Tips to Achieve Consolidated Audit Trail (CAT) Compliance

How to Overcome Technological Roadblocks

What a time to work in the GRC field: new technologies are constantly emerging to help companies meet their regulatory obligations. At the same time, many fragmented requirements have piled up over time. Chris Ekonomidis, Head of U.S. Business Consulting at Synechron, discusses the three main hurdles organizations must overcome to ensure Consolidated Audit Trail (CAT) compliance.

In order to keep track of the plethora of data generated every day across different trading markets, many exchanges and self-regulatory organizations (SROs) each keep their own order and trade audit trail systems, which differ by instrument. These distinct audit trails result in significant variances in reporting types, formats and data elements. Some of these differences exist for valid reasons (e.g., different fields are needed for different instruments), but some are the result of fragmented requirements that have built up over time. On May 6, 2010, the Flash Crash resulted in a 9 percent drop within minutes. Analyzing the order and trade flows from across the various audit trails to accurately recreate what happened brought these differences to light.

To address these inconsistencies, the U.S. Securities and Exchange Commission (SEC) approved the Consolidated Audit Trail (CAT) National Market System (NMS) plan proposed by the SROs to assist with data quality and transparency of equity and options market activities. Increased data reporting requirements across the entire order and trade lifecycle would be reported completely and accurately. A central repository would store this streamlined data to make it available for compliance measures in one place and format. SROs began reporting their data to a CAT processor in November 2017, and now there is just about a year left until large broker-dealers must report and two years for smaller broker-dealers. Firms must focus their attention on short-term plans to aggregate and report their data correctly in time to meet their respective deadlines.

As data begins to feed into the CAT processor, market participants reporting this data must address technology challenges associated with implementation of the systems required to meet regulatory deadlines. To fully adhere to CAT obligations, there are three primary hurdles that organizations must overcome: data, time-stamping and technology offerings.

Managing CAT Data and Reports

Before CAT, there were large variances in data quality, organization and management, leading to sizeable risks and an inability to compare the audit trails against one another. When the SEC used these separate reports for investigations and enforcing compliance, it took much more time and effort to sift through the data of each SRO and organize it, and there was the possibility of discontinuities in the data between sources.

Under CAT, one major question will be how current reporting requirements, Order Audit Trail System (OATS), Electronic Blue Sheets (EBS) and Large Trader Reporting (LTR), for example, fit into the CAT system. With adequate time and planning, CAT reporting would involve analyzing these existing reports, understanding the new reporting requirements and designing new systems to source and report. The reality for firms with only months to spare and tight deadlines ahead of them is to analyze how they are already collecting data for these regulations and fill the gaps in data so that an adequate picture can be submitted to the CAT processor. However, this approach (and the less-than-ideal processes and systems behind it) could still miss information or be formatted incorrectly, returning the submissions back to the firm to handle reconciliation and resubmission until it is correct. This process will strain existing operational and reporting pressures. The reality is that OATS, EBS and LTR will not disappear immediately. Multiple reporting formats will exist until regulators have proof that prior formats are no longer needed. Until then, firms will need to dual report, which will increase their burdens.

And, of course, there’s still the question about what customer or PII data will eventually be required for reporting and how this will be enacted.

Timestamping Challenges

Under CAT, SROs and their members will be required to synchronize the business clocks they use to record the date and time of any reported event and for each event to have a timestamp for the central repository in increments to the millisecond or even more accurately for electronic flows but with less granularity for manual trades. This can be quite difficult to enable in practice when looking at orders, trades and allocations across multiple desks, servers, locations and exchanges, and it may be vulnerable to errors.

By utilizing time and clock synchronization solutions, organizations can ensure that even with a number of machines running in different time zones, communicating to different networks and protocols and any possible lag or errors, their clocks will still be synchronized and, in turn, report properly to the CAT central repository. Vendors exist that give firms access to reliable reference time and are designed for the extreme requirements associated with high-frequency trading. This means that reporting can be synchronized within a few microseconds or nanoseconds or better. As mentioned, time at this granularity is not necessary in all cases, but it’s handy when needed.

Latest Technologies

As deadlines approach, new independent projects with longer pipelines will have to be tabled until after they have met initial Day 1 compliance to make processes easier and more efficient. Though longer-vision projects may be on the horizon in the next few years that utilize emerging technologies and different use cases, technology can help firms get ready for CAT. Seeing that many firms are lagging in their preparations for the fast-approaching CAT deadline, vendors and technology providers are announcing regulatory reporting tools to assist firms with CAT compliance.

Accelerators of this nature will be presented over the next year as firms rush to achieve compliance and fill the gaps in their data. Artificial intelligence and machine learning technologies will likely play the most influential role in analyzing and assessing a firm’s data quickly to highlight where gaps are, and in more mature systems, they may also be able to pull the data from the correct sources to fill in these gaps.

What’s Next for CAT?

The CAT processor built by Thesys is a big data solution utilizing cloud technology. The CAT processor will use these innovative technologies to store and share the data from SROs so the SEC can perform their market surveillance mandates. Many questions remain on how the vast amounts of data collected into the CAT processor will be used, synchronized and protected. With the recent Equifax hack and last year’s SEC hack, many firms have reservations about the vast amounts of data – including a large amount of personal and sensitive information – being fed into the CAT processor, not to mention the security around it. While the cloud is very secure, longer-term projects for firms might incorporate other technologies to consolidate, share and protect their data.  Know your customer (KYC) use cases are emerging that involve digital identity and leverage blockchain because of its secure and immutable nature. However, industrywide change at this level will take years. As fintech and regtech mature, firms should review these innovative technologies for how they can assist in meeting regulatory reporting obligations and consolidating efforts for multiple regulations and repetitive data reporting requirements.

Innovative technologies are emerging every day, and new use cases materialize all the time. The main focus for firms today is very similar to how reporting mandates have been met since the financial crisis.  Meet Day 1 compliance with the system you need, then plan for the system you want on Day 2 – a concrete plan of how to consolidate and aggregate multiple data feeds into one cohesive format to meet the regulatory deadlines for CAT while always looking toward how regulatory reporting can be made easier and improved using technology tools.