Notice2026-00762
Joint Industry Plan; Order Approving an Amendment to the National Market System Plan Governing the Consolidated Audit Trail, as Modified by Amendment Nos. 1 and 2 and by the Commission, Regarding the Customer and Account Information System
Primary source
Metadata and text below are from the Federal Register, a public-domain U.S. government work. Always verify the official published version before relying on it for any legal matter.
Published
January 16, 2026
Issuing agencies
Securities and Exchange Commission
Full Text
<html>
<head>
<title>Federal Register, Volume 91 Issue 11 (Friday, January 16, 2026)</title>
</head>
<body><pre>
[Federal Register Volume 91, Number 11 (Friday, January 16, 2026)]
[Notices]
[Pages 2164-2193]
From the Federal Register Online via the Government Publishing Office [<a href="http://www.gpo.gov">www.gpo.gov</a>]
[FR Doc No: 2026-00762]
-----------------------------------------------------------------------
SECURITIES AND EXCHANGE COMMISSION
[Release No. 34-104586; File No. 4-698]
Joint Industry Plan; Order Approving an Amendment to the National
Market System Plan Governing the Consolidated Audit Trail, as Modified
by Amendment Nos. 1 and 2 and by the Commission, Regarding the Customer
and Account Information System
January 13, 2026.
I. Introduction
On March 7, 2025, and pursuant to section 11A(a)(3) of the
Securities Exchange Act of 1934 (the ``Exchange Act'') \1\ and Rule 608
of Regulation NMS thereunder,\2\ the Consolidated Audit Trail, LLC
(``CAT LLC''), on behalf of the following parties to the National
Market System Plan Governing the Consolidated Audit Trail (the ``CAT
NMS Plan'' or ``Plan''): \3\ BOX Exchange LLC, Cboe BYX Exchange, Inc.,
Cboe
[[Page 2165]]
BZX Exchange, Inc., Cboe C2 Exchange, Inc., Cboe EDGA Exchange, Inc.,
Cboe EDGX Exchange, Inc., Cboe Exchange, Inc., Financial Industry
Regulatory Authority, Inc., Investors Exchange LLC, Long-Term Stock
Exchange, Inc., MEMX, LLC, Miami International Securities Exchange LLC,
MIAX Emerald, LLC, MIAX PEARL, LLC, MIAX Sapphire, LLC, Nasdaq BX,
Inc., Nasdaq GEMX, LLC, Nasdaq ISE, LLC, Nasdaq MRX, LLC, Nasdaq PHLX
LLC, The NASDAQ Stock Market LLC, New York Stock Exchange LLC, NYSE
American LLC, NYSE Arca, Inc., NYSE National, Inc., and NYSE Texas,
Inc. (f/k/a NYSE Chicago, Inc.) (collectively, the ``Participants'')
filed with the Securities and Exchange Commission (``Commission'') a
proposed amendment to the CAT NMS Plan to reduce the amount of Customer
\4\ information in the CAT Customer and Account Information System
(``CAIS'') (the ``Proposed Amendment'').\5\ The Proposed Amendment was
published for comment in the Federal Register on March 19, 2025
(``Notice'').\6\
---------------------------------------------------------------------------
\1\ 15 U.S.C 78k-1(a)(3).
\2\ 17 CFR 242.608.
\3\ In July 2012, the Commission adopted Rule 613 of Regulation
NMS, which required the Participants to jointly develop and submit
to the Commission a national market system plan to create,
implement, and maintain a consolidated audit trail (the ``CAT'').
See Securities Exchange Act Release No. 67457 (July 18, 2012), 77 FR
45722 (Aug. 1, 2012) (``Rule 613 Adopting Release''); 17 CFR 242.613
(``Rule 613''). On November 15, 2016, the Commission approved the
CAT NMS Plan. See Securities Exchange Act Release No. 78318, 81 FR
84696 (Nov. 23, 2016) (``CAT NMS Plan Approval Order''). The CAT NMS
Plan is Exhibit A to the CAT NMS Plan Approval Order. See CAT NMS
Plan Approval Order, at 84943-85034.
\4\ A ``Customer'' means ``the account holder(s) of the account
at a registered broker-dealer originating the order; and any person
from whom the broker-dealer is authorized to accept trading
instructions for such account, if different from the account
holder(s).'' See CAT NMS Plan, supra note 3, at section 1.1.
\5\ See Letter from Brandon Becker, CAT NMS Plan Operating
Committee Chair, dated Mar. 7, 2025. On August 6, 2025, 24 National
Exchange LLC became a Participant. See Securities Exchange Act
Release No. 103702 (Aug. 13, 2025), 90 FR 40092 (Aug. 18, 2025).
\6\ See Securities Exchange Act Release No. 102665 (Mar. 13,
2025), 90 FR 12845. Comments received in response to the Notice can
be found on the Commission's website at <a href="https://www.sec.gov/comments/4-698/4-698-f.htm">https://www.sec.gov/comments/4-698/4-698-f.htm</a>.
---------------------------------------------------------------------------
On May 28, 2025, the Participants filed Amendment No. 1 to the
Proposed Amendment (``Amendment No. 1'').\7\ On June 17, 2025, the
Commission noticed Amendment No. 1 for comment and instituted
proceedings to determine whether to approve or disapprove the Proposed
Amendment, as modified by Amendment No. 1, with any changes or subject
to any conditions the Commission deems necessary or appropriate after
considering public comment (the ``OIP'').\8\
---------------------------------------------------------------------------
\7\ See Letter from Brandon Becker, CAT NMS Plan Operating
Committee Chair, dated May 28, 2025 (``CAT LLC May Response
Letter'').
\8\ See Securities Exchange Act Release No. 103288, 90 FR 26637
(June 23, 2025). Comments received in response to Amendment No. 1
can be found on the Commission's website at <a href="https://www.sec.gov/comments/4-698/4-698-f.htm">https://www.sec.gov/comments/4-698/4-698-f.htm</a>.
---------------------------------------------------------------------------
On September 11, 2025, to provide sufficient time to consider the
changes set forth in Amendment No. 1 and any comments received on
Amendment No. 1, the Commission designated a longer period within which
to conclude proceedings.\9\ On November 14, 2025, the Commission
extended the period within which to conclude proceedings regarding the
Proposed Amendment, as modified by Amendment No. 1, to January 13,
2026.\10\ On December 1, 2025, the Participants filed Amendment No. 2
to the Proposed Amendment (``Amendment No. 2'').\11\ On December 5,
2025, Amendment No. 2 was published in the Federal Register.\12\
---------------------------------------------------------------------------
\9\ See Securities Exchange Act Release No. 103946, 90 FR 44734
(Sept. 16, 2025).
\10\ See Securities Exchange Act Release No. 104179, 90 FR 51801
(Nov. 18, 2025).
\11\ See Letter from Robert Walley, CAT NMS Plan Operating
Committee Chair, to Vanessa Countryman, Secretary, Commission, dated
Dec. 1, 2025 (``CAT LLC December Response Letter'').
\12\ See Securities Exchange Act Release No. 104290 (Dec. 2,
2025), 90 FR 56224 (``Notice of Amendment No. 2''). Comments
received in response to Amendment No. 2 can be found on the
Commission's website at <a href="https://www.sec.gov/comments/4-698/4-698-f.htm">https://www.sec.gov/comments/4-698/4-698-f.htm</a>.
---------------------------------------------------------------------------
The Commission is approving the Proposed Amendment, as modified by
Amendment Nos. 1 and 2 (hereinafter, the ``Proposed Amendment'' unless
otherwise noted), and as modified by the Commission. For the reasons
discussed below, the Commission finds that the Proposed Amendment, as
modified by Amendment Nos. 1 and 2, and as modified by the Commission,
is appropriate in the public interest, for the protection of investors
and the maintenance of fair and orderly markets, to remove impediments
to, and perfect the mechanism of a national market system, or is
otherwise in furtherance of the purposes of the Exchange Act.
II. Background
On July 11, 2012, the Commission adopted Rule 613 of Regulation
NMS, which required the SROs to submit a national market system
(``NMS'') plan to create, implement and maintain a consolidated audit
trail that would capture customer and order event information for
orders in NMS securities.\13\ The Commission had found that the prior,
fragmented regulatory data infrastructure had become outdated and
inadequate to effectively oversee a complex, dispersed, and highly
automated national market system.\14\ In performing their oversight
responsibilities before CAT, the SROs and the Commission pulled
disparate data from a variety of existing information systems lacking
in completeness, accuracy, accessibility, and/or timeliness.\15\ That
model neither supported the efficient aggregation of data from multiple
trading venues nor yielded complete and accurate market activity
data.\16\ In particular, the shortcomings of the disparate systems on
which the Commission and the SROs previously relied made it impractical
to follow orders through their entire lifecycle as they may be routed,
aggregated, re-routed, and disaggregated across multiple markets.\17\
CAT was designed to address those concerns by consolidating customer
and order event data previously available from disparate sources into a
single audit trail system that would facilitate cross-market oversight
of the national market system.
---------------------------------------------------------------------------
\13\ 17 CFR 242.613; Rule 613 Adopting Release.
\14\ See Rule 613 Adopting Release, at 45723-36.
\15\ Id. at 45723.
\16\ Id.
\17\ See CAT NMS Plan Approval Order, at 84698.
---------------------------------------------------------------------------
On November 15, 2016, the Commission approved the CAT NMS Plan,
and, among other things, concluded that the CAT would improve the
completeness, accuracy, accessibility, and timeliness of the data
available to regulators, and that these improvements would
significantly improve regulatory efforts by the SROs and the
Commission, including market surveillance, market reconstructions,
enforcement investigations, and examinations of market participants,
thereby strengthening the integrity and efficiency of the markets.\18\
---------------------------------------------------------------------------
\18\ See id. at 84727, 84800.
---------------------------------------------------------------------------
At the inception of CAT, customer information was considered
important to enable regulators to more quickly and reliably identify
the customers associated with potentially unlawful trading activity and
to facilitate the reconstruction of important market events.\19\ At the
same time, the Commission has sought to balance these benefits against
the risks associated with collecting and storing personally
identifiable investor information. From the start, for example,
personal customer information in CAT has been stored separately from
transaction data. The transaction database contains only anonymized
order and event data, including anonymized customer identifiers. The
CAT NMS Plan contains a number of provisions designed to mitigate the
risks of a security breach of personally identifying information
(``PII'') data.\20\
---------------------------------------------------------------------------
\19\ See Rule 613 Adopting Release, at 45731, 45772.
\20\ See, e.g., Section 6.5(f) of the CAT NMS Plan (requirements
relating to, among other things, CAT data security, access, and
logging).
---------------------------------------------------------------------------
In 2020, in light of concerns raised by market participants,
industry representatives and the Participants, the Commission granted
exemptive relief that limited the personal customer information that
must be reported to CAT to name, address, and birth year
[[Page 2166]]
(``CCID Exemption Order'').\21\ The CCID Exemption Order also permitted
the Participants to implement the CCID alternative or CCID process.
Under the CCID alternative, the Plan Processor generates a unique CAT
Customer-ID, or CCID, using a two-phase transformation process that
avoids having individual social security numbers or tax-payer
identification numbers (``SSNs/ITINs'') reported to or stored in the
CAT. In the first transformation phase, a CAT Reporter transforms the
SSN/ITIN into an interim transformed value. This transformed value, and
not the SSN/ITIN, is submitted to a separate system within the CAT
(``CCID Subsystem''). The transformed value is sent to the CAT separate
and apart from the other customer and account information.\22\ The CCID
Subsystem then performs a second transformation to create the globally
unique CCID for each Customer that is unknown to, and not shared with,
the original CAT Reporter. The CCID is then sent to the customer and
account information system (``CAIS'') of the CAT, where it is linked
with the other customer and account information. The CCID may then be
used by the Participants' regulatory staff and Commission staff in
queries and analysis of CAT data.
---------------------------------------------------------------------------
\21\ See Securities Exchange Act Release No. 88393 (Mar. 17,
2020), 85 FR 16152, 16156 (Mar. 20, 2020), <a href="https://www.govinfo.gov/content/pkg/FR-2020-03-20/pdf/2020-05935.pdf">https://www.govinfo.gov/content/pkg/FR-2020-03-20/pdf/2020-05935.pdf</a> (``CCID Exemption
Order'').
\22\ See CCID Exemption Order, at 16153.
---------------------------------------------------------------------------
In February 2025, the Commission provided an exemption from the
requirement to report other personal customer information not covered
by the CCID Exemption Order (collectively, ``Name, Address, and YOB'')
for natural persons with social security numbers or tax-payer
identification numbers (the ``CAIS Exemption Order'').\23\ The CAIS
Exemption Order did not extend this relief to the reporting of customer
information to foreign natural persons and legal entities. The
Commission explained that it weighed the benefits of maintaining
certain PII in the CAT differently in light of both the heightened
security risks posed by the increased sophistication of bad actors and
the prospect of relatively efficient indirect access to customer
information.\24\ The Commission concluded that the regulatory benefit
of collecting the names, addresses and years of birth for natural
persons reported with transformed SSNs no longer justified the
associated risks.\25\ The Commission emphasized, however, that the
system of generating reliable CCIDs--the anonymized, unique customer
identifiers contained in the CAT that are linked to each order event
captured in the transaction database--would not be impacted.\26\ Thus,
if a regulator needs to determine the identity of the individual behind
a particular CCID, the regulator would be able to use one or more of
the Firm Designated IDs (``FDIDs'') associated with the CCID and
contact the broker-dealer(s) who reported the FDID(s) and request the
name, address and/or year of birth for the individual Customer.\27\
---------------------------------------------------------------------------
\23\ See Securities Exchange Act Release No. 102386 (Feb. 10,
2025), 90 FR 9642, 9643 (Feb. 14, 2025), <a href="https://www.sec.gov/files/rules/sro/nms/2025/34-102386.pdf">https://www.sec.gov/files/rules/sro/nms/2025/34-102386.pdf</a> (``CAIS Exemption Order'').
\24\ Id. at 9644.
\25\ Id. at 9644-45.
\26\ Id. at 9645.
\27\ Id.
---------------------------------------------------------------------------
The Participants now propose to amend the CAT NMS Plan to: (i)
incorporate and codify the CCID Exemption Order; (ii) incorporate and
codify the CAIS Exemption Order; (iii) expand upon the CAIS Exemption
Order's relief by eliminating the reporting requirements relating to
Names, Addresses, and YOBs for all customers, including foreign natural
persons and legal entities; (iv) make other modifications related to
the elimination of personally identifying information from the CAT; and
(v) and require CAT LLC to direct the Plan Processor to delete from
CAIS previously reported customer data currently stored in the CAT.
These amendments would have the effect of eliminating all CAT NMS Plan
requirements to report Names, Addresses, YOBs, SSNs/ITINs, and EINs to
the CAT and to remove such previously reported customer information
stored in the CAT, as well as codify the Participants' current method
of generating anonymized customer identifiers without requiring the
receipt or storage of individual SSNs/ITINs in the CAT.
III. Discussion and Commission Findings
Section 11A of the Exchange Act authorizes the Commission, by rule
or order, to authorize or require the self-regulatory organizations to
act jointly with respect to matters as to which they share authority
under the Exchange Act in planning, developing, operating, or
regulating a facility of the national market system.\28\ Rule 608(a) of
Regulation NMS states that any two or more self-regulatory
organizations, acting jointly, may file a national market system plan
or may propose an amendment to an effective national market system plan
by submitting the text of the plan or amendment to the Commission by
email, together with a statement of the purpose of such plan or
amendment and, to the extent applicable, the documents and information
required by paragraphs (a)(4) and (5) of Rule 608.\29\ Under Rule
608(b)(2) of Regulation NMS, the Commission shall approve a national
market system plan or proposed amendment to an effective national
market system plan, with such changes or subject to such conditions as
the Commission may deem necessary or appropriate, if it finds that such
plan or amendment is necessary or appropriate in the public interest,
for the protection of investors and the maintenance of fair and orderly
markets, to remove impediments to, and perfect the mechanisms of, a
national market system, or otherwise in furtherance of the purposes of
the Exchange Act.\30\ The Commission shall disapprove a national market
system plan or proposed amendment if it does not make such a
finding.\31\
---------------------------------------------------------------------------
\28\ See 15 U.S.C. 78k-1(a)(3)(B).
\29\ 17 CFR 242.608(a).
\30\ 17 CFR 242.608(b)(2).
\31\ See id. Approval or disapproval of a national market system
plan, or an amendment to an effective national market system plan
(other than an amendment initiated by the Commission), shall be by
order. Id. In addition, Rule 700(b)(3)(ii) of the Commission's Rules
of Practice states that ``[t]he burden to demonstrate that a NMS
plan filing is consistent with the Exchange Act and the rules and
regulations issued thereunder that are applicable to NMS plans is on
the plan participants that filed the NMS plan filing.'' 17 CFR
201.700(b)(3)(ii). ``Any failure of the plan participants that filed
the NMS plan filing to provide such detail and specificity may
result in the Commission not having a sufficient basis to make an
affirmative finding that a NMS plan filing is consistent with the
Exchange Act and the rules and regulations issued thereunder that
are applicable to NMS plans.'' Id.
---------------------------------------------------------------------------
For the reasons described below, the Commission finds that the
Proposed Amendment, as modified by Amendment Nos. 1 and 2, and by the
Commission as described below in Part III.C, meets the required
standard.\32\
---------------------------------------------------------------------------
\32\ 17 CFR 242.608(b)(2).
---------------------------------------------------------------------------
A. Codification of the CCID Exemption Order and CCID Alternative
The Proposed Amendment codifies the CCID Exemption Order, which, as
described above, allows the Participants to implement a two-phase CCID
creation process and also provided exemptive relief from CAT NMS Plan
requirements related to the reporting of SSNs/ITINs, dates of birth,
and account numbers to the CAT.\33\ Under the CCID creation
[[Page 2167]]
process, unique CCIDs are created using a two-phase transformation
process that avoids having SSNs/ITINs reported to or stored in the CAT.
---------------------------------------------------------------------------
\33\ Among other changes to the CAT NMS Plan discussed below in
Part III.B, the Participants propose to revise Section 9.3 of
Appendix D to incorporate the existing process under the CCID
Exemption Order by which the Plan Processor determines a unique CCID
for each Customer, a process which is described in further detail
above in Part II. See Notice, supra note 6, at 12848.
---------------------------------------------------------------------------
To effectuate this change, the Proposed Amendment adds several new
defined terms in section 1.1 of the CAT NMS Plan: ``CCID Subsystem,''
\34\ ``Reference Data,'' \35\ ``Reference Database,'' \36\ and
Transformed Identifier (``TID'').\37\ ``CCID Subsystem'' means the
subsystem of the Reference Database that exists solely to transform
input TID values into CCID values. ``Reference Data'' shall mean the
data elements in Account Reference Data and Customer Reference Data.
``Reference Database'' means the information system of CAT containing
Reference Data. TID means the transformed version of the input used to
identify unique Customers, including, but not limited to ITIN or SSN
submitted by Industry Members in place of an ITIN or SSN.
---------------------------------------------------------------------------
\34\ See proposed Section 1.1.
\35\ See proposed Section 1.1.
\36\ See proposed Section 1.1.
\37\ See proposed Section 1.1. The Participants originally
proposed a defined term ``CAIS,'' but modified that to ``Reference
Database,'' in Amendment No. 1, as ``CAIS'' and ``customer and
account information system'' terminology would no longer apply given
the limited nature and scope of data that would be collected under
the Proposed Amendment, and that the terminology was predicated on
concepts relating to the collection of PII that would no longer
accurately describe the database. See OIP, supra note 8, at 26637,
39.
---------------------------------------------------------------------------
Commenters discussed the CAIS database \38\ (which was later
proposed to be renamed as the Reference Database, as discussed above)
and the CCID creation process. One commenter suggests it may be
possible for the CAIS database to be eliminated entirely and any CAIS
processes related to creating the CCIDs to be switched to the
Transactions database.\39\ Another commenter states that market
participants have raised questions about whether the Commission expects
the SROs to retain either or both of the CAIS database and CCID
functionality, and asks for ``SEC guidance on its future plans for CAIS
and potential use of the CCID.'' \40\ This commenter states that absent
PII, its members have questioned the continuing need for the CAIS
database.\41\ This commenter ``calls on the Commission to provide
further, explicit guidance on its expectations for the future direction
of the CAT.'' \42\
---------------------------------------------------------------------------
\38\ In Amendment No. 1 the Participants modified the Proposed
Amendment to rename ``CAIS'' to the ``Reference Database,'' but
several commenters use the term CAIS and CAIS database both prior
and after the publication of Amendment No. 1. For purposes of this
Order, references to ``CAIS database'' apply to the ``Reference
Database'' as defined by the Proposed Amendment.
\39\ See Letter from H. Meyerson, Managing Director, Financial
Information Forum (``FIF'') to Secretary, Commission, dated Apr. 9,
2025 (``FIF April Letter''), at 4-5. The commenter states that the
Participants have stated that the CAT operating budget for 2025
includes approximately $35.5 million in CAIS-related costs and asks
for further information to determine the potential for additional
cost savings beyond the $12 million in cost savings projected from
the Proposed Amendment. Id. This commenter also expresses support
for consideration of a Petition for Rulemaking and Exemptive Relief
submitted by certain Participants that would, among other things,
retire the CAIS system, but asks for additional detail before they
could meaningfully comment on such a proposal. See Letter from H.
Meyerson, Managing Director, FIF, to Secretary, Commission, dated
July 14, 2025 (``FIF July Letter''), at 12.
\40\ See Letter from J. Corcoran, Managing Director and
Associate General Counsel, and G. O'Hara, Vice President and
Assistant General Counsel, SIFMA, to Vanessa Countryman, Secretary,
Commission, dated May 30, 2025 (``SIFMA Letter''), at 2-4. The
commenter states that the Commission indicated in the CAIS Exemption
Order that CCID functionality should be retained, but it did not
explicitly tell the SROs to do so. Id. at 4.
\41\ Id. at 3-4.
\42\ Id. at 4.
---------------------------------------------------------------------------
One commenter, representing a group of Participants, states that
CCIDs are needed for the Participants to comply effectively with their
SRO obligations, and that transitioning to a CAT without CCIDs would
bring further increased costs to both the SROs and the industry to
allow for changes to the CAT system and to meet new reporting
requirements.\43\ The commenter states that the removal of CCIDs would
increase costs, because without CCIDs, the burden and costs of
responding to blue sheet requests would increase for broker-dealers, as
well as increase burdens and costs to SROs.\44\ However, this commenter
states that CAIS could be eliminated in its entirety, but only if some
form of CAIS persists until an alternative effective and cost-efficient
solution for CCIDs--or another unique customer identifier methodology--
is implemented.\45\
---------------------------------------------------------------------------
\43\ See Letter from Jaime Klima, General Counsel, NYSE, to
Vanessa Countryman, Secretary, Commission, dated July 22, 2025
(``NYSE Letter''), at 2.
\44\ Id. at 2-3; see also FIF July Letter, at 6 (stating that
electronic blue sheets does not include FDIDs or CCIDs and therefore
it cannot be used to link CAT transactional data with customer
information)
\45\ Id. at 2.
---------------------------------------------------------------------------
The Participants state that under the Proposed Amendment, as
currently designed, the Reference Database would be maintained to
facilitate the mapping of unique CCIDs to FDIDs and would preserve the
CCID enrichment of transaction data.\46\ The Participants state that
this functionality allows regulators the ability to identify a
customer's market activity across multiple exchanges, broker-dealers,
and accounts, which was one of the critical innovations of the CAT.\47\
The Participants state that this approach was informed by significant
discussion and was strongly supported by industry.\48\ However, the
Participants state that there may be additional proposals to eliminate
the Reference Database entirely, which will require further analysis,
but that they hope that the Proposed Amendment could be considered and
approved expeditiously as they continue to evaluate additional cost
savings measures and alternatives.\49\
---------------------------------------------------------------------------
\46\ See CAT LLC May Response Letter, at 17-18. The Participants
also represent that regulatory users would still be able to query
transaction data by CCID, and the Proposal would not impact
reciprocal functionality allowing regulatory users with access to
SSNs and/or EINs to input those values into the query tool to
identify associated CCIDs. See id. at 7 n.19.
\47\ Id. at 17-18.
\48\ Id. at 18.
\49\ Id. at 18.
---------------------------------------------------------------------------
One commenter raises potential security and privacy concerns with
the retention of TID values, which the commenter understands is
retained by the Plan Processor.\50\ The commenter states that it
believes a TID for a U.S. natural person could be reverse engineered to
obtain the underlying SSN used to generate a TID, and asks for
clarification as to whether TID values are retained by the Plan
Processor and if so, requests that they be removed after the generation
of an associated CCID.\51\ The commenter continues to state that its
members are concerned that the ``cybersecurity threat landscape has
significantly changed since 2020, when the CCID alternative was devised
and the process of creating CCIDs was put in place.'' \52\ The
commenter states that maintaining TIDs means that the Proposed
Amendment does not fully achieve the objective of removing PII from
CAT, since TIDs are vulnerable to a ``rainbow table attack.'' \53\ The
commenter specifically states that the Commission should still approve
the rule filing, but states that CAT LLC could modify the CAT system in
a manner that would not require the retention of TIDs in their current
form, as a future enhancement to CAT to
[[Page 2168]]
protect personally identifiable information.\54\
---------------------------------------------------------------------------
\50\ See FIF July Letter, at 9-10.
\51\ Id.
\52\ See Letter from Howard Meyerson, Managing Director, FIF, to
Secretary, Commission, dated Aug. 21, 2025 (``FIF August Letter''),
at 7.
\53\ See also FIF July Letter, at 9 (stating that because there
are a finite number of SSNs (equal to one billion), any TID for a
U.S. natural person could be reverse engineered to the underlying
SSN through applying the SHA-256 hash to each of the one billion
potential SSNs).
\54\ FIF August Letter, at 8.
---------------------------------------------------------------------------
In response, the Participants state that if TIDs were not retained,
the CCID could not be used for its intended purpose of conducting
cross-market, cross-broker, and cross-account surveillance of a single
customer's trading activity, nor could it even be used for surveillance
of the same broker or same account.\55\ The Participants state that
without TIDs, there would be no mapping of TIDs to CCIDs; if there is
no mapping of TIDs to CCIDs, there would be no way to ascertain if a
reported TID already has a designated CCID, so every reported TID would
be assigned a new CCID, even if the TID had previously been reported by
the same broker-dealer and associated with the same FDID.\56\ The
Participants note that the process for creating CCIDs has been in place
since 2020 and the concern raised by the commenter was taken into
account when the CCID alternative was ultimately proposed, and states
that TIDs are reported and stored in an isolated, secure database
called the CCID Subsystem, separate from other information reported to
CAIS and with very limited access by Plan Processor staff.\57\
---------------------------------------------------------------------------
\55\ See Letter from Robert Walley, CAT NMS Plan Operating
Committee Chair, to Vanessa Countryman, Secretary, Commission, dated
Sept. 16, 2025 (the ``CAT LLC September Response Letter''), at 8
n.30.
\56\ Id.
\57\ Id.
---------------------------------------------------------------------------
Another commenter stated that its members have raised concerns
about whether CCID could be viewed as another form of PII due to the
current operation of the CAT system.\58\ Specifically, the commenter
states that once a regulator establishes a link between an investor and
a CCID, it is able to know and track that investor's trading activity
in CAT theoretically in perpetuity--even in the absence of any evidence
of wrongdoing.\59\ In addition, because CAT captures all of an
investor's trading activity in equities and listed options, once a
regulator knows the identity of an investor behind a CCID, the
regulator has the ability see all of that investor's trading activity
across markets and brokers even if this activity falls outside of the
scope of the regulator's purpose for requesting the investor's
identity.\60\ Another commenter, who recommends disapproval of the
Proposed Amendment, states that they are suspicious about CCID and how
it may be misused, asking if CCID, non-public data and PII report logs
offer valuable insights to help exchanges target and attract order
flow.\61\ A different commenter, representing a group of Participants,
states that ``CCIDs contain no personally identifiable information and
therefore pose no cybersecurity or privacy risk.'' \62\
---------------------------------------------------------------------------
\58\ See SIFMA Letter, at 5.
\59\ Id.
\60\ See SIFMA Letter, at 5.
\61\ See Letter from Kelvin To, Founder and President, Data
Boiler Technologies, LLC, to Vanessa Countryman, Secretary,
Commission, dated Dec. 26, 2025, at 4 (``Data Boiler Letter'').
\62\ See NYSE Letter, at 2.
---------------------------------------------------------------------------
It is appropriate for the Proposed Amendment to incorporate the
relief granted in the CCID Exemption Order into the CAT NMS Plan,
which, among other things, codifies the current CCID creation process
into the CAT NMS Plan. As described above in Part II, the CCID process
(or CCID alternative) allows the Participants to generate a unique CCID
using a two-phase transformation process that avoids having SSNs/ITINs
reported to or stored in the CAT. This process was the product of
coordination between the Participants and security experts from member
firms of SIFMA,\63\ and has been implemented successfully by the
Participants since the Commission issued the CCID Exemption Order.
---------------------------------------------------------------------------
\63\ See CCID Exemption Order, at 16152.
---------------------------------------------------------------------------
The Commission agrees that the CCID process should be maintained
and codified in the Plan. The proposed modifications to the CAT NMS
Plan, including the proposed new definitions to be added to the CAT NMS
Plan, are reasonably designed to codify this existing process. The
ability to link information about order events throughout the national
market system to a unique customer identifier is one of the core
regulatory advances of the CAT over the fragmented regulatory data
sources that preceded it.\64\ The CCID process makes that possible,
allowing for the tracking of a specific order of a Customer throughout
its entire lifecycle without the reporting or storage of social
security numbers in the CAT. In doing so, the CCID process greatly
facilitates the regulatory and surveillance efforts of the Participants
and the Commission by, among other things, enabling regulators to
detect potentially unlawful trading activity and to identify those
responsible for or victims of it.\65\ Codification of the CCID process,
combined with the further elimination of PII reporting as described in
Part III.B. below, preserves the regulatory benefits of the CAT while
addressing the privacy, security, and other risks associated with
capturing and storing personal customer information in the CAT.
---------------------------------------------------------------------------
\64\ See CCID Exemption Order, at 16156 n.78. See also CAT LLC
September Response Letter, at 3-4 (stating that the Plan Processor
would continue to create a unique CCID and provide CCID enrichment
of transaction data in the same way that it does today under the
Proposed Amendment, allowing regulators to conduct cross-market,
cross-broker, and cross-account surveillance--and preserving the
core regulatory goals of SEC Rule 613).
\65\ See CCID Exemption Order, at 16156 & n.78.
---------------------------------------------------------------------------
In addition, the CAT NMS Plan imposes numerous requirements related
to data security, access, and logging, that are reasonably designed to
prevent a regulator from using CCIDs for non-regulatory purposes.\66\
The Commission continues to believe that the CCID process provides CAT
the ability to provide customer attribution of order and trade activity
even if such trading activity spans multiple broker-dealers, and
without this ability, the value and usefulness of the CAT would be
significantly diminished.\67\
---------------------------------------------------------------------------
\66\ See, e.g., Section 6.5(f) of the CAT NMS Plan.
\67\ See CCID Exemption Order, at 16156 n.78.
---------------------------------------------------------------------------
The Commission also agrees with the Participants' approach with
respect to the TID and maintenance of TID information in an isolated,
secure database within the CCID Subsystem.\68\ As explained by the
Participants, without retaining TIDs the CCID process could not work,
because without the ability to map TIDs to CCIDs there would be no way
to ascertain if a reported TID has already been assigned a CCID,
meaning that each TID would be assigned a new CCID.\69\ This would make
CCIDs substantially less useful for regulators, as certain customers
could have multiple CCIDs and cross-market, cross-broker, and cross-
account surveillance of a single customer's trading activity would be
impractical. As noted by the Participants, TID information is subject
to substantial protection, as it is reported and stored in an isolated,
secure database, the CCID Subsystem, separate from any other
information reported to CAIS, and only a very limited, defined, and
pre-approved set of Plan Processor staff may be assigned temporary
access to this database strictly for operational issues.\70\
---------------------------------------------------------------------------
\68\ See CAT LLC September Response Letter, at 8 n.30.
\69\ Id.
\70\ Id.
---------------------------------------------------------------------------
With respect to questions about the future of the Reference
Database (formerly the CAIS system), CCID functionality, and the CAT
more generally,\71\ approval of the Proposed Amendment today will
codify the CCID alternative into the CAT NMS Plan. The Proposed
Amendment does not propose
[[Page 2169]]
to move the process of creating CCIDs to the Transactions database and
to eliminate the CAIS system, as one commenter suggested, and the
Commission declines to decide that issue in this Order. The Commission
is engaged in a comprehensive review of the CAT,\72\ and as part of
this process the Commission expects to engage with the Participants,
Industry Members, and the public more broadly on issues relating to the
future of CAT, the CCID creation process, functionality and security,
and the Reference Database, among other things.
---------------------------------------------------------------------------
\71\ See, supra, notes 39-42, and accompanying text.
\72\ See Securities Exchange Act Release No. 104144 (Sept. 30,
2025), 90 FR 47853, 47854 (Oct. 2, 2025) (stating that ``the
Chairman of the Commission instructed the staff to undertake a
comprehensive review of the CAT'' and citing Prepared Remarks Before
SEC Speaks, Chairman Paul S. Atkins, May 19, 2025, available at
<a href="https://www.sec.gov/newsroom/speeches-statements/atkins-prepared-remarks-sec-speaks-051925">https://www.sec.gov/newsroom/speeches-statements/atkins-prepared-remarks-sec-speaks-051925</a>). See also SIFMA Letter, at 2 (stating
that the commenter ``wholeheartedly'' supports the announced
comprehensive review of the CAT and is submitting a separate letter
with several high-level recommendations).
---------------------------------------------------------------------------
Large Trader and Legal Entity Identifiers
One commenter states that the Proposed Amendment also should
eliminate reporting requirements for a large trader field on FDID
records, stating that it is unnecessary because the Commission can
track activity based on CCID, and should also eliminate the existing
requirement to report legal entity identifiers (``LEIs'') for legal
entities.\73\ One commenter, representing a group of Participants,
states that there would be no impact to regulatory functionality for
that group of Participants if legal entity identifiers were removed
from CAIS.\74\ The Participants state that while legal entity names are
eliminated from the CAT pursuant to the Proposed Amendment (discussed
below in Part III.B), FDIDs would be associated with valid LEIs and, if
applicable, large trader identifiers, allowing regulators to use this
information to identify the name of a legal entity associated with a
particular FDID.\75\
---------------------------------------------------------------------------
\73\ See FIF April Letter, at 3; FIF July Letter, at 12.
\74\ See NYSE Letter, at 2.
\75\ See CAT LLC May Response Letter, at 10. The Participants
also, in the context of removing the reporting of EINs, discussed in
Part III.B. below, provide statistics on the number of customers
with LEIs and EINs. See CAT LLC September Response Letter, at 6. The
Participants state that there are approximately 4,243,672 U.S. legal
entity Customers and 143,793 foreign legal entity Customers in CAIS.
Id. Of the U.S. legal entity Customers, 37,627 have both LEIs and
EINs; none have only an LEI; and 4,206,045 have only EINs. Id. With
respect to foreign legal entity Customers, 2,391 have both an LEI
and EIN, 33,730 have only an LEI, 169 have only an EIN, and 107,503
have neither an LEI nor EIN. Id. The Participants state that all
such customers have a CCID in CAIS and it is anticipated that
regulators will be able to continue to perform cross-market, cross
broker, and cross-account surveillance of both U.S. and foreign
legal entities as they will for natural persons. Id.
---------------------------------------------------------------------------
While there may be further cost savings that could be achieved with
the elimination of large trader and LEI reporting, the Proposed
Amendment does not propose to eliminate the reporting requirements
associated with large trader and LEI, and the Commission declines to
decide that issue in this Order. The Proposed Amendment retains such
reporting requirements, which is reasonable, as large trader and LEI
reporting could allow regulators to more easily identify legal entities
in CAT in the absence of a legal entity name, especially in the context
of legal entities with multiple sub-accounts and sub-entities.
In addition, a commenter suggests that the Commission should
provide exemptive relief from large trader requirements, or otherwise
evaluate large trader reporting requirements generally in light of the
existence of CAT and CAIS, which should allow regulators to determine
the activity level of any CCID across accounts at the same broker-
dealer and across accounts at different broker dealers.\76\ The
commenter specifically requests exemptive relief from requirements
relating to unidentified large traders, arguing that since CAIS is in
operation, the current requirements relating to unidentified large
traders are redundant and should be retired. The request for exemptive
relief related to large traders is beyond the scope of the Proposed
Amendment and outside the purview of the Participants, but the
Commission welcomes further discussion and comment on the potential
elimination of large trader requirements made possible by CAT.
---------------------------------------------------------------------------
\76\ See FIF August Letter, at 4-6.
---------------------------------------------------------------------------
Request-Response System and Retirement of EBS
Two commenters call for the retirement of electronic blue sheets
(``EBS''), and replacement of the system with a request-response system
using CCIDs and FDIDs.\77\ Both commenters provide some details on how
such a request-response system might work, involving the submission of
FDIDs by regulators through an automated system to request data fields
that are no longer going to be reported to CAIS or the CAT.\78\ One of
these commenters describes deficiencies of EBS, including the fact that
EBS contains large amounts of PII, including plaintext SSNs, and
shortcomings with respect to transaction and customer and account data,
necessitating ``a proactive and expedited focus on retiring EBS as soon
as possible.'' \79\
---------------------------------------------------------------------------
\77\ See SIFMA Letter, at 14 (calling the retirement of EBS
``one of the promises of the CAT''); FIF April Letter, at 5-8
(stating, among other things, that the Commission as ``previously
committed'' to retiring EBS); FIF July Letter, at 10; FIF August
Letter, at 6. In addition, one commenter, a Participant, quotes a
FINRA CEO blogpost stating that ``over the years there have been
concerns about the efficiency and design of Blue Sheets, and
consideration could be given to creating a new request and response
utility operated in conjunction with CAT to facilitate and
streamline the information collection process for both regulators
and the impacted broker-dealers.'' See Letter from Marcia E.
Asquith, Corporate Secretary, EVP, Board and External Relations, to
Vanessa Countryman, Secretary, Commission, dated July 25, 2025 (the
``FINRA Letter''), at 3 n.9.
\78\ See SIFMA Letter, at 3 n.11; FIF April Letter, at 6-7.
\79\ See FIF July Letter, at 4-6.
---------------------------------------------------------------------------
CAT LLC states that whether or not a request-response system is
appropriate or desirable is outside the scope of the Proposed Amendment
and outside the purview of CAT LLC.\80\ The comment letters raise
several thoughtful potential modifications to the CAT Plan and other
regulatory reporting obligations.\81\ With respect to the creation of a
request-response system, Commission agrees that it is beyond the scope
of the Proposed Amendment. However, such a system could decrease
regulators' reliance on EBS, which could facilitate the eventual
elimination of EBS and could reduce the cost and burdens to Industry
Members and increase efficiencies. Accordingly, as stated in the CAIS
Exemption Order,\82\ the Commission continues to urge the Participants
to work with industry members to establish such a request-response
system by taking advantage of the systems industry members have already
established to format and submit customer information consistent with
CAT specifications.\83\
---------------------------------------------------------------------------
\80\ See CAT LLC May Response Letter, at 12; CAT LLC September
Response Letter, at 16.
\81\ One commenter asks the Commission to remove PII from other
reporting systems that include PII, such as the Large Options
Positions Reporting System. See FIF April Letter, at 8. The Proposed
Amendment does not propose changes to other reporting systems and
such changes are beyond the scope of the Proposed Amendment.
\82\ See CAIS Exemption Order, at 9645 n.52.
\83\ An efficient electronic means of requesting and providing
targeted subsets of customer identifying information from industry
members benefits all market participants. In connection with the
relief provided by this Order, the Commission urges the Participants
to work with industry members to establish these means by taking
advantage of the systems industry members have already established
to format and submit customer information consistent with CAT
specifications.
---------------------------------------------------------------------------
[[Page 2170]]
B. Permanent Elimination of the Reporting of Names, Addresses, and YOBs
The Proposed Amendment codifies and expands upon the CAIS Exemption
Order, which provides exemptive relief from the reporting of Name,
Address, and YOB for certain natural person Customers to the CAT.\84\
Specifically, pursuant to the Proposed Amendment, the exemptive relief
in the CAIS Exemption Order would be expanded to apply to all
Customers, including foreign nationals and legal entities, and not be
limited to natural persons with transformed SSNs or ITINs. Pursuant to
the Proposed Amendment, the reporting requirements relating to Name,
Address, and YOBs would be eliminated for all natural persons and legal
entities, at both the Customer and account level. In addition, the
proposed amendment would remove the requirement to report Employer
Identification Numbers (``EINs'') as part of legal entities' customer
reference data.
---------------------------------------------------------------------------
\84\ In the Notice, the Participants stated that they understand
the CAIS Exemption Order to be ``permissive at the discretion of
Industry Members (meaning that Industry Members may choose to take
advantage of the exemptive relief or choose to continue reporting
names, addresses, and years of birth for natural persons reported
with transformed SSNs or ITINs to CAIS).'' See Notice at 12847.
References to the CAIS Exemption Order that the Participants propose
to incorporate and codify in the CAT NMS Plan refer to the CAIS
Exemption Order as understood by the Participants.
---------------------------------------------------------------------------
The Participants propose the deletion of the definition of the term
``PII,'' and modification of numerous provisions of the CAT NMS Plan to
replace references to ``PII'' or ``Customer Account Information and
Customer Identifying Information'' to references to ``Reference Data,''
or otherwise remove the concept of ``PII'' from relevant portions of
the CAT NMS Plan.\85\ The Participants state that while the CAT NMS
Plan distinguishes PII from other forms of CAT Data and requires
``additional levels of protection for PII,'' it would be incongruent to
apply these PII-specific requirements to Reference Data given that the
particularly sensitive data that these requirements were designed to
protect--e.g., Customer name, Customer address, account name, account
address, authorized trader names list, account number, day of birth,
month of birth, year of birth, and ITIN/SSN--would be eliminated under
the Proposed Amendment, and given the security and confidentiality
requirements that continue to apply to CAT Data in general.\86\
---------------------------------------------------------------------------
\85\ See proposed Sections 6.2(a)(v)(C), 6.2(b)(v)(F),
6.4(d)(ii), and 6.10(c)(ii), and Appendix D, Sections 4.1; 4.1.2;
4.1.4; 4.1.6; 6.2, 8.1.1; 8.1.3; 8.2; 8.2.2; 9.1 and 10.1.
\86\ See CAT LLC May Response Letter, at 4-5.
---------------------------------------------------------------------------
The Participants also propose revising certain definitions in the
CAT NMS Plan. The definition of ``Customer Account Information'' would
be modified to be ``Account Reference Data,'' and specifically remove
account number and customer type as elements of Customer Account
Information.\87\ The definition of ``Customer Identifying Information''
would be modified to ``Customer Reference Data,'' and references to
name, address, date of birth, ITIN, SSN would be removed for
individuals, while name, address, EIN, and ``other information of
sufficient detail to identify a Customer'' would be removed for legal
entities.\88\ The revised definition adds, for individuals, TID and
customer type, and for legal entities, customer type only.\89\ The
Participants state that because an EIN contains the same number of
digits as a SSN and must be reported as plain text, there is the risk
that an Industry Member could inappropriately report an individual's
SSN in the EIN field.\90\ The Participants maintain that eliminating
the EIN field would eliminate the possibility of such improper
reporting without any effect on the Plan Processor's ability to create
a unique CCID, because Industry Members would continue to report the
translated TID value (which is based on the EIN) to the CCID Subsystem,
and that even if the EIN field is eliminated, regulators would retain
the ability to search by EIN for a CCID value.\91\
---------------------------------------------------------------------------
\87\ See proposed Section 1.1. The provision would also state
that for the avoidance of doubt, Industry Members are required to
provide a Firm Designated ID in accordance with the CAT NMS Plan.
Id.
\88\ Id.
\89\ See proposed Section 1.1. In addition, ``CAT Customer-ID''
or ``CCID'' would be defined to have the same meaning as the
existing definition ``Customer-ID,'' which has the same meaning
provided in SEC Rule 613(j)(5). See proposed Section 1.1.
\90\ See CAT LLC May Response Letter, at 6.
\91\ See id.
---------------------------------------------------------------------------
The Participants also propose additional modifications to the
definition of ``Full Availability and Regulatory Utilization of
Transactional Database Functionality,'' to add footnotes to make clear
that the Proposed Amendment is not meant to change the meaning of
defined terms that are being modified by the Proposed Amendment for
purposes of the Financial Accountability Milestones (``FAM'').\92\ The
Participants state that CAT LLC does not intend to change the meaning
of the defined term ``in any way,'' and the footnotes are designed to
``avoid retroactively changing the meaning of a FAM-related defined
term.'' \93\
---------------------------------------------------------------------------
\92\ See proposed section 1.1. See also Securities Exchange
Release No. 88890, 85 FR 31322 (May 22, 2020) (adopting, among other
changes, financial accountability provisions called ``Financial
Accountability Milestones'').
\93\ See CAT LLC December Response Letter, at 2-3.
---------------------------------------------------------------------------
Certain provisions of Appendix D of the CAT NMS Plan would be
revised to incorporate the CAIS Exemption Order, CCID Exemption Order,
and to remove references to Name, Address, and YOB.\94\ Proposed
section 9.1 of Appendix D would require CAT to capture and store
Reference Data that at a minimum, includes TIDs and for legal entities,
Legal Entity Identifiers (LEIs) if available, and remove references to
the eliminated Customer information and the validation process for SSNs
and DOBs.\95\ Section 9.2 of Appendix D would be revised to eliminate
the requirement to accept data attributes related to an account owner's
name, mailing address, or tax identifier, and now state that TIDs must
be accepted by the CAT.\96\ In addition, the term ``Firm Identifier
Number'' would be modified to ``Firm Designated ID,'' which the
Participants state more accurately captures the information that this
section describes as the ``number that the CAT Reporter will supply on
all orders generated for the Account.'' \97\
---------------------------------------------------------------------------
\94\ See Notice, supra note 6, at 12848.
\95\ See proposed section 9.1 of Appendix D.
\96\ See proposed section 9.2 of Appendix D.
\97\ See OIP, supra note 8, at 26639.
---------------------------------------------------------------------------
In addition, the Participants propose to modify section 4.1.4 of
Appendix D of the CAT NMS Plan to state that the Plan Processer must
record all access to, and all queries of, data stored in the Reference
Database and generate periodic reports of all access to, and all
queries of, data stored in the Reference Database.\98\ The Participants
explain that this modification is to clarify that the Plan Processor
will record all access to, and all queries of, data stored in the
Reference Database in a series of logs that can be used to generate
periodic reports in the same way that the Plan Processor currently
records and tracks access to the broader CAT System.\99\ The
Participants state that Reference Data, which shall mean the data
elements in the new terms Account Reference Data and Customer Reference
Data, would continue to be subject to existing provisions relating to
general data security requirements.\100\ In addition, the Participants
state that FDID validations will not change as a result of implementing
the Proposed Amendment, and the Plan Processor
[[Page 2171]]
would continue to perform the same consistency checks that it currently
performs today to confirm that all FDIDs reported to the transaction
database exist in the Reference Database and were active on the
relevant transaction date.\101\
---------------------------------------------------------------------------
\98\ See proposed section 4.1.4 of Appendix D.
\99\ See CAT LLC December Response Letter, at 4.
\100\ See CAT LLC May Response Letter, at 4.
\101\ See CAT LLC December Response Letter, at 4.
---------------------------------------------------------------------------
Proposed section 9.1 of Appendix D would state that the Plan
Processor ``will design and implement a robust data validation process
for submitted Firm Designated IDs and must continue to process orders
while investigating Firm Designated ID mismatches,'' which the
Participants state is to confirm that the Proposed Amendment is making
no change to current FDID validation procedures.\102\
---------------------------------------------------------------------------
\102\ See CAT LLC May Response Letter, at 4.
---------------------------------------------------------------------------
In addition, section 9.4 of Appendix D would be revised to
eliminate the requirement that the Plan Processor design and implement
procedures and mechanisms to handle minor and material inconsistencies
in Customer information. The Participants state that the Plan Processor
currently validates whether a TID value is associated with different
years of birth, and the query tool currently accounts for minor
inconsistencies in how CAT Reporters report data to the CAT; for
example, a query including the word ``Street'' would include results
including both ``Street'' and ``St.,'' but because the Proposed
Amendment would eliminate Customer addresses and years of birth, the
proposed change to section 9.4 of Appendix D is appropriate.\103\
---------------------------------------------------------------------------
\103\ See id. at 9.
---------------------------------------------------------------------------
The Participants state that the Proposed Amendment would allow CAT
LLC to achieve an overall cost savings of between $7 million and $9
million per year as compared to the 2024 actual budget.\104\ The
Participants state that these cost savings would not be achieved if
Names, Addresses, and YOBs were required to be reported and stored for
certain categories of Customers.\105\ Additionally, the Participants
state that the Plan Processor has estimated a one-time implementation
cost of approximately $4.5 million to $5.5 million.\106\ The
Participants acknowledge that there would be Industry Member
implementation costs for the Proposed Amendment, and while they
understand that Industry Members would need to update their systems in
order to stop reporting Customer Names, Addresses, and YOBs to the CAT,
they were not in a position to quantify such Industry Member
costs.\107\
---------------------------------------------------------------------------
\104\ See OIP, supra note 8, at 26637.
\105\ See CAT LLC September Response Letter, at 3.
\106\ See OIP, supra note 8, at 26642. The Participants state
that one-time implementation costs will generally consist of Plan
Processor labor costs associated with coding and software
development, as well as any related cloud fees associated with the
development, testing, and load testing of the proposed changes. Id.
\107\ Id.
---------------------------------------------------------------------------
Several commenters support the Proposed Amendment and the
elimination of the reporting requirements for Names, Addresses, and
YOBs from the CAT.\108\ One of these commenters supports the Proposed
Amendment,\109\ highlighting in particular the proposed changes: (1)
excluding PII for all natural persons, including foreign natural
persons who are not reported with transformed SSNs or ITINs; \110\ (2)
permanently eliminating the reporting of PII to CAT; (3) excluding PII
for all legal entity customers since PII of natural persons (including
names, address and dates of birth) is often included in CAIS records
for legal entities; and (4) eliminating requirements relating to the
handling of inconsistencies.\111\
---------------------------------------------------------------------------
\108\ See FIF April Letter; FIF July Letter; FIF August Letter;
SIFMA Letter; NYSE Letter; FINRA Letter. Some commenters also
acknowledged the direct cost impact of the Proposed Amendment and
reduction in CAT operating costs. See SIFMA Letter, at 3 (stating
that the Participants represent that the Proposed Amendment would
achieve ``significant annual savings in CAT operating costs); FINRA
Letter, at 4 (stating that the Proposed Amendment would ``yield
material cost savings'').
\109\ See FIF April Letter; FIF July Letter; FIF August Letter.
\110\ See FIF July Letter, at 10 (stating that the policy
objective of removing PII from CAT would not be achieved unless the
elimination of reporting PII applied to all types of customers).
\111\ See FIF April Letter, at 2.
---------------------------------------------------------------------------
This commenter explains that the security benefits of removing PII
from the CAT outweigh the costs based on several considerations.\112\
Specifically, the commenter states that: (1) data breaches involving
PII can result in significant financial losses from legal fines,
penalties, and loss of business, as well as damage to an organization's
reputation; (2) protecting PII helps organizations comply with relevant
global, U.S. Federal and U.S. state data protection laws and
regulations such as General Data Protection Regulation (GDPR), the
Personal Information Protection and Electronic Documents Act (PIPEDA),
and the California Consumer Privacy Act (CCPA), avoiding regulatory
consequences and significant fines; (3) Industry Members could be
subject to legal costs and resulting damages resulting from PII data
breaches; (4) the removal of PII from CAIS demonstrates a commitment to
data privacy, which enhances customer trust; (5) data breaches (even
where the data is not within an Industry Members' control) can disrupt
the Industry Member's operations, potentially requiring costly and
time-consuming system overhauls to restore security; the CAT system
would also incur disruption and costs resulting from a data breach, and
any costs would be passed-through to market participants and, in many
cases, to customers; and (6) the alternative to the removal of PII from
CAIS is the continued implementation of measures to strengthen PII
protection in response to evolving threats; these measures could
include additional encryption and other enhanced security measures to
proactively identify and mitigate vulnerabilities and prevent future
data leaks and associated risks; any costs to implement heightened
security controls in response to evolving threats would be passed
through to market participants and, in many cases, to customers.\113\
---------------------------------------------------------------------------
\112\ See FIF July Letter, at 11.
\113\ Id.
---------------------------------------------------------------------------
Another commenter states that it supported the CAIS Exemption Order
and similarly support the Proposed Amendment as it furthers the goal of
eliminating the collection and storage of individual investors' PII in
the CAT.\114\ The commenter explains that it has long-standing privacy
and cyber security concerns regarding the CAT, and has opposed the
collection and storage of PII data by the CAT since its inception.\115\
The commenter believes that codification of the CCID Exemption and CAIS
Exemption would ``seem to effectively eliminate the reporting and
storage of individual investors' PII within the CAT.'' \116\
---------------------------------------------------------------------------
\114\ See SIFMA Letter, at 2.
\115\ See id. at 3.
\116\ See id. at 3.
---------------------------------------------------------------------------
Another commenter, a Plan Participant, states that it approves of
the passage of the Proposed Amendment because the systemic and
prospective collection of names, addresses, and years of birth for all
customers is not necessary for effective oversight of the securities
markets.\117\ The commenter states that approval of the Proposed
Amendment would ``reduce CAT costs without unduly compromising
regulatory effectiveness and would further privacy considerations,''
adding that regulators have alternative mechanisms available to obtain
the identity of market participants on an as-needed basis.\118\ This
commenter additionally states that the Proposed Amendment's
modifications to relief granted in the CAIS Exemption are important to
resolve remaining gaps in
[[Page 2172]]
balancing privacy concerns with regulatory effectiveness and
costs.\119\ This commenter states that the continued collection of PII
for any person or legal entity involves risks and costs that are not
outweighed by any regulatory benefit.\120\ The commenter states that it
is able to maintain effective oversight in the absence of the
collection of this customer information in CAIS as the primary benefits
of consolidating market trading data in a standardized manner are
provided by the Transaction Database, which would be unaffected by the
approval of the Proposed Amendment.\121\
---------------------------------------------------------------------------
\117\ See FINRA Letter, at 2.
\118\ Id. at 1-3.
\119\ Id. at 2.
\120\ Id. at 4.
\121\ Id. at 3.
---------------------------------------------------------------------------
In contrast to the commenters above, one commenter opposes the
Proposed Amendment, stating that it would frustrate the purposes of the
CAT and make it harder for the SEC to detect misconduct and identify
the perpetrators.\122\ This commenter states that issuance of the CAIS
Exemption Order was ``a mistake,'' and that the Commission should not
compound its mistake by approving the Proposed Amendment to further
reduce the information in CAT.\123\ This commenter states that CAT is
designed to enable the SEC to not only reduce, manage, and better
understand market disruptions and crashes but also to identify, deter,
and punish illegal manipulations and other trading abuses to better
protect investors.\124\ The commenter states that the Proposed
Amendment would hinder the SEC's ability to accomplish these goals
because the SEC will not be able to quickly spot illegal and
manipulative trading and identify the parties responsible for market
disruptions, manipulations, and other abuses if the CAT does not
collect or retain customer identifying information such as names,
addresses, and years of birth.\125\ The commenter states that the
Proposed Amendment would make it harder for the SEC to determine the
identities of customers, which is one of the fundamental purposes of
the CAT.\126\ This commenter states that legitimate privacy concerns
can be addressed in ways that do not ``needlessly'' prevent the SEC
from policing the markets and increase the chances of lawbreakers
escaping detection.\127\ The commenter also argues that the Proposed
Amendment would do little to safeguard customers' personal information,
as bad actors could hack personal information from checking accounts,
credit card accounts, or brokerage accounts that are placing retail
trades.\128\
---------------------------------------------------------------------------
\122\ See Letter from B. Schiffrin, Director of Securities
Policy, Better Markets, Inc., to Vanessa Countryman, Secretary,
Commission, dated Apr. 9, 2025 (``Better Markets Letter''), at 1-2.
\123\ Id. at 1.
\124\ Id. at 2.
\125\ Id. at 4.
\126\ Id. at 5.
\127\ Id. at 5.
\128\ Id. at 5-6.
---------------------------------------------------------------------------
Another commenter ``strongly'' recommends that the Proposed
Amendment be disapproved for different reasons.\129\ This commenter
states that the Proposed Amendment would not ``achieve its stated `cost
savings and efficiency.' '' \130\ This commenter also states that it is
``unjust'' for CAT LLC to retain Account Reference Data and Customer
Reference Data information because Exchange Act Rule 17a-1 record
retention requirements are obligations of the SROs and this is an
attempt to ``cross-subsidize SROs in fulfillment of obligations that
deviate from the CAT project's original purposes.'' \131\ This
commenter also states that neither the SEC nor the SROs have rights
above the U.S. Constitution, referencing the Fourth Amendment and
stating that the right to be free of unwarranted search or seizure is
recognized by the Supreme Court as protecting a general right to
privacy.\132\ The commenter also states that, ``[c]aptioned releases of
CAT NMS Plan amendment proposals are inconsistent with Sec. 11A of the
Exchange Act, the Fourth Amendment of US Constitution, the Department
of Justice's latest edition of the Privacy Act of 1974.'' \133\
---------------------------------------------------------------------------
\129\ See Data Boiler Letter.
\130\ See Data Boiler Letter, at 5. The commenter continues to
state that certain concerns and/or questions relating to CAT costs
are unaddressed as of today, including: ``Bifurcated Cost Allocation
is Inequitable and Proposed Minimum for Industry Members,'' ``[t]he
allocation and minimum are undue burden on Industry Members,'' and
``[p]roposed CAT Participants allocation versus Our Counter
Suggestions,'' which are beyond the scope of the Proposed Amendment.
Id. The Commission notes that the Participants have separately filed
a proposed amendment to implement a revised funding model for the
CAT and establish a fee schedule for Participant CAT fees in
accordance with that proposed amendment. See Securities Exchange Act
Release No. 103960 (Sept. 12, 2025), 90 FR 44910
\131\ See Data Boiler Letter, at 2.
\132\ See Data Boiler Letter, at 1. See also Data Boiler Letter
at 5 (stating that ``[n]ational security and privacy ordinance
matters are Outside Jurisdiction of the SEC and the SROs to make
sole determination''). This commenter also states that ``[u]nlike
the census,'' collection of non-public and PII by CAT for all trade
activities without express consent by the investors is an intrusion
of one's privacy, and that ``Congress confers the authority to the
Department of Commerce to conduct census, NOT the SEC.'' Id. at 2.
\133\ See Data Boiler Letter, at 4.
---------------------------------------------------------------------------
This commenter also raises various issues that are beyond the scope
of the Proposed Amendment. This commenter broadly recommends changes to
the structure of CAT, stating that they suggest a ``more effective and
efficient real-time analytics approach,'' that refusal to ``make a
concrete and complete overhaul to the out-of-date technical design of
CAT since 2012'' means that the ``CAT project is and will continue to
be a Money Pit,'' and that ``trade reporting'' is ``outdated.'' \134\
The commenter also objects to various aspects of the regulatory use of
CAT, stating that there should be no access to CAT for ``market
surveillance'' purposes prior to ``identifying symptoms of irregularity
that are substantiated by data at Securities Information Processors/
Competing Consolidators and/or analytical procedures at SROs/the SEC,''
\135\ and that the defined purposes of accessing CAT should be much
narrower than the broadly defined ``regulatory purposes.'' \136\ The
commenter also suggests adopting principle-based rules for security and
privacy.\137\ This commenter also makes statements regarding the
availability of information of securities holdings of institutional
investors in section 13(f) filings,\138\ and the ability to perform a
broker search for underlying beneficial shareholders information,\139\
which are
[[Page 2173]]
both beyond the scope of the Proposed Amendment and misunderstand the
purposes and functionality of the CAT.\140\
---------------------------------------------------------------------------
\134\ See Data Boiler Letter, at 1, 3. The commenter also states
that ``CAT has an Outdated Design, is an Outsized Elephant,'' and
that the ``unbearable building and on-going operating costs of CAT
Outweigh its Benefits.'' Id. at 5.
\135\ See Data Boiler Letter, at 3.
\136\ See Data Boiler Letter, at 3.
\137\ See Data Boiler Letter, at 4 (citing Letter from Kelvin
To, Founder and President, Data Boiler Technologies, LLC to Vanessa
Countryman, Secretary, Commission, dated November 30, 2020,
available at: <a href="https://www.sec.gov/comments/s7-10-20/s71020-8068693-225956.pdf">https://www.sec.gov/comments/s7-10-20/s71020-8068693-225956.pdf</a>). In addition, this commenter states that they ``envisage
a crowd model to reduce unknown unknowns while enhancing security of
CAT,'' identifying several benefits of this suggested approach. See
Data Boiler Letter, at 4 (citing Letter from Kelvin To, Founder and
President, Data Boiler Technologies, LLC to Vanessa Countryman,
Secretary, Commission, dated January 27, 2021, available at: <a href="https://www.sec.gov/comments/4-698/4698-8311309-228460.pdf">https://www.sec.gov/comments/4-698/4698-8311309-228460.pdf</a>). The commenter
also states that the CAT NMS Plan fails to address certain causes
for potential information leaks, and that CAT is ``vulnerable to
internal compromise and external hackers' attacks.'' See Data Boiler
Letter at 3. The Commission believes that this is outside the scope
of the Proposed Amendment, but the Proposed Amendment would reduce
the amount of information stored in the CAT, including the storage
of certain Customer information, and as discussed below, the
security benefits of eliminating the requirement to report PII
justifies approval of the Proposed Amendment.
\138\ See Data Boiler Letter, at 2 (stating that if policy
makers want to collect additional investor information beyond
Section 13(f) filings, then Section 13(f) requirements should be
updated through ``proper law-making procedures'').
\139\ See Data Boiler Letter, at 2 (stating that if the SEC and
SROs want to develop their own similar capabilities instead of
paying or partnering with a private vendor, then an appropriate
costs-benefits justification and separate apportioning of Federal
funding are required).
\140\ The CAT is designed to provide a comprehensive audit trail
for U.S. securities markets, and thus is designed to provide
regulators different information than what is contained within
section 13(f) filings or underlying beneficial shareholder
information.
---------------------------------------------------------------------------
In addition, one commenter, who generally supports the Proposed
Amendment,\141\ expresses concerns about the impact of approval of the
Proposed Amendment on costs that would be incurred by Industry Members
if there is an increase in ad hoc EBS inquiries.\142\ The commenter
states that removal of PII from CAIS ``could result in a significant
increase in the volume of EBS requests.'' Its members still support the
Proposed Amendment, but believe that this necessitates a proactive and
expedited focus on retiring EBS.\143\ The commenter acknowledges that
with the removal of PII from CAIS, the Commission and SROs can no
longer access the CAIS system to link transaction data to customer
PII.\144\ However, the commenter states that it does not agree with the
Participants' representation that, at least in the near term, the
current EBS system provides an appropriate mechanism for obtaining
identifying information for natural persons and legal entities if the
Proposed Amendment were approved.\145\
---------------------------------------------------------------------------
\141\ See FIF April Letter; FIF July Letter; FIF August Letter.
\142\ See FIF July Letter, at 10.
\143\ See FIF July Letter, at 4; see also FINRA July Letter, at
3 (stating that the solution to this issue is not to disapprove the
rule filing, rather, the solution is to retire EBS and implement the
commenter's proposed request-response system). See supra Part III.A
for a discussion on commenters' requests for a request-response
system and retirement of EBS.
\144\ See FIF July Letter, at 4-5.
\145\ See id. at 8 (citing CAT LLC May Response Letter, at 12).
---------------------------------------------------------------------------
Another commenter, representing a group of Participants, states
that since the issuance of the CAIS Exemption, the exchanges have
reverted to using blue sheet requests to broker-dealers to obtain
customer data for regulatory purposes.\146\ This commenter states that
as part of these requests, the exchanges use CCIDs to identify the
correct broker-dealers and provide broker-dealers with corresponding
firm account identifiers to more efficiently produce customer data to
the exchanges, and without CCIDs, the burden and costs of responding to
blue sheet requests would increase for broker-dealers, as would the
burdens and costs for SROs.\147\ One commenter, a Participant, states
that FINRA and other regulators use alternative mechanisms to obtain
information regarding the identity of market participants on an as-
needed basis, quoting a FINRA CEO blogpost stating that EBS and other
existing systems work adequately.\148\ This commenter states that, as a
Participant, FINRA would neither realize direct cost savings from the
implementation of the CAIS Amendment nor incur additional expenses
related to fulfilling ad hoc regulatory data requests related to
customer information.\149\ As noted by the commenter above, CAT LLC
states that, at least in the near term, the current EBS system provides
an appropriate mechanism for obtaining identifying information for
natural persons and legal entities if the Proposed Amendment were
approved.\150\
---------------------------------------------------------------------------
\146\ See NYSE Letter, at 3.
\147\ See id. at 3.
\148\ See FINRA Letter, at 3.
\149\ See id. at 4 n.10.
\150\ See CAT LLC May Response Letter, at 12.
---------------------------------------------------------------------------
In response to a commenter that objects to the Proposed
Amendment,\151\ the Participants state that the Proposed Amendment
would not prevent regulators from determining the identity of persons
involved in potential violations of the securities laws.\152\ According
to the Participants, the continued existence of the requirement of
maintaining FDIDs and CCIDs within CAT will allow regulators to use the
FDID and the CCID to identify the associated account, which will then
allow them to determine identities by seeking the information from
Industry Members as needed.\153\ The Participants acknowledge that the
speed with which regulators can access the identity of those involved
with a transaction at issue will decrease, but believe that the CAIS
Exemption Order already acknowledges this delay and concludes that it
would be reasonable for regulators to rely on obtaining such
information from Industry Members rather than the CAT.\154\ The
Participants further state that, based on their experience, the
difference in the amount of time it takes to access the name of a
customer in CAT versus the time to request and obtain a name from
Industry Members would only rarely be an issue and would not materially
impede examinations and investigations.\155\ Because of this, the
Participants state that it is difficult to justify the ``substantial
costs'' related to the collection and storage of Names, Address, and
YOBs for all Customers, as well as security concerns, for the
convenience of regulators having direct access to such personal
information in the CAT for limited regulatory circumstances.\156\
---------------------------------------------------------------------------
\151\ See Better Markets Letter.
\152\ See CAT LLC May Response Letter, at 11. See also id. at 10
(stating that the Proposed Amendment would not impact the ability of
regulators to perform cross-market surveillance via the unique CCID
or to otherwise use the CAT for its intended regulatory purposes).
\153\ See id. at 11.
\154\ Id.
\155\ Id.
\156\ Id.
---------------------------------------------------------------------------
The Participants state that the Proposed Amendment would have ``no
impact on the creation or regulatory function of the CCID.'' \157\ They
state that the Plan Processor would continue to create a CCID for each
unique TID the same way as it does today, provide a daily mapping of
CCID to FDID to the transaction database by the CAT System to provide
CCID enrichment of transaction data.\158\ The Participants state that,
``[i]n short, because the Plan Processor would continue to provide CCID
enrichment of transaction data, the Proposed Amendment would preserve
regulators' ability to perform cross-market, cross-broker, and cross-
account surveillance, while achieving approximately $7 million to $9
million in annual cost savings and furthering the Commission's goal of
reducing unnecessary Customer information in the CAT.'' \159\
---------------------------------------------------------------------------
\157\ See CAT LLC September Response Letter, at 5.
\158\ Id. at 6. See also CAT LLC May Response Letter, at 7
(stating that the Proposed Amendment would require the Plan
Processor to continue creating a unique CCID in the same way that it
does today).
\159\ See CAT LLC September Response Letter, at 6.
---------------------------------------------------------------------------
The Participants state that in their view, the Commission already
considered the issue of requesting Customer information directly from
Industry Members in the CAIS Exemption Order and concluded that
requesting such information from Industry Members would pose less risk
than collecting, transmitting, and/or requesting such information via
the CAT.\160\ In addition, the Participants state that it is difficult
to justify the substantial monetary costs to maintain the collection
Names, Addresses and YOBs in the CAT for certain categories of
Customers, because it would add operational complexity and prevent CAT
LLC from achieving approximately $7 million to $9 million in annual
cost savings.\161\ However, the Participants acknowledge that this
could lead to some increased costs for Industry
[[Page 2174]]
Members who receive blue sheet requests for the data, the Participants
state that any associated cost would be significantly outweighed by the
cost savings that the Proposed Amendment would allow CAT LLC to achieve
each year.\162\
---------------------------------------------------------------------------
\160\ Id. at 7.
\161\ Id. at 3.
\162\ Id. at 4 n.14.
---------------------------------------------------------------------------
For reasons discussed in greater detail below, the proposed
modifications to the CAT NMS Plan to eliminate the reporting of Names,
Addresses, and YOBs for all customers is reasonable and appropriate.
The Commission acknowledges that there are some regulatory benefits
that will be lost by ending the collection and storage of customer
names, addresses, and birth years in the CAT. However, the Commission
no longer believes that the collection and storage of this information
is justified in light of heightened security risks and the prospect of
relatively efficient indirect access to customer information, which
could mitigate at least some of the loss in regulatory efficiency, and
that the Proposed Amendments preserve the CAT's ability to advance the
key regulatory objectives for which it was intended.
As discussed in greater detail below, the Proposed Amendment
codifies and expands upon the relief granted by the CAIS Exemption
Order. The CAIS Exemption Order granted exemptive relief from certain
sections of the CAT NMS Plan relating to the reporting of Name, Address
and YOB from natural persons with transformed CCIDs, but it did not
require that such information no longer be reported and did not apply
to all Customers. The Proposed Amendment would go further and eliminate
the reporting requirements for natural persons with transformed CCIDs
and would also eliminate the reporting requirements for all natural
persons and entities, instead of just U.S. natural persons. Unlike the
relief provided in the CAIS Exemption Order, which was optional so
broker-dealers could choose not to take advantage of it and continue
reporting the customer information, the Proposed Amendment would result
in the CAT system no longer including fields for reporting these data
points.\163\
---------------------------------------------------------------------------
\163\ See Notice, at 12846 n.12 (stating that the Plan Processor
would make conforming changes to the CAT Reporting Customer &
Account Technical Specifications for Industry Members to eliminate
any fields related to the Proposed Amendment).
---------------------------------------------------------------------------
Importantly, the Proposed Amendment would preserve key elements of
the CAT as it currently functions. In particular, it would not impact
the creation of CCIDs for most CAT customers, which are identifiers
that have proven to be an effective means of uniquely and consistently
identifying customers. The Commission stated, in approving the CAT NMS
Plan, the importance of the CCID approach, as it ``constitutes a
significant improvement relative to the Baseline because it would
consistently identify the Customer responsible for market activity,
obviating the need for regulators to collect and reconcile Customer
Identifying Information from multiple broker-dealers.'' \164\ This
Order generally preserves this benefit of the CCID process, thereby
preserving one of the critical innovations of the CAT, the ability to
track one Customer's market activity across multiple exchanges.
---------------------------------------------------------------------------
\164\ See CAT NMS Plan Approval Order, at 84827.
---------------------------------------------------------------------------
The Commission disagrees that the Proposed Amendment would
``frustrate the purposes of the CAT,'' or unduly hinder the
Commission's ability to accomplish the goals of CAT.\165\ The Proposed
Amendment preserves key CAT functionality on which the Participants and
the Commission rely to understand market disruptions and identify
illegal manipulations and other trading abuses, including access to
more accurate, complete, and timely order information from across the
national market system and the ability to track a specific order of a
Customer throughout its entire lifecycle.
---------------------------------------------------------------------------
\165\ See Better Markets Letter.
---------------------------------------------------------------------------
The Commission acknowledges, however, that removing additional PII
from the CAT will negatively impact regulatory efficiency.\166\
Pursuant to the Proposed Amendment, regulators, using the CAT alone,
will not be able to determine the identity of the individual behind a
CCID or FDID. It will take additional time and effort to identify the
individual or entity behind any specific CCID or FDID which will
necessitate contacting Industry Members directly to provide regulators
with this information.\167\ Also, the Proposed Amendment could result
in regulators needing to contact Industry Members for Customer
information in situations where previously they may have received
sufficient information to conclude their examination or investigative
activities with the Customer information in CAIS. In addition, the
Proposed Amendment would reduce the number of fields by which
regulators could search CAT for Customer information. For example,
regulators will not be able to narrow the scope of search results from
the CAT based on certain name or address information, which could
result in additional inquiries to Industry Members or potentially the
cessation or modification of certain regulatory functions due to an
impractical amount of time and effort that could be required to obtain
information from Industry Members. However, regulators' use of CCIDs,
along with FDIDs, will allow regulators to determine which Industry
Members to contact for additional information about the persons or
entities behind CCIDs.
---------------------------------------------------------------------------
\166\ See CAIS Exemption Order, at 9645.
\167\ In Commission staff's experience, there can be a material
difference in the amount of time it takes to access the name of a
customer in CAT versus the time to request and obtain a name from
Industry Members. However, this additional time generally does not
materially impede examinations and investigations. See also CAT LLC
May Response Letter, at 11 (stating that, ``[b]ased on their
experience, the Participants believe that the difference in the
amount of time it takes to access the name of an investor in CAT
versus the time it takes to request and obtain a name from an
Industry Member would be relevant in only very limited scenarios and
would not materially impede examinations and investigations.'');
FINRA Letter at 4 (stating that ``FINRA and other regulators are
able to use alternative mechanisms to obtain information regarding
the identity of market participants on an as-needed basis'' and that
``elimination of this customer information would not unduly hinder
FINRA's ability to oversee market activity'').
---------------------------------------------------------------------------
The Commission further recognizes that removal of PII from the CAIS
system will mean regulators will be unable to immediately link
transaction data to customer PII, and will instead have to seek
Customer identifying information from broker-dealers, which may result
in increased requests through EBS.\168\ As discussed in Part III.A
above, the Commission is aware of and encourages discussion about the
development of a request-response system as a more efficient and secure
replacement for EBS. However, even in the absence of such a system, the
security and other benefits of removing customer information from the
CAT are sufficient to justify the potential increase in costs
associated with an increased number of EBS requests to broker-dealers
by regulators.
---------------------------------------------------------------------------
\168\ See FIF July Letter at 3-4, 10. In addition, one
commenter, representing a group of Participants, states that since
the since the issuance of the CAIS Exemption, the exchanges have
reverted to using blue sheet requests to broker-dealers to obtain
customer data for regulatory purposes. See NYSE Letter, at 3.
---------------------------------------------------------------------------
The Commission also recognizes that because the Proposed Amendment
would eliminate the requirements relating to reporting of Names,
Addresses, and YOBs of foreign Customers, there is a risk that the CAT
may not reliably generate unique CCIDs for foreign Customers, as a
unique foreign Customer may have multiple government issued IDs used
across multiple broker-dealers to generate multiple TIDs and thus
multiple CCIDs. The potential existence of multiple CCIDs for one
Customer may make it
[[Page 2175]]
more difficult for regulators to identify the full extent of such
persons' trading activities, and the Proposed Amendment proposes to
delete the information--Name, Address and YOB--that regulators can
currently use to mitigate that problem for their CAT searches. Thus,
the deletion of the requirement to report information related to
foreign Customers could delay the Commission's efforts to take swift
and covert actions to protect U.S. markets. However, the potential risk
of foreign Customers having multiple CCIDs may be mitigated by steps
taken by the Participants, including instructions to broker-dealers for
determining what identifier should be used for foreign customers to
generate TIDs, which should reduce the odds of foreign Customers having
multiple CCIDs.\169\
---------------------------------------------------------------------------
\169\ See CAT Reporting Customer & Account Technical
Specifications for Industry Members 29 (v. 2.2.0 r4 2025) (``Full
CAIS Technical Specifications''), at Section 2.2.5, available at
<a href="https://www.catnmsplan.com/sites/default/files/2025-08/08.14.25_Full_CAIS_Technical_Specifications_2.2.0_r4_CLEAN.pdf">https://www.catnmsplan.com/sites/default/files/2025-08/08.14.25_Full_CAIS_Technical_Specifications_2.2.0_r4_CLEAN.pdf</a>; CAT
FAQ Q57 (addressing when there is a CAT Customer with multiple valid
Input Identifiers who is associated with a single account at a CAT
Reporter firm, which Input Identifier must be used to generate a TID
for the Customer), available at <a href="https://catnmsplan.com/faq#Q57">https://catnmsplan.com/faq#Q57</a>.
---------------------------------------------------------------------------
Regulators may also be able to take steps in response to this
issue. Importantly, the CAT will maintain a ``foreign'' flag to
identify which trades are associated with foreign Customers. Also,
broker-dealers are obligated to collect certain information about their
customers pursuant to various recordkeeping rules, Know Your Customer
Rules, and anti-money laundering rules, and thus key foreign Customer
information will be available to regulators upon request. Thus, if a
regulator needs to determine the identity of the individual behind a
particular CCID, the regulator would be able to use one or more of the
FDIDs associated with the CCID and contact the broker-dealer(s) who
reported the FDID(s) and request the Name, Address, and YOB for the
individual Customer.\170\ A regulator, however, will not be able to use
a CCID to determine FDIDs that are associated with other CCIDs that may
exist for a particular Customer and thus because some foreign Customers
may have multiple CCIDs, regulators may have to contact more broker-
dealers to determine whether a foreign Customer has multiple CCIDs.
While this workaround is less efficient and more time-consuming than
current practice, it does not warrant disapproval of the Proposed
Amendment.
---------------------------------------------------------------------------
\170\ See 15 U.S.C. 78q(a), requiring registered broker-dealers
to ``furnish'' records as the SEC prescribes by rule. See also 17
CFR 240.17a-25(a), requiring broker-dealers to electronically submit
securities information (including customer identifying information)
to the SEC ``upon request.'' If multiple FDIDs are associated with a
single CCID, regulators would only need to contact one broker-dealer
to request the name and/or address of the individual. Contacting
other broker-dealers should result in the same name and/or address.
---------------------------------------------------------------------------
The security benefits of eliminating the requirement to report PII
to the CAT support approval of the Proposed Amendment, as modified
herein, despite the loss of some regulatory efficiency. From the CAT's
inception, the Commission has sought to continually balance the
regulatory benefits of the CAT with the risks associated with a
security breach. In the CAT NMS Plan Approval Order, the Commission
recognized that ``because some of the CAT Data stored in the Central
Repository will contain PII such as names, [and] addresses . . . a
security breach could raise the possibility of identity theft. . ., ''
and it emphasized that the Plan contained provisions designed to
mitigate the risks of such a breach.\171\ In issuing the CAIS Exemption
Order, the Commission considered the benefits of maintaining some of
the PII in the CAT differently in light of both the heightened security
risks posed by the increased sophistication of bad actors and the
prospect of relatively efficient indirect access to customer
information. The Commission also recognized the risks identified by
market participants, industry representatives, and members of Congress,
and acknowledged the increased sophistication of cybercriminals and bad
actors.\172\
---------------------------------------------------------------------------
\171\ See CAT NMS Plan Approval Order, supra note 3, at 84874-
75.
\172\ See CAIS Exemption Order, at 9644.
---------------------------------------------------------------------------
As one commenter noted,\173\ in response to evolving threats
surrounding PII the Participants could instead implement additional
encryption and enhanced security measures to proactively identify and
mitigate vulnerabilities and prevent future data leaks and associated
risks. However, rather than engage in costly and difficult measures
that could substantially add to the costs of CAT as a whole and would
still not eliminate the serious risks associated with maintaining large
amounts of customer information in the CAT, the Participants' proposed
approach to instead remove the data from the CAT is reasonable.
---------------------------------------------------------------------------
\173\ See FIF July Letter, at 11.
---------------------------------------------------------------------------
The risks of maintaining personal information in the CAT include
potential harm to all market participants, including the Participants,
Industry Members, and Customers. For Customers, a cybercriminal with
knowledge of a person's Name, Address, and YOB may be able to
impersonate a customer or broker-dealer to gain access to a Customer's
account or attempt to defraud the Customer directly. For Participants
and Industry Members, a breach involving PII could result in
significant financial harm from legal fines, penalties, and lawsuits,
as well as significant reputational harm and loss of consumer
confidence and trust. In addition, any legal costs and damages suffered
by the Participants or Industry Members due to a security breach could
ultimately be borne by Customers. While it is true that wrongdoers
could do things beyond the Participants' control, such as hacking
personal information from checking accounts, credit card accounts, or
brokerage accounts that are placing retail trades, the Proposed
Amendment addresses risks that are within the Participants' control--
the risks of maintaining personal information in the CAT.\174\ And
these risks have only grown since the adoption of the CAT, due to the
increased sophistication of cybercriminals and bad actors, as
acknowledged by the Commission when it adopted amendments to Regulation
S-P.\175\
---------------------------------------------------------------------------
\174\ See Better Markets Letter, at 5-6.
\175\ See Securities Exchange Act Release No. 100155 (May 16,
2024), 89 FR 47688 (June 3, 2024) (citing, Federal Bureau of
Investigation, 2022 internet Crime Report (Mar. 27, 2023), at 7-8
(stating that the FBI's internet Crime Complaint Center received
800,944 complaints in 2022 (an increase from 351,937 complaints in
2018). The complaints included 58,859 related to personal data
breaches (an increase from 50,642 breaches in 2018)); the Financial
Industry Regulatory Authority (``FINRA''), 2022 Report on FINRA's
Examination and Risk Monitoring Program: Cybersecurity and
Technology Governance (Feb. 2022), (noting increased number and
sophistication of cybersecurity attacks and reminding firms of their
obligations to oversee, monitor, and supervise cybersecurity
programs and controls of third-party vendors); Office of Compliance
Inspections and Examinations (now the Division of Examinations)
(``EXAMS''), Risk Alert, Cybersecurity: Safeguarding Client Accounts
against Credential Compromise (Sept. 15, 2020) (describing
increasingly sophisticated methods used by attackers to gain access
to customer accounts and firm systems)). This Risk Alert, and any
other Commission staff statements represent the views of the staff.
They are not a rule, regulation, or statement of the Commission.
Furthermore, the Commission has neither approved nor disapproved
their content. These staff statements, like all staff statements,
have no legal force or effect. They do not alter or amend applicable
law; and they create no new or additional obligations for any
person.
---------------------------------------------------------------------------
In light of these risks and the increasing sophistication of
cybercriminals and bad actors, it is appropriate to approve the
Participants' proposal to eliminate the requirement
[[Page 2176]]
that the CAT collect Name, Address, and YOB for all Customers,
including foreign Customers and legal entities. The Commission
considered the trade-off between the protection of investors' personal
information and losses to regulatory efficiency that would result from
eliminating this information from the CAT and has concluded that the
regulatory benefit of collecting the Name, Address, and YOB for
Customers no longer justifies the associated risks. Even if the CAT no
longer collects the Name, Address, and YOB (as applicable) for these
individuals and legal entities, broker-dealers would still be required
to transform SSNs/ITINs/government issued ID numbers into interim
values and report those TIDs to the CCID Subsystem for each order, such
that the system of generating CCIDs will not be materially impacted.
The Commission finds that the proposed modifications to the CAT NMS
Plan are reasonably designed to implement the CAIS Exemption Order and
CCID Exemption Order and to remove references to Name, Address, and
YOB. This includes modifications to sections 9.1 and 9.2 of Appendix D
of the CAT NMS Plan, which would modify the CAT to capture and store
the more limited Reference Data in the Proposed Amendment, state that
TIDs must be accepted by the CAT, and eliminate reporting requirements
inconsistent with reduced reporting of Customer information. The
modification of the term ``Firm Identifier Number'' to ``Firm
Designated ID'' is also reasonable, as this more accurately defines a
number that is currently reported by CAT reporters on all orders
generated for a particular account.
In addition, proposed changes in the Proposed Amendment designed to
maintain current processes are reasonable and should be approved.
Specifically, maintaining the process for monitoring and documenting
access to the Reference Database and FDID validations processes is
appropriate and would help ensure the security of the Reference
Database and the accuracy of FDID data.\176\ The Participants state
that following the implementation of the Proposed Amendment, the Plan
Processor will record all access to, and all queries of, data stored in
the Reference Database in a series of logs that can be used to generate
periodic reports in the same way that the Plan Processor currently
records and tracks access to the broader CAT System.\177\ In addition,
the Participants confirm that FDID validations would not change as a
result of implementing the Proposed Amendment, and that the Plan
Processor would continue to perform the same consistency checks that it
currently performs today to confirm that all FDIDs reported to the
transaction database exist in the Reference Database and were active on
the relevant transaction date.\178\
---------------------------------------------------------------------------
\176\ See proposed Sections 4.1.4 and 9.1 of Appendix D of the
CAT NMS Plan; CAT December Response Letter, at 4-5.
\177\ See CAT December Response Letter, at 4.
\178\ Id. at 5.
---------------------------------------------------------------------------
The proposed modifications to definitions in the CAT NMS Plan are
also reasonable. Specifically, it is appropriate to modify the
definition of ``Customer Account Information'' to ``Account Reference
Data,'' and remove account number and customer type as elements of
Customer Account Information, because pursuant to the Proposed
Amendment these elements would no longer be reportable to the CAT.\179\
Similarly, it is reasonable to modify the definition of ``Customer
Identifying Information'' by changing it to ``Customer Reference
Data,'' and removing references to name, address, date of birth, ITIN,
SSN removed for individuals and name, address, and EIN for legal
entities. Pursuant to the Proposed Amendment, these fields will no
longer be reportable to the CAT.\180\ It is also reasonable to remove a
reference to ``other information of sufficient detail to identify a
Customer'' for legal entities from the definition of ``Customer
Reference Data,'' because the Proposed Amendment modifies Customer
reporting requirements to be limited to a specific list of categories
of Customer information that will still be maintained by the CAT.\181\
---------------------------------------------------------------------------
\179\ See proposed Section 1.1.
\180\ See id.
\181\ See id.
---------------------------------------------------------------------------
The removal of the defined term PII, as well as changes throughout
the CAT NMS Plan to replace references to ``PII'' or ``Customer Account
Information and Customer Identifying Information'' to references to
``Reference Data,'' or otherwise remove the concept of ``PII'' from
relevant portions of the CAT NMS Plan, is reasonable.\182\ ``PII'' was
a term used in the CAT NMS Plan to distinguish certain Customer data
elements as particularly sensitive and warranting additional levels of
protection (e.g., SSNs/ITINs, addresses), but without the reporting of
these Customer data elements the definition and PII-specific CAT NMS
Plan provisions are no longer necessary. The continued inclusion of the
term PII could also imply that the CAT system is collecting personal
data about Customers that it will no longer be accepting after the
Proposed Amendment.
---------------------------------------------------------------------------
\182\ See proposed Sections 6.2(a)(v)(C), 6.2(b)(v)(F),
6.4(d)(ii), and 6.10(c)(ii), and Appendix D, Sections 4.1; 4.1.2;
4.1.4; 4.1.6; 6.2, 8.1.1; 8.1.3; 8.2; 8.2.2; 9.1 and 10.1.
---------------------------------------------------------------------------
In addition, the proposed addition of footnotes to the definition
of ``Full Availability and Regulatory Utilization of Transactional
Database Functionality'' \183\ is designed to maintain the existing
meaning of the defined term and avoid retroactively changing the
meaning of a FAM-related term. Specifically, the definition of ``Full
Availability and Regulatory Utilization of Transactional Database
Functionality'' references ``Customer Identifying Information'' and
``Customer Account Information,'' which terms are being replaced by the
terms ``Customer Reference Data'' and ``Account Reference Data.''
Because the replacement terms refer to a narrower scope of customer-
and-account related information than do the original terms,\184\ the
proposed footnotes are important to clarify that those previously
defined terms maintain the same meaning as they did when the Financial
Accountability Milestones Order was first issued, even though they will
no longer appear in the CAT NMS Plan, and that more broadly, the
definition added by the Financial Accountability Milestones Order
maintains the same meaning as it did before in spite of modifications
to other definitions in the CAT NMS Plan approved January 12, 2026.
---------------------------------------------------------------------------
\183\ See proposed Section 1.1 of the CAT NMS Plan; CAT LLC
December Response Letter, at 2-3.
\184\ See CAT LLC December Response Letter, at 3.
---------------------------------------------------------------------------
The removal of reporting requirements relating to EINs is likewise
reasonable. The Commission agrees with the reasoning of the
Participants that requiring the reporting of EINs, in plain text and
with the same number of digits as SSNs, increases the risk of improper
reporting of SSNs. The Participants state that even in the absence of
EIN reporting, the Plan Processor's ability to create a unique CCID
would not be affected as Industry Members would continue to report a
translated TID value (based on EIN) to the CCID Subsystem.\185\ The
Commission notes that the Participants state that even if the EIN field
is eliminated, ``regulators would retain the ability to search by EIN
for a CCID value.'' \186\
---------------------------------------------------------------------------
\185\ See CAT LLC May Letter, at 6.
\186\ See id.
---------------------------------------------------------------------------
The elimination of the requirement that the Plan Processor design
and implement procedures and mechanisms to handle minor and material
[[Page 2177]]
inconsistencies in Customer information is also appropriate. As noted
above, one commenter specifically supports eliminating requirements
relating to the handling of inconsistencies and requests that CAT LLC
remove all outstanding material inconsistencies.\187\ The Participants
explain that elimination of this requirement is consistent with the
Proposed Amendment because the Plan Processor currently accounts for
minor inconsistencies in how CAT Reporters report data to CAT that
would no longer be reported--customer addresses and years of
birth.\188\ It is reasonable to remove this provision in light of the
customer information that will no longer be reported to the CAT.
---------------------------------------------------------------------------
\187\ See FIF April Letter, at 2.
\188\ See CAT May Letter, at 8-9.
---------------------------------------------------------------------------
Rule 613 and the CAT NMS Plan
Although one commenter raises concerns regarding statutory
authority and the Fourth Amendment \189\ the Commission is not, in this
proceeding, reconsidering or revisiting the decision to establish a
consolidated audit trail or to approve the CAT NMS Plan. Rather, the
Commission is reviewing an SRO-initiated amendment to the CAT NMS Plan
pursuant to Rule 608--an amendment that is intended to mitigate many of
the privacy and security concerns highlighted by the commenter. In any
event, CAT falls within the Commission's authority under the Exchange
Act and does not violate the Fourth Amendment.\190\
---------------------------------------------------------------------------
\189\ See Data Boiler Letter, at 4.
\190\ See, e.g., SEC's Opposition to Petitioners' Motion for
Stay and Injunctive Relief at 11-13, Am. Secs. Ass'n v. SEC, No. 23-
13396 (11th Cir. Sept. 30, 2024); SEC Defendants' Motion to Dismiss
and Opposition to Plaintiff's Preliminary-Injunction Motion at 37-
47, Davidson v. Gensler, No. 6:24-cv-00197 (W.D. Tex. July 12,
2024); Securities Exchange Act Release No. 98290 (Sept. 6, 2023), 88
FR 62628, 62672-73 (Sept. 12, 2023), vacated on other grounds by Am.
Secs. Ass'n v. SEC, 147 F.4th 1264 (11th Cir. 2025).
---------------------------------------------------------------------------
C. Removal of Previously Reported Customer Data
The Proposed Amendment would add a new section 9.5 to Appendix D of
the CAT NMS Plan, ``Deletion from CAIS of Certain Reported Customer
Data,'' which would require CAT LLC to direct the Plan Processor to
delete from CAIS all existing Customer data and information
contemplated by the Proposed Amendment,\191\ and state that such
Customer data and information would not constitute records that CAT LLC
must retain under Exchange Act Rule 17a-1.\192\ Section 9.5 would also
state that CAT LLC or the Plan Processor would be permitted to delete
any such information that has been improperly reported by an Industry
Member to the extent that either becomes aware of such improper
reporting through self-reporting or otherwise. This provision would
also require CAT LLC to direct the Plan Processor to document all
deletions of Customer information from the Reference Database and
provide periodic reports of all such deletions to the CAT Operating
Committee.
---------------------------------------------------------------------------
\191\ See proposed section 9.5 of Appendix D of the CAT NMS
Plan. Specifically proposed section 9.5 of Appendix D would require
the following data attributes be deleted or otherwise made
inaccessible to regulatory users: Customer name, Customer address,
account name, account address, authorized trader names list, account
number, day of birth, month of birth, year of birth, and ITIN/SSN.
See id.
\192\ Id. Because the CAT NMS Plan cannot overrule the Exchange
Act and because the Commission is granting exemptive relief from
these requirements, the Commission is modifying the proposed text of
new section 9.5 to delete this reference and issuing the
accompanying Exemptive Relief, as discussed below.
---------------------------------------------------------------------------
Commenters generally support the deletion of previously reported
customer data information.\193\ One commenter, a Participant, states
that retaining historical information would ``not provide sufficient
regulatory benefit when balanced against the privacy and security
risks,'' and states that ``this is particularly true since the
previously reported data would no longer be actively maintained or
validated, and thus, its reliability would diminish over time.\194\
However, as noted above, one commenter objects to the Proposed
Amendment generally, stating that, among other things, a purpose of CAT
was to allow regulators to identify the parties responsible for each
order and that the Proposed Amendment would make it more difficult for
the SEC to identify securities law violators.\195\ Another commenter
states that the retention of Account Reference Data and Customer
Reference Data, combined with the documentation and review of the
deletion of Customer information from the Reference Database, would
allow for the possibility of reverse-engineering to reconstruct the
private information.\196\
---------------------------------------------------------------------------
\193\ See FIF May Letter, at 2. FINRA Letter, at 1-2, 10; SIFMA
Letter.
\194\ See FINRA Letter, at 10.
\195\ See Better Markets Letter.
\196\ See Data Boiler Letter, at 2.
---------------------------------------------------------------------------
The Participants state that deleting all historical customer
information would improve operational efficiency and would be the most
straightforward and efficient way to remove sensitive information that
is currently held in the customer information database.\197\ The
Participants also assert that deleting all historical customer
information would have minimal impact on regulatory efficiency, because
the Plan Processor would continue to create a unique CCID for each
customer and provide daily CCID enrichment of transaction data,
allowing regulatory users to conduct cross-market, cross-broker, and
cross-account surveillance of a single customer's trading
activity.\198\ The Participants state that deleting the information
would reduce cloud hosting fees by approximately $2 to $4 million per
year and lower Plan Processor operating fees by $5 million, which would
outweigh any additional cost associated with the need to obtain Name,
Address, and YOB data directly from Industry Members when that
information is needed.\199\
---------------------------------------------------------------------------
\197\ See CAT LLC September Response Letter.
\198\ See id. at 5.
\199\ Id. 4-5.
---------------------------------------------------------------------------
The Participants' proposal to eliminate existing Customer data
information from CAIS is reasonable and should be approved. Merely
eliminating the prospective reporting of customer data and information
would leave a significant amount of older Customer data and information
in CAIS and thus only partially address the risks of a security breach.
Moreover, such information would no longer be subject to updates or
corrections and thus become less reliable and useful over time in any
event. And, according to the Participants, eliminating the data will
result in substantial cost savings. The Commission also believes that
the requirement that the Plan Processor document all deletions of
Customer information and provide reports to the CAT Operating Committee
will help ensure that the Participants are effectively monitoring the
Plan Processor's elimination of Customer information and ensure that
customer information is deleted in a thoughtful and appropriate manner.
The Commission disagrees with the commenter that believes that Customer
account information, once deleted, could be ``reverse-engineered''
through other information maintained by the CAT to ``reconstruct the
entire [Customer Account Information] and [Customer Identifying
Information] privacy information..\200\ The requirement to document
deletions of Customer information does not require the documentation of
Customer information itself, and the deleted Customer information will
not be accessible to regulators once the Proposed Amendment is fully
implemented.\201\
---------------------------------------------------------------------------
\200\ See Data Boiler Letter, at 2.
\201\ See CAT LLC December Response Letter, at 5 (stating that
logs required by proposed section 9.5 of Appendix D will include
both the time of and reason for each deletion); proposed section 9.5
of Appendix D (requiring CAT LLC to direct the Plan Processor to
develop and implement a mechanism to delete from CAIS, or otherwise
make inaccessible to regulatory users, certain Customer
information).
---------------------------------------------------------------------------
[[Page 2178]]
In conjunction with proposed section 9.5 of Appendix D of the CAT
NMS Plan, the Participants specifically request, ``[t]o the extent that
the Commission deems it necessary,'' exemptive relief from Rule 17a-1
under the Exchange Act with respect to existing Customer data and
information in CAIS on a retroactive and prospective basis.\202\ Such
relief is necessary in order to effectuate the Proposed Amendment, as
Rule 17a-1 would otherwise require the customer data and information in
CAIS be preserved by the Participants. \203\ The Commission finds that
it is appropriate in the public interest and consistent with the
protection of investors under section 36 of the Exchange Act,\204\ as
well as consistent with the public interest, the protection of
investors, the maintenance of fair and orderly markets and the removal
of impediments to, and the perfection of, a national market system
under Rule 608(e) under the Exchange Act,\205\ to grant relief that
exempts each Participant from the recordkeeping and data retention
requirements for Customer data and information in the CAIS that is
subject to section 9.5 of Appendix D of the CAT NMS Plan and that
otherwise would apply as set forth in Rule 17a-1 under the Exchange
Act. This relief applies only to the Participants' obligation to keep
and preserve the customer information and records in CAIS. It does not
apply to any customer information or records that the Participants are
required to keep and preserve outside of CAIS.
---------------------------------------------------------------------------
\202\ See Notice, at 12850.
\203\ Rule 17a-1 requires national securities exchanges and
national securities associations, among others, to keep and preserve
at least one copy of all documents, including all correspondence,
memoranda, papers, books, notices, accounts, and other such records
as shall be made or received by it in the course of its business as
such and in the conduct of its self-regulatory activity. 17 CFR
240.17a-1.
\204\ 17 CFR 242.608(e).
\205\ 17 CFR 240.17a-1.
---------------------------------------------------------------------------
However, pursuant to Rule 608(b)(2),\206\ the Commission is
modifying proposed section 9.5 of Appendix D of the CAT NMS Plan as
described below. In the Proposed Amendment, section 9.5 of Appendix D
would state that ``[n]otwithstanding any other provision of the CAT NMS
Plan, this Appendix D, or the Exchange Act, CAT LLC shall direct the
Plan Processor to develop and implement a mechanism to delete from CAIS
. . .'' (emphasis added).\207\ In addition, the provision would state,
``[f]or the avoidance of doubt, such data attributes do not constitute
records that must be retained by CAT LLC under Exchange Act Rule 17a-
1.'' \208\ An NMS plan, however, cannot void or otherwise modify the
requirements of the Exchange Act. The CAT NMS plan is a contractual
agreement among the Participants created pursuant to the Exchange Act
and, absent an exemption or other relief, the NMS Plan and the
Participants themselves are subject to applicable Exchange Act
requirements. In addition, this reference to Exchange Act Rule 17a-1 is
unnecessary given the exemptive relief granted above. Thus, the
Commission is modifying section 9.5 of the CAT NMS Plan to remove the
references to the Exchange Act and Exchange Act Rule 17a-1. The
approved section 9.5 of Appendix D of the CAT NMS Plan is shown below:
---------------------------------------------------------------------------
\206\ 17 CFR 242.608(b)(2).
\207\ See Notice of Amendment No. 2, at 56231.
\208\ Id.
---------------------------------------------------------------------------
9.5 Deletion From CAIS of Certain Reported Customer Data
Notwithstanding any other provision of the CAT NMS Plan or this
Appendix D, CAT LLC shall direct the Plan Processor to develop and
implement a mechanism to delete from CAIS, or otherwise make
inaccessible to regulatory users, the following data attributes:
Customer name, Customer address, account name, account address,
authorized trader names list, account number, day of birth, month of
birth, year of birth, and ITIN/SSN. CAT LLC or the Plan Processor shall
be permitted to delete any such information that has been improperly
reported by an Industry Member to the extent that either becomes aware
of such improper reporting through self-reporting or otherwise. CAT LLC
shall direct the Plan Processor to document all deletions of Customer
information from the Reference Database and provide periodic reports of
all such deletions to the Operating Committee.
In comparison to proposed section 9.5 of the CAT NMS Plan in the
Proposed Amendment, as modified by Amendments No. 1 and 2, the
following changes would apply. Deletions are shown through [brackets],
and additions are shown with italics:
9.5 Deletion From CAIS of Certain Reported Customer Data
Notwithstanding any other provision of the CAT NMS Plan[,] or this
Appendix D[, or the Exchange Act], CAT LLC shall direct the Plan
Processor to develop and implement a mechanism to delete from CAIS, or
otherwise make inaccessible to regulatory users, the following data
attributes: Customer name, Customer address, account name, account
address, authorized trader names list, account number, day of birth,
month of birth, year of birth, and ITIN/SSN. [For the avoidance of
doubt, such data attributes do not constitute records that must be
retained by CAT LLC under Exchange Act Rule 17a-1.] CAT LLC or the Plan
Processor shall be permitted to delete any such information that has
been improperly reported by an Industry Member to the extent that
either becomes aware of such improper reporting through self-reporting
or otherwise. CAT LLC shall direct the Plan Processor to document all
deletions of Customer information from the Reference Database and
provide periodic reports of all such deletions to the Operating
Committee.
D. Implementation
The Participants state that the Proposed Amendment will save
between $7 million and $9 million annually after an implementation cost
of $4.5 million to $5.5 million. In order to achieve these savings, the
Participants state that the Plan Processor would need to eliminate the
software that is required to support regulatory queries of Name,
Address, and YOB.\209\ As discussed above, regulators have other ways,
even if less efficient, to obtain this information from broker-dealers.
One commenter recommends a two-phase implementation, with the first
phase allowing Industry Members to continue to report fields that
contain PII, but the CAIS system would not record or store those
fields, and a second phase where all Industry Members would be
prohibited from reporting PII.\210\ This commenter states that this
implementation approach will give firms that need more time to update
their systems the chance to do so, while allowing firms for whom it
does not take as long to cease reporting faster.\211\ This commenter
also asks that, upon approval of the Proposed Amendment, that CAT LLC
remove all error codes and outstanding rejections relating to the
fields that will no longer be reportable to the CAIS.\212\
---------------------------------------------------------------------------
\209\ Id.
\210\ See FIF April Letter, at 2.
\211\ See id. at 3.
\212\ See id. at 7.
---------------------------------------------------------------------------
The Participants responded to this commenter to provide more
detailed information regarding how the Proposed Amendment would be
implemented, if approved.\213\ The commenter that recommended a two-
phase implementation plan above responded
[[Page 2179]]
to the Participants to state that its members support the phased
approach proposed by the Participants.\214\
---------------------------------------------------------------------------
\213\ See CAT LLC May Response Letter, at 16.
\214\ See FIF July Letter, at 12.
---------------------------------------------------------------------------
In their response, the Participants state that any implementation
schedule will be designed to allow the Plan Processor and Industry
Members adequate time to finalize Technical Specifications and
guidance, and to develop, test and implement the necessary changes to
firm systems in order to comply with the Proposed Amendment.\215\ The
Participants outline a potential phased implementation schedule to
include the following key phases, but state that this is subject to
change based on discussions among the Participants, the Plan Processor,
Industry Members, and Commission staff: \216\
---------------------------------------------------------------------------
\215\ See CAT LLC May Response Letter, at 16-17.
\216\ Id.
---------------------------------------------------------------------------
<bullet> Stop providing visibility to regulators of existing Names,
Addresses, and YOBs in CAT--approximately 3 months from effective date;
<bullet> Continue to accept submissions from Industry Members that
include Names, Addresses, and YOBs, but stop processing any such
information in CAT (such Customer information would remain on the as-
submitted file)--approximately 3 months;
<bullet> Reject any submissions from Industry Members that continue
to include Names, Addresses, and YOBs (i.e., Industry Members would no
longer be able to report these fields to CAIS)--approximately 6 months
or more depending on the amount of time required for Industry Members
to update their reporting systems;
<bullet> Delete all existing Names, Addresses, and YOBs (as well as
any other sensitive Customer data and information contemplated by the
Proposed Amendment) from the CAT--approximately 9-12 months after the
data migration is completed and verified; it will take approximately 2-
3 months to permanently remove old data.
The Commission agrees that a phased implementation schedule is
appropriate, to help assure that the removal of PII from the CAT is
implemented in a careful and efficient manner, with minimal impact on
other CAT Data.\217\ The Commission, however, encourages the Plan
Processor to extend the approximately three month period for providing
regulators with visibility into the existing Names, Addresses, and YOBs
in CAT, to provide regulators with sufficient transition time. The
Commission also believes that it may be appropriate for the Plan
Processor to extend the phased implementation schedule in light of
pending amendments \218\ to the CAT NMS Plan that, if approved, could
require the Plan Processor to make further changes to CAIS and Industry
Members to make changes to their reporting systems.
---------------------------------------------------------------------------
\217\ See FIF July Letter, at 12 (stating that ``FIF members
support the phased approach proposed by CAT LLC in the amended
filing for implementing the removal of PII from CAT.'').
\218\ Securities Exchange Act Release No. 104504 (Dec. 23,
2025); 90 FR 61506 (Dec. 31, 2025).
---------------------------------------------------------------------------
IV. Efficiency, Competition, and Capital Formation
In determining whether to approve an amendment to the CAT NMS Plan
and whether that amendment is in the public interest, Rule 613 requires
the Commission to consider the impact of that amendment on efficiency,
competition, and capital formation.\219\ The Participants stated that
the Proposed Amendment will have a positive impact on competition,
efficiency, and capital formation. Based on its analysis, the
Commission concludes that the Proposed Amendment will result in cost
savings that will improve the operational efficiency of the CAT central
repository. These savings in operating costs will have a small positive
effect on competition, while the changes to CAIS Data will reduce the
efficiency of some regulatory workflows. Effects on market efficiency
and capital formation, stemming from the impacts of the Proposed
Amendment on regulatory and operational efficiencies, will likely be
second-order and limited. The Commission recognizes, however, that
while the Proposed Amendment, in combination with the CAIS Exemption
Order, will reduce the costs to operate the CAT central repository, it
will also require regulators to seek alternatives to CAIS for certain
regulatory activities, which are less efficient and will increase costs
for Industry Members.
---------------------------------------------------------------------------
\219\ 17 CFR 242.613(a)(5).
---------------------------------------------------------------------------
A. Baseline
In analyzing the impact of the Proposed Amendment on efficiency,
competition and capital formation, the Commission considered the
current reporting, use, and state of CAIS Data as the baseline.
Specifically, the baseline consists of the characteristics \220\ and
the actual and potential regulatory usages of CAT Data, in the absence
of the Proposed Amendment. The baseline includes the CCID Exemption
Order and the CAIS Exemption Order.
---------------------------------------------------------------------------
\220\ Characteristics include the scope of data fields that are
included in CAT Data, as well as how these fields are described in
data specifications provided by FINRA CAT and populated by CAT
Reporters.
---------------------------------------------------------------------------
1. CAIS Exemption Order
The baseline takes into account the exemptive relief that has been
granted since the implementation of the CAT NMS Plan, which has changed
the information that is reported to and maintained within CAIS.\221\
The CAT NMS Plan originally required that Industry Members report the
following customer information: the Firm Designated ID; the Customer's
name, address, date of birth; individual tax payer identifier number
(``ITIN'')/social security number (``SSN''); individual's role in the
account (i.e., primary holder, joint holder, guardian, trustee, person
with power of attorney); and LEI, and/or Large Trader ID
(``LTID'').\222\ Under the CCID Exemption Order, the Commission issued
relief that exempted the Participants from collecting or retaining an
individual's SSN or ITIN, as well as date of birth and account numbers.
The CAIS Exemption Order provided relief from requirements relating to
reporting of the names, addresses and years of birth of natural persons
reported with transformed SSNs or ITINs to CAIS; this exemptive relief
does not extend to foreign nationals or legal entities. Because some
Industry Members have stopped reporting and/or updating this
information, over time, the data covered by the exemption (mostly the
names, addresses, and years of birth of U.S.-based natural persons) are
expected to become increasingly unreliable and/or unavailable in CAIS.
---------------------------------------------------------------------------
\221\ See supra notes 21-27 and accompanying text.
\222\ See CAT NMS Plan Approval Order, at 84715.
---------------------------------------------------------------------------
The changes to CAIS data resulting from the CAIS Exemption Order
have resulted in, and would have continued to result in, changes to the
manner in which regulators perform regulatory duties that require
identifying individual customers who might be U.S. natural persons, or
linking trading activity to customer data in CAIS when the trading data
might be from U.S. natural persons. These changes have reduced
regulatory efficiency,\223\ which refers to the efficiency of
regulatory activities conducted by SROs and/or the Commission necessary
to protect investors, maintain fair, orderly, and efficient markets,
and facilitate capital formation. Regulators can currently access CAIS
to obtain customer information when such information is needed; in many
instances, the CAIS data sought may not be covered by the CAIS
Exemption, in which case they would still be available to regulators in
the CAT, or it may not have become stale since the exemption went into
[[Page 2180]]
effect. But, as a result of the CAIS Exemption, certain tasks that
regulators could perform using CAIS data--such as identifying a
particular customer who might be a U.S. natural person who is
associated with specific transactions--may currently and increasingly
would have required regulators to request identifying information
associated with a CAT Customer-ID (``CCID'') from Industry Members by
using EBS requests or other ad hoc data requests.\224\ The need to make
such requests delays regulatory tasks that require such information
because regulators must create data requests and communicate them to
Industry Members and then regulators must process responses to these
requests and combine resulting data with transaction data from CAT or
other sources.\225\ The state of CAIS data usage in regulatory
activities is discussed further in the baseline sections that follow.
---------------------------------------------------------------------------
\223\ See CAIS Exemption Order, at 9645, where the Commission
acknowledged this effect.
\224\ This is discussed further in section IV.A.2, infra.
\225\ See CAT NMS Plan Approval Order, at 84814 and 84826,
discussing the inefficiencies associated with combining data
sources. See also infra note .
---------------------------------------------------------------------------
The Participants stated that the CAIS Exemptive Relief would not
result in cost savings for the Plan Processor.\226\ However, additional
data requests by regulators as a result of the CAIS Exemption Order
have increased, and would continue to increase, Industry Member costs,
because Industry Members invest staff time and other resources to
respond to ad hoc data requests.\227\ In addition, the exemptive relief
has resulted in some Industry Members incurring certain implementation
costs associated with changes to CAIS data reporting. On the other
hand, Industry Members that relied upon the exemption to reduce their
CAIS data reporting likely would ultimately incur reduced CAT Data
reporting costs because reporting requirements would cover less
customer data overall and Industry Members would not have to resolve
reporting errors returned by the Plan Processor associated with data
they no longer reported.
---------------------------------------------------------------------------
\226\ ``[T]he Plan Processor must maintain all software that is
required to continue to accept such Customer information for those
Industry Members who choose to continue reporting it, as well as to
support regulatory queries of Name, Address, and YOB data for non-
exempted persons. Consequently, the CAIS Exemption Order will not
result in any cost savings.'' Notice, at 12847.
\227\ These increased ad hoc data requests would not just impact
Industry Members that relied upon the exemption to reduce their CAIS
data reporting because regulators would not be able to determine
whether data that had not been updated recently was stale, or
whether the data was reliable but recently unchanged. Consequently,
regulators would need to make more ad hoc data requests because CAIS
data was, in its entirety, less reliable and regulators would often
not be able to tell what CAIS data had become unreliable.
---------------------------------------------------------------------------
Because the CAIS Exemption Order forms part of the baseline with
respect to the reporting and use of CAIS data, the economic effects of
the CAIS Exemption Order are discussed in greater detail in the
following sections of the baseline. The discussion of effects on
efficiency, competition, and capital formation below considers the
incremental effects of the Proposed Amendment beyond the effects of the
CAIS Exemption Order.
2. Regulatory Use
(a) CAIS Data
CAT Data was intended to improve regulators' ability to perform
analysis and reconstruction of market events,\228\ market analysis and
research that informs policy decisions, regulatory activities such as
market surveillance, examinations and investigations, and enforcement
functions in an efficient and effective manner.\229\ Regulators rely on
the CAIS data for a subset of these regulatory activities. In the CAT
NMS Plan Approval Order, the Commission explained how investors benefit
from the CAT-enabled improvements to such regulatory activities.\230\
This baseline discussion considers how the CAT data elements being
removed from the CAIS data by the Proposed Amendment are currently used
by regulators, and how this usage is anticipated to change absent the
Proposed Amendments whose effects are analyzed in a later section.
---------------------------------------------------------------------------
\228\ In market reconstructions, regulators aim to provide an
accurate and factual accounting of what transpired during a market
event. These market events often encompass activities in many
securities across multiple trading venues. See CAT NMS Plan Approval
Order, at 84805.
\229\ See id. at 84833-84840.
\230\ A discussion of the expected benefits and regulatory usage
of the CAT NMS Plan is available in the CAT NMS Plan Approval Order.
See CAT NMS Plan Approval Order, at 84816-40.
---------------------------------------------------------------------------
CAT maintains transaction data in the Central Repository, separate
from customer and account information, which is maintained in CAIS. In
CAT data, customers are uniquely identified by a CAT Customer ID
(``CCID''), which is attached to all of a customer's account records in
CAIS (allowing regulators to connect together all of a customer's
accounts, even those held with different Industry Members) and to all
transaction records pertaining to the customer (allowing regulators to
obtain all of a customer's transaction records across all
accounts).\231\ Changes to customer and account information maintained
in CAIS do not affect related CAT transaction data; CAT transaction
records do not themselves contain information about the customer(s) in
a transaction, but can instead be connected to customer and account
records obtained from CAIS using CCID.
---------------------------------------------------------------------------
\231\ Also attached to CAT transaction records is the customer's
FDID, which identifies the customer but not uniquely: a customer may
have multiple FDIDs associated with their different accounts.
---------------------------------------------------------------------------
Access to CAT data by default does not confer access to CAIS data;
regulators must separately request and be approved for access to CAIS
data.\232\ CAIS data, including PII stored in CAIS, are not returned in
the results of online or direct query tools used to access CAT
transaction data and are instead accessed using separate query tools.
Access to CAIS data is logged and monitored to lower the risk of data
misuse.\233\
---------------------------------------------------------------------------
\232\ See Appendix D to the CAT NMS Plan, at 15.
\233\ One commenter stated that monitoring and documenting
access to reference data ``exposes a higher risk than it intends to
address.'' See Data Boiler Letter at 3. The creation of this data
trail improves the security of CAIS data by potentially exposing
inappropriate access to this data by regulatory users.
---------------------------------------------------------------------------
Customer records in CAIS can be used to establish elements of the
identity of customers in CAT transaction data. Customer information
currently stored in CAIS for customers that are natural persons
includes (but is not limited to) names, addresses, YOBs, and customer
types; and for customers that are legal entities, such information
includes (but is not limited to) legal names, addresses, EINs, LEIs,
and customer types. Customer records can be linked to transaction
records by two unique identifiers, the FDID and the CCID. FDID is a
unique identifier for accounts, determined and reported by Industry
Members. Each FDID may be linked to one or more entities that are
holders of an account, and potentially to one or more other entities
that are authorized traders on an account, but not account holders.
Customers may have multiple FDIDs assigned to them by different
Industry Members with whom they hold accounts. CCID is a unique
identifier for customers and is computed from identifiers reported to
CAIS by Industry Members.\234\ CCIDs nominally correspond to customers
on a one-to-one basis and are therefore generally preferred over FDID
as a customer identifier by regulators.
---------------------------------------------------------------------------
\234\ The CCID is generated by applying certain computational
transformations to one of several identifiers; the identifier used
depends on the type of customer in question. See Foreign Input
Identifiers and Generating TID Values (2022) (``Foreign Input
Identifiers and Generating TID Values''), available at <a href="https://www.catnmsplan.com/sites/default/files/2022-04/04.12.22-CAIS-TSWG-Foreign-Input-Identifiers-and-TID.pdf">https://www.catnmsplan.com/sites/default/files/2022-04/04.12.22-CAIS-TSWG-Foreign-Input-Identifiers-and-TID.pdf</a>.
---------------------------------------------------------------------------
[[Page 2181]]
CAIS is useful for regulatory activities that involve connecting
customer or account data with transaction data. It is useful in quickly
establishing such connections in either direction: it can be used
either to run queries of CCIDs or FDIDs obtained from CAT transaction
data to obtain the corresponding customer information (``Queries of
CCID'') or to run queries of customer information for a particular
customer to obtain that customer's CCID or FDID (``Queries of Customer
Information''), enabling regulators to query the CAT transaction data
for that customer's transaction information. The ability to quickly
establish these connections is important for many regulatory
activities, although some regulatory functions predominantly require
establishing a connection only in one direction; Queries of Customer
Information are particularly useful when attempting to obtain
transaction information for a customer identified only by name or
address, as may be the case when investigating tips, complaints, and
referrals. CAIS aids in establishing these connections for customers
that are U.S. natural persons, non-U.S. natural persons, and legal
entities alike.
On occasion, investigations are resolved in early stages, using
only CAIS information and the CAT transaction information linked to a
CCID retrieved from CAIS. Resolution of matters using CAIS data without
making data requests to other regulators or Industry Members is cost
effective and efficient. However, often investigations involve
contacting Industry Members for additional information even when CAIS
data are available, for example to verify the completeness of
information obtained from CAT before proceeding further with an
investigation of potentially violative behavior indicated by the CAT
data, or to obtain information about related activity not required to
be reported to CAT such as ETF creations and redemptions.
The CAIS Exemption Order provides optional relief from the
requirement that Industry Members report customer names, addresses and
YOBs for U.S. natural persons (i.e., customers with transformed SSNs or
ITINs) to CAIS and that they correct errors in such information that
they previously reported. As such, the baseline of information on U.S.
natural persons is different than the baseline of information for non-
U.S. natural persons and legal entities, for which such exemptive
relief has not been granted, in that some of the information may not be
reported or updated for U.S. natural persons. Despite the CAIS
Exemption Order, many Industry members continue to report this
information for U.S. natural persons, and CAIS still retains
information previously required to be reported by Industry
Members.\235\ Under the baseline--that is, under the CAIS Exemption
Order, in the absence of the Proposed Amendment--the Commission expects
that, as a result of the CAIS Exemption Order, the Industry Members
that continue to report, update, and/or correct this information would
over time make changes to their reporting systems to no longer do
so.\236\ As a result, the Commission expects that over time this extant
CAIS data for U.S. natural persons would become less reliable, both in
the sense that CAIS would less reliably contain these types of
information for a given U.S. natural person customer and in the sense
that where it does so, it would less reliably be current; regulators
would not be able to tell which information still in CAIS was accurate,
and as such, would be less able to rely on such information in their
regulatory activities even to the extent that CAIS still contains such
information for a customer. Moreover, under the baseline, CAT's six-
year data retention policy would cause the extant data of this type in
CAIS to be removed over approximately six years following the CAIS
Exemption Order, thereby further reducing the likelihood that CAIS
would contain such information as time goes on.\237\
---------------------------------------------------------------------------
\235\ The Participants report that roughly 12% of CAIS records
include dummy values that the Plan Processor recommended to Industry
Members as substitutes for actual customer names, addresses and
years of birth. See CAT LLC September Response Letter, at 2.
\236\ The Commission understands that some CAT Reporters have
not yet made such changes since the CAIS Exemption Order. See id,
discussing the apparent prevalence of such changes. While there are
ongoing costs to maintaining systems that report this information,
which could be avoided by modifying the systems to no longer do so,
these modifications would also incur costs. The Commission expects
that some CAT Reporters have delayed making these modifications
because they could more cost-effectively implement them at a later
point in their systems' development lifecycle. Additionally, to the
extent that there is uncertainty as to the permanence of the CAIS
Exemption Order, some CAT Reporters may have delayed making these
changes as a precaution against the risk of the CAIS Exemption Order
being removed and necessitating that they then reverse the changes
to their reporting systems.
\237\ To the extent that some CAT Reporters would continue to
report this information for some time following the CAIS Exemption
Order, such reporting would extend the data retention period; the
Commission understands that such information would only be removed
from CAIS six years after it was reported. See supra note 248,
discussing this continued reporting.
---------------------------------------------------------------------------
Under the CAIS Exemption Order, address data for U.S. natural
persons would likely become unreliable more quickly than name data,
since changes of addresses are generally more common than name changes.
YOB data for U.S. natural persons would largely remain reliable until
they were removed from CAIS at the end of the data retention period,
since the only reason that this data should change is if it were
incorrectly reported and a subsequent correction was made.
Regulators have used CAT to identify the trading of individuals or
accounts, and many times CAT Data queries using CCIDs obtained from
CAIS formed a viable substitute for data that regulators would
previously have obtained through EBS or ad hoc data requests. The CAIS
Exemption Order reduces the effectiveness of Queries of CCID, which
seek to obtain the identity of customers using the CCID or FDID of
transactions of interest, and particularly the efficacy of Queries of
Customer Information, which seek to obtain a CCID or FDID using
specified customer information.
First, the CAIS Exemption Order would result in it gradually
becoming more difficult to determine the identity of U.S. natural
person customers associated with transactions of interest using Queries
of CCID, such as to follow-up when an SRO surveillance identifies
transactions for particular FDIDs or CCIDs in exception reports.
Because CAT transaction records identify customers in the transaction
using their CCID and FDID, the real-world identity of such customers is
not immediately apparent from the transaction record. It is currently
generally possible for regulators to obtain U.S. natural person
customers' name, address, and/or YOB from CAIS, but as this information
would become less reliable in CAIS, identifying the customer associated
with a CCID would, with increasing frequency, require regulators to
request information from other sources, such as a broker-dealer with a
relationship to the customer.\238\ It would therefore become
increasingly difficult and time-consuming to identify U.S. natural
person customers associated with transactions of interest.
---------------------------------------------------------------------------
\238\ The Commission expects that a typical workflow to
establish the identity of a customer from a CCID would involve first
identifying the broker-dealers and FDIDs associated with the
customer in CAIS, and then submitting an EBS or ad-hoc data request
to broker-dealers for customer and account information associated
with the FDID they submitted.
---------------------------------------------------------------------------
[[Page 2182]]
Second, when a regulator needs to investigate the trading of a
specified U.S. natural person,\239\ regulators would more frequently,
under the CAIS Exemption Order, find that Queries of Customer
Information in CAIS data would be unable to return the CCID necessary
to identify the transaction data associated with the customer. In
particular, a search of CAIS using customer information may not return
that customer's CCID if the customer's information in CAIS is stale or
unavailable. This could increasingly make it necessary for regulators
to obtain some non-CAT data linking the customer to their CCID, which
would generally be more difficult.\240\ Further, requesting a
customer's FDID from Industry Members could be impractical for U.S.
natural person customers if regulators are unaware of which broker-
dealers service the customer and the customer does not have an
alternative identifier, such as an LTID.\241\
---------------------------------------------------------------------------
\239\ For example, when a member of the public submits a tip
that a particular individual has engaged in insider trading.
\240\ Name, address, and YOB data in CAIS would remain accurate
for some customers, allowing regulators to obtain these customers'
CCIDs from CAIS. Additionally, there might remain other ways of
obtaining some customers' CCIDs from CAIS even without accurate
name, address, and YOB data: for example, where a CAT Customer has
an LTID recorded in CAIS, and this LTID is known to a CAT user, the
user might be able to use this identifier to find the customer's
CCID. The CAT NMS Plan requires Industry Members to report the LTIDs
of their customers when the customer has these identifiers and the
Industry Member has this information. The Commission understands
LTIDs to be vastly more common among legal entities than natural
persons; however, since it is possible for a U.S. natural person
customer whose PII is no longer accurately recorded within CAIS to
have an LTID, this may serve as an alternative means of identifying
such a customer following the CAIS Exemption Order. See CAT NMS
Plan, at 48.
\241\ For example, in a case where regulators receive concerning
information about a customer's potentially violative trading without
information on which broker-dealers service that customer,
regulators would not be able to obtain the customer's FDID from just
those broker-dealers. Instead, determining this customer's CCID and
FDID in the absence of name, address, and YOB data in CAIS could
involve sending a ``scattershot'' EBS or ad-hoc data request to a
large number of broker-dealers who may or may not have a
relationship with this customer, which would impose costs on most of
these broker-dealers such that regulators could determine that such
an approach is impractical.
---------------------------------------------------------------------------
One commenter stated, ``[s]ince the Commission exempted reporting
of certain personally identifiable information (`PII') from the CAT,
the NYSE Exchanges have reverted to using blue sheet requests to
broker-dealers to obtain customer data for regulatory uses.'' \242\ The
Commission interprets this as an indication that regulators already
have begun falling back on data requests to Industry Members as a
replacement for the data no longer required to be reported to CAIS.
---------------------------------------------------------------------------
\242\ See NYSE Letter, at 3.
---------------------------------------------------------------------------
(b) Use of CCID as Unique Identifier
The purpose of the CCID is to act as a unique identifier for
customers, bridging multiple accounts, possibly at multiple broker-
dealers, that belong to the same customer. CCID thus allows regulators
to easily obtain all of a customer's transaction information, rather
than just the transaction information for a single known account
belonging to the customer. The Participants have described the CCID as
``one of the critical innovations of CAT'' and noted that it allows
regulators ``the ability to identify a Customer's market activity
across multiple exchanges, broker-dealers, and accounts.'' \243\
---------------------------------------------------------------------------
\243\ See CAT LLC May Response Letter, at 17-18, CAT LLC
September Response Letter, at 4-5.
---------------------------------------------------------------------------
The Commission understands the CCID to be generally reliable as a
unique customer identifier. The Participants have stated that the Plan
Processor performs certain validation checks upon information submitted
to CAIS \244\ and that ending the collection of customer information
(as under the CAIS Exemption Order) would not significantly impact the
thoroughness of validations performed upon information that continues
to be submitted to CAIS. The Commission concurs with this assessment,
but notes that these validations are not, and likely cannot be,
sufficient to perfectly detect errors \245\ in CCID assignment,\246\
and that there likely exists a small but non-zero rate of these errors.
The Commission also understands there to be concerns about the accuracy
of CCIDs for customers that are non-U.S. natural persons,\247\ for whom
there may be a greater rate of errors in CCID assignment, as well as
for certain other types of customer.\248\ The Commission staff
understands from its experience that errors of this nature associated
with U.S. natural persons and legal entities are not routinely
discovered and are thus likely rare.\249\
---------------------------------------------------------------------------
\244\ E.g., to verify that a Transformed ID (TID) is a
correctly-transformed SSN, ITIN or EIN. See also Foreign Input
Identifiers and Generating TID Values.
\245\ There are broadly two types of errors that would cause
CCIDs to be less effective as a unique customer identifier:
assignment of multiple CCIDs to the same customer, and assignment of
the same CCID to multiple customers. Either type could conceivably
occur due to errors in data entry, data transmission, or the process
by which CCIDs are generated and assigned. In cases where a customer
is mistakenly assigned multiple CCIDs, this could lead regulators to
be unable to correctly identify all of a customer's trading activity
during an investigation. In cases where the same CCID is mistakenly
assigned to multiple customers, this could lead regulators to
mistakenly associate these customers' trading activity with the
others' during an investigation.
\246\ To give one example, the Commission does not believe that
these validations would generally be sufficient to detect that the
TID reported to CAIS was generated using an SSN in which two digits
had been transposed due to typographical error. Additionally, the
Commission understands that for practical purposes, even the Plan
Processor's ability to detect errors in CCID generation and
assignment is limited to validation checks when assigning CCIDs and
spot checks afterwards. It would be prohibitively complex and costly
to run a comprehensive search of CAIS for CCID assignment errors,
and even such a search would not be guaranteed to find all such
errors.
\247\ The Commission understands that it is possible to validate
that a TID purportedly transformed from an SSN is in fact a
transformation of a valid SSN, because the Plan Processor can
trivially determine the set of TIDs that would be generated from
transformations of the set of valid SSNs. However, because there are
numerous types of identifiers issued by foreign governments, it is
not feasible for the Plan Processor to check that a TID generated
from a foreign-origin identifier is in fact a transformation of a
valid such identifier. See supra note 257 and accompanying text.
\248\ The Commission also has anecdotal evidence that CAIS data
does not always correctly reference investment advisers who have
trading authority for an account, but the Commission cannot gauge
the extent of such data errors because it does not have relevant
data (if such data exists) from the Plan Processor. It also has
anecdotal experience that CAT transaction data queried by a CCID
following a CAIS Queries of Customer Information using authorized
traders does not always align with data requested directly from
Industry Members; this misalignment of results may be partly or
mostly attributable to the design of CAIS because a CCID can link to
trading of multiple authorized traders for a given account.
\249\ For both U.S. natural persons and legal entities, there is
a small range of identifiers that may be used to generate a
customer's TID (SSN and ITIN for U.S. natural persons, EIN for legal
entities), while for non-U.S. natural persons, the TID is generated
using one of a wider range of identifiers; if a customer uses
different identifiers to open accounts at different Industry Members
(e.g., a foreign passport number at one and a permanent resident
number at another), this may result in the Industry Members using
different identifiers to generate a TID such that multiple TIDs are
reported to CAIS for the same customer.
---------------------------------------------------------------------------
As name, address, and YOB data for U.S. natural persons would
become less reliable and/or available in CAIS under the baseline due to
the CAIS Exemption, any inaccuracies in their CCIDs would become more
difficult to identify, and analyses using CAT data would be more
frequently affected by such inaccuracies. Currently, the presence of
name, address, and YOB data in CAIS makes it possible for regulators to
perform certain spot-checks that would indicate some types of CCID
inaccuracy early in the course of an investigation.\250\ Spot-checks of
this
[[Page 2183]]
nature make analyses using CAT data less susceptible to such errors by
helping regulators to detect, report, and correct for errors in CCID
assignment before expending significant effort on the basis of
erroneous information.\251\ As the data for U.S. natural persons would
become less reliable and/or accessible over time due to the CAIS
Exemption Order, the Commission anticipates that conducting spot-checks
of this nature would become substantially less informative. It is
likely that some errors of this nature would still be caught without
these early spot-checks, but only at a later point in an
investigation.\252\
---------------------------------------------------------------------------
\250\ A reasonable early step in an investigation into an entity
with known PII would be to query CAIS using that PII, which would
likely uncover whether any duplicative CCIDs had been assigned to
the entity. Likewise, a reasonable early step in an investigation of
an entity with known CCID would be to search CAIS using that CCID,
which would uncover whether it had been assigned to multiple
entities.
\251\ For example, if the error discussed in note 257 above,
resulting in a customer being assigned an erroneous second CCID,
were detected early in an investigation, this would allow regulators
to then obtain the transaction data associated with both CCIDs early
in the investigation. If the error went undetected, this would
result in regulators working with an incomplete set of transaction
data, at least until a later stage of the investigation when
requests for information from Industry Members might reveal the
error. Depending on the nature of the investigation, this might
result in regulators expending effort that would otherwise be
unnecessary, might impose unnecessary costs on the customer, or
might cause the investigation to reach inaccurate conclusions and be
closed prematurely.
\252\ Errors assigning the same CCID to multiple customers could
still be identified and reported to the Plan Processor by regulators
during an investigation into a customer affected by such an error,
if the investigation proceeds to the point of requesting customer
information from an Industry Member; however, not all such
investigations necessarily reach such a point, and this would cause
the error to be detected only later in the investigation. It would
be less likely that errors in which a single customer is assigned
multiple CCIDs are caught in the course of an investigation, since
if information obtained from an Industry Member in the course of an
investigation were sufficient to identify an error of this type, the
responsive Industry Member would in many cases itself be able to
detect the error, and would have been required to report it already.
---------------------------------------------------------------------------
In the CAT NMS Plan Approval Order, the Commission discussed how
the CAT would aid regulators in performing market surveillance,\253\
noting that the CAT's use of unique customer identifiers (what would
later be termed the CCID) would grant regulators the ability to ``link
uniquely identified customers with suspicious trading behavior'' and
provide them ``a better opportunity to identify the distribution of
suspicious trading instances by a customer as well as improve
regulators' ability to utilize customer-based risk assessment.''
---------------------------------------------------------------------------
\253\ See CAT NMS Plan Approval Order, at 84836.
---------------------------------------------------------------------------
(c) Authorized Traders
One type of CAT Customer that Industry Members are required to
report to CAIS is ``[a]ny person from whom the broker-dealer is
authorized to accept trading instructions for such account, if
different from the account holder(s)'' (``Authorized Traders'').\254\
Industry Members are required to report Authorized Traders for an
account in the same manner as the account's holders; this would result
in both the account's holders and Authorized Traders having FDID
Customer Records associated with the account within CAIS. Authorized
Traders for an account are distinguished from the account's holders by
the role field in their FDID Customer Records.\255\ This allows
regulators to identify not just the customers who hold and benefit from
the account, but also those entities with the ability to enter trading
instructions on behalf of those account holders.
---------------------------------------------------------------------------
\254\ See supra note 4.
\255\ The role field identifies each reported CAT Customer for
an account as either an account holder with trading authorization,
an account holder without trading authorization, a representative of
the reporting entity with trading authorization, or a third party
(neither an account holder nor representative of the reporting
entity) with trading authorization. The Commission understands that
Authorized Traders on an account would fall into one of the latter
two categories, and might include, among other categories, spouses,
investment advisers, trustees, and entities with power of attorney
for the account holder(s).
---------------------------------------------------------------------------
However, CAIS requires that CAT Customers who are natural persons
be reported with certain required data, including a TID.\256\ Because
not all Industry Members have historically collected and systematized
the data required to compute the TID for Authorized Traders who are
natural persons (``Natural Person Authorized Traders'' or ``NPATs''),
the Plan Participants have temporarily made available an Authorized
Trader Names List (``ATNL'') on the FDID Record.\257\ The ATNL may be
used to report a NPAT only if an Industry Member ``has not historically
collected and systematized all data required'' to report the NPAT as a
CAT Customer, and allows Industry Members to report only the name of
the NPAT, ``where [they do] not have all data required to report a full
Customer Record.'' \258\ Use of the ATNL ``is only allowable on a
temporary basis and, with sufficient time and notice, will be retired
from the Full CAIS Technical Specifications at a future date'' which
has not yet been set.\259\ Once this future date is set, ``Industry
Members will be required to resubmit the FDID Record to CAIS with all
required data for a full Customer Record'' by or before that future
date.\260\ The ATNL allows reporting names of natural persons who are
Authorized Traders for accounts held by any type of entity (U.S.
natural person, non-U.S. natural person, or legal entity).
---------------------------------------------------------------------------
\256\ See Full CAIS Technical Specifications, at 29.
\257\ See id.
\258\ See id.
\259\ See Full CAIS Technical Specifications, at 30.
\260\ See id.
---------------------------------------------------------------------------
Because of the CAIS Exemption Order, Industry Members currently
have three options when reporting a U.S. NPAT to CAIS: (1) where they
have all the required information to report the U.S. NPAT as a CAT
Customer, they may do so, reporting the U.S. NPAT's name, address, and/
or YOB even though this is optional following the CAIS Exemption Order;
(2) they may report the U.S. NPAT as a CAT Customer while not reporting
name, address, or YOB, due to the optionality granted due to the CAIS
Exemption Order; or (3) they may use the ATNL to report only the U.S.
NPAT's name. Under the baseline--that is, under the CAIS Exemption
Order, in the absence of the Proposed Amendment--the Commission expects
the first two of these options would remain available following the
eventual retirement of the ATNL at some future date, as the retirement
of the ATNL would not be anticipated to affect the information that the
NMS CAT Plan would require to be reported when reporting a Natural
Person CAT Customer, nor would it be anticipated to affect the CAIS
Exemption Order.
For those U.S. NPATs currently reported to CAIS as CAT Customers,
name, address, and YOB data on these entities would become less
reliable and/or accessible over time, as for U.S. natural persons in
general. However, until the retirement of the ATNL, name data on other
U.S. NPATs would continue to be updated via this list, to the extent
that Industry Members would continue to report U.S. NPATS using the
ATNL. Once this list is retired, it is uncertain whether name data
previously reported as part of this list would be retained in CAIS or
would be deleted. If these data were retained, they would become
gradually less reliable and/or available in the same manner as name
data for U.S. natural persons, and would do so more rapidly than name
data in general, since changes to authorized traders on an account
would be likely to occur more frequently than changes of or corrections
to the legal names of customers.
Because the CAIS Exemption Order provided relief from requirements
to report names, addresses, and YOBs of U.S. natural person customers,
including U.S. NPATs reported as CAT Customers, the only circumstance
in which an Industry Member currently must report the name of a U.S.
NPAT to CAIS is when reporting them via the ATNL. As such, to the
extent that U.S. NPATs continue to be reported via the
[[Page 2184]]
ATNL, because certain Industry Members have not systematized the
information required to report them as CAT Customers, the ATNL data
would continue to contain reliable name data for these entities, which
might not otherwise be reported to CAIS.\261\
---------------------------------------------------------------------------
\261\ For example, if a U.S. NPAT undergoes a legal change of
name, this might not be reported to CAIS except by an Industry
Member who has not systematized the data necessary to report this
person as a CAT Customer, and therefore reports them via the ATNL.
---------------------------------------------------------------------------
Under the baseline, the Commission expects that, over time,
Industry Members would likely modify their systems to systematize the
information required to report NPATs (including non-U.S. NPATs) to CAIS
as CAT Customers, in anticipation of the eventual retirement of the
ATNL requiring such modifications, and would thus be required to report
NPATs as CAT Customers instead of using the ATNL. These modifications,
coupled with modifications to reporting systems to no longer report
name, address and YOB data for U.S. Natural Person CAT Customers
following the CAIS Exemption Order, would result in name data for U.S.
NPATs reported via the ATNL becoming less reliable in the manner of
name data for U.S. natural persons generally. This would require
regulators to connect such Authorized Traders to transaction data using
the same methods employed for U.S. natural persons in general, as
discussed above.
(d) Trading Activity by Customer Type
The degree to which regulatory activities such as investigations or
market analysis focus on particular customer types is likely related to
the relative trading volume of different customer types. Between 2021
and 2025, in both equity and options markets, trading activity of legal
entities increased substantially. In particular, legal entities have
come to have disproportionately larger shares in dollar values of trade
compared to retail.\262\
---------------------------------------------------------------------------
\262\ Among the information that the Proposed Amendment would
eliminate are ``Name, Address, and YOB'' of natural persons not
subject to the CAIS Exemption Order, a category that includes Legal
Entities. See, supra section III.B. See Table 1 for a description of
how information on account holder type is used to categorize legal
entities and retail for the analysis in this section.
---------------------------------------------------------------------------
Legal entities account for the majority of trading in both equities
and options. Table 1 presents the trade shares by retail and legal
entities as identified by account holder type designation in CAT from
2021 to 2025. Although retail trades have captured a lot of
attention,\263\ Table 1 shows that, between Q2-2021 and Q2-2025 not
only do legal entities comprise the majority of trading activity, their
share of trading increased while that of retail decreased. For example,
in the equities market, the share of retail in trade count, trade
volume, and dollar value of trade reduced by 43 percent, 46 percent and
36 percent, respectively. In the options market, the share of legal
entities in dollar value of trade increased by 18 percent while, in the
equities market, the share of legal entities in trade volume increased
by 45 percent.
---------------------------------------------------------------------------
\263\ See, e.g., Svetlana Bryzgalova, Anna Pavlova, & Taisiya
Sikorskaya, Retail Trading in Options and the Rise of the Big Three
Wholesalers, 78 J. Fin. 3465 (2023).
Table 1--Daily Average Trade Shares by Account
[Type 2021-2025]
--------------------------------------------------------------------------------------------------------------------------------------------------------
Share of trade count (%) Share of trade volume (%) Share of dollar volume of
---------------------------------------------------------------- trade (%)
Quarter-year -------------------------------
Legal entities Retail Legal entities Retail Legal entities Retail
--------------------------------------------------------------------------------------------------------------------------------------------------------
Equities:
Q2-2021............................................. 75 25 51 49 82 17
Q2-2025............................................. 86 14 73 27 89 11
Options:
Q2-2021............................................. 57 43 57 43 64 36
Q2-2025............................................. 57 43 63 37 76 24
--------------------------------------------------------------------------------------------------------------------------------------------------------
Notes: (a) Source: Consolidated Audit Trail. (b) The second quarter of 2021 (Q2-2021) is the earliest quarter that data on account type is broadly
available in CAT. (c) Legal entities (institutional customers, market makers, foreign brokers, other proprietary accounts, and broker avg price
accounts), and retail (individual accounts and broker employee accounts), in the analysis presented in this table are imperfect categorizations; for
example, individual customer accounts can include some legal entities. (d) Daily averages for each quarter are estimated by using the daily average of
the second week of the last month of the quarter.
3. CAIS-Related Operational Costs of the Plan Processor
CAIS-related costs account for a non-trivial share of the Plan
Processor's operating costs. Table 2 presents some of the publicly
available CAT cost information and estimates. According to the
Participants' 2025 budget estimate and their May response letter, the
total CAIS-related costs of $32.5 million to $33.5 million are
approximately 21 percent of total operating expenses; \264\ 52 percent
of total operating expenses is cloud hosting fees, approximately 10-11
percent of which is CAIS-related cloud hosting fees. CAIS-related cloud
hosting fees combined with CAIS operating fees account for 91-92
percent of total CAIS-related costs (see Table 2).
---------------------------------------------------------------------------
\264\ See CAT LLC May Response Letter, at 13; CAT LLC, 2025
Financial and Operating Budget (``CAT LLC 2025 Budget''), available
at <a href="https://www.catnmsplan.com/sites/default/files/2025-11/11.07.25-CAT-LLC-2025-Finacial_and_Operating-Budget.pdf">https://www.catnmsplan.com/sites/default/files/2025-11/11.07.25-CAT-LLC-2025-Finacial_and_Operating-Budget.pdf</a>.
Table 2--CAT Operating Costs, Technology Costs, and CAIS-related Costs
[2024-2025]
------------------------------------------------------------------------
(Estimated) 2025 (Estimated) 2024
------------------------------------------------------------------------
Total Operating Expenses.......... 156,432,998 208,927,267
Technology costs.............. 137,514,003 196,921,118
Cloud hosting services.... 81,900,006 148,789,981
CAIS-related cloud 9,000,000 n/a
hosting fees.........
[[Page 2185]]
CAIS operating fees 21,268,584 20,199,919
(payable to the Plan
Processor)...............
CAIS licensing fees (payable to 2,800,000 n/a
the Plan Processor)..............
------------------------------------------------------------------------
Notes: (1) Sources of the statements are CAT LLC 2024 Mid-Year Budget
and the CAT LLC 2025 Budget. The Participants estimated CAIS-related
cloud hosting services fees of (approximately) $8.5-9.5 million (see
CAT LLC May Response Letter at 14). The analysis in this section
utilizes midpoint of this range and the figures used in the 2025
Financial and Operating Budget as they were as of December 11, 2025.
(2) The 2025 entries for CAIS related cloud hosting fees and CAIS
licensing fees are obtained from CAT LLC May Letter (possibly rounded
up). (3) `n/a' indicates that data are not available in the financial
statement used for 2024.
Although CAIS-related cloud hosting fees and CAIS licensing fees
(payable to the Plan Processor) for the year 2024 are not separately
reported in the 2024 Financial and Operating Budget--Mid-Year Update--
July 2024,\265\ based on the information that is available,\266\ a
reasonable estimate is that the total CAIS-related costs between 2024
and 2025 declined by 15-17 percent.\267\
---------------------------------------------------------------------------
\265\ See CAT LLC, 2024 Mid-Year Budget--Mid-Year Update--July
2024 (``CAT LLC 2024 Mid-Year Budget''), available at <a href="https://www.catnmsplan.com/sites/default/files/2024-08/07.31.24-CAT-LLC-2024-Financial_and_Operating-Budget.pdf">https://www.catnmsplan.com/sites/default/files/2024-08/07.31.24-CAT-LLC-2024-Financial_and_Operating-Budget.pdf</a>.
\266\ See, e.g., CAT LLC May Response Letter.
\267\ Assuming that the share of CAIS-related cloud hosting fees
in the total cloud hosting services costs in 2024 was the same as
that in 2025 (i.e., 10.4-11.6%), an estimate for CAIS-related cloud
hosting fees for 2024 is $15.4-17.3 million. As the Participants
report in CAT LLC May Response Letter at 14, the CAIS licensing fees
(payable to the Plan Processor) is $2.8 million whether the Proposed
Amendment is implemented or not, a reasonable assumption for CAIS
licensing fees (payable to the Plan Processor) is that it remained
the same in 2024 at $2.8 million. Then, under these assumptions, the
estimated total CAIS-related costs in 2024 are $38.4 million
(20.2+15.4+2.8) to $40.2 million (20.2+17.3+2.8).
---------------------------------------------------------------------------
By contrast, Table 3 shows that the message traffic in equities and
options markets between Q2-2024 and Q2-2025 increased by 120 percent
and 69 percent, respectively. Table 3 also shows the growth of message
traffic since the beginning of CAT reporting: \268\ between Q2-2021 and
Q2-2025, message traffic has grown by approximately 250 percent in both
equities and options markets. These data suggest that overall CAIS-
related costs may not increase in the same proportion as message
traffic.\269\
---------------------------------------------------------------------------
\268\ Since the reporting started in the middle of 2020--
equities reporting on June 22, 2020, and options on July 20, 2020
(2021 is the first full year of CAT reporting.) See Update on the
Consolidated Audit Trail: Data Security and Implementation Progress,
Aug. 21, 2020, available at <a href="https://www.sec.gov/newsroom/speeches-statements/clayton-kimmel-redfearn-nms-cat-2020-08-21">https://www.sec.gov/newsroom/speeches-statements/clayton-kimmel-redfearn-nms-cat-2020-08-21</a>. In addition,
complete information of the message traffic in the equities market
is first available from the beginning of the second quarter (Q2) of
2021.
\269\ The Participants have stated that, ``CAT operating costs
are estimated to approach $250 million in 2025 as data volumes
continue to reach record highs,'' and that, ``On March 4, 2025, data
volumes exceeded 1 trillion reportable events for the first time,''
and that, ``CAT LLC and the Plan Processor have put significant
effort into reducing CAT costs that are within their control given
the strict reporting requirements in the CAT NMS Plan, but
additional cost savings measures--like those contemplated in this
CAIS Amendment--require Commission action to permit their
implementation.'' See Notice, at 12850.
Table 3--Pattern of Growth in Message Traffic
[2021-2025]
----------------------------------------------------------------------------------------------------------------
Equities Options
-------------------------------------------------------------------------------
Industry
Exchanges members Total OMM quotes Total
----------------------------------------------------------------------------------------------------------------
Growth (%) in messages:
Q2-2024 to Q2-2025.......... 107 124 120 62 69
Q2-2021 to Q2-2025.......... 132 311 253 226 241
----------------------------------------------------------------------------------------------------------------
Notes: (a) Source: Consolidated Audit Trail (CAT). (b) Message traffic measured in billions of daily (average)
CAT events. (c) Complete information of the message traffic in the equities market is first available from the
beginning of the second quarter (Q2) of 2021. (d) Options market maker (OMM) quotes account for quote events.
Some of CAT's operating costs are cybersecurity costs associated
with maintaining the security of CAT including preventing breaches of
transaction data, and customer and account information. CAIS currently
presents cybersecurity risks in relation to two broad areas of
activities: transmission (when information is sent from Industry
Members to CAIS or from CAIS to regulators and other users of CAIS
data),\270\ and storage (when information is at rest within CAIS or the
systems of a party who received the information from CAIS).\271\
Because the information in CAIS is sensitive and includes investor
customers, CAIS is likely to significantly contribute to the
cybersecurity insurance costs that CAT LLC bears related to CAT. It is
unclear to the Commission how large the cybersecurity prevention costs
are. No data breaches of CAT are known to have occurred. The CAT LLC
Revised 2025 Financial and Operating Budget does not distinguish
cybersecurity costs from other operating costs; nor does the Proposed
Amendment make this distinction. The CAIS Exemption Order, and the
prior CCID Exemption Order, have reduced the scope of sensitive PII
that is required to be reported to, and stored in, CAIS, thus reducing
the range of data that could be exposed by a breach. The costs of
cybersecurity measures represent an added cost to
[[Page 2186]]
investors, as they may ultimately bear the costs of CAT.\272\
---------------------------------------------------------------------------
\270\ The Plan Processor is required to have appropriate
solutions and controls in place to address data confidentiality and
security during all communication between CAT Reporters, Data
Submitters, and the Plan Processor; data extraction, manipulation,
and transformation; data loading to and from the Central Repository;
and data maintenance by the CAT System. See Securities Exchange Act
Release No. 89632 (Aug. 21, 2020), 85 FR 65990, at 65991 (Oct. 16,
2020).
\271\ The CAT NMS Plan also sets forth minimum data security
requirements for CAT that the Plan Processor must meet, including
requirements governing connectivity and data transfer, data
encryption, data storage, data access, breach management, data
requirements for PII, and applicable data security industry
standards. See id.
\272\ See CAT NMS Plan Approval Order, at 84992 (``broker-
dealers may seek to pass on to investors their costs to build and
maintain the CAT, which may include their own costs and any costs
passed on to them by Participants. . . . The extent to which these
costs are passed on to investors depends on the materiality of the
costs and the ease with which investors can substitute away from any
given broker-dealer.'').
---------------------------------------------------------------------------
4. Competition Baseline
Participants and Industry Members compete in the market for trading
services and the market for broker-dealer services.
(a) Market for Trading Services
Participants and Industry Members compete in the market for trading
services, which is served by exchanges, ATSs, and liquidity providers
(internalizers and others).\273\ This market relies on competition to
supply investors with execution services at efficient prices. These
trading venues, which compete to match traders with counterparties,
provide a framework for trading and disseminate trading information.
The market for trading services in options and equities consists of 25
national securities exchanges, which are all Plan Participants, and
off-exchange trading venues including broker-dealer internalizers,
which execute substantial volumes of transactions, and 36 ATSs,\274\
which are not Plan Participants. Finally, some Industry Members provide
liquidity by trading with customers from their own inventory without
the facilitation of a trading venue.
---------------------------------------------------------------------------
\273\ See CAT NMS Plan Approval Order, at 84882.
\274\ The remainder of the 99 extant ATSs do not trade NMS
stocks or listed options.
---------------------------------------------------------------------------
(b) Market for Broker Dealer Services
Industry Members compete in the Market for Broker Dealer Services
which covers many different markets for a variety of services,
including, but not limited to, managing orders for customers and
routing them to various trading venues, holding customer funds and
securities, handling clearance and settlement of trades, intermediating
between customers and carrying/clearing brokers, dealing in government
bonds, private placements of securities, and effecting transactions in
mutual funds that involve transferring funds directly to the
issuer.\275\ Some broker-dealers may specialize in just one narrowly
defined service, while others may provide a wide variety of services.
---------------------------------------------------------------------------
\275\ See Securities Act Release No. 77724 (Apr. 27, 2016), 81
FR 30614, at 30742 (May 17, 2016).
---------------------------------------------------------------------------
The market for broker-dealer services relies on competition among
broker-dealers to provide the services listed above to their customers
at efficient levels of quality and quantity. This market includes a
small set of large broker-dealers and thousands of small broker-dealers
competing for niche or regional segments of the market. To limit costs
and make business more viable, small broker-dealers often contract with
larger broker-dealers or service bureaus to handle certain functions,
such as clearing and execution, or to update their technology. Large
broker-dealers typically enjoy economies of scale over small broker-
dealers and compete with each other to service the smaller broker-
dealers, who are both their competitors and their customers.
Of the extant 3,284 \276\ broker dealers, there are 1,768 \277\
Industry Members that are CAT Reporters. Industry Members may compete
with broker-dealers that are not CAT Reporters in various broker-dealer
market segments that do not generate activity that is reported to CAT.
---------------------------------------------------------------------------
\276\ Based on 2025 second quarter FOCUS filings.
\277\ Based on the FINRA CAT list of CAT Reporter IDs, <a href="https://files.catnmsplan.com/firm-data/IMID_Daily_List.txt">https://files.catnmsplan.com/firm-data/IMID_Daily_List.txt</a>.
---------------------------------------------------------------------------
Some broker-dealers may offer specialized services in one line of
business mentioned above, while other broker-dealers may offer
diversified services across many different lines of businesses. As
such, the competitive dynamics within each of these specific lines of
business for broker-dealers is different, depending on the number of
broker-dealers that operate in the given segment and the market share
that the broker-dealers occupy.
B. Efficiency
The Proposed Amendment involves tradeoffs between operational
efficiency and regulatory efficiency. In particular, the Proposed
Amendments will cause reductions in regulatory efficiency for certain
types of regulatory activities. At the same time, the Proposed
Amendment will likely result in modest improvements to operational
efficiency. It is unlikely to impact market efficiency.
1. Operational Efficiency
Economically, operational efficiency refers to the effective use of
resources to generate a given output. In the case of CAT, the output
refers to the CAT Data, which is generated for regulatory purposes.
Even though the output, CAT Data, under the proposal is not the same as
that in the absence of the proposal, the analysis of operational
efficiency is simplified by focusing on the use of resources as
measured by the cost savings, net of implementation costs; the
efficiency effects of changes in CAT Data are discussed separately (as
impacts on regulatory efficiency).\278\ The estimated cost savings from
the Proposed Amendment are small relative to the overall cost of the
Plan Processor, but meaningful relative to the overall costs of CAIS.
At the same time, the Amendment is associated with implementation costs
to be incurred by the Plan Processor that offset much of the first year
of cost savings. Further, some of these cost savings are transferred to
Industry Members in the form of costs incurred responding to data
requests from SROs or the Commission. Overall, the Proposed Amendment
is likely to result in a modest improvement in operational efficiency.
---------------------------------------------------------------------------
\278\ See Securities Exchange Act Release No. 101901 (Dec. 12,
2024), 80 FR 103033, 103045 (Dec. 18, 2024).
---------------------------------------------------------------------------
(a) Operating Costs of the Central Repository
The Participants estimate that the Proposed Amendment is expected
to save approximately $7 to $9 million in overall costs annually.\279\
In size, the overall cost savings from the Proposed Amendment are 4.5-
5.8 percent of estimated 2025 total operating expenses, and the
incremental cloud savings \280\ are 2.4-4.9 percent of estimated 2025
cloud hosting services costs.\281\ Relative to the CAIS costs, however,
the cost savings appear more meaningful. The overall cost savings of
the Proposed Amendment are expected to be 21-27 percent of 2025
budgeted total CAIS costs and the expected incremental cloud hosting
savings are 21-47 percent of 2025 budgeted CAIS cloud hosting costs.
The participants stated that ``the CAIS Exemption Order will not result
in any cost savings''; the cost savings estimates presented, therefore,
pertain only to the Proposed Amendment.\282\
---------------------------------------------------------------------------
\279\ The Notice estimated a $10 million to $12 million annual
cost savings. See Notice, at 12850. In the CAT LLC May Response
Letter, at 14, the estimate was revised to $7 to $9 million.
\280\ The Participants state that the Proposed Amendment is
expected to save approximately $2 to $4 million in incremental cloud
costs.
\281\ See Consolidated Audit Trail, LLC, 2025 Financial and
Operating Budget, <a href="https://www.catnmsplan.com/sites/default/files/2025-11/11.07.25-CAT-LLC-2025-Finacial_and_Operating-Budget.pdf">https://www.catnmsplan.com/sites/default/files/2025-11/11.07.25-CAT-LLC-2025-Finacial_and_Operating-Budget.pdf</a>; see
also CAT Financial and Operating Budget, CAT, <a href="https://www.catnmsplan.com/cat-financial-and-operating-budget">https://www.catnmsplan.com/cat-financial-and-operating-budget</a>.
\282\ See Notice, at 12847.
---------------------------------------------------------------------------
One commenter stated, ``[w]e do [not] believe the proposed
amendments if adopted would achieve its stated [`]cost savings and
efficiency.['] Referencing to 2022 CAT Budget, $118.7 million
[[Page 2187]]
(73.8% of total technology cost or 69% of operating cost) goes to
[Cloud] hosting services.'' \283\ Although the Commission agrees that
cloud hosing services are a large percentage of the CAT budget, the
Commission concludes that the Proposed Amendment does achieve cost
savings and efficiency.
---------------------------------------------------------------------------
\283\ See supra note 130.
---------------------------------------------------------------------------
The primary source of these cost savings is the $5 million
reduction in CAIS operating fees (payable to the Plan Processor). In
addition, the Participants estimate $2-4 million in incremental cloud
savings that arise from a reduction in CAIS-related cloud hosting
services fees.\284\ The remaining item, CAIS licensing fees payable to
the Plan Processor remains the same at $2.8 million. The Amendment
entails implementation costs--the Participants estimate approximately
$4.5-$5.5 million in one-time implementation costs,\285\ that is
approximately 50-80 percent of the estimated first year's cost
savings.\286\
---------------------------------------------------------------------------
\284\ See CAT LLC May Response Letter, at 14.
\285\ See id. at 15.
\286\ One-time implementation costs will generally consist of
labor costs on the part of the Plan Processor associated with coding
and software development, as well as any related cloud fees
associated with the development, testing, and load testing of the
Propo
[…truncated; see source link]Indexed from Federal Register on January 16, 2026.
This is legal information, not legal advice. Laws vary by jurisdiction and change frequently. Always verify current law with official sources and consult a licensed attorney in your jurisdiction for advice on your specific situation.