Notice 2025-11427

Joint Industry Plan; Notice of Filing of Amendment No. 1, and Order Instituting Proceedings To Determine Whether To Approve or Disapprove an Amendment to the National Market System Plan Governing the Consolidated Audit Trail, as Modified by Amendment No. 1, Regarding the Customer and Account Information System

Primary source

Metadata and text below are from the Federal Register, a public-domain U.S. government work. Always verify the official published version before relying on it for any legal matter.

Published
June 23, 2025

Issuing agencies

Securities and Exchange Commission

Full Text

<html>
<head>
<title>Federal Register, Volume 90 Issue 118 (Monday, June 23, 2025)</title>
</head>
<body><pre>
[Federal Register Volume 90, Number 118 (Monday, June 23, 2025)]
[Notices]
[Pages 26637-26656]
From the Federal Register Online via the Government Publishing Office [<a href="http://www.gpo.gov">www.gpo.gov</a>]
[FR Doc No: 2025-11427]


-----------------------------------------------------------------------

SECURITIES AND EXCHANGE COMMISSION

[Release No. 34-103288; File No. 4-698]


Joint Industry Plan; Notice of Filing of Amendment No. 1, and 
Order Instituting Proceedings To Determine Whether To Approve or 
Disapprove an Amendment to the National Market System Plan Governing 
the Consolidated Audit Trail, as Modified by Amendment No. 1, Regarding 
the Customer and Account Information System

June 17, 2025.

I. Introduction

    On March 7, 2025, the Consolidated Audit Trail, LLC (``CAT LLC''), 
on behalf of the following parties to the National Market System Plan 
Governing the Consolidated Audit Trail (the ``CAT NMS Plan'' or 
``Plan''): \1\ BOX Exchange LLC, Cboe BYX Exchange, Inc., Cboe BZX 
Exchange, Inc., Cboe C2 Exchange, Inc., Cboe EDGA Exchange, Inc., Cboe 
EDGX Exchange, Inc., Cboe Exchange, Inc., Financial Industry Regulatory 
Authority, Inc., Investors Exchange LLC, Long-Term Stock Exchange, 
Inc., MEMX, LLC, Miami International Securities Exchange LLC, MIAX 
Emerald, LLC, MIAX PEARL, LLC, MIAX Sapphire, LLC, Nasdaq BX, Inc., 
Nasdaq GEMX, LLC, Nasdaq ISE, LLC, Nasdaq MRX, LLC, Nasdaq PHLX LLC, 
The NASDAQ Stock Market LLC, New York Stock Exchange LLC, NYSE American 
LLC, NYSE Arca, Inc., NYSE Chicago, Inc., and NYSE National, Inc. 
(collectively, the ``Participants'') filed with the Securities and 
Exchange Commission (``Commission'') pursuant to Section 11A(a)(3) of 
the Securities Exchange Act of 1934 (``Exchange Act''),\2\ and Rule 608 
thereunder,\3\ a proposed amendment to the CAT NMS Plan to reduce the 
amount of Customer \4\ information in the CAT Customer and Account 
Information System (``CAIS'') (the ``Proposal'').\5\ The Proposal was 
published for comment in the Federal Register on March 19, 2025 
(``Notice'' or the ``Proposed Amendment'').\6\ The Commission has 
received comments on the Proposed Amendment.\7\
---------------------------------------------------------------------------

    \1\ In July 2012, the Commission adopted Rule 613 of Regulation 
NMS, which required the Participants to jointly develop and submit 
to the Commission a national market system plan to create, 
implement, and maintain a consolidated audit trail (the ``CAT''). 
See Securities Exchange Act Release No. 67457 (July 18, 2012), 77 FR 
45722 (Aug. 1, 2012); 17 CFR 242.613 (``Rule 613''). On November 15, 
2016, the Commission approved the CAT NMS Plan. See Securities 
Exchange Act Release No. 78318 (Nov. 15, 2016), 81 FR 84696 (Nov. 
23, 2016) (``CAT NMS Plan Approval Order''). The CAT NMS Plan is 
Exhibit A to the CAT NMS Plan Approval Order. See CAT NMS Plan 
Approval Order, at 84943-85034.
    \2\ 15 U.S.C. 78k-1(a)(3).
    \3\ 17 CFR 242.608.
    \4\ A ``Customer'' means ``the account holder(s) of the account 
at a registered broker-dealer originating the order; and any person 
from whom the broker-dealer is authorized to accept trading 
instructions for such account, if different from the account 
holder(s).'' See CAT NMS Plan, supra note 1, at Section 1.1.
    \5\ See Letter from Brandon Becker, CAT NMS Plan Operating 
Committee Chair, dated March 7, 2025.
    \6\ See Securities Exchange Act Release No. 102665 (Mar. 13, 
2025), 90 FR 12845 (Mar. 19, 2025).
    \7\ See Letter from Benjamin L. Schiffrin, Director of 
Securities Policy, Better Markets, Inc., dated April 9, 2025, 
available at <a href="https://www.sec.gov/comments/4-698/4698-588955-1704442.pdf">https://www.sec.gov/comments/4-698/4698-588955-1704442.pdf</a> (``Better Markets Letter''); Letter from Howard 
Meyerson, Managing Director, Financial Information Forum (``FIF''), 
dated Apr. 9, 2025, available at <a href="https://www.sec.gov/comments/4-698/4698-590975-1712522.pdf">https://www.sec.gov/comments/4-698/4698-590975-1712522.pdf</a> (``FIF Letter''); Letter from Joseph 
Corcoran, Managing Director and Associate General Counsel, and 
Gerald O'Hara, Vice President and Assistant General Counsel, 
Securities Industry and Financial Markets Association (``SIFMA''), 
dated May 30, 2025, available at <a href="https://www.sec.gov/comments/4-698/4698-608327-1776534.pdf">https://www.sec.gov/comments/4-698/4698-608327-1776534.pdf</a> (``SIFMA Letter''). The Commission received 
one letter advocating for full implementation of the CAT. The letter 
did not otherwise address the Proposed Amendment. See Letter from Ty 
Finch, dated May 16, 2025, available at <a href="https://www.sec.gov/comments/4-698/4698-1757082.htm">https://www.sec.gov/comments/4-698/4698-1757082.htm</a>. The Commission also received a 
letter from certain members of the United States Senate that does 
not reference the Proposed Amendment, but does express concerns that 
the Commission's CAIS Exemption Order represents a weakening of CAT 
and cautions against taking additional steps that might further 
erode the ``critically important tool.'' See Letter from Andy Kim, 
Jack Reed, Chris Van Hollen and Elizabeth Warren, Ranking Member, 
Committee on Banking, Housing and Urban Affairs, dated May 19, 2025, 
available at <a href="https://www.sec.gov/comments/4-698/4698-606607-1771634.pdf">https://www.sec.gov/comments/4-698/4698-606607-1771634.pdf</a>. The Commission also received a response to these 
comments from CAT LLC. See Letter from Brandon Becker, CAT NMS Plan 
Operating Committee Chair, dated May 28, 2025 (``CAT LLC Response 
Letter'').
---------------------------------------------------------------------------

    On May 28, 2025, the Participants filed Amendment No. 1 to the 
Proposed Amendment (``Amendment No. 1''),\8\ as set forth in Item II.B. 
The Commission is publishing this notice to solicit comments on the 
Proposed Amendment, as modified by Amendment No. 1, and is instituting 
proceedings, under Rule 608(b)(2)(i) of Regulation NMS,\9\ to determine 
whether to disapprove the Proposed Amendment, as modified by Amendment 
No. 1, or to approve the Proposed Amendment, as modified by Amendment 
No. 1, with any changes or subject to any conditions the Commission 
deems necessary or appropriate.
---------------------------------------------------------------------------

    \8\ See CAT LLC Response Letter.
    \9\ 17 CFR 242.608(b)(2)(i).

---------------------------------------------------------------------------

[[Page 26638]]

II. Proposed CAIS Amendments

A. Summary of March 7, 2025 Proposed Amendment \10\
---------------------------------------------------------------------------

    \10\ See Notice, supra note 6, for a full discussion of the 
Proposed Amendment.
---------------------------------------------------------------------------

    On March 7, 2025, the Participants proposed to amend the CAT NMS 
Plan to (i) incorporate and codify the Commission's 2020 exemptive 
order relating to the reporting of Social Security Numbers (``SSNs'')/
Individual Tax ID numbers (``ITINs''), dates of birth, and account 
numbers to the CAT,\11\ and (ii) eliminate requirements that Industry 
Members \12\ report Customer names, Customer addresses, account names, 
account addresses, years of birth, and authorized trader names 
(collectively, ``Name, Address, and YOB'') to the CAT ((i) and (ii), 
together, the ``Proposed Changes''). The Proposed Changes would apply 
to all Customers--including all natural person Customers and all legal 
entity Customers--at both the Customer and account level. The 
Participants initially represented that the Proposed Changes would 
allow CAT LLC to achieve an overall cost savings of approximately $12 
million per year as compared to the 2024 actual budget, but the overall 
cost savings estimate changed in Amendment No. 1 to $7-$9 million.\13\
---------------------------------------------------------------------------

    \11\ See Securities Exchange Act Release No. 88393 (Mar. 17, 
2020), 85 FR 16152 (Mar. 20, 2020), <a href="https://www.govinfo.gov/content/pkg/FR-2020-03-20/pdf/2020-05935.pdf">https://www.govinfo.gov/content/pkg/FR-2020-03-20/pdf/2020-05935.pdf</a> (``CCID Exemption Order'').
    \12\ An ``Industry Member'' is a member of a national securities 
exchange or a member of a national securities association. See CAT 
NMS Plan, supra note 1, at Section 1.1.
    \13\ See Notice, supra note 6, at 12846. See also Amendment No. 
1 at 14.
---------------------------------------------------------------------------

    The CCID Exemption Order that the Participants propose to 
incorporate and codify into the Proposed Amendment allowed the Plan 
Processor \14\ to generate a unique identifier for a Customer, called a 
CAT Customer-ID (``CCID''), using a two-phase transformation process 
that avoids the requirement to have SSNs/ITINs reported to the CAT as 
originally contemplated by Rule 613 and the CAT NMS Plan. In addition, 
instead of reporting dates of birth and account numbers, the CCID 
Exemption Order permitted Industry Members to report YOB and FDIDs.\15\ 
The Participants stated that the Proposed Amendment would go further 
than the CCID Exemption Order by also eliminating Name, Address, and 
YOB from the CAT for all Customers while preserving one of the primary 
objectives of the CAT, i.e., the ability for regulators to conduct 
cross-market surveillance of a specific Customer.\16\
---------------------------------------------------------------------------

    \14\ The Plan Processor is ``the Initial Plan Processor or any 
other Person selected by the Operating Committee pursuant to SEC 
Rule 613 and Sections 4.3(b)(i) and 6.1, and with regard to the 
Initial Plan Processor, the Selection Plan, to perform the CAT 
processing functions required by SEC Rule 613 and set forth in [the 
CAT NMS Plan.]'' See CAT NMS Plan, supra note 1, at Section 1.1.
    \15\ The term ``Firm Designated ID'' (``FDID'') is defined in 
the CAT NMS Plan as: ``(1) a unique and persistent identifier for 
each trading account designated by Industry Members for purposes of 
providing data to the Central Repository provided, however, such 
identifier may not be the account number for such trading account if 
the trading account is not a proprietary account; (2) a unique and 
persistent relationship identifier when an Industry Member does not 
have an account number available to its order handling and/or 
execution system at the time of order receipt, provided, however, 
such identifier must be masked; or (3) a unique and persistent 
entity identifier when an employee of an Industry Member is 
exercising discretion over multiple client accounts and creates an 
aggregated order for which a trading account number of the Industry 
Member is not available at the time of order origination, where each 
such identifier is unique among all identifiers from any given 
Industry Member.'' Section 1.1 of the CAT NMS Plan. See also Notice, 
supra note 6, at 12847.
    \16\ See Notice, supra note 6, at 12847.
---------------------------------------------------------------------------

    The Participants stated that on February 10, 2025, the Commission 
issued an exemption order \17\ sua sponte, granting exemptive relief 
from certain requirements of the CAT NMS Plan related to the reporting 
of names, addresses, and YOB for natural persons reported with 
transformed SSNs or ITINs to CAIS.\18\ The Participants stated that 
they believe there are additional steps that would reduce the amount of 
Customer information in the CAT.\19\ The Participants stated that they 
understand that the CAIS Exemption Order is permissive and only applies 
to natural persons reported with transformed SSNs or ITINs to CAIS, 
and not to natural persons reported without transformed SSNs/ITINs, 
including foreign nationals, or legal entities. According to the 
Participants, the Proposed Amendment will fully and permanently 
eliminate the requirement to report Names, Addresses, and YOBs for all 
Customers to CAIS--including all natural person Customers and all legal 
entity Customers--while also allowing the Plan Processor to eliminate 
the software that is required to support regulatory queries of Name, 
Address, and YOB, which would result in significant annual cost 
savings.\20\ The Participants also stated that the CAIS Exemption Order 
only applies to the reporting of such Customer information after the 
date of the order, and only to the extent that Industry Members choose 
to discontinue reporting such exempted Customer information. The 
Participants further stated that the CAIS Exemption Order does not 
address the deletion of existing, previously reported Customer 
information currently stored in CAIS. The Participants stated that the 
Proposed Amendment would therefore build on the CAIS Exemption Order by 
(1) prohibiting the submission to CAIS of Names, Addresses, and YOBs 
for all natural person and legal entity Customers; and (2) requiring 
CAT LLC to direct the Plan Processor to delete from CAIS all Name, 
Address, and YOBs currently stored in the CAT.\21\
---------------------------------------------------------------------------

    \17\ See Securities Exchange Act Release No. 102386 (Feb. 10, 
2025), 90 FR 9642 (Feb. 14, 2025), <a href="https://www.sec.gov/files/rules/sro/nms/2025/34-102386.pdf">https://www.sec.gov/files/rules/sro/nms/2025/34-102386.pdf</a> (the ``CAIS Exemption Order'').
    \18\ See Notice, supra note 6, at 12847.
    \19\ Id.
    \20\ Id.
    \21\ Id.
---------------------------------------------------------------------------

B. Notice and Description of Amendment No. 1

    Set forth in this Section II.B. is the description of the proposed 
Amendment No. 1, along with information required by Rule 608(a) under 
the Exchange Act,\22\ as prepared and submitted by the Participants to 
the Commission.\23\
---------------------------------------------------------------------------

    \22\ See 17 CFR 242.608(a).
    \23\ See Amendment No. 1, supra note 8. Unless otherwise defined 
herein, capitalized terms used herein are defined as set forth in 
the CAT NMS Plan.
---------------------------------------------------------------------------

1. Revisions and Technical Changes to the Proposed Amendment
    CAT LLC is proposing certain revisions and technical changes to the 
Proposed Amendment based on the comments received to date and ongoing 
discussions with the Plan Processor related to the Proposed Amendment. 
Exhibit A sets forth the cumulative changes proposed to be made to the 
existing CAT NMS Plan. Exhibit B sets forth the proposed additional 
revisions against the Proposed Amendment. These revisions are described 
below.
a. Renaming of the ``Customer and Account Information System'' 
(``CAIS'') to the ``Reference Database''; Revisions to Certain Defined 
Terms to More Accurately Describe the Information Reported to CAT Under 
the Proposed Amendment
    As described in the Proposal, the Proposed Amendment would add a 
new defined term ``CAIS'' to the CAT NMS Plan that would refer to the 
existing customer and account information system of CAT. Upon further 
evaluation and consideration of comments, CAT LLC has determined that 
the ``CAIS'' and ``customer and account information system'' 
terminology would be outdated and ill-suited given the limited nature 
and scope of data that would be collected under the Proposed Amendment. 
This terminology was predicated on concepts relating to the

[[Page 26639]]

collection of PII that would no longer accurately describe this 
database.\24\
---------------------------------------------------------------------------

    \24\ For example, the CCID Exemption Order conceived of the 
``customer and account information system of the CAT'' as referring 
to ``the database that contains PII.'' See CCID Exemption Order, 
supra note 11, at 16153 n.22 (Mar. 20, 2020).
---------------------------------------------------------------------------

    Accordingly, to avoid confusion and to make very clear that the 
Proposed Amendment fundamentally is intended to eliminate sensitive 
customer and account information from the CAT, CAT LLC is now proposing 
to change the proposed defined term ``CAIS'' to ``Reference Database,'' 
which more accurately describes the limited nature, scope, and function 
of this database as a result of eliminating the requirement for 
Industry Members to report Customer names, Customer addresses, account 
names, account addresses, years of birth, and authorized trader names 
(collectively, ``Name, Address, and YOB'') to CAT. CAT LLC believes 
that it would be more accurate to use the term ``Reference Database'' 
because, while this database would continue to exist separate from the 
transactional database, following the implementation of the Proposed 
Amendment, its function will be to implement the core functionality 
that manages the association between CCIDs and Firm Designated IDs 
(``FDIDs''), which allows regulatory users to associate a unique CCID 
with transaction data.
    Relatedly, as originally proposed, the Proposed Amendment also 
would have changed the defined terms ``Customer Account Information'' 
and ``Customer Identifying Information'' to ``Account Attributes'' and 
``Customer Attributes,'' respectively. To align with the new defined 
term ``Reference Database'' described above, CAT LLC is now proposing 
to change the defined term ``Account Attributes'' to ``Account 
Reference Data,'' and the defined term ``Customer Attributes'' to 
``Customer Reference Data.'' CAT LLC also proposes to change the 
defined term ``Customer and Account Attributes'' that is described in 
the Proposal to ``Reference Data'' consistent with the change described 
above.\25\ Subject to the technical change related to ``customer type'' 
described in Section I.B below, these changes in nomenclature are 
solely to more accurately reflect the limited nature of the data that 
would be reported to CAT and would not impact the substance of the 
defined terms ``Account Attributes,'' ``Customer Attributes,'' and 
``Customer and Account Attributes,'' as they are described in the 
Proposal. As discussed below, Exhibit C to this letter identifies the 
limited fields under the CAT Reporting Customer & Account Technical 
Specifications for Industry Members (the ``CAIS Technical 
Specifications'') that would be retained if the Proposed Amendment is 
approved.\26\
---------------------------------------------------------------------------

    \25\ As described in the Proposal, the Proposed Amendment 
originally would have replaced the term ``PII'' with ``Customer and 
Account Attributes''; as described herein, CAT LLC now proposes to 
replace the term ``PII'' with the new defined term ``Reference 
Data,'' subject to the specific changes described in Section I.C 
below.
    \26\ Material amendments to the CAIS Technical Specifications, 
infra n.11, require a Supermajority Vote of the Operating Committee.
---------------------------------------------------------------------------

b. Technical Revisions to the Proposed Amendment
    CAT LLC is proposing three technical revisions to the Proposed 
Amendment based on further discussions with the Plan Processor.
    First, CAT LLC proposes to move the reference to ``customer type'' 
in the definition of ``Account Reference Data'' to the definition of 
``Customer Reference Data'' \27\ to more accurately reflect that 
``customer type'' relates to customers as opposed to accounts, and that 
under the current CAIS Technical Specifications the customerType field 
is associated to the customer record as opposed to the FDID (i.e., 
account) record.
---------------------------------------------------------------------------

    \27\ As described in Section I.A, CAT LLC is proposing to change 
the defined terms ``Account Attributes'' and ``Customer Attributes'' 
as originally proposed to ``Account Reference Data'' and ``Customer 
Reference Data,'' respectively, to more accurately describe the 
nature of the data that would be reported to and stored in CAIS 
(i.e., the Reference Database) as a result of the Proposed 
Amendment's implementation.
---------------------------------------------------------------------------

    Second, CAT LLC proposes to change the reference to ``Firm 
Identifier Number'' in Section 9.2 of Appendix D to ``Firm Designated 
ID'' (which is a defined term and does not appear anywhere else in the 
CAT NMS Plan) to more accurately capture the information that this 
section describes as the ``number that the CAT Reporter will supply on 
all orders generated for the Account.''
    Third, CAT LLC proposes to add the phrase ``including, but not 
limited to'' to the proposed definition of the newly proposed term 
``Transformed Identifier'' to clarify that the list of input 
identifiers used to identify unique customers that follows in this 
definition is non-exhaustive.\28\
---------------------------------------------------------------------------

    \28\ See CAT Reporting Customer & Account Technical 
Specifications for Industry Members (``CAIS Technical 
Specifications'') at Section 2.2.5 (dated as of Mar. 25, 2025) 
(explaining that input identifiers include social security numbers, 
individual taxpayer identification numbers, employer identification 
numbers, and foreign identifiers), available at <a href="https://www.catnmsplan.com/sites/default/files/2025-03/03.25.25_Full_CAIS_Technical_Specifications_2.2.0_r3_CLEAN.pdf">https://www.catnmsplan.com/sites/default/files/2025-03/03.25.25_Full_CAIS_Technical_Specifications_2.2.0_r3_CLEAN.pdf</a>.
---------------------------------------------------------------------------

    These technical revisions are reflected in Exhibit A and Exhibit B 
to this letter.
c. Revisions to Certain Plan Requirements Following Elimination of 
``PII''
    As described in the Proposal, the Proposed Amendment originally 
would have deleted the existing defined term ``PII'' and simply 
replaced it with the new defined term ``Customer and Account 
Attributes'' throughout the CAT NMS Plan. CAT LLC is proposing two 
changes from this original proposal. First, as described in Section I.A 
above, CAT LLC now proposes to change the defined term ``Customer and 
Account Attributes'' to ``Reference Data.'' Second, based on further 
discussions with the Chief Information Security Officer (``CISO'') and 
the Plan Processor, in lieu of simply replacing ``PII'' with 
``Reference Data'' throughout the CAT NMS Plan, CAT LLC is proposing 
more targeted revisions to Sections 6.2(b)(v)(F) and 6.10(c)(ii), and 
Appendix D, Sections 4.1; 4.1.2; 4.1.4; 4.1.6; 8.1.1; 8.1.3; 8.2; and 
8.2.2, as summarized below.
    The CAT NMS Plan generally provides that the Plan Processor is 
responsible for the security and confidentiality of all CAT Data and 
establishes comprehensive data security requirements. In addition, the 
CAT NMS Plan distinguishes PII from other forms of CAT Data and 
requires ``additional levels of protection for PII''.\29\ The CISO has 
informed CAT LLC that it would be incongruent to apply these PII-
specific requirements to Reference Data given that the particularly 
sensitive data that these requirements were designed to protect--e.g., 
Customer name, Customer address, account name, account address, 
authorized trader names list, account number, day of birth, month of 
birth, year of birth, and ITIN/SSN--would be eliminated under the 
Proposed Amendment, and given the security and confidentiality 
requirements that continue to apply to CAT Data in general. In 
addition, existing provisions relating to general data security 
requirements would continue to apply to Reference Data. The proposed 
revisions are reflected in Exhibit A and Exhibit B to this letter and 
are summarized below.
---------------------------------------------------------------------------

    \29\ Exchange Act Release No. 78318 (Nov. 15, 2016), 81 FR 
84696, 84724 (Nov. 23, 2016). See also Appendix C, Section A.4 of 
the CAT NMS Plan (noting that, ``because of the sensitivity of PII, 
the Participants have determined PII should be subject to more 
stringent standards and requirements'').
---------------------------------------------------------------------------

    • Section 6.2(b)(v)(F) would be revised to eliminate the 
requirement that the CISO create and enforce

[[Page 26640]]

appropriate policies, procedures, and control structures to monitor and 
address data security issues specifically with respect to ``PII data 
requirements, including the standards set forth in Appendix D, PII Data 
Requirements'' (without otherwise affecting general data security 
requirements that would continue to apply to Reference Data).
    • Section 6.10(c)(ii) would be revised to eliminate the 
requirement that ``PII data shall be masked unless users have 
permission to view the CAT Data that has been requested.'' This masking 
restraint was designed specifically for PII data and would be 
incongruent in the context of Reference Data.
    • Appendix D, Section 4.1 would be revised to eliminate the 
phrase ``or PII data'' from the requirement that ``[t]he Plan Processor 
must have documented `hardening baselines' for systems that will store, 
process, or transmit CAT Data or PII data.'' It is redundant to 
specifically identify Reference Data (which is already encompassed by 
the general reference to CAT Data) in this provision.
    • Appendix D, Section 4.1.2 would be revised to eliminate 
the following provisions: ``Storage of unencrypted PII data is not 
permissible. PII encryption methodology must include a secure 
documented key management strategy such as the use of HSM(s). The Plan 
Processor must describe how PII encryption is performed and the key 
management strategy (e.g., AES-256, 3DES).'' It is redundant to apply 
these same provisions specifically to Reference Data because Section 
4.1.2 separately requires that ``[a]ll CAT Data must be encrypted at 
rest and in flight using industry standard best practices (e.g., SSL/
TLS) including archival data storage methods such as tape backup,'' and 
this requirement would not change.
    • Appendix D, Section 4.1.4 would eliminate certain express 
references to PII, and would clarify that any login to the system 
(without limitation to PII) must be secured via multi-factor 
authentication (``MFA'').
    • Appendix D, Section 4.1.6, which governs ``PII Data 
Requirements,'' would be eliminated in its entirety as these provisions 
would be incongruent in the context of Reference Data.
    • Appendix D, Section 8.1.1 would eliminate the following 
sentences: ``In addition, the online targeted query tool must not 
display any PII data. Instead, it will display existing non-PII unique 
identifiers (e.g., Customer-ID or Firm Designated ID). The PII 
corresponding to these identifiers can be gathered using the PII 
workflow described in Appendix D, Data Security, PII Data 
Requirements.'' These provisions would be incongruent in the context of 
Reference Data.
    • Appendix D, Section 8.1.3 would delete certain express 
references to PII, including the requirement that ``PII data must not 
be available via the online targeted query tool or the user-defined 
direct query interface.'' These provisions would be incongruent in the 
context of Reference Data.
    • Appendix D, Section 8.2 would be revised to eliminate the 
requirement that ``Direct queries must not return or display PII data. 
Instead, they will return existing non-PII unique identifiers (e.g., 
Customer-ID or Firm Designated ID). The PII corresponding to these 
identifiers can be gathered using the PII workflow described in 
Appendix D, Data Security, PII Data Requirements.'' These provisions 
would be incongruent in the context of Reference Data.
    • Appendix D, Section 8.2.2 would be revised to eliminate 
the requirement that ``PII data must be masked unless users have 
permission to view the data that has been requested.'' These provisions 
would be incongruent in the context of Reference Data. Notably, Section 
8.2.2 separately provides that ``[d]ata must be encrypted, password 
protected and sent via secure methods of transmission,'' and this will 
continue to apply to Reference Data.
d. Elimination of Requirement To Report Employer Identification Numbers
    In addition, CAT LLC is proposing to eliminate from the definition 
of ``Customer Reference Data'' the requirement to capture, with respect 
to legal entities, an Employer Identification Number (``EIN'').\30\
---------------------------------------------------------------------------

    \30\ An EIN is a unique nine-digit number issued by the Internal 
Revenue Service to business entities operating in the United States 
for tax purposes.
---------------------------------------------------------------------------

    Under the CCID Exemption Order,\31\ tax identifiers provide the 
basis for establishing a unique CCID for both natural person and legal 
entity Customers. For natural persons, Industry Members must generate a 
transformed identifier (``TID'') based on a Customer's social security 
number (``SSN'') or individual taxpayer identification number 
(``ITIN'') prior to submission,\32\ and only these TID values may be 
reported to CAT via the CCID Subsystem.\33\ For legal entities, 
however, the Industry Member must: (1) translate the EIN into a TID and 
report the TID value to the CCID Subsystem; and (2) submit the actual 
EIN as plain text (as required by the CAT NMS Plan) in the ein field on 
the legal entity customer record.
---------------------------------------------------------------------------

    \31\ CCID Exemption Order, supra note 11.
    \32\ See CAIS Technical Specifications, supra n.11, at Section 
3.4 (``Translation of Input Identifiers to TID Values''); see also 
Section 2.2.5.2 (explaining foreign identifier values for Customers 
that do not have a U.S. tax identifier).
    \33\ In turn, the CCID Subsystem performs a second 
transformation to create a unique CCID.
---------------------------------------------------------------------------

    Because an EIN contains the same number of digits as a SSN and must 
be reported as plain text, there is the risk that an Industry Member 
could inappropriately report an individual's SSN in the ein field. 
Eliminating the ein field would eliminate the possibility of such 
improper reporting without any effect on the Plan Processor's ability 
to create a unique CCID, because Industry Members would continue to 
report the translated TID value (which is based on the EIN) to the CCID 
Subsystem. Even if the ein field is eliminated, regulators would retain 
the ability to search by EIN for a CCID value.
2. Additional Details Regarding Calculation of Estimated Cost 
Savings and One-Time Implementation Costs
    CAT LLC is adjusting the prior cost savings estimates as described 
in the Proposal to reflect subsequent optimizations introduced by the 
Plan Processor. In addition, based on discussions with the Staff, CAT 
LLC is providing more detailed information regarding the calculation of 
the estimated cost savings as well as the one-time implementation costs 
payable to the Plan Processor.
    In approving prior CAT LLC cost savings amendments, ``[t]he 
Commission acknowledge[d] the necessity of using simplifying 
assumptions to generate estimates and that such assumptions can affect 
the precision of the estimates,'' and that, even where the Commission 
identified potential issues with such assumptions that ``could affect 
the magnitude of the cost estimates,'' approval was warranted because 
``the cost savings will be meaningful regardless of these issues.'' 
\34\ CAT LLC believes that the cost savings under the Proposed 
Amendment will be meaningful, even if the magnitude of the estimated 
savings cannot be determined with absolute certainty.
---------------------------------------------------------------------------

    \34\ Exchange Act Release No. 101901 (Dec. 12, 2024), 89 FR 
103033, 103046 (Dec. 18, 2024).
---------------------------------------------------------------------------

    Consistent with prior cost savings amendments, all cost savings 
estimates are based on reasonable assumptions related to, among other 
factors, the current state and costs of CAT operations; current CAT NMS 
Plan requirements; reporting by Participants, Industry Members and 
market data providers; observed data rates and volumes; current 
discounts, reservations, and cost savings plans; and 
associated cloud fees. By their nature, cost savings estimates are 
subject to various assumptions and an inherent degree of uncertainty 
and, as such, actual future savings could be more or less than 
estimated due to changes in any of these variables. It is well 
established, however, that ``[t]he Commission does not believe it is 
possible for the Participants to predict with certainty how the 
magnitude of each driver of CAT costs will change over time.'' \35\
---------------------------------------------------------------------------

    \35\ Exchange Act Release No. 98290, 88 FR 62628, 62641 (Sept. 
12, 2023).
---------------------------------------------------------------------------

    CAT LLC believes that the estimates and assumptions described below 
are reasonable and provide an adequate basis for the Commission to 
evaluate the costs and benefits of the Proposed Amendment. More 
broadly, CAT LLC believes that the cost savings are even more readily 
justified in this context, given that the Proposed Amendment is 
intended to codify and build on the Commission's determination in its 
own Exemption Order that Names, Addresses, and YOBs should be 
eliminated from the CAT.
a. Adjustments to Prior Cost Savings Estimates Due to Subsequent 
Optimizations
    As described in the Proposal, the 2025 budget estimates CAIS-
related costs of approximately $35.5 million, which includes: (1) $20.7 
million in CAIS operating fees payable to the Plan Processor; \36\ (2) 
$2.8 million in CAIS licensing fees payable to the Plan Processor; and 
(3) approximately $12 million in CAIS-related cloud hosting services 
fees (i.e., AWS fees). The Proposal estimated approximately $10 to $12 
million in savings attributable to a $5 million reduction in operating 
fees and a $5 to $7 million reduction in AWS fees. As noted in the 
Proposal, all cost savings projections are the Plan Processor's best 
estimates based on the current Proposed Amendment and are subject to 
change based on ongoing improvements to AWS that may reduce current AWS 
costs.
---------------------------------------------------------------------------

    \36\ This CAIS (i.e., Reference Database) operating fee is 
separate and in addition to a $30.8 million operating fee payable to 
the Plan Processor to operate and maintain the transaction database 
for the CAT.
---------------------------------------------------------------------------

    Following the submission of the Proposal, and as part of CAT LLC's 
ongoing efforts to manage costs, the Plan Processor deployed certain 
optimizations related to compute, storage and search indexing that are 
expected to immediately reduce existing CAIS-related cloud hosting fees 
by approximately $2.5 to $3.5 million annually from the original 2025 
budget of $12 million, thereby impacting the estimated cost savings 
originally described in the Proposal.
    As a result of these savings, the Proposed Amendment is now 
expected to save approximately $2 to $4 million in incremental AWS 
savings (versus $5 to $7 million as described in the Proposal prior to 
the optimizations) and approximately $7 to $9 million in overall costs 
(versus $10 to $12 million as described in the Proposal prior to the 
optimizations).\37\ The following chart summarizes estimated CAIS 
(Reference Database) costs: (1) under the original 2025 budget; (2) 
following the optimizations recently introduced by the Plan 
Processor and described above; and (3) if the Proposed Amendment is 
approved:
---------------------------------------------------------------------------

    \37\ The $5 million reduction in CAIS (i.e., Reference Database) 
operating fees as described in the Proposal is unchanged.

--------------------------------------------------------------------------------------------------------------------------------------------------------
                                                                                                  Estimated CAIS costs      Estimated reference database
                                                                    Estimated CAIS costs            following recent            costs under proposed
                                                                    original 2025 Budget              optimizations                   amendment
--------------------------------------------------------------------------------------------------------------------------------------------------------
CAIS (Reference Database) Operating Fees--Plan Processor......                 $20.7 million                 $20.7 million                 $15.7 million
CAIS (Reference Database) Licensing Fees--Plan Processor......                   2.8 million                   2.8 million                   2.8 million
CAIS- (Reference Database-) Related Cloud Hosting Services                       ~12 million           ~8.5 to 9.5 million           ~4.5 to 7.5 million
 Fees.........................................................
                                                               -----------------------------------------------------------------------------------------
Total.........................................................                 ~35.5 million             ~32 to 33 million             ~23 to 26 million
--------------------------------------------------------------------------------------------------------------------------------------------------------

b. Calculation of Cost Savings Estimates and One-Time Implementation 
Costs
    The Staff requested that CAT LLC provide more detailed information 
regarding the calculation of the estimated cost savings as well as the 
one-time implementation costs payable to the Plan Processor.
    As noted above, all cost savings estimates are based on reasonable 
assumptions and are subject to inherent uncertainty; however, the 
Commission has previously acknowledged the ``necessity of using 
simplifying assumptions to generate estimates and that such assumptions 
can affect the precision of the estimates.'' \38\ CAT LLC believes that 
the estimates and assumptions described below are reasonable and 
provide an adequate basis for the Commission to evaluate the costs and 
benefits of the Proposed Amendment.
---------------------------------------------------------------------------

    \38\ Exchange Act Release No. 101901 (Dec. 12, 2024), 89 FR 
103033, 103046 (Dec. 18, 2024).
---------------------------------------------------------------------------

    Cost Savings Estimates. As detailed in the Proposal, the Proposed 
Amendment, if adopted, would reduce operating fees and cloud-hosting 
services fees.
    First, the Plan Processor estimated that the Proposed Amendment 
could reduce its CAIS (Reference Database) operating fees by 
approximately $5 million per year if the Proposed Amendment is adopted. 
This $5 million reduction is based on the reduced work to operate, 
maintain and improve certain functionality and related indexes. As a 
result, CAIS (Reference Database) operating fees payable to the Plan 
Processor would be reduced from approximately $20.7 million to $15.7 
million annually.
    Second, subsequent to the recent optimizations detailed above, the 
Plan Processor now estimates that the Proposed Amendment would reduce 
CAIS- (Reference Database-) related cloud hosting fees by approximately 
$2 to $4 million annually. These cost savings are driven by eliminating 
requirements to process, store, and query on Name and Address and other 
free text data (e.g., match functionality), since under the Proposed 
Amendment these elements will no longer be provided to the CAT. The 
reduction is primarily driven by the removal of search technology that 
allows regulators' searches to be ``fuzzy'' rather than exact matches, 
similar to how an internet search engine ranks results through a 
scoring mechanism (e.g., currently, a search for ``John'' will also 
search for other variations such as ``Jon'' and ``Jonathon'', a search 
for ``St.'' will also search for other permutations of 
``Street''). Several indexes are built that include all the free text 
data elements to allow for this type of searching; under the Proposed 
Amendment, the cost of maintaining this functionality would be 
eliminated.
    In addition, the Staff asked CAT LLC to explain why the $2.8 
million in CAIS licensing fees payable to the Plan Processor would be 
unaffected by the Proposed Amendment. Based on discussions with the 
Plan Processor, while the Proposed Amendment would eliminate certain 
data attributes from CAIS (i.e., the Reference Database), the licensing 
fee would be unchanged because the functionality of the licensed 
software underlying CAIS (i.e., the Reference Database) would not be 
eliminated.
    One-Time Implementation Costs. As detailed in the Proposal, the 
Plan Processor has estimated a one-time change request implementation 
fee of approximately $4.5 million to $5.5 million. As noted in the 
Proposal, one-time implementation costs will generally consist of Plan 
Processor labor costs associated with coding and software development, 
as well as any related cloud fees associated with the development, 
testing, and load testing of the proposed changes. Specifically, the 
Plan Processor would expect to undertake the following activities to 
implement the Proposed Amendment, if adopted:
    * Revise the Technical Specifications and guidance (e.g., 
FAQs) to remove the Name, Address, and YOB elements per the amendment.
    * Revise and update all the data collection, validation, and 
data processing to support these changes.
    * Design and implement new data structures and data storage/
databases based on the changes in the amendment.
    * Revise and update the CAIS (i.e., Reference Database) 
portals and underlying application programming interfaces (APIs) in 
support of these changes.
    * Design and implement one-time data migration and 
relationships between accounts and customers into the new data 
structures, removing all the data elements that are to be removed per 
the amendment. (Such data migration will involve multiple rounds of 
testing and validation to ensure all data and relationships are 
migrated correctly.)
    * Remove the original data and data sets from all 
environments that contained the Name, Address, and YOB fields.
    All activities would comply with Plan Processor policies and 
procedures including Change Management, Software Development Life Cycle 
(SDLC), Testing, Security and Operations. The effort for these 
activities includes data analysis, product, engineering, test, 
security, operations and business operations staff. The $4.5 to $5.5 
million estimate is based on the Proposed Amendment as proposed and 
would be reflected in a change request that would be subject to CAT LLC 
approval, if the amendment is approved.
    Industry Member Implementation Costs. In addition, the Staff 
requested information regarding the costs that would be borne by 
Industry Members if the Proposed Amendment is approved. CAT LLC 
understands that Industry Members would need to update their systems in 
order to stop reporting Customer Names, Addresses, and YOBs to the CAT; 
however, CAT LLC is not in a position to quantify such Industry Member 
costs. The FIF letter acknowledges that ``Industry [M]embers will 
require time to update their systems to cease reporting PII to CAIS,'' 
but nevertheless ``FIF members support the proposed amendments.'' \39\
---------------------------------------------------------------------------

    \39\ FIF Letter at 2-3.
---------------------------------------------------------------------------

3. Implementation
    Based on discussions with the Staff, and in response to the FIF 
Letter, CAT LLC is providing more detailed information regarding how 
the Proposed Amendment would be implemented, if approved.
    As a general matter, CAT LLC intends that any implementation 
schedule will be designed to allow the Plan Processor and Industry 
Members adequate time to finalize Technical Specifications and 
guidance, and to develop, test and implement the necessary changes to 
firm systems in order to comply with the Proposed Amendment. At a high 
level, subject to change based on discussions among the Participants, 
the Plan Processor, Industry Members, and the Staff if the amendment is 
approved, the Plan Processor initially contemplates a phased 
implementation schedule to include the following key phases:
    * Stop providing visibility to regulators of existing Names, 
Addresses, and YOBs in CAT--approximately 3 months from effective date;
    * Continue to accept submissions from Industry Members that 
include Names, Addresses, and YOBs, but stop processing any such 
information in CAT (such Customer information would remain on the 
as-submitted file)--approximately 3 months;
    * Reject any submissions from Industry Members that continue 
to include Names, Addresses, and YOBs (i.e., Industry Members would be 
prohibited from reporting these fields to CAIS)--approximately 6 months 
or more depending on the amount of time required for Industry Members 
to update their reporting systems;
    * Delete all existing Names, Addresses, and YOBs (as well as 
any other sensitive Customer data and information contemplated by the 
Proposed Amendment) from the CAT--approximately 9-12 months after the 
data migration is completed and verified; it will take approximately 
2-3 months to permanently remove all the old data.
4. Additional Cost Savings Opportunities; Proposals to Retire CAIS
    The FIF Letter notes that the 2025 budget includes approximately 
$35.5 million in total CAIS-related costs, and proposes that 
transforming CAIS from a regulatory database to a process dedicated to 
creating CCIDs could potentially yield additional cost savings as well 
as significantly simplify the footprint and design of CAT without any 
degradation in regulatory use.\40\ The NYSE Letter proposes that the 
CCID could be preserved either by keeping the CCID within the CAIS 
database or, alternatively, ``CAIS could be eliminated in its entirety, 
provided that there is a transition period, where some form of CAIS 
persisted until an alternative effective and cost-efficient solution 
for CCIDs--or another unique customer identifier methodology--was 
implemented.'' \41\ Separately, Nasdaq and CBOE have petitioned the 
Commission to retire CAIS, noting that ``[t]here are alternative 
solutions that would provide regulators with unique customer 
identifiers without requiring the collection of customer and account 
information.'' \42\
---------------------------------------------------------------------------

    \40\ FIF Letter at 4-5.
    \41\ See Letter from Jaime Klima, General Counsel, NYSE, to Paul 
Atkins, Chairman, SEC dated Apr. 24, 2025 (``NYSE Letter'') at 2.
    \42\ Letter from John A. Zecca, Executive Vice President, Global 
Chief Legal, Risk & Regulatory Officer, Nasdaq, and J. Patrick Sexton, 
Executive Vice President, General Counsel & Corporate Secretary, 
CBOE, to Paul S. Atkins, Chairman, SEC, Petition for Rulemaking and 
Exemptive Relief to Reduce the Costs of the Consolidated Audit Trail 
(CAT) (Apr. 24, 2025), at 2, <a href="https://www.sec.gov/files/rules/petitions/2025/petn4-853.pdf">https://www.sec.gov/files/rules/petitions/2025/petn4-853.pdf</a>.
---------------------------------------------------------------------------

    As currently designed, in addition to creating unique CCIDs, the 
CAT System implements the functionality that associates unique CCIDs 
with individual order events based on reported FDIDs.\43\ 
This allows regulators the ability to identify a Customer's market 
activity across multiple exchanges, broker-dealers, and accounts, which 
was one of the critical innovations of the CAT. This approach was 
informed by significant discussion and was strongly supported by the 
industry.\44\ Under the Proposed Amendment, the Reference Database 
would continue to facilitate the relationship mapping of unique CCIDs 
to FDIDs and would preserve the CCID enrichment of transaction data.
---------------------------------------------------------------------------

    \43\ As described in the Exemption Order, the CAT NMS Plan 
originally adopted the ``Customer Information Approach.'' Under this 
approach, each Industry Member assigns a unique FDID to each 
Customer account, which must be reported on each new order submitted 
to the CAT, and separately reports account and Customer information 
to the CAT. The Plan Processor then associates specific Customers 
with individual order events based on the reported FDIDs.
    \44\ See, e.g., Appendix C-9 of the CAT NMS Plan (``The 
Customer-ID approach is strongly supported by the industry as it 
believes that to do otherwise would interfere with existing business 
practices and risk leaking proprietary order and customer 
information into the market.'').
---------------------------------------------------------------------------

    CAT LLC understands that there may be additional proposals to 
eliminate the Reference Database entirely, which will require further 
analysis. The Proposed Amendment was approved and continues to be 
supported by a two-thirds vote of all of the Participants, as required 
by Section 12.3 of the CAT NMS Plan. As always, CAT LLC will continue 
to evaluate additional cost savings measures and alternatives. However, 
in light of the desire of many constituencies--including Participants, 
Industry Members, and the Commission itself--to eliminate Names, 
Addresses, and YOBs from the CAT, and given that the Proposed Amendment 
ultimately is designed to build on the Commission's own CCID Exemption 
Order, CAT LLC is hopeful that it can be considered and approved 
expeditiously.

III. Summary of Comments

    One commenter opposes the Proposed Amendment, stating that granting 
the Proposed Amendment weakens the CAT by decreasing the amount of 
information it collects, therefore making it more difficult for the 
Commission to detect misconduct and identify the perpetrators.\45\ This 
commenter states that CAT's ability to capture a complete record of all 
information about orders, including the identity of customers, is key 
to its mission and removing that ability will force the Commission to 
revert to the ``cumbersome process'' used before the CAT to obtain 
identifying information about the parties involved in transactions.\46\ 
The commenter also states that the purported rationale for the Proposed 
Amendment--better safeguarding the individual's personal information--
can be achieved through other means,\47\ and that eliminating personal 
information from the CAT will have minimal security benefits, as bad 
actors will still be able to access this information through hacks of 
the banks placing the retail trades.\48\
---------------------------------------------------------------------------

    \45\ See Better Markets Letter, supra note 7, at 1.
    \46\ Id. at 4-5.
    \47\ Id. at 5.
    \48\ Id. at 5-6.
---------------------------------------------------------------------------

    In response, Participants state that the Proposed Amendment would 
not prevent regulators from determining the identity of persons 
involved in potential security violations.\49\ According to the 
Participants, the continued existence of the requirement of maintaining 
FDIDs and CCIDs within CAT will allow regulators to use the FDID and 
the CCID to identify the associated account, which will then allow them 
to determine identities by seeking the information from Industry 
Members as needed.\50\ Participants acknowledge that the speed with 
which the regulators can access the identity of those involved with a 
transaction at issue will be decreased, but believe that the CAIS 
Exemption Order already acknowledges this delay and concludes that it 
would be reasonable for regulators to rely on obtaining such 
information from Industry Members rather than the CAT.\51\ Participants 
further state that, based on their experience, the difference in the 
amount of time it takes to access the name of an investor in CAT versus 
the time to request and obtain a name from Industry Members would only 
rarely be an issue and would not materially impede examinations and 
investigations.\52\ Participants state that it is difficult to justify 
the substantial costs to maintain the Names, Addresses and YOBs in the 
CAT, as well as the security risks, for the limited regulatory utility, 
and state that the commenter fails to consider entirely the millions of 
dollars in cost savings by adopting the Proposed Amendment versus the 
perceived benefit of retaining the information in CAT.\53\
---------------------------------------------------------------------------

    \49\ See CAT LLC Response Letter at 11.
    \50\ Id.
    \51\ Id.
    \52\ Id.
    \53\ Id.
---------------------------------------------------------------------------

    Another commenter supports the Proposed Amendment, stating that its 
members support the deletion of previously reported personally 
identifiable information (``PII''), support excluding PII for all 
natural persons, including foreign natural persons who are not reported 
with transformed SSNs or ITINs, support permanently eliminating and 
prohibiting the reporting of PII to CAT subject to a two-phased 
implementation, support excluding PII for all legal entity customers 
since PII of natural persons (including names, addresses and dates of 
birth) is often included in CAIS records for legal entities, and 
support eliminating requirements relating to the handling of 
inconsistencies.\54\ This commenter recommends a two-phase 
implementation, with the first allowing Industry Members to continue to 
report fields that contain PII, but the CAIS system would not record or 
store those fields, and a second phase where all Industry Members would 
be prohibited from reporting PII. This commenter states that this 
implementation approach will give firms that need more time to update 
their systems the chance to do so, while allowing firms for whom it 
does not take as long to cease reporting faster.\55\ This commenter 
further recommends deletion of certain additional fields from CAIS.\56\
---------------------------------------------------------------------------

    \54\ See FIF Letter, supra note 7, at 2.
    \55\ Id. at 3.
    \56\ Id. at 3-4.
---------------------------------------------------------------------------

    This commenter also requests that both Participants and the 
Commission consider additional cost savings measures that could be 
associated with the PII removal. Specifically, the commenter questions 
whether the CAIS database could be eliminated entirely and any CAIS 
processes related to creating the CCIDs could be switched to the 
Transactions database, thereby eliminating potentially as much as $35.5 
million in CAIS-related costs.\57\
---------------------------------------------------------------------------

    \57\ Id. at 4-5. The commenter devotes the remainder of its 
letter to a discussion of Electronic Blue Sheets (``EBS'') and the 
Commission's purported commitment to retiring use of EBS. Because, 
as the commenter notes, these issues are not directly related to the 
Proposed Amendment, they will not be addressed here. Id. at 5-8.
---------------------------------------------------------------------------

    Participants acknowledge these suggestions, particularly the 
creation of a request and response system other than Electronic Blue 
Sheets (``EBS'') to associate CAT data with specific natural persons 
and legal entities.\58\ Participants state, however, that these 
suggestions are outside of the scope of the Proposed Amendment, and 
that the commenter's comments on EBS are better directed to the 
Commission.\59\
---------------------------------------------------------------------------

    \58\ See CAT LLC Response Letter at 12.
    \59\ Id.
---------------------------------------------------------------------------

    In addition, with respect to the commenter's discussion of an 
implementation schedule, Participants provide some additional details 
regarding that schedule,\60\ stating that the intent of the schedule 
will be to allow the Plan Processor and Industry Members adequate time 
to finalize Technical Specifications and guidance, and to develop, test 
and implement the 
necessary changes to firm systems in order to comply with the Proposed 
Amendment.\61\
---------------------------------------------------------------------------

    \60\ Id. at 16-17 (providing a more detailed implementation 
schedule).
    \61\ Id. at 16-17.
---------------------------------------------------------------------------

    Another commenter, who submitted their comment letter after the CAT 
LLC Response Letter, also supports the Proposed Amendment. This 
commenter states that the Proposed Amendment follows the CAIS Exemption 
Order, which the commenter supports because they both further the goal 
of eliminating the collection and storage of individual investors' PII 
in the CAT.\62\ The commenter states that its members have been opposed 
to the collection and storage of PII data by the CAT since its 
inception due to long-standing privacy and cyber security concerns 
related to CAT.\63\ The commenter also requests further guidance as to 
the Commission's expectation for the CAIS database because, without the 
PII stored in it, it would serve no purpose.\64\
---------------------------------------------------------------------------

    \62\ See SIFMA Letter at 2.
    \63\ Id. at 3.
    \64\ Id. at 3-4.
---------------------------------------------------------------------------

    The commenter references its own prior submissions to the 
Commission suggesting development of a request-response system using 
CCIDs and FDIDs to allow regulators to request directly from a firm the 
identity of an investor engaged in potentially problematic trading.\65\ 
The commenter suggests such a system, in which the regulator would 
submit an FDID and trade date(s) request through the CAT into a secure 
file transfer protocol (FTP) that would in turn direct that request to 
an Industry Member acting as a CAT reporter.\66\ The Industry Member 
would then retrieve the requested data and submit it, encrypted, back 
into the CAT control environment for the regulatory user to analyze and 
use the data.\67\ The commenter states that while the Commission noted 
the potential need for a request-response system in the CAIS Exemption 
Order, it did not direct its creation, and the Proposed Amendment is 
similarly silent.\68\ The commenter therefore calls for further 
guidance from the Commission on issues like the future of the CAIS and 
the potential creation of a request and response system.\69\
---------------------------------------------------------------------------

    \65\ Id. at 3.
    \66\ Id.
    \67\ Id. at 3, note 11.
    \68\ Id. at 4.
    \69\ Id.
---------------------------------------------------------------------------

    The commenter states that certain of its members have raised 
concerns about whether the CCID could be viewed as another form of PII 
due to the current operation of the CAT system.\70\ Specifically, those 
members raise concerns that once a regulator knows the identity of an 
investor behind a CCID in connection with a trading review, the 
regulator could keep that information and be able to know and track the 
investor's trading activity in CAT, theoretically in perpetuity.\71\ 
The commenter does not, however, suggest any changes to the Proposed 
Amendment in connection with this concern.
---------------------------------------------------------------------------

    \70\ Id. at 5.
    \71\ Id.
---------------------------------------------------------------------------

IV. Proceedings To Determine Whether To Approve or Disapprove the 
Proposed Amendment

    The Commission is instituting proceedings pursuant to Rule 
608(b)(2)(i) of Regulation NMS,\72\ and Rules 700 and 701 of the 
Commission's Rules of Practice,\73\ to determine whether to disapprove 
the Proposed Amendment, as modified by Amendment No. 1, or to approve 
the Proposed Amendment, as modified by Amendment No. 1, with any 
changes or subject to any conditions the Commission deems necessary or 
appropriate. The Commission is instituting proceedings to have 
sufficient time to consider the issues raised by the proposal, 
including comments received. Institution of proceedings does not 
indicate that the Commission has reached any conclusions with respect 
to any of the issues involved. Rather, the Commission seeks and 
encourages interested persons to provide additional comment on the 
Proposed Amendment, as modified by Amendment No. 1, to inform the 
Commission's analysis.
---------------------------------------------------------------------------

    \72\ 17 CFR 242.608(b)(2)(i).
    \73\ 17 CFR 201.700; 17 CFR 201.701.
---------------------------------------------------------------------------

    Rule 608(b)(2) of Regulation NMS provides that the Commission 
``shall approve a national market system plan or proposed amendment to 
an effective national market system plan, with such changes or subject 
to such conditions as the Commission may deem necessary or appropriate, 
if it finds that such plan or amendment is necessary or appropriate in 
the public interest, for the protection of investors and the 
maintenance of fair and orderly markets, to remove impediments to, and 
perfect the mechanisms of, a national market system, or otherwise in 
furtherance of the purposes of the [Exchange] Act.'' \74\ Rule 
608(b)(2) further provides that the Commission shall disapprove a 
national market system plan or proposed amendment if it does not make 
such a finding.\75\ In the Notice, the Commission sought comment on the 
Proposed Amendment, including whether the Proposed Amendment is 
consistent with the Exchange Act.\76\ In this order, pursuant to Rule 
608(b)(2)(i) of Regulation NMS,\77\ the Commission is providing notice 
of the grounds for disapproval under consideration:
---------------------------------------------------------------------------

    \74\ 17 CFR 242.608(b)(2).
    \75\ Id.
    \76\ See Notice, supra note 6, at 26997-98.
    \77\ 17 CFR 242.608(b)(2)(i).
---------------------------------------------------------------------------

    <bullet> Whether, consistent with Rule 608 of Regulation NMS, the 
Participants have demonstrated how the Proposed Amendment, as modified 
by Amendment No. 1, is necessary or appropriate in the public interest, 
for the protection of investors and the maintenance of fair and orderly 
markets, to remove impediments to, and perfect the mechanisms of, a 
national market system, or otherwise in furtherance of the purposes of 
the Exchange Act; \78\
---------------------------------------------------------------------------

    \78\ 17 CFR 242.608(b)(2).
---------------------------------------------------------------------------

    <bullet> Whether the Participants have demonstrated how the 
Proposed Amendment, as modified by Amendment No. 1, is consistent with 
Section 6(b)(5) \79\ and Section 15A(b)(6) \80\ of the Exchange Act, 
which require that the rules of a national securities exchange or 
national securities association be ``designed to prevent fraudulent and 
manipulative acts and practices, to promote just and equitable 
principles of trade, to foster cooperation and coordination with 
persons engaged in regulating, clearing, settling, processing 
information with respect to, and facilitating transactions in 
securities, to remove impediments to and perfect the mechanism of a 
free and open market and a national market system, and, in general, to 
protect investors and the public interest'';
---------------------------------------------------------------------------

    \79\ 15 U.S.C. 78f(b)(5).
    \80\ 15 U.S.C. 78o-3(b)(6).
---------------------------------------------------------------------------

    <bullet> Whether the Participants have demonstrated how the 
Proposed Amendment, as modified by Amendment No. 1, is consistent with 
Section 11A of the Exchange Act,\81\ which directs the Commission, 
``having due regard for the public interest, the protection of 
investors, and the maintenance of fair and orderly markets, to use its 
authority under this chapter to facilitate the establishment of a 
national market system . . . in accordance with the findings and to 
carry out the objectives'' expressed by Congress, including, among 
other things, that ``[i]t is in the public interest and appropriate for 
the protection of investors and the maintenance of fair and orderly 
markets to assure . . . (i) economically efficient execution of 
securities transactions; [and] (ii) fair competition among brokers and 
dealers, among exchange markets,

[[Page 26645]]

and between exchange markets and markets other than exchange markets,'' 
as well as ``to authorize or require self-regulatory organizations to 
act jointly with respect to matters as to which they share authority 
under this chapter in planning, developing, operating, or regulating a 
national market system (or a subsystem thereof) or one or more 
facilities thereof'';
---------------------------------------------------------------------------

    \81\ 15 U.S.C. 78k-1.
---------------------------------------------------------------------------

    <bullet> Whether the Participants have demonstrated how the 
Proposed Amendment, as modified by Amendment No. 1, is consistent with 
Section 17 of the Exchange Act \82\ and Rules 17a-1 and 17a-4,\83\ 
which set forth requirements for national securities exchanges, 
national securities associations, brokers, and dealers related to 
making, keeping, furnishing, and disseminating records;
---------------------------------------------------------------------------

    \82\ 15 U.S.C. 78q.
    \83\ 17 CFR 240.17a-1.
---------------------------------------------------------------------------

    <bullet> Whether and if so how, the Proposed Amendment, as modified 
by Amendment No. 1, would affect efficiency, competition, or capital 
formation, which analysis is required by Rule 613 under the Exchange 
Act; \84\ and
---------------------------------------------------------------------------

    \84\ 17 CFR 242.613(a)(5).
---------------------------------------------------------------------------

    <bullet> Whether modifications to the Proposed Amendment, as 
modified by Amendment No. 1, or conditions to its approval, would be 
necessary or appropriate in the public interest, for the protection of 
investors and the maintenance of orderly markets, to remove impediments 
to, and perfect the mechanisms of, a national market system, or 
otherwise in furtherance of the Exchange Act.\85\
---------------------------------------------------------------------------

    \85\ 17 CFR 242.608(b)(2).
---------------------------------------------------------------------------

    Under the Commission's Rules of Practice, the ``burden to 
demonstrate that a NMS plan filing is consistent with the Exchange Act 
and the rules and regulations issued thereunder . . . is on the plan 
participants that filed the NMS plan filing.'' \86\ The description of 
the NMS plan filing, its purpose and operation, its effect, and a legal 
analysis of its consistency with applicable requirements must all be 
sufficiently detailed and specific to support an affirmative Commission 
finding.\87\ Any failure of the plan participants that filed the NMS 
plan filing to provide such detail and specificity may result in the 
Commission not having a sufficient basis to make an affirmative finding 
that the NMS plan filing is consistent with the Exchange Act and the 
applicable rules and regulations thereunder.\88\
---------------------------------------------------------------------------

    \86\ 17 CFR 201.701(b)(3)(ii).
    \87\ Id.
    \88\ Id.
---------------------------------------------------------------------------

V. Commission's Solicitation of Comments

    The Commission requests that interested persons provide written 
submissions of their views, data, and arguments with respect to the 
issues identified above, as well as any other concerns they may have 
with the Proposed Amendment, as modified by Amendment No. 1. In 
particular, the Commission invites the written views of interested 
persons concerning whether the Proposed Amendment, as modified by 
Amendment No. 1, is consistent with the Exchange Act, the rules and 
regulations thereunder, or any other provisions of the CAT NMS Plan. 
The Commission asks that commenters address the sufficiency and merit 
of the Participants' statements in support of the Proposed Amendment, 
as modified by Amendment No. 1, in addition to any other comments they 
may wish to submit about the Proposed Amendment, as modified by 
Amendment No. 1.
    To consider the impact of the Proposed Amendment, as modified by 
Amendment No. 1, on efficiency, competition, and capital formation,\89\ 
the Commission requests additional information on all aspects of the 
Proposed Amendment, as modified by Amendment No. 1. In particular:
---------------------------------------------------------------------------

    \89\ The Commission is required to consider the impact of 
amendments to the CAT NMS Plan on efficiency, competition, and 
capital formation. See 17 CFR 242.613(a)(5).
---------------------------------------------------------------------------

    <bullet> To understand the effect of the Proposed Amendment, as 
modified by Amendment No. 1, on operational and regulatory efficiency 
and/or the competitiveness of Industry Members, the Commission requests 
information, for each category, regarding the costs and benefits of 
ending the collection of Customer information in CAIS for: (1) natural 
persons with transformed SSNs or ITINs, (2) natural persons without 
transformed SSNs or ITINs, and/or (3) legal entities. For each of the 
three categories:
    [cir] Would ending the collection of customer information 
significantly impact operational or regulatory efficiency?
    [cir] Would Industry Members realize savings by no longer reporting 
this data to the CAT? Would Industry Members incur costs to respond to 
ad hoc requests from regulators to provide this data if it is no longer 
collected by the CAT? What implementation costs would Industry Members 
bear to make any necessary reporting changes to their systems to alter 
data reported to the CAT and/or stop reporting data to the CAT? Please 
provide estimates of annual costs and savings (if any) for Industry 
Members.
    [cir] Would the Participants and/or the Plan Processor incur costs 
to respond to ad hoc requests from regulators to provide this data if 
it is no longer collected by the CAT? What implementation costs would 
the Participants bear to make any necessary reporting changes to their 
systems to alter data reported to the CAT and/or stop reporting data to 
the CAT? Please provide estimates of annual costs and savings (if any) 
for the Participants.
    [cir] Would this change generate savings for the Plan Processor? 
What implementation costs would the Plan Processor bear to make this 
change? Please provide estimates of annual costs and savings (if any).
    [cir] Would cost savings be generated from reduced storage and/or 
processing costs or any other related costs? Please provide estimates 
of annual costs and savings (if any).
    <bullet> To understand the effect of the Proposed Amendment, as 
modified by Amendment No. 1, on operational and regulatory efficiency, 
the Commission requests information, for each category, regarding the 
costs and benefits of deleting historical Customer information in CAIS 
for: (1) natural persons with transformed SSNs or ITINs, (2) natural 
persons without transformed SSNs or ITINs, and/or (3) legal entities. 
For each category:
    [cir] Would deleting this historical customer information 
significantly impact operational or regulatory efficiency?
    [cir] Would Industry Members realize savings due to the deletion of 
this data from the CAT? Would Industry Members incur costs to respond 
to ad hoc requests from regulators to provide this data if it is 
deleted from the CAT? Please provide estimates of annual costs and 
savings (if any) for Industry Members.
    [cir] Would the Participants realize savings due to the deletion of 
this data from the CAT? Would the Participants incur costs to respond 
to ad hoc requests from regulators to provide this data if it is 
deleted from the CAT? Please provide estimates of annual costs and 
savings (if any) for the Participants.
    [cir] Would this change generate savings for the Plan Processor? 
What implementation costs would the Plan Processor bear to make this 
change? Please provide estimates of annual costs and savings (if any).
    [cir] Would cost savings be generated from reduced storage and/or 
processing costs or any other related costs? Please provide estimates 
of annual costs and savings (if any).

[[Page 26646]]

    <bullet> What impact will the Proposed Amendment, as modified by 
Amendment No. 1, have on potential regulatory use?
    [cir] Would any regulatory functionality enabled by the use of 
CCIDs be modified or eliminated (other than linking a CCID to a 
specific customer's identifying information) if the Proposed Amendment, 
as modified by Amendment No. 1, is approved?
    [cir] To what extent do legal entities have Legal Entity 
Identifiers (``LEIs'') that are currently included in CAIS? Would the 
availability of that data, or lack thereof, have any impact upon how 
regulators would adapt to the changes in the Proposed Amendment, as 
modified by Amendment No. 1, particularly in light of the proposed 
removal of EINs from CAIS?
    <bullet> Under the Proposed Amendment, as modified by Amendment No. 
1, Customer data would no longer be reported to and stored in the CAT. 
However, regulators may need to request such data from Industry 
Members. Given this, how would the Proposed Amendment, as modified by 
Amendment No. 1, affect the overall cybersecurity and privacy risks of 
collecting, transmitting, and/or requesting customer data? How and to 
what extent would the Proposed Amendment, as modified by Amendment No. 
1, impact the costs borne by Participants and Industry Members in 
relation to the security of CAT Data?
    Although there do not appear to be any issues relevant to approval 
or disapproval that would be facilitated by an oral presentation of 
views, data, and arguments, the Commission will consider, pursuant to 
Rule 608(b)(2)(i) of Regulation NMS,\90\ any request for an opportunity 
to make an oral presentation.\91\
---------------------------------------------------------------------------

    \90\ 17 CFR 242.608(b)(2)(i).
    \91\ Rule 700(c)(2) of the Commission's Rules of Practice 
provides that ``[t]he Commission, in its sole discretion, may 
determine whether any issues relevant to approval or disapproval 
would be facilitated by the opportunity for an oral presentation of 
views.'' 17 CFR 201.700(c)(2).
---------------------------------------------------------------------------

    Interested persons are invited to submit written data, views, and 
arguments regarding whether the Proposed Amendment, as modified by 
Amendment No. 1, should be approved or disapproved by July 14, 2025. 
Any person who wishes to file a rebuttal to any other person's 
submission must file that rebuttal by July 28, 2025. Comments may be 
submitted by any of the following methods:

Electronic Comments

    <bullet> Use the Commission's internet comment form (<a href="http://www.sec.gov/rules/sro.shtml">http://www.sec.gov/rules/sro.shtml</a>); or
    <bullet> Send an email to rule-comments@sec.gov. Please include 
file number 4-698 (CAT CAIS Amendment) on the subject line.

Paper Comments

    <bullet> Send paper comments in triplicate to: Secretary, 
Securities and Exchange Commission, 100 F Street NE, Washington, DC 
20549-1090.

All submissions should refer to File Number 4-698 (CAT CAIS Amendment). 
This file number should be included on the subject line if email is 
used. To help the Commission process and review your comments more 
efficiently, please use only one method. The Commission will post all 
comments on the Commission's internet website (<a href="http://www.sec.gov/rules/sro.shtml">http://www.sec.gov/rules/sro.shtml</a>). Copies of the submission, all subsequent amendments, 
all written statements with respect to the Proposed Amendment, as 
modified by Amendment No. 1, that are filed with the Commission, and 
all written communications relating to the Proposed Amendment, as 
modified by Amendment No. 1, between the Commission and any person, 
other than those that may be withheld from the public in accordance 
with the provisions of 5 U.S.C. 552, will be available for website 
viewing and printing in the Commission's Public Reference Room, 100 F 
Street NE, Washington, DC 20549 on official business days between the 
hours of 10:00 a.m. and 3:00 p.m. Copies of the filing also will be 
available for inspection and copying at the Participants' principal 
offices. Do not include personal identifiable information in 
submissions; you should submit only information that you wish to make 
available publicly. We may redact in part or withhold entirely from 
publication submitted material that is obscene or subject to copyright 
protection. All submissions should refer to File Number 4-698 (CAT CAIS 
Amendment) and should be submitted on or before July 14, 2025.

    For the Commission, by the Division of Trading and Markets, 
pursuant to delegated authority.\92\
---------------------------------------------------------------------------

    \92\ 17 CFR 200.30-3(a)(85).
---------------------------------------------------------------------------

Sherry R. Haywood,
Assistant Secretary.

EXHIBIT A

Cumulative Proposed Revisions to CAT NMS Plan

Additions italicized; deletions [bracketed]
* * * * *

ARTICLE I

DEFINITIONS

* * * * *

Section 1.1. Definitions.

* * * * *
    ``[Customer] Account Reference Data [Information]'' shall include, 
but not be limited to, [account number, ]account type, [customer type,] 
date account opened, and large trader identifier (if applicable) 
(excluding, for the avoidance of doubt, account number); except, 
however, that (a) in those circumstances in which an Industry Member 
has established a trading relationship with an institution but has not 
established an account with that institution, the Industry Member will 
(i) provide the Account Effective Date in lieu of the ``date account 
opened''; [(ii) provide the relationship identifier in lieu of the 
``account number'';] and (ii[i]) identify the ``account type'' as a 
``relationship''; (b) in those circumstances in which the relevant 
account was established prior to the implementation date of the CAT NMS 
Plan applicable to the relevant CAT Reporter (as set forth in Rule 
613(a)(3)(v) and (vi)), and no ``date account opened'' is available for 
the account, the Industry Member will provide the Account Effective 
Date in the following circumstances: (i) where an Industry Member 
changes back office providers or clearing firms and the date account 
opened is changed to the date the account was opened on the new back 
office/clearing firm system; (ii) where an Industry Member acquires 
another Industry Member and the date account opened is changed to the 
date the account was opened on the post-merger back office/clearing 
firm system; (iii) where there are multiple dates associated with an 
account in an Industry Member's system, and the parameters of each date 
are determined by the individual Industry Member; and (iv) where the 
relevant account is an Industry Member proprietary account. For the 
avoidance of doubt, Industry

[[Page 26647]]

Members are required to provide a Firm Designated ID in accordance with 
this Agreement.
* * * * *
    ``CCID Subsystem'' means the subsystem of the Reference Database 
that exists solely to transform input TID values into CCID values.
* * * * *
    ``Customer-ID'' or ``CAT Customer-ID'' or ``CCID'' has the same 
meaning provided in SEC Rule 613(j)(5).
    ``Customer Reference Data[Identifying Information]'' means 
information [of sufficient detail to identify ]attributed to a 
Customer, including, but not limited to, (a) with respect to 
individuals: [name, address, date of birth, individual tax payer 
identification number (``ITIN'')/social security number (``SSN''),] 
TID, customer type, and the individual's role in the account (e.g., 
primary holder, joint holder, guardian, trustee, person with the power 
of attorney); and (b) with respect to legal entities: [name, address, 
]customer type and [Employer Identification Number (``EIN'')/] Legal 
Entity Identifier (``LEI'') or other comparable common entity 
identifier, if applicable; provided, however, that an Industry Member 
that has an LEI for a Customer must submit the Customer's LEI [in 
addition to other information of sufficient detail to identify a 
Customer].
* * * * *
    ``Full Availability and Regulatory Utilization of Transactional 
Database Functionality'' means the point at which: (a) reporting to the 
Order Audit Trail System (``OATS'') is no longer required for new 
orders; (b) Industry Member reporting for equities transactions and 
simple electronic options transactions, excluding Customer Account 
Information,\*\ Customer-ID, and Customer Identifying 
Information,\*\ with sufficient intra-firm linkage, inter-firm linkage, 
national securities exchange linkage, trade reporting facilities 
linkage, and representative order linkages (including any equities 
allocation information provided in an Allocation Report) to permit the 
Participants and the Commission to analyze the full lifecycle of an 
order across the national market system, from order origination through 
order execution or order cancellation, is developed, tested, and 
implemented at a 5% Error Rate or less; (c) Industry Member reporting 
for manual options transactions and complex options transactions, 
excluding Customer Account Information, Customer-ID, and Customer 
Identifying Information, with all required linkages to permit the 
Participants and the Commission to analyze the full lifecycle of an 
order across the national market system, from order origination through 
order execution or order cancellation, including any options allocation 
information provided in an Allocation Report, is developed, tested, and 
fully implemented; (d) the query tool functionality required by Section 
6.10(c)(i)(A) and Appendix D, Sections 8.1.1-8.1.3, Section 8.2.1, and 
Section 8.5 incorporates the data described in conditions (b)-(c) and 
is available to the Participants and to the Commission; and (e) the 
requirements of Section 6.10(a) are met. This Financial Accountability 
Milestone shall be considered complete as of the date identified in a 
Quarterly Progress Report meeting the requirements of Section 6.6(c).
---------------------------------------------------------------------------

    \*\ Effective [DATE], ``Customer Account Information'' as used 
in the Financial Accountability Milestones (Initial Industry Member 
Core Equity Reporting; Full Implementation of Core Equity Reporting; 
Full Availability and Regulatory Utilization of Transactional 
Database Functionality; and Full Implementation of CAT NMS Plan 
Requirements) is no longer a defined term and has been superseded by 
the new defined term ``Account Reference Data''.
    \*\ Effective [DATE], ``Customer Identifying Information'' as 
used in the Financial Accountability Milestones (Initial Industry 
Member Core Equity Reporting; Full Implementation of Core Equity 
Reporting; Full Availability and Regulatory Utilization of 
Transactional Database Functionality; and Full Implementation of CAT 
NMS Plan Requirements) is no longer a defined term and has been 
superseded by the new defined term ``Customer Reference Data''.
---------------------------------------------------------------------------

* * * * *
    [``PII'' means personally identifiable information, including a 
social security number or tax identifier number or similar information; 
Customer Identifying Information and Customer Account Information.]
* * * * *
    ``Reference Data'' shall mean the data elements in Account 
Reference Data and Customer Reference Data.
    ``Reference Database'' means the information system of the CAT 
containing Reference Data.
* * * * *
    ``Transformed Identifier'' or ``TID'' means the transformed version 
of the input used to identify unique Customers, including, but not 
limited to individual tax payer identification number (``ITIN'') or 
social security number (``SSN'') submitted by Industry Members in place 
of an ITIN or SSN.
* * * * *

ARTICLE VI

FUNCTIONS AND ACTIVITIES OF CAT SYSTEM

* * * * *

Section 6.2. Chief Compliance Officer and Chief Information Security 
Officer

* * * * *
    (a) Chief Compliance Officer.
* * * * *
    (v) The Chief Compliance Officer shall:
* * * * *
    (C) in collaboration with the Chief Information Security Officer, 
and consistent with Appendix D, Data Security, and any other applicable 
requirements related to data security[,] and Reference Data [Customer 
Account Information and Customer Identifying Information], identify and 
assist the Company in retaining an appropriately qualified independent 
auditor (based on specialized technical expertise, which may be the 
Independent Auditor or subject to the approval of the Operating Company 
by Supermajority Vote, another appropriately qualified independent 
auditor), and in collaboration with such independent auditor, create 
and implement an annual audit plan (subject to the approval of the 
Operating Committee), which shall at a minimum include a review of all 
Plan Processor policies, procedures and control structures, and real 
time tools that monitor and address data security issues for the Plan 
Processor and the Central Repository;
* * * * *
    (b) Chief Information Security Officer.
* * * * *
    (v) Consistent with Appendices C and D, the Chief Information 
Security Officer shall be responsible for creating and enforcing 
appropriate policies, procedures, and control structures to monitor and 
address data security issues for the Plan Processor and the Central 
Repository including:
* * * * *
    (F) [PII data requirements, including the standards set forth in 
Appendix D, PII Data Requirements] [Reserved];
* * * * *

Section 6.4. Data Reporting and Recording by Industry Members

* * * * *
    (d) Required Industry Member Data.
* * * * *
    (ii) Subject to Section 6.4(c) and Section 6.4(d)(iii) with respect 
to Options Market Makers, and consistent with Appendix D, Reporting and 
Linkage Requirements, and the Technical Specifications, each 
Participant shall, through its Compliance Rule, require its Industry 
Members to record and report to the Central Repository the following, 
as applicable (``Received Industry Member

[[Page 26648]]

Data'' and collectively with the information referred to in Section 
6.4(d)(i) ``Industry Member Data''):
* * * * *
    (C) for original receipt or origination of an order, the Firm 
Designated ID for the relevant Customer, and in accordance with Section 
6.4(d)(iv), Reference Data [Customer Account Information and Customer 
Identifying Information] for the relevant Customer; and
* * * * *

Section 6.10. Surveillance

* * * * *
    (c) Use of CAT Data by Regulators.
* * * * *
    (ii) Extraction of CAT Data shall be consistent with all permission 
rights granted by the Plan Processor. All CAT Data returned shall be 
encrypted[, and PII data shall be masked unless users have permission 
to view the CAT Data that has been requested].
* * * * *

APPENDIX D

CAT NMS Plan Processor Requirements

* * * * *

4. Data Security

4.1 Overview

* * * * *
    The Plan Processor must provide to the Operating Committee a 
comprehensive security plan that covers all components of the CAT 
System, including physical assets and personnel, and the training of 
all persons who have access to the Central Repository consistent with 
Article VI, Section 6.1(m). The security plan must be updated annually. 
The security plan must include an overview of the Plan Processor's 
network security controls, processes and procedures pertaining to the 
CAT Systems. Details of the security plan must document how the Plan 
Processor will protect, monitor and patch the environment; assess it 
for vulnerabilities as part of a managed process, as well as the 
process for response to security incidents and reporting of such 
incidents. The security plan must address physical security controls 
for corporate, data center, and leased facilities where Central 
Repository data is transmitted or stored. The Plan Processor must have 
documented ``hardening baselines'' for systems that will store, 
process, or transmit CAT Data [or PII data].
* * * * *

4.1.2 Data Encryption

    All CAT Data must be encrypted at rest and in flight using industry 
standard best practices (e.g., SSL/TLS) including archival data storage 
methods such as tape backup. Symmetric key encryption must use a 
minimum key size of 128 bits or greater (e.g., AES-128), larger keys 
are preferable. Asymmetric key encryption (e.g., PGP) for exchanging 
data between Data Submitters and the Central Repository is desirable.
    [Storage of unencrypted PII data is not permissible. PII encryption 
methodology must include a secure documented key management strategy 
such as the use of HSM(s). The Plan Processor must describe how PII 
encryption is performed and the key management strategy (e.g., AES-256, 
3DES).]
    If public cloud managed services are used that would inherently 
have access to the data (e.g., BigQuery, S3, Redshift), then the key 
management surrounding the encryption of that data must be documented 
(particularly whether the cloud provider manages the keys, or if the 
Plan Processor maintains that control). Auditing and real-time 
monitoring of the service for when cloud provider personnel are able to 
access/decrypt CAT Data must be documented, as well as a response plan 
to address instances where unauthorized access to CAT Data is detected. 
Key management/rotation/revocation strategies and key chain of custody 
must also be documented in detail.
* * * * *

4.1.4 Data Access

    The Plan Processor must provide an overview of how access to [PII 
and other] CAT Data by Plan Processor employees and administrators is 
restricted. This overview must include items such as, but not limited 
to, how the Plan Processor will manage access to the systems, internal 
segmentation, multi-factor authentication, separation of duties, 
entitlement management, background checks, etc.
* * * * *
    Any login to the system [that is able to access PII data must 
follow non-PII password rules and] must be [further] secured via multi-
factor authentication (``MFA''). The implementation of MFA must be 
documented by the Plan Processor. MFA authentication capability for all 
logins is required to be implemented by the Plan Processor.
* * * * *

4.1.6 [PII Data Requirements] [Reserved]

    [PII data must not be included in the result set(s) from online or 
direct query tools, reports or bulk data extraction. Instead, results 
will display existing non-PII unique identifiers (e.g., Customer-ID or 
Firm Designated ID). The PII corresponding to these identifiers can be 
gathered using the PII workflow described in Appendix D, Data Security, 
PII Data Requirements. By default, users entitled to query CAT Data are 
not authorized for PII access. The process by which someone becomes 
entitled for PII access, and how they then go about accessing PII data, 
must be documented by the Plan Processor. The chief regulatory officer, 
or other such designated officer or employee at each Participant must, 
at least annually, review and certify that people with PII access have 
the appropriate level of access for their role.
    Using the RBAC model described above, access to PII data shall be 
configured at the PII attribute level, following the ``least 
privileged'' practice of limiting access as much as possible.
    PII data must be stored separately from other CAT Data. It cannot 
be stored with the transactional CAT Data, and it must not be 
accessible from public internet connectivity. A full audit trail of PII 
access (who accessed what data, and when) must be maintained. The Chief 
Compliance Officer and the Chief Information Security Officer shall 
have access to daily PII reports that list all users who are entitled 
for PII access, as well as the audit trail of all PII access that has 
occurred for the day being reported on.]
* * * * *

6.2 Data Availability Requirements

* * * * *

Figure B: [Customer and Account Information (Including PII)] Reference 
Data

[[Page 26649]]

[GRAPHIC] [TIFF OMITTED] TN23JN25.000

{changes to the title of the chart: Timeline for Reference Data 
[Customer and Account Information (including PII)]}

    CAT [PII] Reference Data data must be processed within established 
timeframes to ensure data can be made available to Participants' 
regulatory staff and the SEC in a timely manner. Industry Members 
submitting new or modified Customer information must provide it to the 
Central Repository no later than 8:00 a.m. Eastern Time on T+1. The 
Central Repository must validate the data and generate error reports no 
later than 5:00 p.m. Eastern Time on T+1. The Central Repository must 
process the resubmitted data no later than 5:00 p.m. Eastern Time on 
T+4. Corrected data must be resubmitted no later than 5:00 p.m. Eastern 
Time on T+3. The Central Repository must process the resubmitted data 
no later than 5:00 p.m. Eastern Time on T+4. Corrected data must be 
available to regulators no later than 8:00 a.m. Eastern Time on T+5.
    [Customer information that includes PII] Reference [d]Data must be 
available to regulators immediately upon receipt of initial data and 
corrected data, pursuant to security policies for retrieving [PII] 
Reference Data.
* * * * *

8. Functionality of the CAT System

8.1 Regulator Access

* * * * *

8.1.1 Online Targeted Query Tool

* * * * *
    The tool must provide a record count of the result set, the date 
and time the query request is submitted, and the date and time the 
result set is provided to the users. In addition, the tool must 
indicate in the search results whether the retrieved data was linked or 
unlinked (e.g., using a flag). [In addition, the online targeted query 
tool must not display any PII data. Instead, it will display existing 
non-PII unique identifiers (e.g., Customer-ID or Firm Designated ID). 
The PII corresponding to these identifiers can be gathered using the 
PII workflow described in Appendix D, Data Security, PII Data 
Requirements.] The Plan Processor must define the maximum number of 
records that can be viewed in the online tool as well as the maximum 
number of records that can be downloaded. Users must have the ability 
to download the results to .csv, .txt, and other formats, as 
applicable. These files will also need to be available in a compressed 
format (e.g., .zip, .gz). Result sets that exceed the maximum viewable 
or download limits must return to users a message informing them of the 
size of the result set and the option to choose to have the result set 
returned via an alternate method.
* * * * *

8.1.3 Online Targeted Query Tool Access and Administration

    Access to CAT Data is limited to authorized regulatory users from 
the Participants and the SEC. Authorized regulators from the 
Participants and the SEC may access all CAT Data[, with the exception 
of PII data. A subset of the authorized regulators from the 
Participants and the SEC will have permission to access and view PII 
data].

[[Page 26650]]

The Plan Processor must work with the Participants and SEC to implement 
an administrative and authorization process to provide regulator 
access. The Plan Processor must have procedures and a process in place 
to verify the list of active users on a regular basis.
    A two-factor authentication is required for access to CAT Data. 
[PII data must not be available via the online targeted query tool or 
the user-defined direct query interface.]

8.2 User-Defined Direct Queries and Bulk Extraction of Data

    The Central Repository must provide for direct queries, bulk 
extraction, and download of data for all regulatory users. Both the 
user-defined direct queries and bulk extracts will be used by 
regulators to deliver large sets of data that can then be used in 
internal surveillance or market analysis applications. The data 
extracts must use common industry formats.
    [Direct queries must not return or display PII data. Instead, they 
will return existing non-PII unique identifiers (e.g., Customer-ID or 
Firm Designated ID). The PII corresponding to these identifiers can be 
gathered using the PII workflow described in Appendix D, Data Security, 
PII Data Requirements.]
* * * * *

8.2.2 Bulk Extract Performance Requirements

* * * * *
    Extraction of data must be consistently in line with all 
permissioning rights granted by the Plan Processor. Data returned must 
be encrypted, password protected and sent via secure methods of 
transmission. [In addition, PII data must be masked unless users have 
permission to view the data that has been requested.]
* * * * *

9. CAT Reference Data [Customer and Customer Account Information]

9.1 [Customer and Customer Account Information] Reference Data Storage

    The CAT must capture and store Reference Data [Customer and 
Customer Account Information] in a secure database physically separated 
from the transactional database. The Plan Processor will maintain 
certain information [of sufficient detail to uniquely and consistently 
identify] attributed to each Customer across all CAT Reporters, and 
associated accounts from each CAT Reporter. [The following attributes, 
a]At a minimum, the CAT must capture Transformed Identifiers. [be 
captured:]
    <bullet> [Social security number (SSN) or Individual Taxpayer 
Identification Number (ITIN);]
    <bullet> [Date of birth;]
    <bullet> [Current name;]
    <bullet> [Current address;]
    <bullet> [Previous name; and]
    <bullet> [Previous address.]
    For legal entities, the CAT must capture Legal Entity Identifiers 
(LEIs) (if available).[the following attributes:]
    <bullet> [Legal Entity Identifier (LEI) (if available);]
    <bullet> [Tax identifier;]
    <bullet> [Full legal name; and]
    <bullet> [Address.]
    The Plan Processor must maintain valid Reference Data [Customer and 
Customer Account Information] for each trading day and provide a method 
for Participants' regulatory staff and the SEC to easily obtain 
historical changes to that information[ (e.g., name changes, address 
changes, etc.)].
    [The Plan Processor will design and implement a robust data 
validation process for submitted Firm Designated ID, Customer Account 
Information and Customer Identifying Information, and must continue to 
process orders while investigating Customer information mismatches. 
Validations should:
    <bullet> Confirm the number of digits on a SSN,
    <bullet> Confirm date of birth, and
    <bullet> Accommodate the situation where a single SSN is used by 
more than one individual.]
    The Plan Processor will use the [Customer information] Transformed 
Identifier submitted by all broker-dealer CAT Reporters to the CCID 
Subsystem to assign a unique Customer-ID for each Customer. The 
Customer-ID must be consistent across all broker-dealers that have an 
account associated with that Customer. This unique CAT-Customer-ID will 
not be returned to CAT Reporters and will only be used internally by 
the CAT.
    Broker-Dealers will initially submit full account lists for all 
active accounts to the Plan Processor and subsequently submit updates 
and changes on a daily basis. In addition, the Plan Processor must have 
a process to periodically receive full account lists to ensure the 
completeness and accuracy of the account database. The Central 
Repository must support account structures that have multiple account 
owners and associated Customer information (joint accounts, managed 
accounts, etc.), and must be able to link accounts that move from one 
CAT Reporter to another (e.g., due to mergers and acquisitions, 
divestitures, etc.).
* * * * *

9.2 Required Data Attributes for Customer Information Data Submitted by 
Industry Members

    At a minimum, the following Customer information data attributes 
must be accepted by the Central Repository:
    <bullet> [Account Owner Name;]
    <bullet> [Account Owner Mailing Address;]
    <bullet> [Account Tax Identifier (SSN, TIN, ITN)] Transformed 
Identifier;
    <bullet> Market Identifiers (Larger Trader ID, LEI);
    <bullet> Type of Account;
    <bullet> Firm [Identifier Number] Designated ID;
    [cir] The number that the CAT Reporter will supply on all orders 
generated for the Account;
    <bullet> Prime Broker ID;
    <bullet> Bank Depository ID; and
    <bullet> Clearing Broker.
* * * * *

9.3 Customer-ID Tracking

    The Plan Processor will assign a CAT-Customer-ID for each unique 
Customer. The Plan Processor will [determine] generate and assign a 
unique CAT-Customer-ID [using information such as SSN and DOB for 
natural persons or entity identifiers for Customers that are not 
natural persons and will resolve discrepancies] for each Transformed 
Identifier submitted by broker-dealer CAT Reporters to the CCID 
Subsystem. Once a CAT-Customer-ID is assigned, it will be added to each 
linked (or unlinked) order record for that Customer.
    Participants and the SEC must be able to use the unique CAT-
Customer-ID to track orders from any Customer or group of Customers, 
regardless of what brokerage account was used to enter the order.
* * * * *

9.4 Error Resolution for Customer Data

    [The Plan Processor must design and implement procedures and 
mechanisms to handle both minor and material inconsistencies in 
Customer information. The Central Repository needs to be able to 
accommodate minor data discrepancies such as variations in road name 
abbreviations in searches. Material inconsistencies such as two 
different people with the same SSN must be communicated to the 
submitting CAT Reporters and resolved within the established error 
correction timeframe as detailed in Section 8.]
    The Central Repository must have an audit trail showing the 
resolution of all errors. The audit trail must, at a minimum, include 
the:

[[Page 26651]]

    <bullet> CAT Reporter submitting the data;
    <bullet> Initial submission date and time;
    <bullet> Data in question or the ID of the record in question;
    <bullet> Reason identified as the source of the issue[, such as:];
    [cir] [duplicate SSN, significantly different Name;]
    [cir] [duplicate SSN, different DOB;]
    [cir] [discrepancies in LTID; or]
    [cir] [others as determined by the Plan Processor;]
    <bullet> Date and time the issue was transmitted to the CAT 
Reporter, included each time the issue was re-transmitted, if more than 
once;
    <bullet> Corrected submission date and time, including each 
corrected submission if more than one, or the record ID(s) of the 
corrected data or a flag indicating that the issue was resolved and 
corrected data was not required; and
    <bullet> Corrected data, the record ID, or a link to the corrected 
data.
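
The minimum audit-trail contents listed in Section 9.4 above, expressed as a record check. This is an added example, not part of the notice or the Plan: the field names, the sample records, the ordering checks, and the reading that a "resolved, corrected data not required" flag also satisfies the last bullet are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime
from typing import Optional


@dataclass
class ErrorAuditRecord:
    """One error-resolution entry. All field names are hypothetical."""
    reporter: str = ""                              # CAT Reporter submitting the data
    initial_submission: Optional[datetime] = None
    data_in_question: str = ""
    record_id_in_question: str = ""
    reason: str = ""
    transmitted: list = field(default_factory=list)            # every (re-)transmission time
    corrected_submissions: list = field(default_factory=list)  # every corrected submission time
    corrected_record_ids: list = field(default_factory=list)
    resolved_no_correction: bool = False            # resolved, corrected data not required
    corrected_data: str = ""
    corrected_data_link: str = ""


def validate(rec):
    """Return a list of problems; an empty list means the minimum is met."""
    problems = []
    if not rec.reporter:
        problems.append("missing: CAT Reporter submitting the data")
    if rec.initial_submission is None:
        problems.append("missing: initial submission date and time")
    if not (rec.data_in_question or rec.record_id_in_question):
        problems.append("missing: data in question or ID of the record in question")
    if not rec.reason:
        problems.append("missing: reason identified as the source of the issue")
    if not rec.transmitted:
        problems.append("missing: date and time the issue was transmitted")
    # The corrected-submission bullet accepts any one of three alternatives.
    if not (rec.corrected_submissions or rec.corrected_record_ids
            or rec.resolved_no_correction):
        problems.append("missing: corrected submission time, corrected record "
                        "ID(s), or resolved-without-correction flag")
    # Last bullet: corrected data, its record ID, or a link to it.
    # Assumption: nothing to point at when no correction was required.
    if not rec.resolved_no_correction and not (
            rec.corrected_data or rec.corrected_record_ids
            or rec.corrected_data_link):
        problems.append("missing: corrected data, record ID, or link")
    # Ordering checks are an assumption of this example, not Plan text.
    if rec.initial_submission and rec.transmitted:
        if min(rec.transmitted) < rec.initial_submission:
            problems.append("ordering: issue transmitted before initial submission")
    if rec.transmitted and rec.corrected_submissions:
        if min(rec.corrected_submissions) < min(rec.transmitted):
            problems.append("ordering: correction submitted before issue was transmitted")
    return problems


# Constructed sample records (not real CAT data).
COMPLETE = ErrorAuditRecord(
    reporter="REPORTER-A", initial_submission=datetime(2025, 6, 2, 7, 30),
    record_id_in_question="rec-001", reason="rejected record",
    transmitted=[datetime(2025, 6, 2, 16, 0), datetime(2025, 6, 3, 9, 0)],
    corrected_submissions=[datetime(2025, 6, 4, 11, 0)],
    corrected_record_ids=["rec-001-c1"])
NO_FIX_NEEDED = ErrorAuditRecord(
    reporter="REPORTER-B", initial_submission=datetime(2025, 6, 2, 7, 45),
    data_in_question="account type", reason="flagged for review",
    transmitted=[datetime(2025, 6, 2, 16, 5)], resolved_no_correction=True)
INCOMPLETE = ErrorAuditRecord(
    reporter="REPORTER-C", initial_submission=datetime(2025, 6, 2, 7, 50),
    record_id_in_question="rec-017")
OUT_OF_ORDER = ErrorAuditRecord(
    reporter="REPORTER-D", initial_submission=datetime(2025, 6, 2, 7, 55),
    record_id_in_question="rec-020", reason="rejected record",
    transmitted=[datetime(2025, 6, 2, 16, 10)],
    corrected_submissions=[datetime(2025, 6, 2, 12, 0)],
    corrected_data_link="store://corrected/rec-020")

if __name__ == "__main__":
    for rec in (COMPLETE, NO_FIX_NEEDED, INCOMPLETE, OUT_OF_ORDER):
        print(rec.reporter, validate(rec) or "ok")
```
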
* * * * *

9.5 Deletion from CAIS of Certain Reported Customer Data

    Notwithstanding any other provision of the CAT NMS Plan, this 
Appendix D, or the Exchange Act, CAT LLC shall direct the Plan 
Processor to develop and implement a mechanism to delete from CAIS, or 
otherwise make inaccessible to regulatory users, the following data 
attributes: Customer name, Customer address, account name, account 
address, authorized trader names list, account number, day of birth, 
month of birth, year of birth, and ITIN/SSN. For the avoidance of 
doubt, such data attributes do not constitute records that must be 
retained under Exchange Act Rule 17a-1. CAT LLC or the Plan Processor 
shall be permitted to delete any such information that has been 
improperly reported by an Industry Member to the extent that either 
becomes aware of such improper reporting through self-reporting or 
otherwise.
* * * * *

10. User Support

10.1 CAT Reporter Support

* * * * *
    The Plan Processor must develop tools to allow each CAT Reporter 
to:
* * * * *
    <bullet> Manage Reference Data [Customer and Customer Account 
Information];
* * * * *

10.3 CAT Help Desk

* * * * *
    CAT Help Desk support functions must include:
* * * * *
    <bullet> Supporting CAT Reporters with data submissions and data 
corrections, including submission of Reference Data [Customer and 
Customer Account Information];

EXHIBIT B

Proposed Additional Revisions to Changes in Proposed Amendment

    Additions italicized; deletions [bracketed]
* * * * *

ARTICLE I

DEFINITIONS

* * * * *

Section 1.1. Definitions.

* * * * *
    ``Account Reference Data[Attributes]'' shall include, but not be 
limited to, account type, [customer type,] date account opened, and 
large trader identifier (if applicable) (excluding, for the avoidance 
of doubt, account number); except, however, that (a) in those 
circumstances in which an Industry Member has established a trading 
relationship with an institution but has not established an account 
with that institution, the Industry Member will (i) provide the Account 
Effective Date in lieu of the `date account opened'; and (ii) identify 
the `account type' as a `relationship'; (b) in those circumstances in 
which the relevant account was established prior to the implementation 
date of the CAT NMS Plan applicable to the relevant CAT Reporter (as 
set forth in Rule 613(a)(3)(v) and (vi)), and no `date account opened' 
is available for the account, the Industry Member will provide the 
Account Effective Date in the following circumstances: (i) where an 
Industry Member changes back office providers or clearing firms and the 
date account opened is changed to the date the account was opened on 
the new back office/clearing firm system; (ii) where an Industry Member 
acquires another Industry Member and the date account opened is changed 
to the date the account was opened on the post-merger back office/
clearing firm system; (iii) where there are multiple dates associated 
with an account in an Industry Member's system, and the parameters of 
each date are determined by the individual Industry Member; and (iv) 
where the relevant account is an Industry Member proprietary account. 
For the avoidance of doubt, Industry Members are required to provide a 
Firm Designated ID in accordance with this Agreement.
* * * * *
    ``CCID Subsystem'' means the [isolated] subsystem of the Reference 
Database[CAIS] that exists solely to transform input TID values into 
CCID values.
* * * * *
    ``Customer Reference Data[Attributes]'' means information 
attributed to a Customer, including, but not limited to, (a) with 
respect to individuals: TID, customer type, and the individual's role 
in the account (e.g., primary holder, joint holder, guardian, trustee, 
person with the power of attorney); and (b) with respect to legal 
entities: customer type and [Employer Identification Number (``EIN'')/
]Legal Entity Identifier (``LEI'') or other comparable common entity 
identifier, if applicable; provided, however, that an Industry Member 
that has an LEI for a Customer must submit the Customer's LEI.
* * * * *
    ``Full Availability and Regulatory Utilization of Transactional 
Database Functionality'' means the point at which: (a) reporting to the 
Order Audit Trail System (``OATS'') is no longer required for new 
orders; (b) Industry Member reporting for equities transactions and 
simple electronic options transactions, excluding Customer Account 
Information,\*\ Customer-ID, and Customer Identifying Information,\*\ 
with sufficient intra-firm linkage, inter-firm linkage, national 
securities exchange linkage, trade reporting facilities linkage, and 
representative order linkages (including any equities allocation 
information provided in an Allocation Report) to permit the 
Participants and the Commission to analyze the full lifecycle of an 
order across the national market system, from order origination through 
order execution or order cancellation, is developed, tested, and 
implemented at

[[Page 26652]]

a 5% Error Rate or less; (c) Industry Member reporting for manual 
options transactions and complex options transactions, excluding 
Customer Account Information, Customer-ID, and Customer Identifying 
Information, with all required linkages to permit the Participants and 
the Commission to analyze the full lifecycle of an order across the 
national market system, from order origination through order execution 
or order cancellation, including any options allocation information 
provided in an Allocation Report, is developed, tested, and fully 
implemented; (d) the query tool functionality required by Section 
6.10(c)(i)(A) and Appendix D, Sections 8.1.1-8.1.3, Section 8.2.1, and 
Section 8.5 incorporates the data described in conditions (b)-(c) and 
is available to the Participants and to the Commission; and (e) the 
requirements of Section 6.10(a) are met. This Financial Accountability 
Milestone shall be considered complete as of the date identified in a 
Quarterly Progress Report meeting the requirements of Section 6.6(c).
---------------------------------------------------------------------------

    \*\ Effective [DATE], ``Customer Account Information'' as used 
in the Financial Accountability Milestones (Initial Industry Member 
Core Equity Reporting; Full Implementation of Core Equity Reporting; 
Full Availability and Regulatory Utilization of Transactional 
Database Functionality; and Full Implementation of CAT NMS Plan 
Requirements) is no longer a defined term and has been superseded by 
the new defined term ``Account Reference Data[Attributes]''.
    \*\ Effective [DATE], ``Customer Identifying Information'' as 
used in the Financial Accountability Milestones (Initial Industry 
Member Core Equity Reporting; Full Implementation of Core Equity 
Reporting; Full Availability and Regulatory Utilization of 
Transactional Database Functionality; and Full Implementation of CAT 
NMS Plan Requirements) is no longer a defined term and has been 
superseded by the new defined term ``Customer Reference 
Data[Attributes]''.
---------------------------------------------------------------------------

* * * * *
    ``Reference Data[Customer and Account Attributes]'' shall mean the 
data elements in Account Reference Data[Attributes] and Customer 
Reference Data[Attributes].
    ``Reference Database[CAIS]'' means the [customer and account 
]information system of the CAT containing Reference Data.
* * * * *
    ``Transformed Identifier'' or ``TID'' means the transformed version 
of the input used to identify unique Customers, including, but not 
limited to individual tax payer identification number (``ITIN'') or 
social security number (``SSN'') submitted by Industry Members in place 
of an ITIN or SSN.
* * * * *

ARTICLE VI

FUNCTIONS AND ACTIVITIES OF CAT SYSTEM

* * * * *

Section 6.2. Chief Compliance Officer and Chief Information Security 
Officer

* * * * *
    (a) Chief Compliance Officer.
* * * * *
    (v) The Chief Compliance Officer shall:
* * * * *
    (C) in collaboration with the Chief Information Security Officer, 
and consistent with Appendix D, Data Security, and any other applicable 
requirements related to data security and Reference Data[Customer and 
Account Attributes], identify and assist the Company in retaining an 
appropriately qualified independent auditor (based on specialized 
technical expertise, which may be the Independent Auditor or subject to 
the approval of the Operating Company by Supermajority Vote, another 
appropriately qualified independent auditor), and in collaboration with 
such independent auditor, create and implement an annual audit plan 
(subject to the approval of the Operating Committee), which shall at a 
minimum include a review of all Plan Processor policies, procedures and 
control structures, and real time tools that monitor and address data 
security issues for the Plan Processor and the Central Repository;
* * * * *
    (b) Chief Information Security Officer.
* * * * *
    (v) Consistent with Appendices C and D, the Chief Information 
Security Officer shall be responsible for creating and enforcing 
appropriate policies, procedures, and control structures to monitor and 
address data security issues for the Plan Processor and the Central 
Repository including:
* * * * *
    (F) [Customer and Account Attributes data requirements, including 
the standards set forth in Appendix D, Customer and Account Attributes 
Data Requirements] [Reserved];
* * * * *

Section 6.4. Data Reporting and Recording by Industry Members

* * * * *
    (d) Required Industry Member Data.
* * * * *
    (ii) Subject to Section 6.4(c) and Section 6.4(d)(iii) with respect 
to Options Market Makers, and consistent with Appendix D, Reporting and 
Linkage Requirements, and the Technical Specifications, each 
Participant shall, through its Compliance Rule, require its Industry 
Members to record and report to the Central Repository the following, 
as applicable (``Received Industry Member Data'' and collectively with 
the information referred to in Section 6.4(d)(i) ``Industry Member 
Data''):
* * * * *
    (C) for original receipt or origination of an order, the Firm 
Designated ID for the relevant Customer, and in accordance with Section 
6.4(d)(iv), Reference Data[Customer and Account Attributes] for the 
relevant Customer; and
* * * * *

Section 6.10. Surveillance

* * * * *
    (c) Use of CAT Data by Regulators.
* * * * *
    (ii) Extraction of CAT Data shall be consistent with all permission 
rights granted by the Plan Processor. All CAT Data returned shall be 
encrypted[, and Customer and Account Attributes data shall be masked 
unless users have permission to view the CAT Data that has been 
requested].
* * * * *

APPENDIX D

CAT NMS Plan Processor Requirements

* * * * *

4. Data Security

4.1 Overview

* * * * *
    The Plan Processor must provide to the Operating Committee a 
comprehensive security plan that covers all components of the CAT 
System, including physical assets and personnel, and the training of 
all persons who have access to the Central Repository consistent with 
Article VI, Section 6.1(m). The security plan must be updated annually. 
The security plan must include an overview of the Plan Processor's 
network security controls, processes and procedures pertaining to the 
CAT Systems. Details of the security plan must document how the Plan 
Processor will protect, monitor and patch the environment; assess it 
for vulnerabilities as part of a managed process, as well as the 
process for response to security incidents and reporting of such 
incidents. The security plan must address physical security controls 
for corporate, data center, and leased facilities where Central 
Repository data is transmitted or stored. The Plan Processor must have 
documented ``hardening baselines'' for systems that will store, 
process, or transmit CAT Data[ or Customer and Account Attributes 
data].
* * * * *

4.1.2 Data Encryption

    All CAT Data must be encrypted at rest and in flight using industry 
standard best practices (e.g., SSL/TLS) including archival data storage 
methods such as tape backup. Symmetric key encryption must use a 
minimum key size of 128 bits or greater (e.g., AES-128), larger keys 
are preferable. Asymmetric key encryption (e.g., PGP) for exchanging 
data between Data Submitters and the Central Repository is desirable.

[[Page 26653]]

    [Storage of unencrypted Customer and Account Attributes data is not 
permissible. Customer and Account Attributes encryption methodology 
must include a secure documented key management strategy such as the 
use of HSM(s). The Plan Processor must describe how Customer and 
Account Attributes encryption is performed and the key management 
strategy (e.g., AES-256, 3DES).]
    If public cloud managed services are used that would inherently 
have access to the data (e.g., BigQuery, S3, Redshift), then the key 
management surrounding the encryption of that data must be documented 
(particularly whether the cloud provider manages the keys, or if the 
Plan Processor maintains that control). Auditing and real-time 
monitoring of the service for when cloud provider personnel are able to 
access/decrypt CAT Data must be documented, as well as a response plan 
to address instances where unauthorized access to CAT Data is detected. 
Key management/rotation/revocation strategies and key chain of custody 
must also be documented in detail.
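
The retained requirements of Section 4.1.2 above, applied to a data-store inventory. This is an added example, not part of the notice or the Plan: the inventory format, field names, documentation labels and sample rows are assumptions, and the documentation items are applied only to cloud managed rows, following the paragraph in which they appear.

```python
from dataclasses import dataclass

MIN_SYMMETRIC_KEY_BITS = 128  # Section 4.1.2 minimum (e.g., AES-128)

# Items Section 4.1.2 says must be documented when a public cloud managed
# service inherently has access to the data. The keys are hypothetical labels.
CLOUD_DOCS = {
    "key_management": "key management for the encrypted data",
    "provider_access_monitoring":
        "auditing and real-time monitoring of provider personnel access",
    "response_plan": "response plan for detected unauthorized access",
    "rotation_revocation": "key management/rotation/revocation strategy",
    "chain_of_custody": "key chain of custody",
}


@dataclass
class Store:
    """One place CAT Data is stored or moved (hypothetical inventory row)."""
    name: str
    encrypted_at_rest: bool
    encrypted_in_flight: bool
    symmetric_key_bits: int
    archival: bool = False            # e.g., tape backup
    cloud_managed: bool = False       # provider inherently has access to the data
    key_controller: str = ""          # "provider" or "plan_processor"
    documented: frozenset = frozenset()
    submitter_exchange: bool = False  # Data Submitter to Central Repository link
    asymmetric: bool = False          # e.g., PGP


def check_store(s):
    """Return (severity, message) findings for one inventory row."""
    findings = []
    if not s.encrypted_at_rest:
        where = "archival storage" if s.archival else "storage"
        findings.append(("FAIL", f"{where} is not encrypted at rest"))
    if not s.encrypted_in_flight:
        findings.append(("FAIL", "data is not encrypted in flight"))
    if ((s.encrypted_at_rest or s.encrypted_in_flight)
            and s.symmetric_key_bits < MIN_SYMMETRIC_KEY_BITS):
        findings.append(("FAIL", f"symmetric key is {s.symmetric_key_bits} bits, "
                                 f"minimum is {MIN_SYMMETRIC_KEY_BITS}"))
    if s.cloud_managed:
        # The Plan asks specifically who holds the keys.
        if s.key_controller not in ("provider", "plan_processor"):
            findings.append(("FAIL", "not stated whether the cloud provider or "
                                     "the Plan Processor controls the keys"))
        for key in sorted(CLOUD_DOCS.keys() - s.documented):
            findings.append(("FAIL", f"undocumented: {CLOUD_DOCS[key]}"))
    # "Desirable" in the Plan text, so reported as a note rather than a failure.
    if s.submitter_exchange and not s.asymmetric:
        findings.append(("NOTE", "asymmetric encryption (e.g., PGP) is "
                                 "desirable for this exchange"))
    return findings


def audit(inventory):
    """Map each store name to its findings."""
    return {s.name: check_store(s) for s in inventory}


def failing(inventory):
    """Names of stores with at least one FAIL, in inventory order."""
    return [s.name for s in inventory
            if any(sev == "FAIL" for sev, _ in check_store(s))]


# Constructed inventory (not a description of the real CAT System).
INVENTORY = [
    Store("txn-db", True, True, 256),
    Store("tape-archive", False, True, 128, archival=True),
    Store("submitter-drop", True, True, 112, submitter_exchange=True),
    Store("warehouse", True, True, 256, cloud_managed=True,
          documented=frozenset({"key_management", "response_plan"})),
]

if __name__ == "__main__":
    for name, findings in audit(INVENTORY).items():
        print(name, findings or "ok")
```
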
* * * * *

4.1.4 Data Access

    The Plan Processor must provide an overview of how access to 
[Customer and Account Attributes and other ]CAT Data by Plan Processor 
employees and administrators is restricted. This overview must include 
items such as, but not limited to, how the Plan Processor will manage 
access to the systems, internal segmentation, multi-factor 
authentication, separation of duties, entitlement management, 
background checks, etc.
* * * * *
* * * * *
    Any login to the system [that is able to access Customer and 
Account Attributes data must follow password rules for data that does 
not constitute Customer and Account Attributes and ]must be [further 
]secured via multi-factor authentication (``MFA''). The implementation 
of MFA must be documented by the Plan Processor. MFA authentication 
capability for all logins is required to be implemented by the Plan 
Processor.
* * * * *

4.1.6 [Customer and Account Attributes Data Requirements] [Reserved]

    [Customer and Account Attributes data must not be included in the 
result set(s) from online or direct query tools, reports or bulk data 
extraction. Instead, results will display existing unique identifiers 
(e.g., Customer-ID or Firm Designated ID) that do not constitute 
Customer and Account Attributes. The Customer and Account Attributes 
corresponding to these identifiers can be gathered using the Customer 
and Account Attributes workflow described in Appendix D, Data Security, 
Customer and Account Attributes Data Requirements. By default, users 
entitled to query CAT Data are not authorized for access to Customer 
and Account Attributes. The process by which someone becomes entitled 
for access to Customer and Account Attributes, and how they then go 
about accessing Customer and Account Attributes data, must be 
documented by the Plan Processor. The chief regulatory officer, or 
other such designated officer or employee at each Participant must, at 
least annually, review and certify that people with access to Customer 
and Account Attributes have the appropriate level of access for their 
role.
    Using the RBAC model described above, access to Customer and 
Account Attributes data shall be configured at the Customer and Account 
Attribute level, following the ``least privileged'' practice of 
limiting access as much as possible.
    Customer and Account Attributes data must be stored separately from 
other CAT Data. It cannot be stored with the transactional CAT Data, 
and it must not be accessible from public internet connectivity. A full 
audit trail of access to Customer and Account Attributes (who accessed 
what data, and when) must be maintained. The Chief Compliance Officer 
and the Chief Information Security Officer shall have access to daily 
Customer and Account Attributes reports that list all users who are 
entitled for access to Customer and Account Attributes, as well as the 
audit trail of all access to Customer and Account Attributes that has 
occurred for the day being reported on.]
* * * * *

6.2 Data Availability Requirements

* * * * *

Figure B: Reference Data[Customer and Account Attributes]
[GRAPHIC] [TIFF OMITTED] TN23JN25.001

{changes to the title of the chart: Timeline for Reference 
Data[Customer and Account Attributes]{time} 

    CAT Reference Data[Customer and Account Attributes] data must be 
processed within established timeframes to ensure data can be made 
available to Participants' regulatory staff and the SEC in a timely 
manner. Industry Members submitting new or modified Customer 
information must

[[Page 26654]]

provide it to the Central Repository no later than 8:00 a.m. Eastern 
Time on T+1. The Central Repository must validate the data and generate 
error reports no later than 5:00 p.m. Eastern Time on T+1. The Central 
Repository must process the resubmitted data no later than 5:00 p.m. 
Eastern Time on T+4. Corrected data must be resubmitted no later than 
5:00 p.m. Eastern Time on T+3. The Central Repository must process the 
resubmitted data no later than 5:00 p.m. Eastern Time on T+4. Corrected 
data must be available to regulators no later than 8:00 a.m. Eastern 
Time on T+5.
    Reference Data[Customer information that includes Customer and 
Account Attributes] data must be available to regulators immediately 
upon receipt of initial data and corrected data, pursuant to security 
policies for retrieving Reference Data[Customer and Account 
Attributes].
* * * * *

8. Functionality of the CAT System

8.1 Regulator Access

* * * * *

8.1.1 Online Targeted Query Tool

* * * * *
    The tool must provide a record count of the result set, the date 
and time the query request is submitted, and the date and time the 
result set is provided to the users. In addition, the tool must 
indicate in the search results whether the retrieved data was linked or 
unlinked (e.g., using a flag). [In addition, the online targeted query 
tool must not display any Customer and Account Attributes data. 
Instead, it will display existing unique identifiers (e.g., Customer-ID 
or Firm Designated ID) that do not constitute Customer and Account 
Attributes. The Customer and Account Attributes corresponding to these 
identifiers can be gathered using the Customer and Account Attributes 
workflow described in Appendix D, Data Security, Customer and Account 
Attributes Data Requirements.] The Plan Processor must define the 
maximum number of records that can be viewed in the online tool as well 
as the maximum number of records that can be downloaded. Users must 
have the ability to download the results to .csv, .txt, and other 
formats, as applicable. These files will also need to be available in a 
compressed format (e.g., .zip, .gz). Result sets that exceed the 
maximum viewable or download limits must return to users a message 
informing them of the size of the result set and the option to choose 
to have the result set returned via an alternate method.
* * * * *

8.1.3 Online Targeted Query Tool Access and Administration

    Access to CAT Data is limited to authorized regulatory users from 
the Participants and the SEC. Authorized regulators from the 
Participants and the SEC may access all CAT Data[, with the exception 
of Customer and Account Attributes data. A subset of the authorized 
regulators from the Participants and the SEC will have permission to 
access and view Customer and Account Attributes data]. The Plan 
Processor must work with the Participants and SEC to implement an 
administrative and authorization process to provide regulator access. 
The Plan Processor must have procedures and a process in place to 
verify the list of active users on a regular basis.
    A two-factor authentication is required for access to CAT Data. 
[Customer and Account Attributes data must not be available via the 
online targeted query tool or the user-defined direct query interface.]

8.2 User-Defined Direct Queries and Bulk Extraction of Data

    The Central Repository must provide for direct queries, bulk 
extraction, and download of data for all regulatory users. Both the 
user-defined direct queries and bulk extracts will be used by 
regulators to deliver large sets of data that can then be used in 
internal surveillance or market analysis applications. The data 
extracts must use common industry formats.
    [Direct queries must not return or display Customer and Account 
Attributes data. Instead, they will return existing unique identifiers 
(e.g., Customer-ID or Firm Designated ID) that do not constitute 
Customer and Account Attributes. The Customer and Account Attributes 
corresponding to these identifiers can be gathered using the Customer 
and Account Attributes workflow described in Appendix D, Data Security, 
Customer and Account Attributes Data Requirements.]
* * * * *

8.2.2 Bulk Extract Performance Requirements

* * * * *
    Extraction of data must be consistently in line with all 
permissioning rights granted by the Plan Processor. Data returned must 
be encrypted, password protected and sent via secure methods of 
transmission. [In addition, Customer and Account Attributes data must 
be masked unless users have permission to view the data that has been 
requested.]
* * * * *

9. CAT Reference Data[Customer and Account Attributes]

9.1 [Customer and Account Attributes]Reference Data Storage

    The CAT must capture and store Reference Data[Customer and Account 
Attributes] in a secure database physically separated from the 
transactional database. The Plan Processor will maintain certain 
information attributed to each Customer across all CAT Reporters, and 
associated accounts from each CAT Reporter. At a minimum, the CAT must 
capture Transformed Identifiers.
    For legal entities, the CAT must capture Legal Entity Identifiers 
(LEIs) (if available).
    The Plan Processor must maintain valid Reference Data[Customer and 
Account Attributes] for each trading day and provide a method for 
Participants' regulatory staff and the SEC to easily obtain historical 
changes to that information.
    The Plan Processor will use the Transformed Identifier submitted by 
all broker-dealer CAT Reporters to the [isolated] CCID Subsystem to 
assign a unique Customer-ID for each Customer. The Customer-ID must be 
consistent across all broker-dealers that have an account associated 
with that Customer. This unique CAT-Customer-ID will not be returned to 
CAT Reporters and will only be used internally by the CAT.
    Broker-Dealers will initially submit full account lists for all 
active accounts to the Plan Processor and subsequently submit updates 
and changes on a daily basis. In addition, the Plan Processor must have 
a process to periodically receive full account lists to ensure the 
completeness and accuracy of the account database. The Central 
Repository must support account structures that have multiple account 
owners and associated Customer information (joint accounts, managed 
accounts, etc.), and must be able to link accounts that move from one 
CAT Reporter to another (e.g., due to mergers and acquisitions, 
divestitures, etc.).
* * * * *

9.2 Required Data Attributes for Customer Information Data Submitted by 
Industry Members

    At a minimum, the following Customer information data attributes 
must be accepted by the Central Repository:

[[Page 26655]]

    <bullet> Transformed Identifier[ (with respect to individuals) or 
EIN (with respect to legal entities)];
    <bullet> Market Identifiers (Larger Trader ID, LEI);
    <bullet> Type of Account;
    <bullet> Firm [Identifier Number]Designated ID;
    [cir] The number that the CAT Reporter will supply on all orders 
generated for the Account;
    <bullet> Prime Broker ID;
    <bullet> Bank Depository ID; and
    <bullet> Clearing Broker.
* * * * *

9.3 Customer-ID Tracking

    The Plan Processor will assign a CAT-Customer-ID for each unique 
Customer. The Plan Processor will generate and assign a unique CAT-
Customer-ID for each Transformed Identifier submitted by broker-dealer 
CAT Reporters to the [isolated] CCID Subsystem. Once a CAT-Customer-ID 
is assigned, it will be added to each linked (or unlinked) order record 
for that Customer.
    Participants and the SEC must be able to use the unique CAT-
Customer-ID to track orders from any Customer or group of Customers, 
regardless of what brokerage account was used to enter the order.
* * * * *

10. User Support

10.1 CAT Reporter Support

* * * * *
    The Plan Processor must develop tools to allow each CAT Reporter 
to:
* * * * *
    <bullet> Manage Reference Data[Customer and Account Attributes];
* * * * *

10.3 CAT Help Desk

* * * * *
    CAT Help Desk support functions must include:
* * * * *
    <bullet> Supporting CAT Reporters with data submissions and data 
corrections, including submission of Reference Data[Customer and 
Account Attributes];
* * * * *

Exhibit C

Proposed Changes to CAIS Technical Specifications

              Fields Currently Anticipated To Be Eliminated
------------------------------------------------------------------------
                         Natural person customer   Legal entity customer
      FDID records               records                  records
------------------------------------------------------------------------
accountName              firstName                legalName
authTraderNamesList      middleName               addressList
authTraderName           lastName                 addrType
authTraderNameID         nameSuffix               addrLine1
addressList              doingBusinessAs          addrLine2
addrType                 yearOfBirth              addrLine3
addrLine1                addressList              addrLine4
addrLine2                addrType                 city
addrLine3                addrLine1                regionCode
addrLine4                addrLine2                countryCode
city                     addrLine3                postalCode
regionCode               addrLine4                ein
countryCode              city
postalCode               regionCode               updateNotification
                         countryCode
                         postalCode
                         updateNotification
------------------------------------------------------------------------


               Fields Currently Anticipated To Be Retained
------------------------------------------------------------------------
                         Natural person customer   Legal entity customer
      FDID records               records                  records
------------------------------------------------------------------------
fdidRecordList           naturalPersonCustomerList  legalEntityCustomerList
fdidRecordID             customerRecordID         customerRecordID
fdidCustomerList         customerType             customerType
customerRecordID         .......................  lei
firmDesignatedID
fdidType
accountType
fdidDate
role
roleStartDate
DVPCustodianID
clearingBrokerID
branchOfficeCRD
fdidEndDate
fdidEndReason
replacedByFDID
priorCATReporterCRD
priorCATReporterFDID
largeTraderList
largeTraderRecordID
largeTraderID
ltidEffectiveDate
ltidEndDate
ltidEndReason
roleEndDate

[[Page 26656]]

 
roleEndReason
registeredRepCRD
------------------------------------------------------------------------


[FR Doc. 2025-11427 Filed 6-20-25; 8:45 am]
BILLING CODE 8011-01-P


</pre></body>
</html>
Indexed from Federal Register on June 23, 2025.
