require immediate action to prevent security threats to the CAT Data.[1075]

The Commission fully recognizes the importance of maintaining the security of the CAT Data and the need to have sufficient information regarding the policies, procedures and control structures that will be adopted by the Plan Processor that will apply to the security of the CAT Data. The Commission also reiterates its view, as set forth in the Adopting Release and as noted by the Participants in their response, that an outline or overview description of the policies and procedures that would be implemented by the Plan Processor regarding data security satisfies the requirements of Rule 613 and that it is reasonable for additional detail about the controls, policies and procedures applicable to the CAT's information security program to be determined and published after the Plan Processor is selected, including through the CAT's Technical Specifications, which will be publicly available.[1076] The Commission also shares the concerns articulated by the Participants that publicly releasing too many details about the technical security requirements, tools and techniques of the CAT NMS Plan could invite exploitation. The Commission believes that the CAT NMS Plan must strike a balance between setting out the fundamental framework for the security of the CAT Data while maintaining the ability of the Plan Processor to adopt additional security parameters as it sees fit, some of which the Plan Processor may not want to make public.

The Commission has considered the security provisions in the CAT NMS Plan and finds that a reasonable level of detail regarding the security and confidentiality controls has been provided in the CAT NMS Plan. However, the Commission expects that the Participants will require the Plan Processor to continuously monitor the information security program of the CAT to ensure that it is consistent with the highest industry standards for the protection of data, and to proactively implement appropriate changes to the security program to guard against any unauthorized intrusions or breaches of the Plan Processor's data security protocols and protections. The Commission also expects that, when the Plan Processor is chosen, the Plan Processor will provide more detail about the specific security requirements and attendant obligations placed on the Participants, including through the issuance of Technical Specifications, which will be publicly available; more explicit language indicating requirements for overall security of data transmission and storage; more granularity related to actual controls and service levels; and more details about the technical support that will be implemented by the Plan Processor. The Commission also notes that, as discussed in Section IV.H, the Commission is amending Section 6.6 of the Plan to require that the Participants provide the Commission with an annual evaluation of the information security program to ensure that the program is consistent with the highest industry standards for the protection of data.[1077]

The Commission also believes that, based on the CAT NMS Plan and the Participants' response, a reasonable level of detail and explicit requirements regarding the overall security of data transmission, storage, service levels, and technical support has been provided.[1078] Similarly, the Commission believes that the Plan adequately addresses network security, firewalls, systems management, data loss prevention, business continuity plans and cyber incident response plans.[1079] In response to the commenters that requested that market participants such as experts from Industry Members be permitted to review and provide feedback on the security controls, policies and procedures of the Plan Processor, the Commission believes that such review and feedback is not necessary, particularly in light of input by the Advisory Committee.

In response to the commenter that supported having an information security officer be responsible for regular updates of the documents and processes, breach identification, and management and processes for periodic penetration tests of all applications, the Commission notes that the Plan provides for a CISO who has a broad range of responsibilities regarding the security of the CAT Data.

b. Security Standards for the CAT System

Several commenters put forth various industry security standards that should be adopted by the Plan Processor. One commenter stated that if the CAT System operates using a cloud infrastructure, the CAT should employ a cloud provider rated for security via the Cloud Controls Matrix from the Cloud Security Alliance.[1080] This commenter further recommended that the CAT “be subject to existing data security and privacy standards like Regulation P [Annual Privacy Notice Requirement under the Gramm-Leach-Bliley Act], FISMA [Federal Information Security Management Act] and FedRAMP [Federal Risk and Authorization Management Program].” [1081] One commenter stated that steps should be taken to ensure proper controls are in place to protect the data throughout its lifecycle using secure, authenticated and industry-accepted encryption mechanisms.[1082] Another commenter recommended the use of “pre-defined extract templates and uniform global formats such as ISO [International Organization for Standardization] 2002.” [1083] One commenter stated that at a minimum, connection to CAT infrastructure should be protected by transport layer security/secure sockets layer (“TLS/SSL”) through a secure tunnel.[1084] Another commenter suggested that the CAT NMS Plan employ the cybersecurity framework developed by NIST and the cybersecurity assessment tool created by the Federal Financial Institutions Examination Council (“FFIEC”).[1085]

One commenter noted the need for an ongoing assessment of the risks associated with the CAT System and data to meet the NIST industry standards referenced in the Plan.[1086] In discussing the confidentiality and sensitivity of CAT Data, a commenter noted that “[t]he emphasis shouldn't be favoring on [sic] a particular prescribed standard . . . but the key is: CAT needs independence [sic] privacy and security assessment at regular intervals. The assessment will include: Vulnerability scan and identifying system nuisances that can cause or already caused privacy and security issues.” [1087]

With respect to the industry standards applicable to the CAT System, in their response, the Participants noted that at the outset of operation of the CAT, the Plan Processor will adopt all relevant standards from the NIST Cyber Security Framework, NIST 800.53 or ISO 27001 that would be appropriate to apply to the Plan Processor.[1088] The Participants added that because industry standards may evolve over time, the Participants will require that the CAT's security program align with current industry standards and best practices as they evolve in the future.[1089] To this end, the Plan requires that the Plan Processor's information security program be reviewed at least annually by the Operating Committee.[1090]

Regarding security standards applicable to the Participants that access CAT Data, the Participants noted that the Plan requires the Participants to “establish, maintain and enforce written policies and procedures reasonably designed . . . to ensure the confidentiality of the CAT Data obtained from the Central Repository.” [1091] The Participants stated that “such policies and procedures will be subject to Reg SCI and oversight by the SEC.” [1092] Moreover, in their response, the Participants stated that “[i]n the event that relevant standards evolve, the proposed Plan also requires that “[e]ach Participant shall periodically review the effectiveness of the policies and procedures . . . and take prompt action to remedy deficiencies in such policies and procedures.” [1093]

In response to the commenters that believed that an ongoing assessment of the risks associated with the CAT System and data should meet the NIST standards in the Plan, the Participants stated that they agree that the CAT System should be regularly assessed for security risks,[1094] and that the Operating Committee must conduct an annual review of the Plan Processor's information security program.[1095] The Participants further noted that Section 6.2(a)(v)(C) of the Plan provides that the CCO, in collaboration with the CISO, will retain independent third parties with appropriate data security expertise to review and audit on an annual basis the policies, procedures, standards and real-time tools that monitor and address data security issues for the Plan Processor and the Central Repository.[1096]

In response to the commenter that believed that the Plan Processor should be FedRAMP certified, the Participants stated that they do not believe that the Plan Processor should be required to be FedRAMP certified.[1097] The Participants stated that requiring FedRAMP certification could limit the portions of each cloud provider's solutions that each Bidder may access, while also increasing costs for the CAT. The Participants further stated that FedRAMP certification itself does not provide for additional security controls beyond those contained in the NIST standards, but rather focuses on providing a certification and evaluation process for government applications.[1098] Moreover, the Participants believe that the security controls required in the Plan and proposed by the Bidders, as well as those provided by the Bidders' cloud providers, are robust and would not be materially enhanced by requiring them to be FedRAMP certified.[1099] The Participants also pointed out that regular independent third party audits, as required by the Plan, also would help to ensure the security of the CAT and any cloud solutions in use.[1100]

The Commission notes that Appendix D of the Plan addresses the security standards applicable to the CAT System. Specifically, Section 4.2 of Appendix D of the CAT NMS Plan, as proposed, states that “[t]he following industry standards, at a minimum, must be followed as such standards and requirements may be replaced by successor publications, or modified, amended, or supplemented and as approved by the Operating Committee (in the event of a conflict between standards, the more stringent standard shall apply, subject to the approval of the Operating Committee).” [1101] The Plan then lists several NIST standards (e.g., NIST 800), FFIEC's “Authentication Best Practices,” and ISO/IEC 27001's “Information Security Management.” Appendix D, Section 4.2, as proposed, also states that the CAT LLC shall join the Financial Services-Information Sharing and Analysis Center (“FS-ISAC”) and comparable bodies as the Operating Committee may determine.

Moreover, in the Commission's view, the Participants' commitment in their response that, at the outset of the operation of CAT, the Plan Processor will adhere to the relevant standards from the NIST Cyber Security Framework is a reasonable step toward ensuring a robust security information program. At this time, the Commission believes that the NIST Cyber Security Framework provides a reliable and comprehensive approach to cybersecurity risks and threats, and helps to ensure that the Plan Processor will be abiding by appropriately rigorous industry standards to help identify, protect, detect, respond and recover from cyberattacks, whether internal or external, domestic or international. Accordingly, the Commission is amending Appendix D, Section 4.2 of the CAT NMS Plan to add the requirement that the Plan Processor will adhere to the NIST Cyber Security Framework in its entirety.[1102] The Commission believes that adherence to the standards of the NIST Cyber Security Framework provides a reasonable approach to ensuring that security standards applicable to the CAT System will reflect high industry standards regarding the protection of CAT Data.

In light of the Participants' commitment and ongoing requirement to adhere to the NIST Cyber Security Framework—which will address the security of the CAT cloud provided by the Plan Processor—and the limitations that FedRAMP certification might impose on the cloud provider's solutions that each bidder might access should the bidder be chosen as the Plan Processor, the Commission believes that it is reasonable to not require that the Plan Processor be FedRAMP certified. In addition, the Commission believes that it is reasonable to allow the Plan Processor to evaluate whether it should adhere to the data security and privacy standards like Regulation P, FISMA and ISO 2002, and whether the connection to the CAT infrastructure should be protected by TLS/SSL.

The Commission also notes that in their response, the Participants stated that with respect to partnerships with other private or public organizations and information sharing entities, the Participants do not intend to restrict the CAT LLC's partnership only to the FS-ISAC; the Participants stated that the CAT LLC may seek to join other industry groups such as the National Cyber-Forensic & Training Alliance, the Department of Homeland Security's National Cybersecurity & Communications Integration Center, or other reputable cyber and information security alliances.[1103] The Commission believes the Participants have appropriately clarified that the provision in Appendix D, Section 4.2 of the Plan listing the other organizations that the CAT LLC may join was not intended to be an exclusive list because the provision explicitly states that the CAT LLC shall endeavor to join other “comparable bodies as the Operating Committee may determine.”

c. CAT User Access Administration

Many commenters discussed issues related to the administration of CAT users. One commenter stated that “[a]ppropriate policies and procedures should be in place for user access administration, including provisioning of administrators, user data management, password management and audit of user access management.” [1104] Another commenter noted the need to train employees and contractors with access to CAT Data on how to maintain the security and confidentiality of the data,[1105] while another commenter supported the establishment of processes to prevent access to sensitive data by any individuals who have not attended compliance training.[1106] One commenter stated that persons authorized to access CAT Data should have comprehensive background checks.[1107]

Other commenters discussed the password authentication procedures in the CAT NMS Plan that are meant to ensure that CAT Data is only accessed by credentialed personnel. One commenter stated that all persons with access to the CAT System should have their access secured via multi-factor authentication as prescribed in OMB Memorandum M-06-16.[1108] Another commenter suggested leveraging any authentication procedures at the entity that employs a person seeking access to CAT Data, stating that this approach would also allow for automated deactivation of users that leave the CAT Reporter or Participant.[1109]

In their response to commenters, the Participants noted the provisions in Appendix D of the Plan that require the Plan Processor to develop and maintain policies and procedures reasonably designed to prevent, detect and mitigate the impact of unauthorized access or usage of data in the Central Repository.[1110] The Participants further noted that the Plan requires that such policies and procedures include, at a minimum, (1) information barriers governing access to and usage of data in the Central Repository; (2) monitoring processes to detect unauthorized access to or usage of data in the Central Repository; and (3) escalation procedures in the event that unauthorized access to or usage of data is detected.[1111] The Participants also note that the Plan requires that passwords be stored according to industry best practices and recovered by secure channels, and that all logins will be subject to MFA.[1112] The Participants further note that the Plan Processor will have discretion to consider additional controls on user access in formulating the data security policies and procedures for the CAT System, including, without limitation, deactivating users who have not accessed the CAT System for a specified period of time.[1113]

The Commission believes that monitoring the access to CAT to ensure that only authorized persons are allowed to access the CAT System and CAT Data is critical to ensuring the security of CAT Data. The Commission agrees with the Participants that the requirements set out in Appendix D, and other provisions of the CAT NMS Plan, provide a reasonable outline of CAT user access administration (including provisioning of administrators) in general, as well as user data management and password management.[1114]

In response to specific commenters that believed that only individuals with appropriate training should be permitted access to CAT Data, Section 6.1(m) of the Plan states that “[t]he Plan Processor shall develop and, with the prior approval of the Operating Committee, implement a training program, which will be made available to all individuals who have access to the Central Repository on behalf of the Participants or the SEC prior to such individuals being granted access to the Central Repository, that addresses the security and confidentiality of all information accessible from the CAT, as well as the operational risks associated with accessing the Central Repository.” [1115] Appendix D of the Plan also states that the Plan Processor must provide to the Operating Committee a comprehensive security plan that covers all components of the CAT System, including physical assets and personnel, and the training of all persons who have access to the Central Repository consistent with Article VI, Section 6.1(m).[1116] Thus, the Commission believes that these Plan provisions, taken together, indicate that the Plan Processor will require that all persons that have access to CAT Data will be required to complete training prior to accessing CAT Data, and expects that only those persons that have been adequately trained will have access to CAT Data.

In response to the commenter that stated that persons authorized to access CAT Data should have comprehensive background checks, the Commission notes that the Plan provides that “in addition to other policies, procedures and standards generally applicable to the Plan Processor's employees and contractors, the Plan Processor shall have hiring standards and shall conduct and enforce background checks (e.g., fingerprint-based) for all of its employees and contractors to ensure the protection, safeguarding and security of the facilities, systems, networks, equipment and data of the CAT System. . . .” [1117] While the Commission believes that this provision sets out a reasonable approach to background checks for employees and contractors of the Plan Processor, the Commission believes that such a requirement generally should extend to Participants with respect to all of their users that have access to CAT Data and therefore is amending the Plan to require that each Participant conduct background checks for its employees and contractors that will use the CAT System.[1118] The Commission believes that this amendment to the Plan is appropriate in order to ensure that only authorized and qualified persons are using the CAT System.

The Commission also notes that the Participants have represented that all logins must be secured by MFA, in response to commenters' concerns that authentication procedures for CAT users should ensure that only credentialed persons are accessing the CAT Data. In addition, in response to commenters that expressed concerns about the password authentication procedures of the Plan Processor, the Commission notes that the Plan addresses password guidelines such as, for example, the appropriate complexity of passwords and the recovery of lost passwords.[1119] The Commission also believes that the Plan does not prohibit the Plan Processor from considering an approach to authenticating a CAT user that would leverage the authentication procedures at the entity (either a Participant or CAT Reporter) that employs a person seeking access to CAT Data, as suggested by a commenter. The Commission believes these provisions, taken together, provide reasonable protections around CAT user administration.

Finally, with respect to another aspect of CAT user access administration, in their response the Participants noted that they do not believe that memoranda of understanding or similar agreements between the CAT LLC and the Participants are necessary since the Participants will be bound by both their participation in the Plan as well as the agreement between the CAT LLC and the Plan Processor.[1120] However, the Participants stated they believe that it is important that information regarding CAT Data usage, such as contact points and escalation procedures, be shared between the Plan Processor and the Participants; therefore, the Participants state they expect to establish such information sharing agreements between the Plan Processor and the Participants once the Plan Processor is chosen. Moreover, the Participants stated, they expect that one of the CISO's responsibilities would be to make sure that this information is captured and kept up to date appropriately.[1121]

The Commission notes that the Plan Processor has not yet been chosen and thus the execution of such memoranda is not appropriate at this time. However, the Commission believes that explicitly memorializing issues relating to CAT Data usage between the Plan Processor and each Participant would be beneficial to the operation of the CAT System.

The Commission also notes that, with respect to access, the CAT NMS Plan provides that the Plan Processor will provide to the Participants and the Commission access to the Representatives of the Plan Processor as any Participant or the Commission may reasonably request solely for the purpose of performing such Person's regulatory and oversight responsibilities pursuant to the federal securities laws, rules, and regulations or any contractual obligations.[1122] The Plan also provides that the Plan Processor will direct its Representatives to reasonably cooperate with any inquiry, investigation, or proceeding conducted by or on behalf of any Participant or the Commission related to such purpose.[1123] As filed, this provision would allow the Plan Processor to refuse access to the Commission and/or Participants upon its own determination of “unreasonableness.” The Commission believes that Commission or Participant requests for access to Representatives of the Plan Processor should be considered reasonable, absent other circumstances. It is therefore amending the Plan to delete the requirement that the access to Plan Processor Representatives be “reasonable” and that the Representatives of the Plan Processor only be required to “reasonably” cooperate with any inquiry, investigation, or proceeding conducted by or on behalf of the Commission. The Commission expects that, even without the “reasonableness” qualifier, it and the Participants will be reasonable in requesting access to the Representatives of the Plan Processor.

d. Downloading CAT Data By Regulators

Several commenters discussed the security risks associated with the downloading of CAT Data by regulators. One commenter argued that CAT Data should never be extracted, removed, duplicated, or copied from the CAT, noting that such practices would introduce additional risk and render even the most advanced security measures ineffective.[1124] Instead, this commenter recommended allowing data to be imported into a CAT query sub-system if surveillance is needed in conjunction with external data.[1125] Another commenter similarly noted the security risk associated with extracting data from the Central Repository and stated its preference for an approach “where the data is accessible by the Regulators but the data is not extracted and stored outside the Central Repository, except for extraction of `comparable' data that would facilitate exemption from duplicative reporting and retirement of high priority duplicative systems.” [1126] This commenter added “if combined datasets surveillance is needed (with data external to CAT), the SROs should be allowed to upload external SRO data to a sandbox environment within CAT, in order to enable combined surveillance.” [1127]

Another commenter stated that the CAT NMS Plan's provision permitting the Commission and SROs to download entire data sets and analyze the data within the regulator's systems or the regulator's cloud, and the Plan's proposal to allow broker-dealers to “verify certain data that they have submitted to the CAT,” represent security risks to CAT Data that the SEC and SROs should avoid.[1128] This commenter further noted that having multiple points of access to CAT Data, and the ability to download CAT Data, raise “significant cybersecurity concerns and outweigh the benefit of access to processed CAT [D]ata.” [1129] Another commenter believed that CAT Data should remain in the Central Repository, but noted that if the Commission determines to permit the downloading of CAT Data, the CAT NMS Plan should only allow a user to download CAT Data if the information security measures available at the user's site equal or exceed those protecting the data at the Central Repository.[1130]

In response to commenters, the Participants noted that Rule 613 requires regulators to develop and implement a surveillance system, or enhance existing surveillance systems to make use of CAT Data.[1131] The Participants stated that regulators should have flexibility in designing such surveillance systems, including the ability to access and transfer data where necessary and consistent with appropriate data security safeguards.[1132] Such access must be via secure channels (e.g., secure FTP, API or over encrypted lines) as required in the Plan.[1133] The Participants further noted that the Plan requires that Participants have appropriate policies and procedures in place to protect such data.[1134] Specifically, the Plan requires that Participants establish, maintain and enforce written policies and procedures reasonably designed to ensure the confidentiality of CAT Data.[1135] The Participants also stated that they believed that all regulators, including the Commission, should be obligated to establish security measures to protect the security and confidentiality of CAT Data for security purposes.[1136]

The Participants also noted that the CAT NMS Plan requires the Plan Processor to provide regulators with the ability to perform bulk data extraction and download of CAT Data.[1137] The Participants stated they continue to believe that permitting regulators to download order/transaction data from the Central Repository for regulatory use (i.e., “bulk data extracts”) is important for their regulatory purposes, and that eliminating or limiting bulk data extracts of the CAT Data may significantly and adversely impact the Participants' ability to effectively conduct surveillance of their markets using CAT Data. The Participants stated that they also plan to enrich their existing surveillance using bulk data extracts of CAT Data.[1138]

Regarding the security of extracted CAT Data, the Participants stated that they “recognize the security concerns raised by bulk data extracts and any Participant-controlled systems (e.g., Participant sandboxes residing in the Plan Processor's cloud or a Participant's local system) used to store and analyze such data extracts, but the Participants believe that requiring the Participants to adopt and enforce policies and procedures to address these security issues appropriately addresses these concerns without diminishing the surveillance benefits of the CAT.” [1139] The Participants noted that the Plan requires the Participants to “establish, maintain and enforce written policies and procedures reasonably designed . . . to ensure the confidentiality of the CAT Data obtained from the Central Repository.” [1140] Accordingly, the Participants stated that Participants must have policies and procedures reasonably designed to ensure the confidentiality of CAT Data obtained through bulk data extracts and maintained in the Participants' systems.[1141] In their response, the Participants stated that their own security controls, not those of the Plan Processor, would apply to such systems as they would be outside the Plan Processor's control.[1142] The Participants represented that their security controls would be consistent with industry standards, including security protocols that are compliant with Regulation SCI, and the Participants would periodically review the effectiveness of such controls pursuant to their policies and procedures addressing data security.[1143]

Regarding the Participants' security controls, the Participants stated that the CISO would be obligated to escalate issues that could represent a security threat to CAT Data.[1144] For example, the Participants stated that if the CISO observes activity from a CAT Reporter or Participant that suggests that there may be a security threat to the Plan Processor or the Central Repository, then the CISO, in consultation with the CCO, may escalate the matter to the Operating Committee.[1145] The Participants stated, however, that they do not envision that “such policy enforcement [by the CISO] would involve a regulatory enforcement role with regard to the Participants.” [1146] The Participants further stated that “[t]he Plan does not give the CISO the authority to engage in such regulatory enforcement.[1147] Moreover, although the Plan permits the Operating Committee to impose fees for late or inaccurate reporting of information to the CAT, it does not authorize the Participants to oversee, or serve enforcement actions against, each other via the Plan Processor. Only the SEC has such authority under the Securities Exchange Act of 1934.” [1148]

The Commission believes that ensuring the security and confidentiality of CAT Data is of utmost importance, and also notes the Participants' recognition that regulators should have flexibility in designing such surveillance systems, including the ability to access and transfer data where necessary and consistent with appropriate data security safeguards. As described above, the Plan Processor has the specific responsibility to develop and implement policies, procedures and control structures related to the security of the CAT System.[1149] The Plan Processor also is responsible for the security and confidentiality of all CAT Data received and reported to the Central Repository, including during all communications between CAT Reporters and the Plan Processor, data extraction, data manipulation and transformation, loading to and from the Central Repository, and data maintenance and storage by the Central Repository.[1150] The Plan Processor also must require the establishment of secure controls for data retrieval and query reports for CAT Data reported to and stored in the Central Repository.[1151]

While the Plan Processor is responsible for the security of the CAT Data collected by and stored in the Central Repository, the Commission agrees with commenters that once CAT Data is extracted into a Participant's regulatory surveillance system, the Plan Processor can no longer assure the security of the CAT Data because the details, requirements and rigor of the policies and procedures regarding the security of CAT Data at each Participant are beyond the direct control of the Plan Processor. This is the case whether the CAT Data is downloaded to a Participant's local server, or downloaded into a dedicated sandbox within the CAT cloud—and whether the CAT Data that is downloaded is a subset of all the CAT Data collected by the Central Repository, or the entirety of the CAT Data (i.e., cloning the entire CAT database).

Therefore, the Commission believes that if a Participant chooses to extract CAT Data, whether into its own local server environment or into its own sandbox within the CAT cloud, the Participant must have policies and procedures regarding CAT Data security that are comparable to those implemented and maintained by the Plan Processor for the Central Repository, and that each Participant must certify and provide evidence to the CISO that its policies and procedures for the security of CAT Data meet the same security standards applicable to the CAT Data that is reported to, and collected and stored by, the Central Repository. Given the necessity of ensuring the security of CAT Data that is collected by and stored in the Central Repository, the Commission believes that this is a reasonable requirement that will ensure that CAT Data is subject to the same standards of security, whether the CAT Data is downloaded by a Participant onto the Participant's local servers, or downloaded into the Participant's sandbox within the CAT cloud,[1152] and therefore, is amending the Plan accordingly.[1153]

The Commission believes that it is critical to the security of the CAT Data to assign responsibility to the CISO to review the data security policies and procedures of Participants that extract CAT Data into their own systems, whether on a local server or within a sandbox within the CAT cloud, to determine whether such policies and procedures are comparable to the data security policies and procedures applicable to the Central Repository. The Commission further believes that if the CISO, in consultation with the CCO, finds that any such information security policies and procedures of a Participant are not comparable to the policies and procedures applicable to the CAT System, and the issue is not promptly addressed by the applicable Participant, the CISO, in consultation with the CCO, will be required to provide notice of any such deficiency to the Operating Committee.[1154]

e. Use of CAT Data for Regulatory and Surveillance Purposes

One commenter stated that access to CAT Data should be restricted to Commission and SRO Staff with regulatory and oversight responsibilities.[1155] Another commenter stated that the proposed model and timeframe for regulatory access to the reported data is consistent with the Commission's broader regulatory objectives.[1156] Another commenter noted that access should not be granted to the academic community.[1157] On the other hand, one commenter believed that aggregated CAT Data should be made available to the public on a limited or time-delayed basis, so as to enable more creative approaches to market surveillance, foster industry collaboration, and augment regulatory efforts.[1158]

The Participants stated that they do not plan to make CAT Data available for use by the public (or academics or other third parties) at this time.[1159] The Participants noted that there may be certain benefits to this type of expanded access, such as promoting academic evaluations of the economic costs and benefits of regulatory policy.[1160] Nevertheless, the Participants believed that the privacy and security concerns raised by such public access would outweigh the potential benefits.[1161] The Participants stated that this conclusion is “in line with the SEC's statements in the adopting release for SEC Rule 613 that, in light of the privacy and security concerns, ‘it is premature to require that the NMS plan require the provision of data to third parties.’ ” [1162]

The Commission agrees with the Participants and believes that it is reasonable to continue to limit access to CAT Data to regulatory authorities for regulatory and surveillance use.[1163] As previously noted, the CAT is designed to be a regulatory tool. While the Commission recognizes that there may be benefits to expanding the distribution of CAT Data, the Commission also believes that limiting the use of CAT Data for regulatory and surveillance purposes is reasonable at this time, given the vast scope of the CAT Data and need to ensure the security and confidentiality of the CAT Data.[1164]

Although not raised by commenters, the Commission emphasizes that under the Plan the CCO must develop and implement a notification and escalation process to resolve and remediate any alleged non-compliance with the rules of the CAT by a Participant or Industry Member, which shall include appropriate notification and order of escalation to a Participant, the Operating Committee, or the Commission.[1165] The Commission expects that any additional escalation procedures outlined by the CCO, once the CCO is selected, will adhere to this process.

f. Regulation SCI

Several commenters discussed the applicability of Regulation SCI to the Central Repository.[1166] One commenter stated that because the CAT is an “SCI System” and an SCI System of each of the SROs, all obligations associated with Regulation SCI must be complied with by the SROs to ensure the security and integrity of the CAT.[1167] One commenter stated that Industry Members are not subject to Regulation SCI and the CAT NMS Plan should “make clear that Regulation SCI would not be expanded to apply to an Industry Members [sic] by virtue of its reporting requirements under the CAT Plan.” [1168] Another commenter stated that because the CAT NMS Plan provides that the Plan Processor must be compliant with Regulation SCI requirements, compliance with Regulation SCI requirements should be “an explicit evaluation criterion as part of the selection process for the CAT Processor.” [1169]

The Participants noted that the Plan Processor will need to satisfy all applicable regulations involving database security, including Regulation SCI, and the Participants have discussed with the Bidders their responsibilities under Regulation SCI on numerous occasions.[1170] They added they do not believe that it is appropriate that the Plan provide details on how the Plan Processor will ensure that the Central Repository will comply with Regulation SCI.[1171]

The Central Repository, as a facility of each of the Participant SROs, is an SCI Entity [1172] and the CAT System is an SCI system, and thus it must comply with Regulation SCI.[1173] The CAT NMS Plan states that data security standards of the CAT System shall, at a minimum, satisfy all applicable regulations regarding database security, including provisions of Regulation SCI.[1174] The Plan Processor thus must establish, maintain and enforce written policies and procedures reasonably designed to ensure that the CAT System has levels of capacity, integrity, resiliency, availability, and security adequate to maintain its operational capability to comply with Regulation SCI.

According to Regulation SCI, the policies and procedures must require: (i) The establishment of reasonable current and future technology infrastructure capacity planning estimates; (ii) periodic capacity stress tests of such systems to determine their ability to process transactions in an accurate, timely, and efficient manner; (iii) a program to review and keep current systems development and testing methodology for such systems; (iv) regular reviews and testing, as applicable, of such systems, including backup systems, to identify vulnerabilities pertaining to internal and external threats, physical hazards, and natural or manmade disasters; (v) business continuity and disaster recovery plans that include maintaining backup and recovery capabilities sufficiently resilient and geographically diverse and that are reasonably designed to achieve next business day resumption of trading and two-hour resumption of critical SCI systems following a wide-scale disruption; (vi) standards that result in such systems being designed, developed, tested, maintained, operated, and surveilled in a manner that facilitates the successful collection, processing, and dissemination of market data; and (vii) monitoring of such systems to identify potential SCI events.[1175] Compliance with Regulation SCI will also require the Plan Processor to periodically review the effectiveness of the policies and procedures and take prompt action to remedy deficiencies in such policies and procedures.[1176]

For purposes of compliance with Regulation SCI, the Commission has stated that an SCI entity's policies and procedures shall be deemed to be reasonably designed if they are consistent with current SCI industry standards, which are required to be comprised of information technology practices that are widely available to information technology professionals in the financial sector and issued by an authoritative body that is a U.S. governmental entity or agency, association of U.S. governmental entities or agencies, or widely recognized organization, although compliance with current SCI industry standards is not the exclusive means to comply with the requirements of Regulation SCI.[1177] To assist SCI entities in developing policies and procedures consistent with “current SCI industry standards,” Staff of the Commission issued Staff Guidance which lists examples of publications describing processes, guidelines, frameworks, or standards that an SCI entity could look to in developing reasonable policies and procedures to comply with Regulation SCI.[1178] The standards under the Staff Guidance address nine subject areas, including application control; capacity planning; computer operations and production environment controls; contingency planning; information security and networking; audit; outsourcing; physical security; and systems development methodology.[1179]

The Commission believes that compliance with Regulation SCI will help to reduce the occurrence of systems issues; improve the resiliency of the technological infrastructure when systems problems do occur; and enhance the Commission's oversight of the Central Repository. In response to a concern by a commenter about the potential of the Plan to expand the scope of Regulation SCI, the Commission clarifies that Industry Members will not be subject to Regulation SCI by virtue of reporting audit trail data to the Central Repository. In addition, in response to the commenter that stated that the Participants should use compliance with Regulation SCI as an explicit evaluation criterion as part of the selection process for the CAT Processor, the Commission expects that the Participants will evaluate a Bidder's ability to comply with Regulation SCI as part of its Bidder evaluation process, as compliance with Regulation SCI is an explicit criterion of the CAT NMS Plan.

g. Physical Security of CAT Systems

The CAT NMS Plan requires the Plan Processor to provide a solution addressing physical security controls for corporate, data center and any leased facilities where any CAT Data is transmitted or stored.[1180] One commenter stated that the data centers housing the CAT System must, at a minimum, be SOC 2 certified with such certification annually attested to by a qualified third-party auditor that is not affiliated with the SROs or the Plan Processor.[1181] The Participants stated that they intended for data centers housing the CAT System to be AICPA SOC 2 certified.[1182] In addition, the Participants recommended that the auditor provision should be amended to require a qualified third-party auditor that is not an affiliate of any of the Participants or the Plan Processor.[1183]

The Commission believes that assuring the physical security of the data centers that house the CAT Data, including PII Data, is a critical component of the overall security program and the Commission believes that the Participants' recommendation to amend the standards applicable to ensure the physical security of the CAT System to reflect that it will be AICPA SOC 2 certified and audited by a qualified third-party auditor that is not an affiliate of any Participant or the Plan Processor is reasonable. The Commission therefore is amending the Plan accordingly.[1184]

h. Encryption of CAT Data

Commenters discussed the CAT NMS Plan's provisions regarding encryption of CAT Data, including CAT Data that is PII. One commenter stated that the CAT NMS Plan's data encryption requirements alone were not sufficient to protect CAT Data at-rest and PII, and that many more detailed and technical issues must be considered for the encryption requirements for the CAT System and CAT Data to be sufficient.[1185] The commenter also recommended that the CAT Plan require data to be encrypted both at-rest and in-flight, and that particularly sensitive pieces of data be isolated and compartmentalized.[1186] Another commenter highlighted specific standards for in-transit data (e.g., asymmetric encryptions and transport layer security), data at-rest (e.g., NIST Special Publication 800-57), and data in-use (e.g., implementing data protection controls such as disclosing intended use and duration).[1187]

One commenter requested that Section 4.1.2 of Appendix D of the Plan, which addresses the encryption of CAT Data, be amended to make clear that the monitoring, alerting, auditing, and any other requirements that apply with respect to CAT Data also apply to archival CAT Data.[1188] Another commenter opined that the encryption and decryption standards used by the Plan Processor should be continuously updated to meet the most stringent data encryption requirements possible, and designed to support end-to-end data encryption, with data decrypted at the desktop level.[1189]

Commenters also focused on the particular necessity of encrypting PII, both when in-transit and at-rest, to ensure it remains secure and confidential.[1190] One commenter noted the CAT NMS Plan's requirement that CAT Data provided to regulators that contains PII be “masked,” [1191] and stated that PII should be masked unless users have permission to view the PII contained in the CAT Data that has been requested,[1192] while another commenter believed that clarification is needed regarding the meaning of “masked” under the CAT NMS Plan.[1193]

The Participants stated that “given that all three remaining bidders propose cloud based solutions, all data will be encrypted in-flight and at-rest.” [1194]

The Commission notes that the CAT NMS Plan requires the Plan Processor to describe how PII encryption is performed and the key management strategy. The CAT NMS Plan also requires that PII encryption methods include a secure documented key management strategy such as the use of HSM(s).

The Commission agrees with commenters that encryption of CAT Data is a necessary and critically important means of protecting CAT Data, including PII. Therefore, given the role that encryption plays in maintaining the security of CAT Data, the Commission believes that all CAT Data must be encrypted and is amending the Plan accordingly.[1195]

In response to the commenter that believed that encryption alone was not sufficient to protect CAT Data at-rest and PII, the Commission notes that the CAT NMS Plan provides several means of protecting CAT Data in addition to encryption, including provisions addressing connectivity and data transfer requirements, parameters for the storage of CAT Data in general, and PII in particular, and limitations on access to CAT Data by authorized users only. In addition, the Plan states that the Technical Specifications, which will be published one year before Industry Members must report CAT Data to the Central Repository, will include more details about the data security for CAT.[1196] Thus, in response to the commenter that believed that more detailed and technical issues must be considered for the encryption requirements for the CAT System and CAT Data to be sufficient, the Commission believes that preparation and publication of the Technical Specifications referenced above commits the Participants to undertaking an analysis of security requirements, in addition to and as a supplement to, the existing encryption requirements. With respect to the issues raised by the commenter regarding the specific standards for in-transit data (including asymmetric encryptions and transport layer security), data at-rest (e.g., NIST Special Publication 800-57), and data in-use (e.g., implementing data protection controls such as disclosing intended use and duration), the Commission notes that, as amended by the Commission, the Plan requires the Participants to adhere to all relevant standards in the NIST Cyber Security Framework, which includes standards regarding encryption.[1197]

In response to the commenter that stated that encryption and decryption standards used by the Plan Processor should be continuously updated to meet the most stringent data encryption requirements possible, the Commission notes that the CAT NMS Plan provides that all CAT Data must be encrypted in-flight and at-rest using industry standard best practices, and that such industry standards may be replaced by successor publications, or modified, amended, or supplemented as approved by the Operating Committee.[1198]

In response to commenters that discussed the need that PII be “masked,” the Commission notes that the CAT NMS Plan mandates that all CAT Data that is returned in response to a regulatory inquiry will be encrypted, and that PII data returned shall be masked unless users have permission to view the CAT Data that has been requested.[1199] The Commission believes that this requirement adds an additional, reasonable requirement that protects PII from view, unless the person seeking PII is authorized to view the PII.

i. Connectivity

One commenter stated that accessing the CAT System must be done via secure methods, that the SROs should consider mandating the usage of private lines rather than encrypted internet connectivity, and that the CAT Processor's systems should be air-gapped from the internet, thereby eliminating access to the internet and/or any internal non-CAT systems used by the Plan Processor.[1200]

With respect to using private lines to connect to the CAT, the Participants stated that the Plan does not require CAT Reporters to use private lines to connect to the CAT due to cost concerns, particularly for smaller broker-dealers.[1201] Noting that the Plan requires that CAT Reporters access the CAT via a secure, encrypted connection, the Participants also cited to Appendix D which states that “CAT Reporters must connect to the CAT infrastructure using secure methods such as private lines or (for smaller broker-dealers) Virtual Private Network connection over public lines.” [1202]

The Participants noted that pursuant to the Bidders' solutions, the core CAT architecture would not be accessible via the public internet.[1203] The Participants cited to Appendix D, Section 4.1.1 of the Plan, which states that “[t]he CAT databases must be deployed within the network infrastructure so that they are not directly accessible from external end-user networks. If public cloud infrastructures are used, Virtual Private Networking and firewalls/access control lists or equivalent controls such as private network segments or private tenant segmentation must be used to isolate CAT Data from unauthenticated public access.” [1204]

The Commission believes that the CAT NMS Plan's provisions regarding connectivity to the Central Repository reflect a reasonable approach to ensuring secure access to the CAT Data residing within the Central Repository. The Commission believes that leaving the option for connection via Virtual Private Network for smaller broker-dealers is reasonable, given the potential cost of mandating use of a private line. The Commission also believes that prohibiting access to the CAT System via the public internet is appropriate, given the potential risk to the security of the CAT Data residing in the Central Repository that might be caused by allowing direct access into the CAT using an unsecure method by unauthenticated users.

j. Breach of CAT Security

Commenters also discussed the appropriate action to be taken in the event of a security breach. One commenter recommended that the Commission define a “reportable incident” that would trigger implementation of the cyber incident report plan.[1205] Three commenters recommended that the CAT NMS Plan's cyber incident report plan include notification procedures in the event of a cyber incident.[1206] One commenter specifically stated that the Plan should require that notice of an incident be provided to the Operating Committee, affected broker-dealers, other market participants and law enforcement within a designated period of time (e.g., 24 hours).[1207] Another commenter agreed, noting that the Plan should provide a clear mechanism for promptly notifying all victims of a CAT data breach, including Customers.[1208] Similarly, another commenter recommended that the Plan Processor “release a protocol document describing the specific procedures it will take upon a breach of CAT, including the procedure for notifying [P]articipants and allowing them to suspend CAT submissions temporarily in the event of an ongoing breach.” [1209] This commenter also requested that the data security plan include a process for reviewing data incidents to determine what corrective actions are required to reduce the likelihood of recurrence.[1210]

Some commenters discussed who should bear the cost of a data breach. One commenter stated that Industry Members should not bear the cost of a security breach that occurs on the systems of the Commission, the Participants, the Plan Processor, Central Repository, or “in-transit” amongst the various parties.[1211] Another commenter recommended that the CAT Processor, the SROs, and the Commission indemnify the broker-dealers from any and all liability in the event of a breach that is in no part the fault of the broker-dealers.[1212] Two commenters added that CAT NMS, LLC should purchase an insurance policy that covers potential breaches and extends to Industry Members and their obligations vis-à-vis their clients whose CAT Data is required to be reported by the CAT Plan.[1213]

In response to commenters, the Participants noted that the Plan Processor is required to work with the Operating Committee to develop a breach protocol in accordance with industry practices.[1214] However, the Participants also stated that they believe that providing more details on these processes or procedures raises security issues.[1215] Moreover, the Participants noted, the CAT System will be subject to applicable regulations involving database security, including Regulation SCI and its requirement to provide notice to the Commission and to disseminate information about SCI Events to affected CAT Reporters.[1216]

With respect to breaches of the CAT System and the accompanying protocols for dealing with breaches, the Commission notes that the CAT NMS Plan provides that the Plan Processor must develop policies and procedures governing its responses to systems or data breaches,[1217] and the Participants added that the Plan Processor will work with the Operating Committee to develop a breach protocol in accordance with industry practices.[1218] According to the CAT NMS Plan, such policies and procedures will include a formal cyber incident response plan and documentation of all information relevant to breaches.[1219] The cyber incident response plan will provide guidance and direction during security incidents, and may include items such as guidance on crisis communications; security and forensic procedures; Customer notifications; “playbook” or quick reference guides that allow responders quick access to key information; insurance against security breaches; retention of legal counsel with data privacy and protection expertise; and retention of a public relations firm to manage media coverage.[1220] The CAT NMS Plan further provides that documentation of information relevant to breaches should include a chronological timeline of events from the breach throughout the duration of the investigation; relevant information related to the breach (e.g., date discovered, who made the discovery, and details of the breach); response efforts, involvement of third parties, summary of meetings/conference calls, and communication; and the impact of the breach, including an assessment of data accessed during the breach and impact on CAT Reporters.[1221]

In response to commenters that requested additional detail about the CAT NMS Plan breach management protocol, such as the definition of a “reportable incident,” the Commission notes that the Plan requires the Plan Processor to develop policies and procedures to govern its responses to systems or data breaches and the Commission expects the definition of a “reportable incident” will be clearly set forth in those policies and procedures. While the Plan does not explicitly require it, in response to the commenter that requested that notice of a breach be provided to the Operating Committee, the Commission expects that the CAT NMS Plan's cyber incident response plan will incorporate notice of the breach to the Operating Committee, because the Operating Committee is the body that manages the CAT LLC. As a Regulation SCI System, the Plan Processor must also notify the Commission in the event of an SCI Event.[1222]

As for commenters that opined on the other parties that should be notified upon a breach, including affected parties such as Customers, the Commission notes that the Plan explicitly requires customer notifications to be included in the cyber incident response plan, and that the cyber incident response plan may list other market participants that will be notified upon a breach of the CAT System and the procedure for notifying relevant participants of the breach.[1223] In response to the commenter that requested that the breach protocol include a process for reviewing “data incidents” to determine what corrective actions are required to reduce the likelihood of recurrence, the Commission notes that the Plan requires that the impact of the breach be assessed, and the Commission expects that such assessment will also help identify the corrective actions that must be taken to reduce the likelihood of recurrence.

In response to the several commenters that discussed issues surrounding the cost of a breach, including which parties should bear the cost of a breach, and whether the Plan Processor, the Participants and the Commission should indemnify the broker-dealers from all liability in the event of a breach that is no fault of the broker, the Commission notes that the Plan requires that the Plan Processor's cyber incident response plan must address insurance issues related to security breaches and that as part of the discussions on insurance coverage and liability, further detail about the distribution of costs will be undertaken. The Commission believes that it is reasonable to require, at this stage, that the cyber incident response plan outline the key areas of breach management that must be addressed by the Plan Processor; further details on the breach management protocols, including details about who might bear the cost of a breach and under what specific circumstances, will follow once the Plan Processor is selected.

k. Use of Raw Data for Commercial or Other Purposes

Commenters also discussed the CAT NMS Plan's provision permitting a Participant to use the Raw Data [1224] it reports for commercial or other purposes as long as such use is not prohibited by applicable law, rule or regulation.[1225] One commenter believed that the Plan should be amended to state specifically when a Participant may—or more importantly, according to the commenter, may not—use Raw Data or CAT Data for commercial purposes.[1226] This commenter also noted inconsistencies in the Participants' commercial use of data.[1227] Specifically, the commenter noted that Section 6.5(f)(i)(A) of the Plan states that each SRO may use “the CAT Data it reports to the Central Repository for regulatory, surveillance, commercial or other purposes as permitted by applicable law, rule or regulation,” and Section 6.5(h) permits a Participant to “use the Raw Data it reports to the Central Repository for regulatory, surveillance, commercial or other purposes as otherwise not prohibited by applicable law, rule or regulation.” [1228] Another commenter stated that the CAT NMS Plan should be amended to clarify that Participants may not use data stored in the Central Repository—beyond the data that the SROs submit to the CAT—for their own commercial purposes.[1229] One commenter provided two recommendations designed to ensure that Participants do not use the CAT NMS Plan to “enlarge the scope of data that they commercialize.” [1230] First, the commenter believed that the Plan should specify that no Participant may commercialize customer identifying information, regardless of whether applicable law expressly prohibits its commercialization. Second, the Plan should limit the scope of data subject to commercialization by narrowing the definition of Raw Data to include only data that a Participant must report under Rule 613 or the Plan.[1231]

In response to commenters, the Participants stated that they continue to believe that it is appropriate for the CAT NMS Plan to permit the Participants to use their Raw Data for commercial or other purposes.[1232] Therefore, the Participants do not propose to prohibit such use.[1233] Nevertheless, to address the concern raised by a commenter that the CAT NMS Plan inconsistently uses the terms “Raw Data” and “CAT Data” in Sections 6.5(f)(i)(A) and 6.5(h) of the CAT NMS Plan, the Participants recommended that the term “Raw Data” replace the term “CAT Data” in Section 6.5(f)(i)(A) of the Plan.[1234]

As an initial matter, the Commission finds that it is reasonable to amend the Plan to replace the term “CAT Data” with “Raw Data” in Section 6.5(f)(i)(A) of the Plan, to remove any inconsistency and potential confusion. The Commission also finds that the CAT NMS Plan's provisions regarding the use of Raw Data by a Participant are a reasonable approach to the use of audit trail data that is reported by the Participant itself. In response to the commenter's request that the Commission define the circumstances under which a Participant cannot use its Raw Data, the Commission finds that the CAT NMS Plan's provision that the use must not be prohibited by applicable law, rule or regulation is sufficient guidance to Participants regarding their use of the Raw Data used for commercial or other purposes.[1235] Similarly, the Commission believes that the CAT NMS Plan's definition of “Raw Data” is sufficiently clear and further addresses the comments that the Participants may expand the audit trail data that Participants may use for commercial or other purposes. The Commission notes that the CAT NMS Plan's definition of “Raw Data” limits such data to “Participant Data” or “Industry Member Data.” [1236] In this regard, in response to the commenter with concerns about a Participant commercializing customer identifying information, the Commission notes that a Participant would never be in a position to report customer identifying information itself; therefore, a Participant could not use customer identifying information for commercial or other purposes. The Commission also believes that, pursuant to the CAT NMS Plan, the Participants may not use CAT Data for commercial purposes.

l. Ownership of CAT Data

Several commenters discussed the ownership of CAT Data. Two commenters believed that the CAT NMS Plan should be amended to indicate that broker-dealers retain ownership rights in all of the data they report to the CAT.[1237] In response to commenters, Participants stated that Rule 613 does not address broker-dealer CAT Reporters' ownership rights with respect to the CAT Data, and the Participants do not believe that it is appropriate to address such ownership rights in the Plan.[1238]

The Commission believes that it is reasonable for the CAT NMS Plan not to address ownership rights to the data that broker-dealers report to the Central Repository. The resolution of legal questions regarding ownership rights to the data that is reported to the Central Repository by broker-dealers is not required by Rule 613; is outside the scope of Rule 613; and is not necessary to find that the Plan meets the approval standard of Rule 608.

m. Bulk Access to an Industry Member's CAT Data

A few commenters discussed whether Industry Members should be permitted access to their own reported audit trail data through bulk data exports. One commenter stated that it “would be highly beneficial for CAT Reporters to have access to their own data” to assist with error identification and correction, and stressed the importance of building such access into CAT as part of the initial design, even if CAT Reporters were not permitted such access during the initial phase of CAT.[1239] To address security concerns, the commenter suggested that retrieval of PII data should be limited to a set of CAT Reporter personnel who are responsible for entering and correcting customer information.[1240] Another commenter noted that broker-dealers should be permitted to access, export and use their data within the Central Repository at no charge and that “[a]llowing broker-dealers to access their own data will be beneficial for surveillance and internal compliance programs and may incentivize firms to make other internal improvements including, among other things, reducing potential errors.” [1241] This commenter also argued that broker-dealers should not be subject to additional fees to simply retrieve data they already submitted to the CAT, noting that CAT is the only broker-dealer regulatory reporting service for which the SROs have proposed to impose system-specific fees on broker-dealers.[1242] Another commenter stated that “[a]llowing CAT Reporters to access their own data would be beneficial for surveillance and internal compliance programs. If data access is considered as part of the initial design of the Central Repository, we believe the benefits outweigh the cost.” [1243] One commenter argued that independent software vendors also should have fair, reasonable, and non-discriminatory access, at their client's request, to the data submitted or stored at the Central Repository on their client's behalf.[1244] In support, this commenter noted that OATS permitted access to determine reporting accuracy by “matching in both directions,” so that reporters could address matching errors.[1245]

In response to these comments, the Participants noted that during the development of the Plan, the SROs considered whether to provide Industry Members with access to their own data through bulk data exports.[1246] Based on the data security and cost considerations, the Participants stated that they determined that such access was not a cost-effective requirement for the CAT.[1247] Accordingly, the CAT NMS Plan was drafted to state that “[n]on-Participant CAT Reporters will be able to view their submissions online in a read-only, non-exportable format to facilitate error identification and correction.” [1248]

In light of the comments that the Commission received and further evaluation of the issue, however, in their response, the Participants stated that they now believe that there may be merit to providing Industry Members and their vendors with bulk access to the CAT Reporters' own unlinked CAT Data.[1249] For example, the Participants stated that such access may facilitate the CAT Reporters' error analysis and internal surveillance and that it may expedite the retirement of duplicative reporting systems.[1250] However, the Participants noted, providing bulk data access also raises a variety of operational, security, cost and other issues related to the CAT.[1251] The Participants stated that they would need to address this additional functionality with the Plan Processor; in addition, the Participants stated that inclusion of this functionality would create additional burdens on the CAT and the Plan Processor and, therefore, may require additional funding from CAT Reporters for such access to the CAT Data.[1252] Therefore, the Participants stated that they will consider this issue once the CAT is operational.[1253]

The Commission recognizes the commenters' desire for bulk access to their own data for surveillance and internal compliance purposes, as well as possible error correction purposes. The Commission also recognizes the Participants' initial approach of not permitting such access for security and cost purposes, as set forth in their response. Given the complexity of initially implementing the CAT, the Commission believes that the Participants' approach that limits Industry Members to only being able to view their submissions online in a read-only, non-exportable format to facilitate error identification and correction is a reasonable approach at the present time. The Commission notes the Participants' representation that they will consider offering bulk access to the audit trail data reported by Industry Members once CAT is operational. The Commission expects the Participants to fulfill this commitment and as part of their evaluation, the Commission expects that the Participants may consider whether a fee for such access would be appropriate and how such a fee might impact the funding of the CAT.[1254]

The Commission disagrees with the commenters that recommended providing access to CAT Data for independent software vendors.[1255] Given the highly sensitive nature of the CAT Data, the Commission believes that it is reasonable to not allow access to parties other than the SROs and the Commission. If the Participants decide to propose granting such access after gaining experience with CAT operations, and are able to ensure the security of data, the Commission will consider, based on the analysis presented, whether granting access to CAT Reporters and other non-regulator industry members is reasonable.

The Commission also notes that, as discussed in Section IV.H, the Commission is amending Section 6.6 of the Plan to require that, within 24 months of effectiveness of the Plan, the Participants provide the Commission with a report discussing the feasibility, benefits, and risks of allowing an Industry Member to bulk download the Raw Data it submitted to the Central Repository.[1256]

n. Regulator Use Cases

One commenter noted that the Plan does not provide any details on how regulators will be able to perform their day-to-day analysis using CAT Data.[1257] Specifically, this commenter analyzed the limitations of the CAT NMS Plan in light of the regulator use cases (“Regulator Use Cases”) contained in the Adopting Release, which provided further detail about how regulators envisioned using, accessing, and analyzing audit trail data under CAT.[1258] This commenter made three recommendations that the commenter believed would provide additional clarity to the CAT NMS Plan: (i) The Plan should clearly specify the analytical capability requirements of the CAT to inform the SROs about the level and limits of the Central Repository's analytical capabilities; (ii) the Plan should precisely describe the technology enhancements required by the SROs and the Commission to effectively and efficiently use the CAT Data; and (iii) the Regulator Use Cases should be a key criterion in the selection of the Plan Processor, which would require Bidders to prove that their solution is capable of facilitating regulators' need to extract and analyze the data.[1259]

The Commission recognizes the commenter's concerns about the lack of details in the CAT NMS Plan regarding how regulators will be able to perform their day-to-day analysis using CAT Data, in light of the Regulator Use Cases. The Commission notes, however, that in the Adopting Release the Commission stated that it was not including the Regulator Use Cases and accompanying questions to endorse a particular technology or approach to the consolidated audit trail; rather, the Regulator Use Cases and accompanying questions were designed to aid the SROs' understanding of the types of useful, specific information that the CAT NMS Plan could contain that would assist the Commission in its evaluation of the Plan.[1260] The Commission noted that its description of Regulator Use Cases includes a non-exclusive list of factors that SROs could consider when developing the NMS plan.[1261] Thus, the Commission believes that the Regulator Use Cases were not intended to serve as a list of specific requirements regarding analytical capability or technological enhancements that should be addressed by the Participants in the CAT NMS Plan. In response to the comment that the Regulator Use Cases should be a key criterion in the selection of the Plan Processor, the Commission reiterates that the Regulator Use Cases were not intended to be used as selection criteria for the Plan but were meant to elicit the types of useful information from the bidders that would assist the Commission in its evaluation of the CAT NMS Plan.

o. Obligations on Participants and the Commission Regarding Data Security and Confidentiality

Under the CAT NMS Plan as noticed, certain obligations are imposed, or required to be imposed by the Plan Processor upon the Participants and the Commission regarding data security and confidentiality.[1262] However, Commissioners and employees of the Commission are excluded from certain of these obligations.[1263]

Two commenters opined on these provisions. One stated that “the security of the confidential data stored in the Central Repository and other CAT systems must be of the highest quality and that no authorized users with access to CAT Data should be exempt from any provisions regarding security requirements and standards set forth in the Plan.” [1264] Another commenter expressed concern that the Plan does not require Commission Staff to abide by the same security protocols for handling PII that other users of CAT Data are required to follow and urged the Commission to adopt these safeguards.[1265]

Specifically, one commenter objected to the exclusion of Commissioners and employees of the Commission from Section 6.5(f)(i)(A) of the Plan, which provides that the Plan Processor must require individuals with access to the Central Repository to use appropriate confidentiality safeguards and to use CAT Data only for surveillance and regulatory purposes.[1266] In addition, the commenter argued that Section 6.5(g) of the Plan, which requires the Participants to establish and enforce policies and procedures regarding CAT Data confidentiality, should also apply to the Commission.[1267] Similarly, another commenter sees no reason why the Commission should not have to follow the requirements of Section 6.5(g) and emphasized that the Commission needs to follow adequate policies and procedures when handling PII.[1268] However, the first commenter noted that it “do[es] not believe that individuals performing their employment duties should be subject to personal liability and that such liability would not reduce security risks,” and objected to Section 6.5(f)(i)(B) of the Plan, which requires the submission of a “Safeguard of Information Affidavit” providing for personal liability for misuse of data.[1269]

In response to these comments, the Participants stated that they agree that the Plan's security program must take into consideration all users with access to CAT Data, including the Commission, and noted that Commission Staff had requested the exclusion of Commission employees and Commissioners from subsections (A) and (B) of Section 6.5(f)(i) of the Plan.[1270] The Participants, nevertheless, recommended removing these exclusions and applying the requirements of Section 6.5(g) to the Commission.[1271]

The Commission takes very seriously concerns about maintaining the security and confidentiality of CAT Data and believes that it is imperative that all CAT users, including the Commission, implement and maintain a robust security framework with appropriate safeguards to ensure that CAT Data is kept confidential and used only for surveillance and regulatory purposes. However, the Commission is not a party to the Plan.[1272] By statute, the Commission is the regulator of the Participants, and the Commission will oversee and enforce their compliance with the Plan.[1273] To impose obligations on the Commission under the Plan would invert this structure, raising questions about the Participants monitoring their own regulator's compliance with the Plan.[1274] Accordingly, the Commission does not believe it is appropriate for its security and confidentiality obligations, or those of its personnel, to be reflected through Plan provisions.[1275] Rather, the obligations of the Commission and its personnel with respect to the security and confidentiality of CAT Data should be reflected through different mechanisms than those of the Participants. The Commission reiterates that in each instance the purpose of excluding Commission personnel from these provisions is not to subject the Commission or its personnel to more lenient data security or confidentiality standards. Despite these differences in the origins of their respective obligations, the rules and policies applicable to the Commission and its personnel will be comparable to those applicable to the Participants and their personnel.

The Commission and its personnel are subject to a number of existing federal and Commission rules and policies regarding the security and confidentiality of information that they encounter in the course of their employment. These rules and policies apply with equal force to data that Commission personnel can access in the CAT. For example, existing laws and regulations prohibit Commission personnel from disclosing non-public information [1276] without authorization.[1277] CAT Data available to Commission personnel will contain non-public information. Thus, Commission personnel who disclose or otherwise misuse this data would potentially be subject to criminal penalties (including fines and imprisonment), as well as disciplinary action (including termination of employment), civil injunction, and censure by professional associations (for attorneys and accountants).[1278] The Commission believes that the protections described above provide as strong a deterrent against the possible misuse of CAT Data by Commission personnel as would the submission of the “Safeguard of Information Affidavit” required by Section 6.5(f)(i)(B).[1279]

In addition, the Commission already has robust information security policies and procedures developed in accordance with federal directives and NIST standards that prohibit the unauthorized disclosure and inappropriate use of confidential data. Moreover, the Commission will review and update, as necessary, its existing confidentiality and data use policies and procedures to account for access to the CAT, and, like the Participants, will periodically review the effectiveness of these policies and procedures and take prompt action to remedy deficiencies in such policies and procedures. Like other information security controls over information resources that support federal operations and assets, the Commission's policies and procedures applicable to CAT must comply with the Federal Information Security Modernization Act of 2014 and the NIST standards required thereunder,[1280] and will be subject to audits by the SEC Office of Inspector General and the GAO.

Notwithstanding the existence of these protections, in light of the scope and nature of CAT Data, the Commission recognizes the need to ensure that it has in place a comprehensive framework for CAT data security. Accordingly, a cross-divisional steering committee of senior Commission Staff is being formed to design policies and procedures regarding Commission and Commission Staff access to, use of, and protection of CAT Data. The policies and procedures will consider, but not be limited to, access controls, appropriate background checks, usage and data protection, as well as incident response. In developing these policies and procedures, the steering committee will, of necessity, take into account how the data collection and other systems are developed in connection with the creation of the CAT. The Commission will ensure that its policies and procedures impose protections upon itself and its personnel that are comparable to those required under the provisions in the Plan from which the Commission and its personnel are excluded.

For these reasons, the Commission does not believe that the Plan should be amended to remove the exclusion of “employees and Commissioners of the SEC” from Section 6.5(f)(i)(A)-(B) or to extend the requirements of Section 6.5(g) to the Commission. Similarly, the Commission does not believe that the requirements in Section 6.5(g) that Participants establish and enforce policies and procedures designed to ensure the confidentiality of CAT Data obtained from the Central Repository and to limit the use of such data to surveillance and regulatory purposes can or should be extended to the Commission. Moreover, the Commission is further amending the Plan, as set forth below, to remove the Commission from certain other obligations.

First, the Commission is amending the Plan to provide that Section 6.5(f)(iii) does not apply to the Commission or its personnel. As proposed, this provision provided that the Participants and the Commission must, as promptly as reasonably practicable, but in any event within twenty-four hours, report instances of non-compliance with policies and procedures or breaches of the security of the CAT to the CCO. The Commission received no comments on this provision. The Commission notes that, consistent with presidential directives and guidance from the OMB and the Department of Homeland Security United States Computer Emergency Readiness Team (“US-CERT”), its existing incident response policies and procedures require Commission employees to promptly convey any known instances of non-compliance with data security and confidentiality policies and procedures or breaches of the security of its systems to the CISO of the Commission, and this policy will apply to any instances of non-compliance or breaches that occur with respect to the CAT. The Commission's policies and procedures regarding the CAT will also address conveying information regarding any such incidents to the CCO when appropriate.

Second, for the reasons discussed above, the Commission is amending the Plan to clarify that Section 6.5(f)(iv)(B) does not apply to the Commission or its personnel. As proposed, this provision stated that the Plan Processor must “require the establishment of secure controls for data retrieval and query reports by Participant regulatory Staff and the Commission.” [1281] The Commission received no comments on this provision. The Commission will ensure that comparable controls governing data retrieval and query reports from the CAT will be included, as applicable, in its policies and procedures.

Third, the Commission is amending the Plan to clarify that the requirement to test changes to CAT functionality in Appendix D, Section 11.3 applies only to the Participants. As proposed, this provision stated that, with respect to changes to CAT functionality and infrastructure, the Plan Processor must “[d]efine the process by which changes are to be tested by CAT Reporters and regulators.” The Commission received no comments on this provision. For the reasons discussed above, the Commission is narrowing this provision so that it is applicable only to the Participants. However, the Commission intends to take part in the testing of changes in CAT functionality or infrastructure that would affect the way Commission personnel access and use the CAT System.

Fourth, for the reasons discussed above, the Commission is amending the Plan to exclude the Commission and its personnel from certain CAT user access provisions in Appendix D, Sections 4.1.4 and 4.1.6 of the CAT NMS Plan. The Plan, as proposed, provided that the Plan Processor shall “implement and maintain a mechanism to confirm the identity of all individuals permitted to access the CAT Data stored in the Central Repository and maintain a record of all instances where such CAT Data was accessed.” [1282] Specifically, Appendix D, Section 4.1.4 of the CAT NMS Plan provides: that “[p]eriodic reports detailing the current list of authorized users and the date of their most recent access must be provided to Participants, the SEC and the Operating Committee,” that the “reports of the Participants and the SEC will include only their respective list of users,” that the “Participants and the SEC must provide a response to the report confirming that the list of users is accurate,” and that the “Plan Processor must log every instance of access to Central Repository data by users.”

In addition, the CAT NMS Plan provides that “[a] full audit trail of PII access (who accessed what data, and when) must be maintained,” that “[t]he Chief Compliance Officer and the Chief Information Security Officer shall have access to daily PII reports that list all users who are entitled for PII access, as well as the audit trail of all PII access that has occurred for the day being reported on,” and that “[t]he chief regulatory officer, or other such designated officer or employee at each Participant and the Commission must, at least annually, review and certify that people with PII access have the appropriate level of access for their role.” [1283]

For the reasons discussed above, the Commission is amending the Plan to exclude the Commission from the provisions that require the Commission to “provide a response to the report confirming that the list of users is accurate” and to “review and certify that people with PII access have the appropriate level of access for their role.” [1284] However, in accordance with Commission information security policies and procedures, the Commission will periodically review the appropriateness of CAT access by personnel and work with the Plan Processor to ensure the list of SEC users authorized to access CAT Data in the Central Repository is appropriate.

7. Personally Identifiable Information

a. Protections Around PII, Regulatory Access to PII

A number of commenters discussed the Plan Processor's provisions to protect the PII reported to and stored in the Central Repository. Two commenters noted that PII should be held to the “highest” or “most stringent” standards of information protection.[1285] However, one commenter stated that the protection and security of PII in CAT is “good enough.” [1286] Another commenter recommended that the Plan provide further details as to how PII data will be treated and confidentiality maintained, specifically during extraction and transmission of the data.[1287]

Commenters also discussed the Plan's provisions regarding access to PII. One commenter noted that “access to PII data should be provided only in the rarest of instances (i.e., SEC investigations for securities law violations), as regulators and other authorized users should be able to perform the majority, if not all, of their regulatory and oversight responsibilities by utilizing non-PII data, such as the CAT Customer-ID.” [1288] Another commenter stated that there should be controls, policies and procedures to prohibit the downloading of certain sensitive information, such as PII, and suggested limiting Participant access to sensitive data only to specific enforcement actions.[1289] One commenter recommended that PII data never be exported, extracted, copied or downloaded in any manner or form from the CAT environment.[1290] This commenter added that PII data should not be included in email or other electronic communications, and advocated for use of a special CAT information management tool.[1291] Another commenter believed the PII should be excluded from direct query tools, reports or bulk data extraction.[1292]

In their response, the Participants noted that Section 6.10(c)(i)(B) of the Plan provides that “[t]he user-defined direct queries and bulk extracts will provide authorized users with the ability to retrieve CAT Data via a query tool or language that allows users to query all available attributes and data sources.” [1293] The Participants clarified that no customer-related information, including PII, will be included in response to queries of the broader order and transaction database, nor will it be available in bulk extract form.[1294] Instead, the Participants stated that customer-related information, such as PII, will be stored in a separate database, which can be accessed only in accordance with heightened security protocols.[1295] In such case, a regulatory user would have to be specifically authorized to access the database with PII and other customer-related information.[1296] The Participants stated that they expect that the Plan Processor and the CISO will establish policies and procedures to identify abnormal usage of the database containing customer-related information, and to escalate concerns as necessary; and noted that the details regarding such policies and procedures will be determined once the Plan Processor has been selected.[1297]

With respect to the standards of protection for PII, the Commission notes that the Plan Processor must adhere to the NIST Risk Management Framework and implement baseline security controls identified in NIST Special Publication 800-53, which the Commission believes, when applied properly, are sufficiently rigorous industry standards for the protection of sensitive data such as PII.[1298] The Commission also believes that the Participants' general approach to treating PII differently—and with more stringent protections—than other CAT Data is also reasonable, given the highly sensitive nature of PII, and the risk that an individual Customer's orders and transactions could be identified should the Central Repository's data security protections be breached. Thus, the Commission believes that the Plan's provisions which limit who can access PII and how PII can be accessed are a reasonable means of ensuring the protection of PII. Specifically, the Commission believes that requiring access to PII to follow RBAC, adhering to the “least privileged” practice of limiting access,[1299] restricting access to PII to those with a “need-to-know,” and requiring that any login system that is able to access PII must be further secured via MFA, are reasonable.[1300]

The Commission also believes that the Participants' approach to the use of PII is a reasonable means of protecting PII of Customers reported to the Central Repository. Specifically, the Commission believes that the Plan's provisions setting out specific parameters applicable to the inclusion of PII in queries, as described by the Participants, are a reasonable approach to controlling the disclosure of PII and help to ensure that PII will only be used by regulators for regulatory and surveillance purposes and, as set out in the Plan, for market reconstruction and analysis.

The Commission notes that the Plan and the Participants' response affirm that access to PII data will only be provided to a limited set of authorized individuals, and only for the limited purpose of conducting regulatory and surveillance activities.[1301] The Plan also contains an explicit prohibition on the ability to bulk download sensitive information such as PII, and this protection must be reinforced through the Plan Processor's controls, policies and procedures.

Thus, the Commission believes that the Plan's provisions addressing the protections of PII, and the limitations on its access and use, provide a reasonable framework for the protection of PII. While it is concluding that the Plan sets forth a reasonable framework for the protection of PII, the Commission notes that the Plan Processor will continually assess, and the CISO and Operating Committee will vigorously oversee, the adequacy of the security of CAT Data, and in particular PII, and will promptly and thoroughly address any deficiencies that are identified.[1302]

b. PII Scope: Customer Identifying Information and Customer Account Information

One commenter requested clarification on the scope of PII, stating “[t]he exact scope of PII should be defined, i.e., are all fields associated with a customer included as PII?” [1303] In their response, the Participants provided additional clarification on their interpretation of PII, as well as on the scope of the Plan's protections for all customer-related information.[1304] Specifically, the Participants clarified that they view all customer-related information—not only PII, but also Customer Identifying Information and Customer Account Information—as the type of highly sensitive information that requires the highest level of protection under the Plan.[1305] The Participants further stated that because there is some inconsistency in how these terms are used in the Plan, to the extent that any statement in the Plan, including Section 6.10(c) of the Plan, and Appendices C or D thereto, is inconsistent with the above description, the Participants recommend that the Commission amend the Plan to address any potential confusion.[1306]

The Commission agrees with the Participants and believes that the security of Customer Identifying Information and Customer Account Information, irrespective of whether it meets a common understanding of the definition of PII, should be subject to the highest standards of protection. Accordingly, the Commission is amending the definition of PII in Section 1.1 of the CAT NMS Plan to provide that PII means “personally identifiable information, including a social security number or tax identifier number or similar information; Customer Identifying Information and Customer Account Information.” The Commission believes that this amendment is reasonable in that it will ensure that all information that identifies a Customer will be afforded the same high levels of protection as data that the Participants initially defined as PII.

c. Storage of PII

Commenters also discussed the policies and procedures addressing storage of PII as a means to enhance the security and confidentiality of PII reported to the Central Repository. A few commenters stated that PII should be stored separately from other CAT Data.[1307] One commenter stated that “PII must be segregated from other transactional data that will be stored by the CAT Processor.” [1308] Another commenter opined that, while it does not believe that the CAT NMS Plan should mandate a particular storage method, it supported requiring PII to be stored separately, given its sensitive nature and the potential for identity theft or fraud.[1309]

In their response, the Participants clarified that they view all customer-related information (i.e., PII, including Customer Identifying Information and Customer Account Information) as highly sensitive information that requires the highest level of protection and, as such, all customer-related information will be stored in a different, physically separated architecture.[1310]

The Commission believes that the CAT NMS Plan's provisions regarding the storage of PII set forth a reasonable framework for the security of such data. The Plan further provides that the CAT infrastructure may not be commingled with other non-regulatory systems, including being segmented to the extent feasible on a network level, and data centers housing CAT systems must be AICPA SOC-2 certified by a qualified third party auditor that is not an affiliate of any Participant or the Plan Processor.[1311]

8. Implementation Schedule

The CAT NMS Plan sets forth timeframes for key CAT implementation events and milestones, such as when the Plan Processor will release the Technical Specifications, begin accepting data from Participants, begin accepting data from Industry Members for testing purposes, and when Industry Members must begin reporting to CAT.[1312]

a. Specificity and Timing of Implementation Milestones

One commenter stated that the CAT NMS Plan does not provide sufficient detail to allow for implementation planning.[1313] Another commenter argued that the CAT development milestones are unacceptable because they do not promote the objective of facilitating improved market surveillance.[1314]

Other commenters suggested extending the implementation schedule for CAT.[1315] One commenter suggested that there should be additional time to reassess and more carefully tailor the schedules and milestones that are included in the Plan to make the roll-out of the CAT as efficient as possible.[1316] Another commenter suggested extending the implementation schedule for a period of at least six to twelve months beyond the timeframe in the Plan as filed, particularly in light of the fact that many Industry Members will be working to comply with the Department of Labor's new fiduciary duty regulation as well as T+2 implementation during this same timeframe.[1317] This commenter noted that such an extended implementation timetable would also allow for additional testing and synchronization, which would result in a more accurate reporting environment on the “go-live” date.[1318] Another commenter noted that the CAT implementation schedule is more aggressive than the actual timeframes for implementing OATS for NMS or large trader reporting, which could lead to, among other things, poorly built systems and an inferior quality of data reporting.[1319] This commenter also presented a detailed alternative implementation and milestone schedule that provides more time for Industry Members to prepare for CAT reporting.[1320]

On the other hand, another commenter believed that the implementation schedule is too protracted, noting that the phased-in approach of requiring CAT reporting first from Participants and then from Industry Members, combined with the fact that market participants typically request additional time to create systems to comply with new recordkeeping requirements, will render the CAT system incomplete for several years.[1321]

Several commenters addressed the CAT NMS Plan's development and testing milestones. One commenter noted that a robust testing period should be included in the implementation schedule and that currently the Plan does not allow sufficient time for thorough testing for broker-dealers or third-party service providers.[1322] This commenter also suggested a trial period to permit industry-wide testing of CAT readiness to ensure that the Plan Processor is capable of meeting reporting and linkage requirements outlined in the Plan.[1323] Another commenter recommended that the CAT NMS Plan include “acceptance criteria” for the completion of each CAT development milestone to ensure that the implementation of the CAT and the completion of subsequent milestones are not hindered by poor quality at earlier development stages.[1324]

This commenter further supported an earlier start to the development of the Technical Specifications and stated that the six-month period contemplated by the CAT NMS Plan for the industry to test software that will interface with the Plan Processor is insufficient, particularly for third-party service providers and service bureaus.[1325] This commenter suggested, among other things, accelerating the availability of the CAT test environment to earlier in the implementation cycle and allowing a minimum of twelve months of access to the CAT test environment for the first group of Industry Member reporters.[1326] Another commenter proposed a twelve-month testing period with clear criteria established before moving into production, including coordinated testing across industry participants and the vendors that support them.[1327] This commenter also noted that the testing plans that will be used for any potential move to T+2 would be useful in developing industry testing for the CAT and that error rates should be consistent with OATS for reports that are currently reported to OATS.[1328] This commenter further suggested that robust testing that mirrors production will be necessary to ensure that the Plan Processor is capable of meeting the reporting and linkage requirements outlined in the Plan.[1329]

In response to these commenters, the Participants explained that in light of their experience with testing timelines for other system changes, discussions with the Bidders, and other considerations, they continue to believe that the Plan sets forth an achievable testing timeline.[1330] The Participants also acknowledged the importance of the development process for the Technical Specifications for all CAT Reporters and noted that they have emphasized this as a high priority with the Bidders.[1331]

The Participants stated that they “do not propose to amend the Plan to reflect an expedited schedule for the Industry Member Technical Specifications.” [1332] In addition, the Participants indicated that while strategies to mitigate any risks in meeting the implementation milestones will be a necessary part of promoting the successful implementation of the CAT, they believe that formulating specifics regarding risk mitigation strategies will depend on the selected Plan Processor and its solution.[1333] Therefore, the Participants stated their belief that such risk mitigation strategies will be addressed as a part of the agreement between the Plan Processor and the CAT LLC, and implemented thereafter.[1334]

The Commission agrees that prompt availability of Technical Specifications that provide detailed instructions on data submission and a robust period of testing CAT reporting functionality are important factors in ensuring that Industry Members are able to timely transition to CAT reporting and accurately report data to the Central Repository. In this regard, the Commission expects the Participants to ensure that the Technical Specifications will be published with sufficient time for CAT Reporters to program their systems, and strongly encourages the Participants and the Plan Processor to provide the earliest possible release of the initial Technical Specifications for Industry Member reporting and to begin accepting Industry Member data for testing purposes as soon as practicable. In addition, the Commission is amending Appendix C, Section C.10 of the Plan to ensure that the completion dates for the Technical Specifications, testing, and other development milestones designate firm outer limits, rather than “projected” completion dates, for the completion of these milestones. For example, as amended, the Plan will provide that the Plan Processor will begin developing Technical Specifications for Industry Member submission of order data no later than fifteen months before Industry Members are required to begin reporting this data, and will publish the final Technical Specifications no later than one year before Industry Members are required to begin reporting. Moreover, the Commission is amending Appendix C, Section C.10 of the Plan to clarify that the CAT testing environment will be made available to Industry Members on a voluntary basis no later than six months prior to when Industry Members are required to report data to the CAT and that more coordinated, structured testing of the CAT System will begin no later than three months prior to when Industry Members are required to report data to the CAT.

The Commission acknowledges that the transition to CAT reporting will be a major initiative that should not be undertaken hastily, that Industry Members and service bureaus will need sufficient time to make the preparations necessary to comply with the reporting requirements of the Plan and the Technical Specifications, and that thorough testing is important. However, the Commission does not believe that the Plan's Technical Specification and testing timeframes are unachievable. Therefore, the Commission believes it is premature—one year before the Technical Specifications for Industry Members will be finalized, eighteen months before testing will begin, and before any problem with achieving these milestones has actually arisen—to consider amending the CAT NMS Plan to mandate a more protracted implementation schedule.

Similarly, the Commission continues to believe that the implementation dates that are explicitly provided in Rule 613—for example, that Industry Members and Small Industry Members will begin reporting Industry Member data to the Central Repository within two or three years, respectively, of Plan approval [1335] —are reasonable. As discussed above, the Plan provides appropriate interim milestones, such as iterative drafts of the Technical Specifications and a testing period, which will help prepare Industry Members to transition to CAT reporting pursuant to the implementation schedule set forth in the CAT NMS Plan. No issues complying with these dates have actually arisen, and the Commission is not altering these dates at this time.[1336] In addition, with respect to the comment that strategies to mitigate the risks imposed by an “aggressive” implementation schedule—such as delays, poorly built systems, and an inferior quality of data reporting—should be included in the Plan, the Commission agrees with the Participants that formulating detailed risk mitigation strategies will depend upon the selected Plan Processor and its specific solution and will be addressed in the agreement between the Plan Processor and CAT NMS, LLC. Therefore, the Commission is not amending the Plan to require specific risk mitigation strategies at this time.

b. Impact of Technical Specifications on Implementation Milestones

In addition, several commenters suggested that reasonable timeframes for implementing the CAT can only be established once the Plan Processor publishes—and CAT Reporters review—the Technical Specifications.[1337] Similarly, one commenter suggested that the CAT NMS Plan should establish a milestone for amending the CAT NMS Plan based on a review of the final Technical Specifications and that these amendments should set forth the CAT implementation schedule.[1338] Another commenter argued that the Plan does not currently include critical information, such as interface details and other key technical specifications, and that broker-dealers must understand these specifications in order to establish a reasonable implementation schedule.[1339]

Several commenters suggested that the implementation schedule should be designed to provide more time for iterative interactions between Industry Members and the Plan Processor in terms of developing and executing system specifications, particularly as those specifications relate to listed options transactions and customer information.[1340] In addition, one commenter suggested that a technical committee should be established to work with the Plan Processor on refining the specifications and making necessary adjustments or accommodations as the specifications are developed and implemented.[1341] Another commenter suggested including a “Specifications Date” in the NMS Plan, which would be the date by which final Technical Specifications are released, at which point the industry would work with the Plan Processor to assess implementation timeframes.[1342] This commenter also urged the Commission to take a data-driven approach to implementation timing, leveraging prior experience with OATS, EBS and large trader reporting to fashion an implementation plan that is achievable.[1343]

Two commenters suggested that the Participants and the Commission, prior to the creation of the Technical Specifications, should provide the Plan Processor with additional detail on how they intend to use trade and order data.[1344] These commenters argued that this will ensure that the CAT is designed to provide all the functionality of existing systems with the initial implementation of CAT.[1345]

In their response, the Participants explained that while the Technical Specifications will be important drivers of the implementation timeline, Rule 613 mandates certain compliance dates.[1346] According to the Participants, delaying the assessment and definition of implementation milestones until the availability of the Technical Specifications would jeopardize the ability of the Participants to meet their obligations under Rule 613.[1347] However, the Participants also explained that “the steps leading up to the compliance dates set forth in SEC Rule 613 can be tailored to the Technical Specifications” leaving room to accommodate specific developments related to the Technical Specifications.[1348] The Participants also expect the Plan Processor to provide more specific guidance as to steps toward implementation with the Technical Specifications and, to the extent that such guidance would require an amendment to the Plan's implementation timelines, the Participants will propose to amend the Plan accordingly.[1349] With respect to the comments recommending an iterative process between broker-dealers and the Plan Processor in developing final Technical Specifications, the Participants noted that the Plan, as drafted, already contemplates the publication of iterative drafts as needed before the final Technical Specifications are published.[1350]

As noted, the Commission does not believe it is necessary to tie completion dates for CAT implementation events or milestones to the release and review of Technical Specifications. The Commission believes that setting forth specific timeframes in the CAT NMS Plan for completing the various CAT implementation stages and tying these timeframes to the Effective Date rather than to subsequent events such as the release, review, or finalization of the Technical Specifications, is a reasonable approach to achieve a timely implementation of the CAT. Therefore, the Commission is not deferring or reducing the specificity of these timeframes at this time.

In response to the comments suggesting that the Plan should provide for a more iterative process between Industry Members and the Plan Processor in the development of the Technical Specifications, as the Participants' response pointed out, the CAT NMS Plan provides that the Plan Processor will publish iterative drafts of the Technical Specifications as needed prior to the publication of the final Technical Specifications.[1351] However, the Commission recognizes the importance of workable Technical Specifications, and notes that the Plan requires the Participants and the Plan Processor to work with Industry Members in an iterative process, as necessary, to develop effective final Technical Specifications.[1352]

Regarding the comment that the Participants and the Commission should provide the Plan Processor, prior to the creation of the Technical Specifications, with additional details on how they use trade and order data, the Commission understands that the Participants have provided the Bidders with their use cases and those of the Commission [1353] and have indicated that they will “work with the Plan Processor and the industry to develop detailed Technical Specifications.” [1354] The Commission and its Staff will work with the Participants and the Plan Processor to facilitate the development and implementation of the Technical Specifications and the CAT System more broadly, including by providing the Plan Processor with appropriate information on its current and prospective use of trade and order data.

c. Phasing of Industry Member Reporting

The CAT NMS Plan provides that Small Industry Members—broker-dealers whose capital levels are below a certain limit defined by regulation—must report Industry Member Data to the Central Repository within three years of the Effective Date, as opposed to the two years provided to other Industry Members.[1355]

Several commenters noted the impact the CAT NMS Plan's implementation schedule would have on small broker-dealers, clearing firms, and service bureaus. One commenter emphasized the need for sufficient lead time to enable small firms previously exempt from OATS reporting to establish the internal structure, technical expertise, systems, and contractual arrangements necessary for CAT reporting.[1356] Other commenters suggested that only those firms that are exempt or excluded from OATS reporting obligations—rather than Small Industry Member firms based on capital levels as set forth in the CAT NMS Plan—should have an additional year to begin reporting to CAT, arguing that such a change would allow existing systems to be retired earlier at a significant cost savings.[1357] Similarly, another commenter noted the impact the phased implementation schedule would have upon third-party vendors, service bureaus, and correspondent clearing firms with both large and small clients, and suggested that dividing Industry Members based on whether or not they currently report to OATS is preferable to the capital level-based division proposed in the CAT NMS Plan.[1358]

In response to these comments, the Participants explained their understanding that the Commission permitted additional compliance time for smaller firms because “small broker-dealers may face greater financial constraints in complying with Rule 613 as compared to larger broker-dealers” and that the Participants have based the implementation timeline on that framework.[1359] However, the Participants explained that they believe that Rule 613 and the Plan already permit Small Industry Members to commence reporting to the CAT when large Industry Members begin reporting to the CAT on a voluntary basis.[1360] In addition, the Participants stated that accelerating the reporting requirements for all Small Industry Members that are OATS reporters to require them to begin reporting to the Central Repository two years after Plan approval, when Large Industry Members are required to report, may enable FINRA to retire OATS on a more expedited basis and that the Participants will consider including in their Compliance Rules a requirement to accelerate reporting for Small Industry Members that are OATS reporters.[1361]

The Commission acknowledges that the capital-level based definition contained in the Plan is not the only way to define Small Industry Members for the purposes of the implementation schedule. However, this definition is derived from Exchange Act Rule 0-10,[1362] which defines small entities under the Exchange Act for purposes of the Regulatory Flexibility Act, and reflects an “existing regulatory standard that is an indication of small entities for which regulators should be sensitive when imposing regulatory burdens.” [1363] In addition, the group of firms that do not currently report to OATS is diverse, and includes some large broker-dealers and entities that—although they are not FINRA members and hence do not have regular OATS reporting obligations—nevertheless engage in a significant volume of trading activity.[1364] Therefore, the Commission continues to believe, at this time, that the definition of Small Industry Member in the Plan is a reasonable means to identify market participants for which it would be appropriate to provide, and that would benefit from, an additional year to prepare for CAT reporting due to their relatively limited resources.

In addition, the Commission encourages the Participants and the Plan Processor to work with Small Industry Members that are also OATS reporters to enable them to begin reporting to CAT, on a voluntary basis, at the same time that large Industry Members are required to begin reporting, particularly if the Participants believe that this would facilitate more expeditious retirement of OATS. Accordingly, the Commission is amending Appendix C, Section C.9 of the Plan to require the Participants to consider, in their rule change filings to retire duplicative systems,[1365] whether the availability of certain data from Small Industry Members two years after the Effective Date would facilitate a more expeditious retirement of duplicative systems. In addition, the Commission notes that FINRA is considering whether it can integrate CAT Data with OATS data in such a way that “ensures no interruption in FINRA's surveillance capabilities,” and that FINRA will consider “exempting firms from the OATS Rules provided they report data to the Central Repository pursuant to the CAT NMS Plan and any implementing rules.” [1366] The Commission encourages the other Participants to consider similar measures to exempt firms from reporting to existing systems once they are accurately reporting comparable data to the CAT and to enable the usage of CAT Data to conduct their regulatory activities.[1367] The Commission believes that this approach will reduce or eliminate the duplicative reporting costs of Industry Members prior to the commencement of Small Industry Member reporting.

The Commission remains open to other approaches to phasing in CAT reporting obligations that will promote the earlier retirement of reporting systems that will be rendered duplicative by the CAT. However, for the reasons discussed above, the Commission believes that, at this time, the Plan's definition of Small Industry Member is reasonable, and is therefore not amending the Plan to change this definition or to otherwise change the phased approach to CAT implementation.

9. Retirement of Existing Trade and Order Data Rules and Systems

a. SRO Rules and Systems [1368]

As discussed above, the CAT NMS Plan provides that the Participants will conduct analyses of which existing trade and order data rules and systems require the collection of information that is duplicative, partially duplicative, or non-duplicative of CAT.[1369] Among other things, the Participants, in conducting these analyses, will consider whether information collected under existing rules and systems should continue to be collected or whether that information should be incorporated into CAT, and, in the case of retiring OATS, whether the Central Repository contains complete and accurate CAT Data that is sufficient to ensure that FINRA can effectively conduct surveillance and investigations of its members for potential violations of FINRA rules and federal laws and regulations.[1370] Under the Plan, as proposed, each Participant should complete its analysis of which of its systems will be duplicative of CAT within twelve months of when Industry Members are required to report to the Central Repository, and should complete its analyses of which of its systems will be partially duplicative and non-duplicative of CAT within eighteen months of when Industry Members are required to report to the Central Repository, although these timeframes could be extended if the Participants determine that more time is needed.[1371] In addition, the Plan requires each Participant to analyze the most appropriate and expeditious timeline and manner for eliminating duplicative and partially duplicative rules and systems and to prepare rule change filings with the Commission within six months of determining that an existing system or rule should be modified or eliminated.[1372]

(1) Timing

Several commenters addressed the timeframes proposed by the Participants for retiring systems that will be rendered duplicative by CAT. One commenter noted that the CAT NMS Plan does not contain a detailed approach for retiring duplicative reporting systems and thereby fails to meet the directives of Rule 613.[1373] This commenter suggested that the CAT NMS Plan should be amended to provide a detailed framework for elimination of reporting systems that will be rendered duplicative and outdated by CAT implementation, and to set forth a prioritized timetable for retirement of such duplicative systems.[1374] Similarly, another commenter expressed disappointment regarding the plan to eliminate duplicative systems, noting that the Plan merely sets forth a “loose commitment” from the Participants to complete their analyses of which rules and systems may be duplicative of CAT, rather than an actual retirement schedule.[1375]

Several commenters emphasized the importance of eliminating duplicative systems as soon as possible and suggested that the current proposal to allow up to two and a half years for the Participants to consider system elimination is too long in light of the additional expenses that will be incurred during the period of duplicative reporting.[1376] One commenter noted that without a regulatory obligation driving systems retirement, the Participants lack an incentive to retire existing systems, and that the Plan should not enable the Participants to move to planning for fixed income or primary market transaction reporting prior to mapping out the elimination of redundant systems.[1377] Another commenter presented a detailed alternative schedule—with significantly more aggressive timelines—for analyzing and retiring duplicative systems.[1378]

In addition, several commenters suggested replacing or modifying the duplicative reporting period with a “test period” or “trial period.” [1379] In this regard, one commenter suggested modifying the CAT NMS Plan to include a trial period of no more than six months, after which duplicative systems are retired or firms are exempted from duplicative reporting if they have met certain error rate requirements.[1380] Similarly, another commenter recommended replacing the duplicative reporting period with a trial period mirroring production, lasting no longer than six months, and providing that the actual launch of CAT functionality be linked to the retirement of existing systems and the end of the trial period.[1381] Other commenters suggested that the launch of CAT should be linked to the retirement of existing reporting systems, noting that it is important to maintain a single audit trail of record to avoid duplicative reporting.[1382]

One commenter suggested that the Participants should provide detailed requirements regarding retirement of existing systems to the Plan Processor after the Plan Processor is selected to ensure that the Technical Specifications include all functionality necessary to retire existing systems.[1383] Similarly, other commenters noted that the CAT should be designed in the first instance to include all data field information necessary to allow prompt elimination of redundant systems.[1384] One commenter noted that the CAT should be so designed even if it means that CAT includes information, products, or functionality not necessary to meet the minimum initial CAT requirements under Rule 613.[1385] This commenter also proposed that the CAT should be designed to allow the ready addition of data fields over time to enhance the ability to retire other systems and capture additional necessary information.[1386]

One commenter outlined the steps that it believes are necessary to retire OATS and COATS.[1387] This commenter stated that these systems cannot be eliminated until FINRA and CBOE can seamlessly continue performing their current surveillance on their member firms and that the relevant data elements needed by FINRA and CBOE to perform the current surveillance would need to be retained as part of CAT's Technical Specifications.[1388]

In response to the comments recommending that the Participants accelerate the timeline to identify their existing rules and systems that are duplicative of CAT requirements and that CAT should be designed in the first instance to include all data field information necessary to allow prompt elimination of such redundant systems, the Participants explained that they recognize the importance of eliminating duplicative reporting requirements as rapidly as possible.[1389] The Participants also stated that to expedite the retirement of duplicative systems, the Participants with duplicative systems have already completed gap analyses for systems and rules identified for retirement (in full or in part), and confirmed that data that would need to be captured by the CAT to support retirement of these systems will be included in the CAT.[1390] Specifically, the relevant Participants have evaluated each of the following systems/rules: FINRA's OATS Rules (7400 Series),[1391] COATS and associated rules, NYSE Rule 410(b), PHLX Rule 1022, CBOE Rule 8.9, EBS and associated rules, C2 Rule 8.7 and CHX BrokerPlex reporting (Rule 5).[1392] In addition, the Participants stated that a broader review of the Participants' rules intended to identify any other impact that the CAT may have on the Participants' rules and systems generally is ongoing.[1393] The Participants also explained that once the Plan Processor is selected, the Participants will work with the Plan Processor and the industry to develop detailed Technical Specifications that ensure that by the time Industry Members are required to report to the CAT, the CAT will include all data elements necessary to facilitate the rapid retirement of these duplicative systems.[1394]

To reflect these efforts, the Participants recommended an acceleration of the timelines for analyzing duplicative rules and systems by recommending amendments to Appendix C of the CAT NMS Plan to change the completion dates for their analyses of: (1) Duplicative rules and systems to nine to twelve months from Plan approval (rather than 12 months from the onset of Industry Member reporting) and (2) partially duplicative and non-duplicative rules and systems to nine to twelve months from Plan approval (rather than 18 months from the onset of Industry Member reporting).[1395] However, the Participants noted that these proposed timelines are based on the Plan Processor's appropriate and timely implementation of the CAT and the CAT Data being sufficient to meet the surveillance needs of each Participant.[1396]

In response to the comments recommending that duplicative systems be retired on a fixed date, the Participants explained that they cannot commit to retiring any duplicative systems by a designated date because the retirement of a system depends on a variety of factors.[1397] For example, the Participants explained that they would need to ensure that the CAT Data is sufficiently extensive and of high quality before they could rely on it for regulatory oversight purposes and that they would be unable to retire any of their duplicative systems until any rule changes related to such systems retirements are approved by the Commission.[1398] The Participants also noted that the elimination of potentially duplicative requirements established by the Commission (e.g., EBS reporting pursuant to SEC Rule 17a-25 and large trader reporting pursuant to SEC Rule 13h-1) are outside the Participants' purview.[1399] In addition, in response to the comment that the Participants lack an incentive to retire duplicative systems, the Participants explained that they are incented to eliminate systems that would be extraneous for regulatory purposes after CAT is operational due to the significant costs Participants face in running such systems.[1400]

In response to the comments suggesting the use of a trial period to transition to the CAT, the Participants stated that they recognize the concerns regarding the potential for disciplinary actions during the commencement of reporting to the CAT when, despite good faith efforts, reporting errors may develop due to the lack of experience with the CAT.[1401] Accordingly, the Participants stated that they will take into consideration the lack of experience with the CAT when evaluating any potential regulatory concerns with CAT reporting during the first months after such reporting is required.[1402] In addition, the Participants stated that they intend to work together with Industry Members to facilitate their CAT reporting; for example, the CAT's testing environments will provide an opportunity for Industry Members to gain experience with the CAT, and the Plan Processor will provide Industry Members with a variety of resources to assist them during onboarding and once CAT reporting begins, including user support and a help desk.[1403]

The Commission acknowledges that a protracted period of duplicative reporting would impose significant costs on broker-dealers and recognizes the importance of retiring duplicative rules and systems as soon as possible and of setting forth an appropriate schedule to achieve such retirement in the CAT NMS Plan. As discussed above, although a broader review of the Participants' rules intended to identify any other impact that the CAT may have on the Participants' rules and systems generally is ongoing, the Participants have completed gap analyses for systems and rules identified for full or partial retirement, including larger systems such as OATS and COATS. The Participants have confirmed that the data needed to support the retirement of these key systems will be included in the CAT,[1404] and have proposed to accelerate the projected dates for completing these analyses of duplicative, partially duplicative, and non-duplicative rules and systems to nine to twelve months after Plan approval.

Although the Commission appreciates these efforts to accelerate the retirement of existing data reporting rules and systems that are duplicative of the CAT, the Commission believes that stronger Plan amendments than those recommended by the Participants should be made to ensure that such rules and systems are eliminated, modified, or retired as soon as practicable after the CAT is operational so that the period of duplicative reporting is kept short. Therefore, the Commission is amending Section C.9 of Appendix C of the Plan to reflect the Participants' representation that their analyses of key duplicative systems are already complete and to provide that proposed rule changes to effect the retirement of duplicative systems, effective at such time as CAT Data meets minimum standards of accuracy and reliability, shall be filed with the Commission within six months of Plan approval.

Based on the Participants' statement in their response to comments that their gap analyses are complete with respect to the major existing trade and order data reporting systems, the Commission believes that the process of assessing which systems can be retired after CAT is operational is in an advanced stage. Rather than amending the Plan to state that these analyses for duplicative systems will be complete within nine to twelve months of the Commission's approval of the CAT NMS Plan, as recommended by the Participants, the Commission believes that the milestones listed in Appendix C should include the Participants' representation that they have completed gap analyses for key rules and systems and should enumerate those specific systems because this more accurately reflects, and more prominently and clearly conveys to market participants and the public, the status of the Participants' planning for the transition from existing systems to CAT.

For these reasons, the Commission is also amending Section C.9 of Appendix C of the Plan to require the Participants to file with the Commission rule change proposals to modify or eliminate duplicative rules and systems within six months of the Effective Date. These filings will not effectuate an immediate retirement of duplicative rules and systems—the actual retirement of such rules and systems must depend upon the availability of comparable data in CAT of sufficient accuracy and reliability for regulatory oversight purposes, as specified in the Participants' rule change proposals. The Commission also is amending the Plan to require the Participants, in their rule change proposals, to discuss specific accuracy and reliability standards that will determine when duplicative systems will be retired, including, but not limited to, whether the attainment of a certain Error Rate should determine when a system duplicative of the CAT can be retired. Although these amendments were not suggested by the Participants, the Commission believes that the rule change filing milestone should be changed to six months from Plan approval given the status of the Participants' gap analyses and because the actual retirement of rules and systems will only occur once CAT Data meets minimum standards of accuracy and reliability. In addition, the Commission believes that an explicit statement in the Appendix C milestones that the retirement of systems that are duplicative of CAT shall occur once CAT Data meets minimum standards of accuracy and reliability will provide greater clarity regarding how the transition from existing reporting systems to the CAT will proceed. In addition, these amendments will better align the systems retirement schedule with the broader CAT implementation schedule. For example, requiring rule change proposals to be submitted to the Commission within six months will ensure that public comments, and Commission review of these comments, which could inform the development of the Technical Specifications, will be in progress as the Technical Specifications for Industry Member data submission are being developed (i.e., at least fifteen months before Industry Members are required to report to CAT).

The Commission believes that, taken together, these amendments may facilitate an accelerated retirement of existing data reporting rules and systems that are duplicative of CAT and thus reduce the length of the duplicative reporting period as compared to the Plan as filed. Given that their requisite analytical work is already substantially complete, the Commission believes that the milestones, as amended, are achievable without a substantial increase in the burdens imposed on the Participants. Given the importance of retiring existing systems as rapidly as possible to reduce the substantial burdens on Industry Members that come with an extended period of duplicative reporting, the Commission believes that these amendments are appropriate. The CAT NMS Plan, as amended, recognizes that the Participants' requisite analytical work is already substantially complete and explicitly conditions the elimination of duplicative reporting only on the availability of accurate and reliable CAT Data that will enable the SROs to carry out their regulatory and oversight responsibilities. The amended Plan also accelerates the initiation of the formal process of retiring duplicative rules and systems by requiring that rule change filings be filed within six months of the Effective Date.

The Commission believes that the CAT NMS Plan, as amended, contains an appropriate level of detail regarding the process of retiring duplicative rules and systems. However, the Commission is not amending the Plan to include fixed or mandatory dates for the retirement of existing rules and systems at this time. As the Participants noted in their response to comments, retiring a system depends upon many factors, including the availability of sufficiently extensive and high quality CAT Data.[1405] The Commission and the SROs will continue to rely on the information collected through existing regulatory reporting systems to reconstruct market events, conduct market analysis and research in support of regulatory decision-making, and conduct market surveillance, examinations, investigations, and other enforcement functions until sufficiently complete, accurate, and reliable data is available through CAT. Therefore, precise dates for retiring these rules and systems cannot be determined prospectively. However, the Commission agrees with the Participants that they have incentives to retire extraneous systems after CAT is operational due to the desire to avoid the costs associated with maintaining such systems; the Commission believes that these incentives will mitigate any delay that would otherwise result from the difficulty of setting forth specific system retirement dates in advance.

As discussed above, the gap analyses completed by the Participants regarding the key existing trade and order data systems have confirmed that the CAT contains the data fields necessary to retire these systems, and the Commission has amended the Plan to ensure that any additional analysis related to duplicative rule and system retirement is completed in a timely manner. The Participants also explained that once the Plan Processor is selected, the Participants will work with the Plan Processor and Industry Members to develop detailed Technical Specifications that ensure that by the time Industry Members are required to report to the CAT, the CAT will include all data elements necessary to facilitate the rapid retirement of duplicative systems.[1406] The Commission agrees that the Participants should work with the Plan Processor and Industry Members in this manner and provide appropriate information about how they use trade and order data collected through existing rules and systems to ensure that the Technical Specifications are developed with these requirements in mind. In addition, with respect to the comment that CAT should be designed to permit the inclusion of additional data fields, the Commission notes that the Plan contains provisions regarding periodic reviews and upgrades to CAT that could lead to proposing additional data fields that are deemed important,[1407] and does not believe any changes to the Plan are necessary.

(2) Proposed Alternative Approaches to Systems Retirement

Several commenters suggested linking the retirement of duplicative systems to the error rate or quality of data reported to CAT. For example, one commenter suggested that the CAT NMS Plan should be amended to include an exemption from duplicative reporting obligations for individual broker‐dealers based on meeting certain CAT reporting quality metrics.[1408] Similarly, another commenter suggested that a “Retirement Error Rate” should be defined as the acceptable error rate for discontinuing reporting to a duplicative system, and that the Retirement Error Rate should be based on comparable data in CAT (e.g., OATS equivalent data reported to CAT should meet the reporting and quality criteria required by FINRA, but higher error rates associated with data elements that are outside the scope of existing systems should not prevent the retirement of such systems).[1409] One commenter suggested reducing the error rate as quickly as possible to facilitate the elimination of duplicative systems by including a test period to bring reporting near a 1% error rate when CAT is launched in production.[1410] This commenter also noted that disparities in error rate tolerance between CAT and other existing regulatory reporting systems should not serve as a pretext for prolonging the lifespan of those legacy systems.[1411] Several commenters suggested that the error rates used for elimination of duplicative systems should be post-correction error rates and that when a firm meets the necessary standards, the Plan should allow for individual firm exemptions from duplicative reporting.[1412]

One commenter also noted that the Participants have not adequately incorporated the 14-month milestone associated with the requirement that they enhance their surveillance systems [1413] into their milestones for the retirement of existing systems, noting that if the Participants are prepared to use CAT Data after 14 months, there should be no obstacles to retiring existing systems once the Retirement Error Rates are met.[1414] If the 14-month milestone is insufficient to obligate the Participants to use CAT Data in place of existing systems, this commenter would recommend a new milestone be created such that by the end of a trial period, the Participants must use CAT Data in place of existing systems.[1415]

Several commenters expressed support for the Plan's exemption from OATS reporting for CAT Reporters as long as there would be no interruption in FINRA's surveillance capabilities and urged the SROs to consider a similar approach for firms that meet certain error rate thresholds.[1416]

Similarly, one commenter suggested a “principles-based framework” for eliminating potentially duplicative systems.[1417] This framework would include: (i) A “phased” elimination program in which reporters that have achieved sufficient accuracy in CAT reporting can individually retire their systems; (ii) designing the Central Repository from the outset to include the ability to implement all of the surveillance methods and functions currently used by SROs; (iii) rather than relying on a simple field-mapping exercise to determine which systems can be eliminated, considering whether all the data elements currently reported under existing systems are really needed for the types of surveillance and other analyses typically undertaken by the Participants, whether the Central Repository can use alternative methods of surveillance or analysis that do not rely on those data elements, and whether data elements currently collected by an existing reporting system that are not available in the Central Repository could be derived or computed from data that is in the Central Repository; and (iv) requiring that questions to broker-dealers regarding their reported data should be directed through the process created for the Central Repository, not through previously-established channels based on legacy systems.[1418]

Several commenters suggested that the Commission should impose a moratorium on changes to existing systems to coincide with the launch of CAT to enable firms to dedicate resources to the successful launch and operation of CAT rather than the maintenance of legacy systems.[1419] In addition, several commenters suggested that the Plan should allow for elimination of individual systems as they become redundant or unnecessary once production commences in CAT.[1420]

In response to the comments recommending that exemptions be granted for individual Industry Member CAT Reporters from duplicative reporting obligations if they meet a specified data reporting quality threshold, the Participants explained that this would implicate the rules of the individual Participants and would be dependent upon the availability of extensive and high quality CAT Data, as well as Commission approval of rule change proposals by the Participants and the elimination of Commission data reporting rules such as Rules 17a-25 and 13h-1.[1421] Therefore, the Participants did not recommend an amendment to the Plan to incorporate such an exemption from the individual Participants' rules.[1422]

Nevertheless, the Participants explained that they have been exploring whether the CAT or the duplicative systems would require additional functionality to permit cross-system regulatory analyses that would minimize the duplicative reporting obligations.[1423] The Participants stated that FINRA remains committed to working with the Plan Processor to integrate CAT Data with data collected by OATS if it can be accomplished in an efficient and cost effective manner.[1424] However, the Participants stated that FINRA anticipates that CAT Reporters who are FINRA members and report to OATS will need to report to both OATS and the CAT for some period until FINRA can ensure that CAT Data is of sufficient quality for surveillance purposes and FINRA is able to integrate CAT Data with the remaining OATS data in a way that permits it to continue to perform its surveillance obligations.[1425] In addition, the Participants stated that FINRA believes that requiring all current OATS reporters to submit data to the Central Repository within two years after the Commission approves the Plan may reduce the amount of time that OATS and CAT will need to operate concurrently and may help facilitate the prompt retirement of OATS.[1426]

In response to the comment that the CAT should be designed from the outset to include the ability to implement all of the surveillance methods and functions currently used by the Participants, the Participants explained that CAT is not intended to be the sole source of surveillance for each Participant, and, therefore, would not cover all surveillance methods currently employed by the Participants.[1427] However, the Participants stated that, with the goal of using the CAT rather than duplicative systems for surveillance and other regulatory purposes, the Participants have provided the Bidders with specific use cases that describe the surveillance and investigative scenarios that the Participants and the Commission would require for the CAT, and that during the bidding process each Bidder has been required to demonstrate its ability to meet these criteria.[1428] In addition, the Participants noted that they have had multiple discussions with the Bidders regarding the query capabilities that each Bidder would provide, and the Participants believe that the selected Plan Processor will have the capability to provide the necessary surveillance methods and functions to allow for the retirement of duplicative systems.[1429] The Participants also stated that the Plan Processor will provide support, including a trained help-desk staff and a robust set of testing, validation, and error correction tools, to assist CAT Reporters as they transition to CAT reporting.[1430]

In response to comments concerning a moratorium on changes to new systems, the Participants explained that they plan to minimize the number of changes that are rolled out to duplicative systems to the extent possible.[1431] The Participants, however, cannot commit to making no changes to the duplicative systems as some changes may be necessary before these systems are retired—for example, changes to these duplicative systems may need to be made to address Commission initiatives, new order types or security-related changes.[1432]

The Commission agrees with the commenters that the accuracy of the data reported to CAT, as in part measured by CAT Reporters' Error Rate, should be a factor in determining whether and when duplicative trade and order data rules and systems should be eliminated. As discussed above, the rule change proposals regarding duplicative systems retirement that the Participants will file with the Commission within six months of the Effective Date must condition the elimination of existing data reporting systems on CAT Data meeting minimum standards of accuracy and reliability. The Commission believes that this approach may incentivize accurate CAT reporting because it could potentially allow Industry Members to retire redundant, and costly to maintain, systems sooner. The Commission believes that any such improvements in accuracy, together with the amended Plan's reduction of the period for the Participants to complete their analyses of duplicative, partially duplicative, and non-duplicative rules and its acceleration of the requirement to file system elimination rule change proposals, should facilitate an earlier retirement of duplicative systems. However, the Commission does not believe that a specific Error Rate that would automatically trigger the elimination of the collection of data through an existing, duplicative system can be set in advance, through a Plan amendment at this time. Rather, the more flexible standard set forth in the Plan, as amended—that duplicative systems will be retired as soon as possible after data of sufficient accuracy and reliability to ensure that the Participants can effectively carry out their regulatory obligations is available in CAT—recognizes the primacy of ensuring that CAT Data can be used to perform all regulatory functions before existing systems are retired, and is therefore more appropriate.

In response to the comments regarding individual exemptions from reporting to duplicative systems for Industry Members whose CAT reporting meets certain quality thresholds, the Commission supports the Participants' efforts to explore whether this can be feasibly accomplished by adding functionality to permit cross-system regulatory analyses that would minimize duplicative reporting obligations or, in the case of OATS, integrating CAT Data with data collected by OATS. Accordingly, the Commission is amending Section C.9 of Appendix C of the Plan to require that the Participants consider, in their rule filings to retire duplicative systems, whether individual Industry Members can be exempted from reporting to duplicative systems once their CAT reporting meets specified accuracy standards, including, but not limited to, ways in which establishing cross-system regulatory functionality or integrating data from existing systems and the CAT would facilitate such individual Industry Member exemptions. However, the Commission does not believe that it would be appropriate, at this time, to amend the Plan to require the Participants to grant such individual exemptions because, as noted by the Participants, it may not be feasible to implement the technological and organizational mechanisms that would obviate the need for duplicative reporting by ensuring that the Participants can effectively carry out their regulatory obligations using CAT Data.

In response to the comment that the CAT should be designed from the outset to include the ability to implement all of the surveillance methods and functions currently used by the Participants, the Commission notes that the Participants have indicated that they have provided the Bidders with their surveillance and investigative use cases, that each Bidder has been required to demonstrate its ability to meet these criteria, and that the selected Plan Processor will have the capability to provide the necessary surveillance methods and functions to allow for the retirement of duplicative systems. Therefore, the Commission believes that the CAT is being designed to include the ability to implement all of the surveillance methods and functions currently used by the Participants, and is not amending the Plan in response to this comment.

In response to the commenter that suggested a specific principles-based framework for retiring duplicative systems,[1433] the Commission believes that, in general, the principles outlined in the CAT NMS Plan for retiring potentially duplicative rules and systems are reasonable. The principles outlined in the Plan recognize that the Participants and the Commission will continue to rely on information collected through existing regulatory reporting systems to reconstruct market events, conduct market analysis and research in support of regulatory decision-making, and conduct market surveillance, examinations, investigations, and other enforcement functions until analogous information is available through CAT. Some period of duplicative reporting may be necessary to ensure that regulators can obtain accurate and reliable information through CAT to carry out these functions. However, the Commission also agrees that the CAT Reporter support, testing, and validation tools created for the CAT—rather than similar tools associated with legacy reporting systems—should be used to assist Industry Members as they transition to CAT reporting.[1434]

The Commission agrees with the Participants that there cannot be a moratorium on changes to existing systems in connection with the launch of CAT. As discussed above, the Commission and the SROs use the information collected through existing regulatory reporting systems to carry out a variety of regulatory functions. Until these systems are fully retired, the Commission and the SROs will continue to rely upon these systems to obtain the information they need to perform these functions. Therefore, because changes to these systems may be necessary for the Commission or the SROs to obtain such information, the Commission does not believe a moratorium should be imposed on changes to these systems. However, the Commission supports the Participants' commitment to minimizing changes to existing systems and encourages the Participants to consider the necessity of any such changes and any additional burden such changes would impose on their members during the period in which members are transitioning to CAT reporting. Accordingly, the Commission is amending Section C.9 of Appendix C of the Plan to state that between the Effective Date and the retirement of the Participants' duplicative systems, each Participant, to the extent practicable, will attempt to minimize changes to those duplicative systems.

b. Retirement of Systems Required by SEC Rules

The CAT NMS Plan also discusses specific Commission rules that potentially can be eliminated in connection with CAT implementation. Specifically, the Plan states that, based on preliminary industry analyses, large trader reporting requirements under SEC Rule 13h-1 could be eliminated. In contrast, the Plan states that “[l]arge trader reporting responsibilities on Form 13H and self-identification would not appear to be covered by the CAT.” [1435]

One commenter suggested that the Commission should eliminate requirements such as Rule 13h-1 and Form 13H regarding large trader filings, noting that Commission Staff will have access to the same information that they are receiving through Form 13H through CAT.[1436] Another commenter recommended the elimination of the EBS system, under SEC Rule 17a-25,[1437] with respect to equity and option data.[1438]

In their response, the Participants noted that “the elimination of potentially duplicative requirements established by the SEC (e.g., SEC Rule 17a-25 regarding electronic submission of securities transactions [the EBS system] and SEC Rule 13h-1 regarding large traders) are outside the Participants' purview.” [1439]

The Commission acknowledges that duplicative reporting will impose significant burdens and costs on broker-dealers, that certain SEC rules require the reporting of some information that will also be collected through CAT, and that certain SEC rules may need to be modified or eliminated in light of CAT. Specifically, the Commission believes that, going forward, CAT will provide Commission Staff with much of the equity and option data that is currently obtained through equity and option cleared reports [1440] and EBS,[1441] including the additional transaction data captured in connection with Rule 13h-1 concerning large traders.[1442] Accordingly, Commission Staff is directed to develop a proposal for Commission consideration, within six months of the Effective Date, to: (i) Amend Rule 17a-25 to eliminate the components of EBS that are redundant of CAT, and (ii) amend Rule 13h-1,[1443] the large trader Rule, to eliminate its transaction reporting requirements, in each case effective at such time as CAT Data meets minimum standards of accuracy and reliability. In addition, as part of this proposal, Commission Staff will recommend whether there will continue to be any need for the Commission to make requests for equity and option cleared reports, except for historical data, once CAT is fully operational and CAT Data meets minimum standards of accuracy and reliability.[1444] The Commission notes that the EBS system will still be used to collect historical equity and options data—i.e., for executions occurring before CAT is fully operational—and data on asset classes not initially covered by CAT, such as fixed income, municipal, or other government securities, and that the components of the EBS system necessary to enable such usage will need to be retained. However, to the extent that CAT is expanded to include data on additional asset classes, the Commission will consider whether the components of the EBS system related to the retention and reporting of data on these asset classes can also be eliminated.[1445]

The Commission does not agree with the comment that SEC Staff will have access through CAT to the “same information” that it receives through Form 13H.[1446] Form 13H collects information to identify a large trader, its securities affiliates, and its operations, and does not collect audit trail data on effected transactions. The self-identification and other Form 13H filing requirements of Rule 13h-1 will not be duplicated by or redundant of CAT.

c. Record Retention

The CAT NMS Plan states that certain broker-dealer recordkeeping requirements could be eliminated once the CAT is operational.[1447] The Plan also requires that information reported to the Central Repository be retained in a convenient and usable standard electronic data format that is directly available and searchable electronically without any manual intervention by the Plan Processor for a period of not less than six years.[1448]

One commenter suggested that record retention by the CAT should be established for periods long enough to satisfy regulatory requirements associated with other regulatory systems (e.g., the seven year record retention requirement for EBS) and that the Commission should consider the extent to which CAT reporting could fulfill recordkeeping obligations for a CAT Reporter.[1449]

The Participants explained that the Plan's six-year retention period exceeds the record retention period applicable to national securities exchanges and national securities associations under SEC Rules 17a-1(b) and 17a-6(a),[1450] which require that documents be kept for at least five years.[1451] The Participants further explained that they do not believe that the Plan's record retention requirements should be expanded beyond six years since such expansion would impact Bidder solutions and the maintenance costs associated with the CAT.[1452] With respect to the comment regarding CAT Reporters using the CAT to satisfy their recordkeeping obligations, the Participants maintained that it would be inappropriate for CAT Reporters to fulfill their recordkeeping obligations by relying on the Central Repository in the initial phase of CAT reporting because permitting this use of the Central Repository would impose additional regulatory and resource obligations on the Central Repository.[1453] In the longer term, the Participants recognized that the Central Repository could be a useful tool to assist CAT Reporters in satisfying their recordkeeping and record retention obligations, and stated that after the implementation of CAT, the Operating Committee will review whether it may be possible for CAT Reporters to use the CAT to assist in satisfying certain recordkeeping and record retention obligations.[1454]

The Commission disagrees with the suggestion from commenters that the CAT NMS Plan should be amended to extend its six-year record retention timeframe to satisfy the requirements of existing reporting systems. In addition to exceeding the five year retention period applicable to national securities exchanges and associations under Rules 17a-1(b) and 17a-6(a), as pointed out by the Participants, the Commission notes that the six-year timeframe set forth in the CAT NMS Plan reflects the six-year data retention requirement of Rule 17a-4(a).[1455] The Commission does not anticipate that any variation between the retention periods for existing systems and the CAT system will hinder the potential retirement of existing systems that are duplicative of CAT. In addition, while the Commission believes it is important to implement the initial phases of CAT reporting first, once CAT is fully operational, the Participants, the Plan Processor, and the Commission can consider further enhancements to the CAT system, including enhancements that could potentially enable the Central Repository to satisfy certain broker-dealer recordkeeping requirements, such as those set forth in Rules 17a-3 and 17a-4.[1456]

10. Primary Market Transactions and Futures

a. Primary Market Transactions

The CAT NMS Plan provides that the Participants jointly, within six months of the CAT NMS Plan's approval by the Commission, will provide a document (the “Discussion Document”) to the Commission that will include a discussion of how Primary Market Transactions could be incorporated into the CAT.[1457] In Appendix C of the CAT NMS Plan, the Participants conclude that the Discussion Document should be limited to sub-account allocations for Primary Market Transactions.[1458] Moreover, the CAT NMS Plan does not require any specific timetable for Primary Market Transaction data to be reported to the CAT.

The Participants explained that for Primary Market Transactions there are generally two key phases: A “book building” phase and an allocation phase (which includes top-account allocations and sub-account allocations).[1459] According to the Participants, the “book building phase involves the process by which underwriters gather and assess investor demand for an offering of securities and seek information important to their determination as to the size and pricing of an issue. Using this and other information, the underwriter will then decide how to allocate IPO shares to purchasers.” [1460] The Participants' understanding is “that these are so-called `top account' allocations—allocations to institutional clients or retail broker-dealers, and that such allocations are conditional and may fluctuate until the offering syndicate terminates. Sub-account allocations occur subsequently, and are made by top-account institutions and broker-dealers prior to settlement.” [1461]

In reaching their decision to limit Primary Market Transactions data for CAT reporting to sub-account allocations, the Participants noted that sub-account allocations are “maintained by broker-dealers in a manner that would allow for reporting to the Central Repository without unreasonable costs and could assist the Commission and the Participants in their regulatory obligations.” [1462] The Participants argued, however, that because top-account allocations are not firm and may fluctuate, reporting this information to the Central Repository “would involve significantly more costs which, when balanced against the marginal benefit, is not justified at this time.” [1463]

The Commission received two comments advocating for delaying the inclusion of all Primary Market Transactions data in the CAT (and for excluding top-account allocation data),[1464] and one comment supporting the inclusion of Primary Market Transaction data in the CAT, for both top-account and sub-account allocation data.[1465] Specifically, the two commenters who advocated that Primary Market Transactions should be delayed until OATS and other regulatory reporting systems are retired cited “mounting regulatory expenses” and limited and different resources being required to address this element.[1466] These commenters added that regulatory and surveillance requirements should be defined before adding Primary Market Transaction data to the CAT and disputed the Commission's assessment in the Notice of the CAT NMS Plan that top-account allocation should be a CAT data element.[1467] One of these commenters noted that significant analysis and data modelling would be required to effectively and efficiently include Primary Market Transaction data.[1468] The other commenter cited a DAG recommendation that if Primary Market Transaction data were required that only sub-account allocation data should be included due to operational feasibility.[1469] The same commenter also requested clarification as to what is meant by Primary Market Transaction “allocations,” and described its understanding that “allocations” under Rule 613(a)(1)(vi) only apply to the final step in the allocation process (i.e., not the preliminary book building allocations but the actual placement into a customer's account).[1470]

The third commenter, however, advocated for including Primary Market Transaction data (both top-account and sub-account) in the CAT.[1471] The commenter believed that regulators would benefit from having both sub-account and top-account Primary Market Transaction data, noting that such data would help regulators understand the economics of the offering process and could promote efficient capital formation.[1472] The commenter reviewed academic literature related to the book building allocation process and suggested that the collection and analysis of Primary Market Transaction data could address open questions as to potential capital formation inefficiencies, including potential manipulation and/or violations of Rule 105 and fund manipulation.[1473] The commenter stated that Form 13F data cannot fully capture primary market allocations because it is limited to institutional investment managers with investment discretion over $100 million, and because secondary market transactions may occur before the filing of Form 13F is required.[1474] The commenter also recommended that the SROs and the Commission require indications of interest during preliminary book building to be made available in an easily accessible format for both regulators and academics outside of CAT.[1475]

The commenter advocating for the inclusion of both top-account and sub-account allocation Primary Market Transaction data also cited and disputed a FIF estimate that it would cost broker-dealers approximately $704,200 per firm to provide initial allocation information, stating that “manually entering top-account allocation information into CAT (if available) should cost substantially less than estimated.” [1476] The commenter estimated costs to be $2,400 per offering for providing top-account allocation information, and argued such costs would be “de minimis with respect to the overall cost of issuance.” [1477] The commenter also contested FIF's cost estimate of $58.7 million for providing sub-account information, noting that if CAT were to replace EBS [1478] then the incremental cost of providing sub-account allocation information should also be de minimis.[1479]

In response to commenters, the Participants maintained their support for including in the CAT sub-account allocations but did not support reporting, or discussing in the Discussion Document, top-account allocations.[1480] The Participants reiterated that top-account allocation reporting for Primary Market Transactions would “likely impose significant costs to CAT Reporters while only providing a marginal additional regulatory benefit over sub-account allocation data.” [1481] The Participants further stated that they have not determined a timeline for reporting Primary Market Transaction allocations, but have committed to not require it during the initial implementation phase of CAT.[1482]

Consistent with the reasoning stated in the adoption of Rule 613, the Commission believes that the Discussion Document should discuss the potential costs and benefits of expansion of CAT to include both top-account and sub-account allocations for Primary Market Transactions. At the same time, the Commission acknowledges that mandating the inclusion of Primary Market Transaction data, either top-account or sub-account, would require Commission action following public notice and comment. The Commission discusses the Primary Market Transaction cost comments in its economic analysis below.[1483]

b. Futures

Rule 613 and the CAT NMS Plan do not require the reporting of audit trail data on the trading of futures. One commenter, noting that the CAT NMS Plan does not require any information about stock index futures or options on index futures, stated that incorporating futures data into CAT would “create a more comprehensive audit trail, which would further enhance the SROs' and Commission's surveillance programs.” [1484]

As noted above, the Participants, within six months of the CAT NMS Plan's approval by the Commission, will provide the Discussion Document that will include a discussion of how additional securities and transactions could be incorporated into CAT.[1485] In their response, the Participants recognized that “the reporting of additional asset classes and types of transactions is important for cross-market surveillance.” [1486] Further, the Participants stated their belief that the Commission also recognizes “the importance of gradually expanding the scope of the CAT,” and cited the Adopting Release, wherein the Commission directed the Commission Staff “to work with the SROs, the CFTC staff, and other regulators and market participants to determine how other asset classes, such as futures, might be added to the consolidated audit trail.” [1487] Accordingly, the Participants stated that they intend to assess whether it would be appropriate to expand the scope of the CAT to include futures, at a later date.

The Commission believes that the omission of futures data from the CAT NMS Plan is reasonable, particularly in light of limitations on the Commission's jurisdiction.

11. Error Rate

CAT Data reported to the Central Repository must be timely, accurate and complete.[1488] The CAT NMS Plan specifies the maximum Error Rate for CAT Reporters.[1489] As noted in Section III.19, the term Error Rate is defined as “the percentage of [R]eportable [E]vents collected by the [C]entral [R]epository in which the data reported does not fully and accurately reflect the order event that occurred in the market.” [1490] The Error Rate will apply to CAT Data as it is initially submitted to the Central Repository, before it has undergone the correction process.[1491]

a. Definition of Error

Some commenters sought additional information about the meaning of the term “Error Rate” and how Error Rates would be calculated. One commenter suggested that there should be clarification as to whether all errors would be treated equally.[1492] Another commenter questioned whether there would be a minimum number of reports submitted before Error Rate calculations would take place, and whether all data submissions would be covered.[1493] One commenter suggested that Error Rates be calculated daily on a rolling average, comparing a CAT Reporter's error rate to an aggregate Error Rate, so as to take into account daily fluctuations in Error Rates.[1494] One commenter did not believe that all errors should be treated with the same severity, noting that some errors can be auto-corrected by CAT, and some errors (such as late reporting) can be immediately resolved, while other errors, such as linkage errors, are more problematic.[1495] Three commenters suggested that the Error Rate should apply only to post-correction, not pre-correction, data.[1496] One of these commenters expressed support for the eventual goal of a de minimis post-correction Error Rate, but could not predict how long this would take to be achieved.[1497]

The Participants responded by explaining that the CAT NMS Plan adopted the definition of Error Rate from Rule 613, which does not distinguish among order events and focuses on cases where data “does not fully and accurately reflect the order event that occurred in the market.” [1498] The Participants stated that they believe this definition is appropriate.[1499] The Participants disagreed with commenters who suggested that the maximum Error Rate should be based on post-correction data,[1500] and noted that a maximum Error Rate based on pre-corrected data is intended to encourage CAT Reporters to submit accurate data initially and to reduce the need for error corrections, as well as allow regulators more timely access to accurate data.[1501]

The Commission believes that the proposed, uniform definition of Error Rate is reasonable. The Commission also agrees with the Participants that Error Rates should be calculated based on pre-correction, and not post-correction, data. The Commission believes that assessing Error Rates on a pre-correction basis is important to ensure that CAT Reporters submit CAT Data in compliance with the Plan and applicable rules of the Participants, and develop and maintain their reporting systems in a way that minimizes errors. In addition, focusing on Error Rates for pre-corrected data should reduce reliance on the error correction process, and improve the accuracy of the “uncorrected” CAT Data available to regulators in circumstances where immediate action is required. The Commission also believes it critical that the error correction process be effective, so that errors in post-correction CAT Data will be de minimis, as contemplated by the Participants.

b. Maximum Error Rate

Several commenters expressed opinions regarding the initial maximum Error Rate. Two commenters supported a 5% initial maximum Error Rate.[1502] One of these commenters believed that a 5% Error Rate would permit an appropriate level of flexibility for CAT Reporters while still ensuring that CAT Data would be useable for market reconstructions.[1503] Another commenter, however, disagreed and argued that, given the industry's experience with OATS, the maximum Error Rates should be lower than those proposed by the Participants.[1504]

Several commenters expressed views on how the initial maximum Error Rate should be adjusted over time.[1505] Two commenters supported the Plan's requirement to evaluate Error Rates at least annually.[1506] One of these commenters also believed that lowering the maximum Error Rate to 1% after one year of reporting was acceptable based on the current OATS error rates and the commenter's own experience with regulatory reporting.[1507] Another commenter stated that it was difficult to assess whether a maximum Error Rate of 1% after one year of reporting was appropriate, and indicated that it would prefer a more gradual rate decrease.[1508] The commenter recommended that the Operating Committee establish maximum Error Rates for the second and third years of reporting after reviewing the first year's Error Rate data.[1509] Two commenters recommended that the maximum Error Rate be reviewed whenever there are significant changes to the CAT (e.g., the addition of security classes) [1510] or applicable regulations.[1511]

In response to concerns that the Participants do not have sufficient information or experience to determine the initial maximum Error Rate,[1512] the Participants explained that they established this maximum Error Rate after performing a detailed analysis of OATS error rates over time, and believed that such analysis provided a sound basis for their determination.[1513] The Participants stressed the importance of evaluating a CAT Reporter's actual experience, in setting an appropriate maximum Error Rate, and noted that the CAT NMS Plan requires the Operating Committee to review the maximum Error Rate at least annually.[1514]

With respect to the comments recommending that the maximum Error Rate also be reviewed upon significant changes to the CAT or regulations, the Participants noted that the required testing and other management processes surrounding CAT systems changes should mitigate concerns about their impact on Error Rates, and that the periodic updates on Error Rates provided to the Operating Committee should alert them if there is a need to change the maximum Error Rate.[1515]

The Commission believes that the proposed 5% initial maximum Error Rate is reasonable and strikes an appropriate balance between: (1) Ensuring that the initial submissions to the Central Repository by CAT Reporters are sufficiently accurate for regulatory use; and (2) providing CAT Reporters with time to adjust to the new more comprehensive regulatory reporting mechanism. The Commission understands that the Participants considered relevant historical information related to OATS reporting error rates, particularly when new reporting requirements were introduced, and believes this is a reasonable basis for setting the initial maximum Error Rates for CAT Data.[1516] The Commission understands that CAT Reporters who currently report to OATS report with a significantly lower Error Rate, but recognizes that more flexibility may be necessary during the transition, and notes the 1% maximum Error Rate applicable to each CAT Reporter one year after their reporting obligation has begun is comparable to current OATS reporting error rates.[1517]

The Commission also believes that the process established by the CAT NMS Plan for reducing the maximum Error Rate over time is reasonable, and emphasizes the important roles of both the Plan Processor and the Operating Committee in ensuring that Error Rates are steadily reduced over time. The Plan requires the Plan Processor regularly to provide information and recommendations regarding Error Rates to the Operating Committee,[1518] and requires the Operating Committee to review and reset the maximum Error Rate at least on an annual basis.[1519] Given the importance to regulators of audit trail information that meets high standards of accuracy, the Commission expects the Plan Processor and Participants to closely monitor Error Rates, particularly in the early stages of CAT implementation, so that steps can be taken to reduce the maximum Error Rate as promptly as possible. The Commission also encourages the Plan Processor and Participants to assess the impact of significant changes to the CAT or applicable regulations on the maximum Error Rate, at least on a transitional basis, and provide additional flexibility as warranted. As described in Section IV.H, the Commission is amending Section 6.6 of the Plan to require that, prior to the implementation of any Material Systems Change, the Participants provide the Commission with an assessment of the projected impact of any Material Systems Change on the maximum Error Rate.

c. Different Error Rates for Different Products and Data Elements

The CAT NMS Plan imposes the same Error Rate on all products and data elements. Commenters suggested differentiation in this area. One commenter recommended that the Error Rate only apply to equities.[1520] Another commenter suggested that Error Rates for equities, options and customer data should be calculated separately.[1521] A third commenter expressed the view that, as new products are covered by CAT, they should be subject to a more liberal Error Rate for an appropriate transition period.[1522] Two commenters did not believe there is enough information to set an appropriate maximum Error Rate for options market making, customer information or allocations, given that there is little or no reporting history for them, and suggested applying the Error Rate on a post-correction basis for these products and data elements, at least for a transitional period.[1523]

In response, the Participants stated that they continue to believe that a single overall Error Rate for all products and data elements is appropriate.[1524] They acknowledged the importance of gathering more granular information about Error Rates, including differences among products, and noted that the CAT NMS Plan requires the Plan Processor to provide the Operating Committee with regular reports that show more detailed Error Rate data.[1525]

The Commission believes that it is reasonable, at this time, to apply the same maximum Error Rate to all products and data elements, in the Plan filed by the Participants. The Commission notes that the initial 5% maximum Error Rate, which substantially exceeds the OATS error rates, was established in recognition of the fact that certain products (e.g., options) and data elements (e.g., market maker quotes, customer information) had not previously been reported in OATS. The Commission, however, notes that the Participants may assess, as the CAT is developed and implemented, whether it is appropriate to impose Error Rates that vary depending on the product, data element, or other criteria.[1526] As discussed in Section IV.H, the Commission is amending the Plan to require that the Participants provide the Commission with an annual evaluation that addresses the application of Error Rates based on product, data elements or other criteria.

d. Compliance With Maximum Error Rate During the Initial Implementation Period

Two commenters suggested that CAT Reporters not be required to comply with the maximum Error Rate during the initial implementation period for the CAT.[1527] One of these commenters explained that this would provide CAT Reporters a window of time to better understand the types of errors that are being returned by the CAT, and adjust their processes accordingly, without incurring liability for exceeding the maximum Error Rate.[1528] Another commenter stressed the importance of receiving feedback from the Plan Processor so that CAT Reporters can identify weaknesses and improve the accuracy of their CAT reporting.[1529] This commenter recommended that the Plan Processor provide CAT Reporters with a detailed daily error report, as well as monthly report cards.[1530]

The Participants responded by noting that Rule 613(g) requires the Participants to enforce compliance by their members with the provisions of the Plan at all times it is in effect.[1531] The Participants also pointed out that the Plan provides that CAT Reporters will be provided tools to facilitate testing and error correction, as well as have access to user support. With respect to the importance of feedback from the Plan Processor,[1532] the Participants noted that the Plan requires the Plan Processor to provide CAT Reporters with error reports, including details on the reasons for rejection, as well as daily and monthly statistics from which CAT Reporters can compare their performance with their peers.[1533] As discussed in Section IV.H, the Commission is amending the Plan to require that the Participants provide the Commission with an annual evaluation of how the Plan Processor and the Participants are monitoring Error Rates.

The Commission believes that the implementation period for Error Rates is reasonable and that it is not necessary to establish a grace period, as suggested by commenters, during which Error Rates would not apply. Ensuring the accuracy of CAT Data is critical to regulators and, as noted above, the initial maximum Error Rates have been set at levels to accommodate the fact that CAT Reporters will be adjusting to a new regulatory reporting system.[1534] In addition, the Commission notes that the CAT NMS Plan provides for testing periods,[1535] as well as tools and other support, to facilitate initial compliance by CAT Reporters. As noted by the Participants, the Plan Processor will provide regular feedback to CAT Reporters with respect to their reporting weaknesses to assist them in reducing their Error Rates.[1536]

e. Error Correction Timeline

The CAT NMS Plan sets forth a timeline with deadlines for providing raw data and corrected data to the CAT. CAT Reporters must submit data to the CAT by 8:00 a.m. ET on T+1.[1537] By 12:00 p.m. ET on T+1, the CAT must perform checks for initial validations and lifecycle linkages, and communicate errors to CAT Reporters.[1538] CAT Reporters must resubmit corrected data to the CAT by 8:00 a.m. ET on T+3.[1539] The Plan Processor must ensure that regulators have access to corrected and linked order and Customer data by 8:00 a.m. ET on T+5.[1540]

Two commenters believed the error correction timeline was too aggressive, and that at least initially, the CAT should use the current error correction timelines for systems such as OATS, which is T+5.[1541] One commenter specifically suggested that the timeline for error corrections should remain at T+5 for the first year of CAT reporting.[1542] This commenter also noted that, because the Plan Processor is required to communicate errors to CAT Reporters by 5:00 p.m. ET on T+1, staffing adjustments may be necessary to ensure that the appropriate personnel are available after 5:00 p.m. ET to analyze and correct data, and if communications with a customer were necessary to correct an error, the CAT Reporter could not satisfy the 8:00 a.m. ET T+2 timeline for providing corrected data.[1543] This commenter also recommended that the Plan Processor identify errors in customer information data by noon on T+1, the same time as the Plan Processor identifies errors in transaction reports, instead of by 5:00 p.m. ET on T+1, to assist with prompt analysis of linking errors.[1544] Another commenter suggested that the use of “pre-validation checks,” prior to the formal submission of data to the CAT, could enhance the accuracy and integrity of the CAT Data.[1545]

In response to commenters who believed the timeframe for correction of CAT Data was too short, the Participants stressed the importance to regulators of the prompt availability of accurate data.[1546] The Participants stated that the three day window for correction provided in the CAT NMS Plan appropriately balances the need for regulators to have prompt access to accurate data with the burdens imposed on the industry by the shorter error correction timeframe.[1547] The Participants noted that the shorter three-day error correction timeframe would allow better regulatory surveillance and market oversight in accordance with Rule 613.[1548] In response to the commenter that requested additional time to correct errors in customer data, the Participants expressed the view that the two-day timeframe provided by the Plan is sufficient to accommodate any communications with customers that might be necessary to correct errors in customer data.[1549] With respect to the suggestion to use pre-validation checks, the Participants acknowledged their value, and stated that they have discussed with the Bidders making tools, such as pre-validation checks, available to CAT Reporters to assist with data submission.[1550]

The Commission believes that the error correction timeline set forth in the CAT NMS Plan is reasonable. Improved accuracy and timeliness of regulatory data are key goals of Rule 613 and the CAT NMS Plan.[1551] In response to commenters that suggested that the error correction timeline is too aggressive, the Commission believes that the error correction tools and processes to be established by the Plan Processor, and the accommodations to facilitate the use of existing systems by CAT Reporters, should ease the burden of complying with shorter error correction timelines than exist today in OATS.[1552] The Commission believes any incremental compliance burden in this area is offset by the benefits of faster availability to regulators of corrected CAT Data for important regulatory purposes, such as surveillance, oversight and enforcement, as well as market reconstructions, in today's high-speed electronic markets.

In response to the commenter that stated that additional staffing may be needed to assist in addressing error correction information that is received from the Plan Processor at 5:00 p.m. ET on T+1, the Commission believes, as noted above, the regulatory benefits of a shorter error correction timeframe justify the incremental compliance costs, including the potential hiring of additional staff in some cases.[1553] The Commission also believes that CAT Reporters would have sufficient time to contact customers in the event customer feedback was necessary to correct errors.[1554] In this regard, the Commission notes that the CAT NMS Plan provides that corrected order data is not required to be reported until 8:00 a.m. ET on T+3, and corrected Customer data is not required to be reported until 5:00 p.m. ET on T+3.[1555]

12. Business Continuity and Disaster Recovery

The CAT NMS Plan requires the Plan Processor to implement efficient and cost-effective business continuity and disaster recovery capabilities that will ensure no loss of data and will support the data availability requirements and anticipated volumes of the Central Repository.[1556]

Commenters discussed the CAT NMS Plan's provisions regarding business continuity and disaster recovery for the CAT.[1557] One commenter noted that the Plan does not include an explanation of how the primary and the secondary sites will remain synchronized at all times to provide a seamless transition from primary site to secondary site in the event of a failure.[1558] This commenter suggested that the Plan should specify additional details regarding the expected elapsed time for the secondary site to become live if the primary site goes down due to a technical failure or a disaster.[1559] The commenter also noted that the requirement for disaster recovery plans does not address whether regulators will have uninterrupted access to the CAT Data, although the commenter acknowledged that it can be inferred that the secondary site should provide all the functionalities of the primary site in the event of primary site outage.[1560] Further, the commenter recommended that while the CAT NMS Plan states that the goal of disaster recovery is to achieve next day recovery after an event, the Plan should provide a list of scenarios and the expectation of the recovery times for each scenario.[1561]

One commenter recommended that the CAT NMS Plan state that the Plan Processor must support 24x7 production and test environments, provide test and validation tools to result in a higher quality audit trail, provide a consistent and comprehensive data security program, and provide an adequate level of help desk staffing, especially during industry testing and when Industry Members are being on-boarded.[1562] This commenter also stated that large firms that already have the staffing capability for a 24x7 operating schedule could benefit from 24x7 production support, explaining that it would permit added flexibility in error processing or recovery scenarios, as well as the use of off-shore staffing.[1563] Another commenter recommended that the CAT NMS Plan should not mandate a particular industry testing process, stating that “appropriate management flexibilities/discretions are needed.” [1564]

The Participants argued that the Plan provisions with respect to business continuity and disaster recovery are appropriate, but did note that they intend to discuss with the Bidders requiring test environments to be available 24x7 instead of 24x6.[1565]

The Commission has considered the business continuity and disaster recovery requirements set forth in the CAT NMS Plan, as well as the comments received addressing these requirements and believes that the Participants' approach is reasonable. The Commission believes that the CAT NMS Plan's business continuity and disaster recovery provisions establish a framework that is reasonably designed to ensure that the CAT business processes can continue despite a failure or disaster scenario.[1566] In particular, the CAT will be subject to all applicable requirements of Regulation SCI, as it will be an “SCI system” [1567] of each of the Participants, and the Participants, as “SCI entities,” [1568] are required to establish, maintain and enforce written policies and procedures for their SCI systems that comply with the technology standards and other requirements of Regulation SCI, including with respect to the business continuity and disaster recovery plans for the CAT.[1569] In addition, the CAT will be subject to certain additional requirements with respect to business continuity and disaster recovery that are set forth in the CAT NMS Plan.[1570]

With respect to the commenter that noted that the Plan does not explain how the primary and the secondary sites will remain synchronized,[1571] and that additional detail should be provided regarding the failover times between primary and secondary sites,[1572] the CAT NMS Plan expressly requires recovery and restoration of services within 48 hours, but with a goal of next-day recovery. While data will not be synchronized in real time, sufficient synchronization will be maintained to support these recovery timeframes. Although, as noted above, the Commission believes the Participants' approach is reasonable, the Commission encourages the Plan Processor and Participants to strive to reduce the time it will take to restore and recover CAT Data at a backup site. As discussed in Section IV.H., the Commission is amending the Plan to require the Participants to submit to the Commission an annual evaluation of the time necessary to restore and recover CAT Data at a back-up site.

With respect to the commenter that recommended that the Plan Processor support 24x7 testing and production environments,[1573] the Commission recognizes that this could facilitate disaster recovery and other important processes by Industry Members, and believes that the Participants' commitment to discuss requiring test environments to be available 24x7 with the Bidders is reasonable.[1574]

13. Business Clock Synchronization and Timestamp Granularity

a. Business Clock Synchronization

(1) Industry Standard

Rules 613(d)(1) and (2) require CAT Reporters to synchronize their Business Clocks [1575] to the time maintained by NIST, consistent with industry standards. In the CAT NMS Plan, the Participants determined that the industry standard for the synchronization of Business Clocks is within 50 milliseconds of the time maintained by NIST, except for Manual Order Events.[1576] For Business Clocks used solely for Manual Order Events, the Participants determined that the industry standard for clock synchronization is within one second of NIST. To ensure that clock synchronization standards remain consistent with industry standards, as they evolve, the CAT NMS Plan requires the Operating Committee to annually review the clock synchronization standard to determine whether it should be shortened.

In determining the current industry standard for clock synchronization, the Participants and Industry Members reviewed their respective clock synchronization technology practices,[1577] and the results of a clock synchronization survey conducted by FIF.[1578] After completing these reviews, the Participants concluded that a 50 millisecond clock synchronization standard represented an aggressive, but achievable, standard.[1579]

The Commission received a number of comments on the CAT NMS Plan's provisions relating to clock synchronization. Several commenters agreed with the Participants that 50 milliseconds was a reasonable standard.[1580] Four commenters specifically recommended that the clock synchronization standard for OATS—also 50 milliseconds—and CAT should be aligned for regulatory reporting purposes.[1581] One commenter argued for a finer standard for Industry Members, noting that they accept data feeds from exchanges that have more precise clock synchronization, some to the microsecond.[1582]

Other commenters opposed mandating a standard finer than the 50 millisecond clock synchronization standard.[1583] One commenter argued that a finer synchronization standard could not be met without dramatically increasing costs,[1584] and expressed the view that the 50 millisecond standard is reasonable given the geographically dispersed market.[1585] In particular, this commenter believed that, while a finer standard may create the illusion of a more accurate time sequence of events, in practice geographically dispersed market events could still be sequenced incorrectly.[1586] This commenter stated that it is better to allow for clock synchronization standards to be tightened voluntarily, based on business needs rather than regulatory requirements.[1587] Finally, one commenter expressed the view that clock synchronization was less important for certain types of orders, and suggested that the clock synchronization standard for manual orders, orders that have both a manual and electronic component, and orders that are not time-critical (e.g., post-trade events such as allocations) should be one second rather than 50 milliseconds.[1588]

One commenter noted that stricter clock synchronization standards are already in place at exchanges and ATSs.[1589] Another commenter stated that, if exchanges maintained finer clock synchronization standards than currently required by the CAT NMS Plan, the ability to sequence Reportable Events that occur across markets could be improved.[1590]

In their response, the Participants stated that they continue to believe that the clock synchronization standard for Industry Members should be within 50 milliseconds of the time maintained by NIST, except with regard to Manual Order Events.[1591] The Participants noted that they discussed this topic with Industry Members and conducted a survey of Industry Members to better understand current clock synchronization practices.[1592] The Participants represented that they considered various clock synchronization options, which ranged from microseconds to one second, before settling on a 50 millisecond standard, which they believe represents the current industry standard for Industry Members.[1593] The Participants stated that, based on their analysis, imposing a finer clock synchronization standard for Industry Members as part of the initial implementation of the CAT would significantly increase the cost of compliance for some segments of the industry,[1594] but emphasized that the Operating Committee will be reviewing the synchronization standard annually and will reduce the standard as appropriate.[1595]

The Participants, however, represented that they all currently operate pursuant to a clock synchronization standard that is within 100 microseconds of the time maintained by NIST, at least with respect to their electronic systems. Accordingly, the Participants recommended that the Commission amend the Plan to require that Participants adhere to the 100 microsecond standard of clock synchronization with regard to their electronic systems, but not their manual systems, such as the manual systems operated on the trading floor, manual order entry devices, and certain other systems.[1596]

After reviewing the CAT NMS Plan, and considering the commenters' statements and the Participants' response thereto, the Commission believes that it is appropriate for the Participants to consider the type of CAT Reporter (e.g., Participant, Industry Member), the type of Industry Member (e.g., ATS, small broker-dealer), and type of system (e.g., order handling, post-execution) when establishing appropriate industry standards. The Commission does not believe that one industry standard should apply across all CAT Reporters and systems. Therefore, the Commission is amending Section 6.8(c) of the Plan to state that industry standards for purposes of clock synchronization should be determined based on the type of CAT Reporter, type of Industry Member and type of system.

For the initial implementation of the CAT, however, the Commission believes a 50 millisecond clock synchronization standard for Industry Members is reasonable at this time. While the Commission believes that regulators' ability to sequence orders accurately in certain cases could improve if the clock synchronization for Industry Members were finer, the Commission is sensitive to the costs associated with requiring a finer clock synchronization for Industry Members at this time, and believes that a standard of 50 milliseconds for Industry Members will allow regulators to sequence orders and events with a level of accuracy that is