The CAT Is Out of the Bag

The US Securities and Exchange Commission (SEC)—and more specifically, chairman Jay Clayton—has been having a time of it recently. Broadly criticized for its handling of the cyber incident that it suffered late last year, and disclosed in September, one of its major projects is now serving as a lightning rod for related criticism—the Consolidated Audit Trail (CAT).

Lawmakers in both houses of Congress and industry figures have expressed hesitance over the amount of data being collected by the CAT, and have been pushing for a delay. This was always going to be an unrealistic play, given that self-regulatory organizations (SROs) are due to begin reporting to the CAT on November 15, and large financial institutions just over 12 months from now.

Clayton has said in no uncertain terms that there will not be a delay, but this hasn’t stopped some quarters of the industry I’ve spoken to from suggesting that maybe it’s not worth turning up the gears on getting ready for the CAT now. After all, they argue, the possibility exists, and it wasn’t too long before a delay to the revised Markets in Financial Instruments Directive (Mifid II) was announced that people were saying there was no possibility of that, either.

This is a mistake. What Clayton has conceded is that the industry and the regulators may need to look more broadly at what is being collected under the CAT regime, but the dates haven’t changed yet. More worrisome is perhaps the fact that polling in a recent webinar held by the London Stock Exchange Group (LSEG) showed that half of the participants in the event hadn’t even begun their preparations yet. Naturally, the LSEG released its own CAT tool this week, hence the concern, but that kind of discrepancy should be taken seriously. Maryse Gordon, a UnaVista executive, told me earlier this week that the polling tallied with what she’d been hearing from clients.

In many ways, this is the same old song that gets repeated again and again—the industry bemoans a lack of time, but fails to begin preparations in time. There are concessions to be made here to uncertainty, but often people use this as an excuse.

After all, outside of a major fubar with the SEC’s hack, where some personal information was exposed, it doesn’t even rank in the same league as the Equifax breach, or the attacks on credit card companies that have resulted in much more severe information breaches—so much so that the UK Financial Conduct Authority (FCA) confirmed this week that it was looking into the Equifax breach and how it may have affected British citizens.

The assault on the CAT, therefore, seems opportunistic—particularly as the SEC isn’t even building the system, Thesys Technologies is. Certain actors are likely using it as a way to burnish their credentials of being tough on regulators that often stray too far into capture territory, but taking this too seriously is a foolish move.

Instead, preparations should begin in earnest. 2018, after all, is hardly lacking for major deadlines.

This Week on Buy-Side Technology:

• On the subject of the SEC, my colleague Anthony Malakian has a fascinating story on how vendors may have been a little too braggadocious about just how much data they had at hand regarding the fixed-income market, and how the SEC relied on that too much when setting up its liquidity rule.
• We also recapped the major themes as they relate to capital markets from this year’s Sibos event here, with reporting from me in Toronto and some sober analysis from Anthony in New York.
• The Intercontinental Exchange Group (ICE) made a bold play in fixed income too this week, acquiring BondPoint from Virtu. This has been anticipated, but it adds a powerful new weapon to ICE’s arsenal, and is a clearly intelligent buy for the exchange operator. The story, from John Brazier in London, is here.
• Our US reporter, Emilia David, was at the Securities Industry and Financial Markets Association’s (Sifma’s) general meeting in DC this week, and filed a few stories of interest from there—first of all on the aforementioned CAT issues, and secondly on how some of these data breaches may well have been prevented had firms followed basic cyber hygiene practices.