<html>
<title>OVERSIGHT OF THE STATUS OF THE CONSOLIDATED AUDIT TRAIL</title>
<body><pre>[Senate Hearing 116-113]
[From the U.S. Government Publishing Office]


                                                   S. Hrg. 116-113


        OVERSIGHT OF THE STATUS OF THE CONSOLIDATED AUDIT TRAIL

=======================================================================

                                HEARING

                               BEFORE THE

                              COMMITTEE ON
                   BANKING, HOUSING, AND URBAN AFFAIRS
                          UNITED STATES SENATE

                     ONE HUNDRED SIXTEENTH CONGRESS

                             FIRST SESSION

                                   ON

EXAMINING THE EFFORTS TO IMPLEMENT THE CONSOLIDATED AUDIT TRAIL AND TO
REVIEW ELEMENTS OF THE CAT NATIONAL MARKET SYSTEM PLAN NECESSARY TO THE
                       MARKET REGULATORY FUNCTION

                               __________

                            OCTOBER 22, 2019

                               __________

  Printed for the use of the Committee on Banking, Housing, and Urban
                                Affairs


                Available at: https://www.govinfo.gov/


                               __________


                    U.S. GOVERNMENT PUBLISHING OFFICE
39-415 PDF                  WASHINGTON : 2020

--------------------------------------------------------------------------------------


            COMMITTEE ON BANKING, HOUSING, AND URBAN AFFAIRS

                      MIKE CRAPO, Idaho, Chairman

RICHARD C. SHELBY, Alabama           SHERROD BROWN, Ohio
PATRICK J. TOOMEY, Pennsylvania      JACK REED, Rhode Island
TIM SCOTT, South Carolina            ROBERT MENENDEZ, New Jersey
BEN SASSE, Nebraska                  JON TESTER, Montana
TOM COTTON, Arkansas                 MARK R. WARNER, Virginia
MIKE ROUNDS, South Dakota            ELIZABETH WARREN, Massachusetts
DAVID PERDUE, Georgia                BRIAN SCHATZ, Hawaii
THOM TILLIS, North Carolina          CHRIS VAN HOLLEN, Maryland
JOHN KENNEDY, Louisiana              CATHERINE CORTEZ MASTO, Nevada
MARTHA MCSALLY, Arizona              DOUG JONES, Alabama
JERRY MORAN, Kansas                  TINA SMITH, Minnesota
KEVIN CRAMER, North Dakota           KYRSTEN SINEMA, Arizona

                     Gregg Richard, Staff Director

                Laura Swanson, Democratic Staff Director

                  Jen Deci, Professional Staff Member

                 Elisha Tuku, Democratic Chief Counsel

                      Cameron Ricker, Chief Clerk

                      Shelvin Simmons, IT Director

                    Charles J. Moffat, Hearing Clerk

                          Jim Crowell, Editor

                                  (ii)


                            C O N T E N T S

                              ----------

                       TUESDAY, OCTOBER 22, 2019

                                                                   Page

Opening statement of Chairman Crapo..............................     1
    Prepared statement...........................................    24

Opening statements, comments, or prepared statements of:
    Senator Brown................................................     2
        Prepared statement.......................................    24

                               WITNESSES

Shelly Bohlin, President and COO, FINRA CAT LLC, Financial
  Industry Regulatory Authority..................................     4
    Prepared statement...........................................    25
    Responses to written questions of:
        Senator Brown............................................    39
        Senator Sasse............................................    40
        Senator Kennedy..........................................    40
        Senator Warner...........................................    46
        Senator Warren...........................................    48
        Senator Cortez Masto.....................................    53
        Senator Sinema...........................................    56
Judy McDonald, Chair, CAT NMS Plan Advisory Committee............     5
    Prepared statement...........................................    29
    Responses to written questions of:
        Senator Sasse............................................    57
        Senator Kennedy..........................................    57
        Senator Warner...........................................    58
        Senator Cortez Masto.....................................    61
        Senator Sinema...........................................    63
Michael J. Simon, Chairman, CAT NMS Plan Operating Committee.....     7
    Prepared statement...........................................    30
    Responses to written questions of:
        Chairman Crapo...........................................    64
        Senator Brown............................................    66
        Senator Sasse............................................    68
        Senator Warner...........................................    68
        Senator Cortez Masto.....................................    74
        Senator Sinema...........................................    78

              Additional Material Supplied for the Record

Letter submitted by Better Markets...............................    80

                                 (iii)


        OVERSIGHT OF THE STATUS OF THE CONSOLIDATED AUDIT TRAIL

                              ----------


                       TUESDAY, OCTOBER 22, 2019

                                       U.S. Senate,
          Committee on Banking, Housing, and Urban Affairs,
                                                    Washington, DC.
    The Committee met at 10 a.m., in room SD-538, Dirksen
Senate Office Building, Hon. Mike Crapo, Chairman of the
Committee, presiding.

            OPENING STATEMENT OF CHAIRMAN MIKE CRAPO

    Chairman Crapo. Good morning. The Committee will come to
order.
    Today's hearing will focus on oversight of the status of
the Consolidated Audit Trail, commonly referred to as the
``CAT''.
    In 2010, in response to the flash crash and a number of
other market disruption events, the SEC proposed the creation
of a real-time tracking system to track securities orders
across all markets throughout the life cycle of the order--from
origination, to routing, to cancellation, modification, or
execution.
    At the time, the SEC estimated the creation of the CAT
would cost $4 billion to launch and have an ongoing maintenance
cost of $2.1 billion.
    In 2012, I wrote a letter requesting that the SEC consider
alternatives to establishing the CAT database, such as housing
it on FINRA's existing Order Audit Trail System, or OATS.
    It has been 9 years since the SEC's initial proposal for
the CAT, and after multiple challenges and delays, it would
appear that we have arrived at a version of CAT that realizes
real-time, less accurate data is not necessary to the market
function and that slightly delayed, more accurate information
significantly reduces costs while still preserving the
functional improvements that CAT is intended to provide.
Further, the CAT now better leverages existing resources by
recently selecting a subsidiary of FINRA to be the plan
processor.
    I continue to have concerns about the costs associated with
the build, the volume of the information collected and what
information will be collected, who has access to the
information collected, and how that information will be
secured.
    Last year, Ranking Member Brown and I wrote a letter to SEC
Chairman Clayton that emphasized our bipartisan belief that
protecting individuals' personally identifiable information, or
PII, is paramount to the American people.
    We have continued to seek a better understanding of what
type of PII is being collected, how that information is being
used, who can access it, and how that data will be secured and
protected.
    Chairman Clayton's September 9th statement echoed this
sentiment regarding the importance of protecting information
collected and stored in the CAT, particularly Social Security
numbers, account numbers, and dates of birth.
    Chairman Clayton stated that he believes ``the regulatory
objectives of the CAT can still be achieved without these most
sensitive pieces of investor information.''
    Last week, the SROs officially requested a modification to
the CAT NMS Plan to exclude the collection of dates of birth,
Social Security numbers, individual taxpayer identification
numbers, and account numbers.
    This request is long overdue, and I encourage the SEC to
grant this amendment which, I agree with the SROs, will reduce
the risk profile of the data collected and stored in the CAT
while still preserving the CAT's intended regulatory use.
    In his September 9th statement, Chairman Clayton went on to
say that even if the SROs reduce the scope of the PII
collected, the nature of the data to be included in the CAT
``necessitates robust security protections.''
    I could not agree more, and I look forward to hearing from
our witnesses on how they plan to address these important
issues from each of their unique roles in the creation of the
CAT.
    I look forward to receiving an update from each of our
witnesses on outstanding issues and challenges that remain to
achieving an operational CAT.
    Again I want to thank our witnesses for coming here and
taking your time and bringing us your expertise today.
    Senator Brown.

           OPENING STATEMENT OF SENATOR SHERROD BROWN

    Senator Brown. Thank you, Mr. Chairman, and thanks to the
witnesses. Ms. Bohlin, Ms. McDonald, and Mr. Simon, thank you
for joining us.
    We are just shy of 200 days from the 10th anniversary of
the 2010 flash crash. Although there has not been a market
disruption of that magnitude since, our markets have become
faster, more sophisticated, and more fragmented. In that time,
industry has spent billions on upgrading technology and
developing faster and smarter trading systems.
    Yet the SEC, whom we all rely on to maintain fair, orderly,
and efficient markets, still lacks a comprehensive system that
would allow it to effectively oversee the securities markets to
protect Americans' college savings and retirement funds.
    In an industry where cutting-edge technology is the name of
the game and trading firms erect competing microwave towers so
that computers in Chicago can communicate with computers on
Wall Street in milliseconds, the SEC still cobbles together
data from multiple sources in an attempt to have a complete
understanding of our markets.
    This is why the SEC called on FINRA and the firms that run
our Nation's stock and options exchanges to build the
Consolidated Audit Trail, one system with a beginning-to-end
view of how trading happens, so we can prevent insider trading,
market manipulation, and other misconduct that cheats the
system.
    When the effort began in 2012, it was a huge undertaking.
But 7 years later we are only at the first stage of data
reporting; many details need to be finalized. Under the current
timeline, the system will not be fully operational until 2022.
    Some take issue with the SEC, or any Government agency,
having this much data and call the system a ``target for
hackers.''
    I refuse to accept that we cannot both protect people's
personal information and go after criminals who take advantage
of the markets.
    I know there are dozens of tech experts, data scientists,
and market veterans working on this. Just last week, the CAT
Operating Committee submitted to the SEC its proposal to
exclude Social Security numbers and other personal information
from the reported data.
    This is just one of many creative solutions that balance
the need for oversight with protecting sensitive information.
    I trust that the very capable minds at the exchanges,
FINRA, and the SEC can work out access to data concerns,
tracking the use of the audit trail, and how to keep
information secure to allow this long overdue oversight tool to
be completed.
    The bottom line is if you are smart enough to have
information or strategies you think someone wants to steal,
then you are smart enough to help come up with ways to protect
them.
    We cannot afford to wait.
    Just last week, the SEC filed charges against 18 people,
most of them in China, who engaged in a 6-year market
manipulation scheme using dozens of accounts, across many
brokerage firms, that resulted in $31 million, at least, of
illicit profits.
    While we will never know if the new system would have made
it easier to uncover those crimes, it is that kind of activity
the SEC should have the technology to uncover and detect.
    We know the question is not if but when there will be
another crash or major disruption. Everyone--Congress, Main
Street, industry--will look to those represented by our
panelists today and the SEC to understand what happened, how it
will be fixed, and who was responsible. Not having an answer or
waiting 5 months for one will then be unacceptable.
    If another flash crash occurs or the delays or
disagreements over what should be solvable questions continue,
you can expect to be back before this Committee. We are
expecting you all to cooperate and work diligently to finish
the CAT project.
    There are not many things that SEC Chair Clayton and I
agree on, but finishing the Consolidated Audit Trail without
further delay is one of them.
    Every day we wait creates more risks for our markets and
more opportunities for criminals to cheat our regulatory
system.
    Thanks for joining us.
    Chairman Crapo. Thank you, Senator Brown.
    Today's witnesses are Ms. Shelly Bohlin, president and
chief operating officer of FINRA CAT; Ms. Judy McDonald, Chair
of the CAT NMS Plan Advisory Committee and associate director
of Susquehanna International Group; and Mr. Michael Simon,
Chair of the CAT NMS Plan Operating Committee and independent
senior adviser of Deloitte & Touche.
    We welcome all of you with us, and I will ask you to give
your statements in the order I introduced you. Ms. Bohlin, you
may proceed.

 STATEMENT OF SHELLY BOHLIN, PRESIDENT AND COO, FINRA CAT LLC,
            FINANCIAL INDUSTRY REGULATORY AUTHORITY

    Ms. Bohlin. Great. Thank you. Chairman Crapo, Ranking
Member Brown, and Members of the Committee, on behalf of FINRA
CAT, LLC, a subsidiary of FINRA, I would like to thank you for
the opportunity to testify today. I serve as the president and
chief operating officer of FINRA CAT, which was created to
focus solely on performing the functions of the plan processor
to build and operate CAT. FINRA CAT welcomes the Committee's
invitation to discuss specific details of our work as the plan
processor of the Consolidated Audit Trail, or CAT, since we
stepped into this role 6 months ago.
    The CAT is designed to be a centralized source of
information on activity in the equities and listed options
markets. The SEC adopted Rule 613 in the wake of the 2010 flash
crash to create a comprehensive consolidated audit trail that
allows the SEC, FINRA, and the national securities exchanges to
efficiently and accurately track all activity in these
securities throughout the U.S. markets in order to facilitate
comprehensive market reconstructions, more robust market
surveillance, and better analytics to support policymaking.
    Given the size and complexity of the financial markets, the
CAT must collect, process, and store a vast amount of data to
achieve this goal. This is a highly complex project that
requires deep technological expertise, sophisticated and
proactively evolving security, close regulatory coordination
with the SEC and the consortium of self-regulatory
organizations, or SROs, responsible for managing the CAT and
full-time engagement with broker-dealers that ultimately must
report data to the CAT.
    FINRA CAT appreciates that there is interest in the CAT
from multiple perspectives, including how this system will
support use by market regulators and how the sensitive data
included in the CAT will be secured. FINRA CAT is fully
committed to serving these interests. FINRA CAT leadership and
staff have significant experience in developing audit trail
technology and utilizing it for regulatory purposes. In
addition, FINRA CAT has access to the full resources of FINRA
and its long, successful work in this area and the expertise of
the relevant exchanges. With this support, our work to build
the CAT is on schedule.
    Since becoming the plan processor in April, FINRA CAT has
worked closely with the SRO consortium and SEC staff to
expeditiously put in place a solution for the first scheduled
phase of the CAT--specifically, the collection and processing
of order and trade data from the equities and options exchanges
and FINRA. FINRA CAT has used scalable technology to process,
on average, over 100 billion market records a day during this
period with no material operational issues or delays. We also
have been dedicating substantial resources to preparing for the
next phase, industry member reporting, which is scheduled to be
phased in from April 2020 to July 2022.
    After a number of interim phases that will require the
reporting of increasingly complex order and trade information,
the final phase of industry member reporting calls for certain
customer and account information reporting to begin in July
2022.
    To achieve our goals, FINRA CAT is involved in full-time
industry engagement through a variety of channels to ensure
that the industry has a voice in development of the CAT,
particularly as it relates to industry member reporting
requirements. Technical reporting specifications and extensive
reporting guidance have been published to assist broker-dealers
in meeting their CAT reporting obligations.
    In addition, each week FINRA CAT participates in a call
with SEC staff and the SRO consortium leadership team to
provide an update on project development and progress.
    Finally, I can assure the Committee that the security of
customer account information and of all CAT data more broadly
is of the utmost priority to FINRA CAT, and that a strong data
security program has been put in place to meet the CAT NMS
Plan's stringent security requirements.
    FINRA CAT is directly subject to SEC Regulation SCI. In
terms of FINRA CAT's overall information security program, we
are led by a CISO with over 20 years of experience working on
information security at FINRA, including as a security
architect and a security engineer.
    FINRA CAT's security program aligns with the strictest
Government requirements of the National Institute of Standards
and Technology, including stringent third-party reviews of
critical security controls. The FINRA CAT security program also
includes significant layers of architectural-level and program-level
security controls. We are constantly evaluating evolving
threats and security control opportunities to ensure that the
CAT security posture remains strong.
    In conclusion, thank you again for the opportunity to
appear today. The CAT is a major regulatory undertaking meant
to help the SEC, FINRA, and the exchanges better regulate our
securities markets. I am happy to answer any questions that you
may have.
    Chairman Crapo. Thank you.
    Ms. McDonald.

   STATEMENT OF JUDY MCDONALD, CHAIR, CAT NMS PLAN ADVISORY
                           COMMITTEE

    Ms. McDonald. My name is Judy McDonald. I am the head of
Regulatory Technology at Susquehanna International Group, a
global quantitative trading firm headquartered in Bala Cynwyd,
Pennsylvania. In my role at SIG, I have been evaluating the CAT
NMS Plan since its inception, and since February 2017, I have
served along with 13 other industry participants on the
Advisory Committee. Since March of 2019 I have served as the
Chair.
    Today I can confidently state that the effort to deliver
CAT is moving forward in a very positive manner. Since February
2019, when FINRA CAT was selected as the new plan processor,
the SROs, FINRA CAT, and industry members have been in a
virtuous cycle of iterative deliverables and collaboration on
the Plan. FINRA CAT brings subject matter expertise, depth of
resources, and leadership to the effort.
    The Advisory Committee is satisfied that the intermediate
milestones of the past year have been met and that significant
progress has been made toward the processing of SRO reporting
and the completion of industry member technical specifications.
    However, there are a few areas of concern as the
implementation of CAT progresses.
    First, data security. This is undoubtedly the most
significant concern as the CAT will gather and store an
unprecedented amount of information that previously has not
been centrally located nor specifically identifiable. The
concerns can be broken down into three categories: trading
records for institutions, personally identifiable information
for retail customers, and the security policies of regulators.
    Trading Records. There is significant concern about the
security of the CAT data repository and the misuse of trading
records by those with ``authorized'' access. Trading records
will be less secure than PII and accessible by a broader set of
individuals. This highly proprietary information results from
significant investments, and broker-dealers are very concerned
that trading strategies could be reverse-engineered by
competitors, academics, or rogue actors. Further, SROs compete
with each other and BDs; this is beneficial to investors and
could be compromised with the misuse of data.
    PII Data. We are encouraged by the progress to avoid the
collection of Social Security numbers and other sensitive PII
data. With this progress we believe some focus should be
shifted to address the retirement of the legacy Electronic Blue
Sheet system.
    Security Policies. The Advisory Committee has little
insight into the security programs at regulators and whether
security policies and procedures have changed commensurate with
the increased value of the CAT data and the increased threat of
compromise. We cannot emphasize enough the harm that could come
from an external bad actor gaining access to trade information
once data is bulk downloaded from the central CAT repository.
    In summary, I appreciate the critical nature of securing
CAT data. Two of the best ways to achieve data security are to
limit the number of people with access and to control the use
of data as tightly as possible. The Advisory Committee urges
reconsideration of allowing the 23 exchanges and the SEC to
bulk download CAT data.
    Second, verbal and manual quotes. There is a significant
open issue with respect to the capture and reporting of verbal
and manual quotes. Human interaction with highly electronic
markets is a deeply challenging issue that affects a small but
very important part of the market and, if disrupted, could
dramatically reduce market liquidity particularly during
moments of extraordinary volatility. The Advisory Committee
recommends a stepwise approach for verbal and manual quotes.
    Third, fees. Another area of concern is the lack of insight
into fees that may be applied to broker-dealers. The absence of
a fee schedule creates uncertainty around the effort and
unnecessarily challenges firms budgeting to comply with CAT.
    Fourth, the SEC proposal for Financial Accountability
Milestones. The SEC proposal centers around the best practice
goals of increasing accountability and transparency of the CAT
project. While we are supportive of these goals, legitimate
unforeseen circumstances may occur where fixed deadlines work
against the collective best interest of the CAT implementation.
There must be some flexibility in place to address these
unforeseen situations.
    In closing, I look forward to continuing my work on the CAT
project and will be happy to address any specific questions.
    Chairman Crapo. Thank you.
    Mr. Simon.

  STATEMENT OF MICHAEL J. SIMON, CHAIR, CAT NMS PLAN OPERATING
                           COMMITTEE

    Mr. Simon. Good morning. My name is Michael Simon, and I am
Chairman of the CAT Operating Committee. When completely
implemented, the CAT will receive and process multiple records
to create the entire life cycle of events from all of our
securities markets. Only the participants and the SEC will be
able to query the system and solely for regulatory purposes.
    CAT is a massive undertaking. We currently receive, as
Shelly mentioned, over 105 billion records per day on average
and have processed the single-day peak of 182 billion records.
This does not even begin to reflect the volume of data we will
receive and store when broker-dealers begin submitting data.
    Much of the interest in CAT has been on the inclusion of
personally identifiable information as well as on the security
and cost of the system. Before discussing these issues, I would
like to update you on our progress. You already heard the
reasons behind and history of the CAT. I will not repeat that.
    During the plan review process, the participants conducted
a request for proposal and ultimately selected Thesys as the
CAT processor. Unfortunately, the relationship with Thesys did
not proceed as hoped, and earlier this year we selected FINRA
CAT to serve as the successor plan processor. With FINRA CAT
now in place, we continue to work diligently with the SEC staff
and the CAT Advisory Committee to build and operate the CAT
safely and efficiently.
    The participants began submitting CAT data to the CAT last
November. FINRA CAT collects all the data from the
participants, validates and links all equity data, and is now
on target to validate and link all options data in February.
FINRA CAT also is on target to commence broker-dealer testing
next month and reporting in April. FINRA CAT has not
experienced any production outages or major operational issues.
    As to PII, this has been a topic of interest and concern.
Rule 613 explicitly requires the CAT to be able to identify
underlying customers. Indeed, the plan requires the system to
include an individual's name, address, date of birth, and
individual taxpayer identification or Social Security number.
Due to the concerns of including PII in CAT, we have discussed
with the SEC and the industry how best to preserve the
regulatory benefits of the CAT while addressing legitimate
concerns related to the inclusion of sensitive information in
the system. Based on these discussions, as noted, last week we
requested that the SEC grant exemptions from relevant aspects
of the plan to eliminate Social Security numbers, dates of
birth, and account numbers from the CAT. We believe this will
reduce the risk profile of data collected and stored in the
CAT. Instead of collecting and storing Social Security numbers,
FINRA CAT would generate a unique identifier for a customer,
the so-called CCID. This would eliminate the inherent risk of
the CAT holding Social Security numbers.
    Regardless of any exemptive relief, security will always be
a top priority in the CAT. To that end, we have instituted
safeguards to protect the system and the data within it. CAT
LLC has both a chief information security officer and chief
compliance officer who are fiduciaries of CAT LLC. The CAT CISO
creates and enforces controls to monitor and address data
security issues. The CISO also evaluates if the participants
have information security policies comparable to those of the
plan processor. The participants in FINRA CAT designed and
operate the system in accordance with stringent security
standards that Shelly mentioned. The plan processor and
independent third parties perform multiple layers of security
assessments. These assessments test that the security controls
are operating effectively and that the system is free of
significant vulnerabilities.
    Regulators can access the system only over dedicated
private lines. The system is designed without any Internet-based
query function. The system also requires multifactor
authentication, strongly protecting against unauthorized
access. Moreover, the system and relevant personnel continually
monitor access and use of the system.
    Last, cost. CAT requires a significant commitment of
capital, both human and financial. We estimate the CAT budget
to be upwards of $75 million a year, not including participant
or broker-dealer compliance costs. Even though Rule 613 and the
plan specifically provide for joint funding by the participants
and broker-dealers, to date the participants have borne all
costs. In 2017, the participants sought to implement the fee
structure in the approved plan, but ultimately withdrew the
filings when it became clear the SEC was going to disapprove
them. Because it remains both important and reasonable that
industry members contribute to funding the CAT, we are working
on an amended fee proposal.
    In closing, we remain committed to meeting our obligation
to build and operate the CAT system and are making significant
progress in that regard. We will continue to take all necessary
precautions to safeguard the CAT system and the data within it.
    Thank you for the opportunity to provide testimony today. I
am happy to take your questions.
    Chairman Crapo. Thank you very much, Mr. Simon.
    I will start out with--actually, this question is for each
of you. I would like you to be as brief as you can, however, so
I can get to some other questions. But one of the issues that I
am concerned about is given that it appears that the PII
information we have talked about already in the hearing is
going to be excluded from collection, can the data that is
collected be reverse-engineered in a way to identify the actual
users? And maybe I will start with you, Mr. Simon. You
mentioned that there is an identifier for each individual
called the ``CCID.''
    Mr. Simon. CCID.
    Chairman Crapo. OK. What is that?
    Mr. Simon. The CAT customer ID. Shelly can get into some of
the specifics as to how it is generated, but it is important to
note that broker-dealers will not be sending Social Security
numbers to the CAT; the CAT will never receive or store them.
Rather, we have a multistep system in place that FINRA CAT will
be building so that the broker-dealers will be doing some
hashing or changes to the Social Security number coming in and
that will be the CCID that will be kept in the database. And,
Shelly, I think----
    Chairman Crapo. Ms. Bohlin, could you address that and then
also address--to me that seems like it just begs for reverse
engineering.
    Ms. Bohlin. So I will start out by saying that the CCID--
and as Mike described--is based on a Social Security number
that never leaves the broker-dealer. But the objective is to be
able to identify a single customer trading across all broker-dealers.
So that is one of the primary functions that CAT
brings that the regulators do not have the ability to do today.
    But the CCID is only known by CAT. It is not returned to a
broker-dealer. No one outside of CAT will ever have access to
or know the CCID.
    Further, the CCID as it comes into the customer and account
section of--the customer and account data is segregated from
the transaction data. The CCID, while it will have associated
with it customer information in the customer and account
database, it is not available to the transaction data. Only the
actual CCID number itself, not knowing who it is, whether it is
a natural person, an institution, anything else, only that is
available with the transaction data for regulators to run
queries against. So it is tightly controlled and not known
outside of CAT.
    Chairman Crapo. Well, first, let me ask could CAT tell the
broker-dealers to give them the ID, the information later on? I
do not mean now. They are not collecting it now. But what if
they decided they wanted to have it? Could they just create it?
    Ms. Bohlin. So to have the broker-dealer create the CCID I
think would be difficult because you have to have the same
identifier across every single broker-dealer. So CAT
originally, as Rule 613 was originally approved, had the
broker-dealers submitting a CCID that becomes difficult--it
gets very detailed very fast. I know we have limited time here.
I am happy to follow up on any of the details to this. But it
is designed so that the broker-dealer--each individual broker-dealer
does not have to have some uniform way to come up with
the same number to give CAT for the same----
    Chairman Crapo. Well, I would like you to perhaps in
writing following the hearing give me a little better
explanation of this. Let me just give you a quick example. You
will recall when the CFPB got rolling really aggressively, it
decided it wanted to collect credit card transactions on
virtually everybody for everything. And we got into a fight
with the CFPB over that, and they finally said, ``Oh, well, we
are not collecting all of this PII,'' which goes way beyond the
PII that we are talking about right now. And it turns out, as
we explored that with them, that they basically just were not
collecting it, but they could easily, by flipping a switch,
pick it up.
    Mr. Simon. I think it is important to note that when you
say will CAT be able to get the underlying information, CAT
will not be able to get the underlying information. Each of the
SROs themselves as a self-regulatory organization and as they
conduct their surveillance, at some point they will need to
know the underlying customer involved, and the SROs, as part of
their surveillance function, will have the ability to go back
to broker-dealers and to try to identify the person who they do
not know their specific identity from the CAT data, but that
will be something in the surveillance function of each of the
SROs and will not be a CAT function.
    Chairman Crapo. All right. Thank you. I would like you, all
three, if you would, to fill in anything else you can for me
following this in your written responses to the Committee.
    I only have 30 seconds left, so let me ask whoever would
like to jump in on this, who has access? There was a comment
about the fact that both of the exchanges have the ability to
download this data?
    Mr. Simon. Yeah, I will handle that from the consortium
side.
    Chairman Crapo. OK.
    Mr. Simon. There are 23 SROs--23 exchanges plus FINRA as
the SROs, plus the SEC. Each of them have regulatory
responsibilities under the Federal securities laws. Each of
them will have the ability to access the database to conduct
their surveillance. They all conduct surveillance now, and they
will have access to the CAT database in whatever manner they
feel appropriate to discharge their regulatory
responsibilities.
    There will be controls in place, as Shelly mentioned, as to
proper training and access and regulatory oversight over who
does have access and how they use it.
But its stated purpose, \nboth in the rule and in the plan, is to help each of the \nregulators discharge their regulatory obligations.\n    Chairman Crapo. All right. Thank you. I am going to \nprobably send some questions to you to further elaborate on \nthat.\n    Senator Brown.\n    Senator Brown. Thank you, Chairman.\n    Ms. Bohlin, please describe for us the market oversight and \nenforcement benefits of the Consolidated Audit Trail for the \nSEC and FINRA, and how does this improve on current systems?\n    Ms. Bohlin. So one of the biggest differences and \nimprovements over current systems, it will be all in a central \ndatabase that is reported by 8 a.m. on T+1. It will include \ndata including all the equities exchanges and options \nexchanges. So today we have similar constructs in the equity \nmarkets to what CAT ultimately is, but not the options market. \nSo bringing the options data in is a significant difference \nfrom what we have today; in addition, having the CCID and the \nability to understand if the same entity is trading or trader \nis trading across multiple broker-dealers. So those are two of \nthe biggest improvements and differences from what we have \ntoday.\n    Senator Brown. Mr. Simon, do you want to add to that?\n    Mr. Simon. I think that the main benefits are the first \nname in CAT, consolidated. It will be the first time there will \nbe a Consolidated Audit Trail of all the information from all \nthe securities markets. Currently, as I mentioned before, each \nof the SROs has the obligation to conduct surveillance and \nregulation of their market, and they are doing it from separate \ndatabases. This will be consolidated. This will be the first \ntime that we have end-user information although in a masked way \nthrough the CCID, which will enhance regulation and let you \nmove a lot more quickly in your surveillance obligations. 
And, \nthird, it is the first time we are going to have the life cycle \nof an entire order included in the system so that you can \nfollow an order from the time it is entered through execution \nand clearing. So there will be a lot of benefits to the \nregulators in how they use this data.\n    Senator Brown. Ms. Bohlin, you were at FINRA 10 years ago \nwhen the flash crash disrupted our market and undermined \ninvestor confidence. Comment on the impact that the flash crash \nhad on working families' confidence then and still what kind of \nimpact it had on their confidence in using the markets to save \nand invest for their futures.\n    Ms. Bohlin. So that is definitely an issue that has, you \nknow, broad impacts. Being here representing FINRA CAT today, \nthat might be FINRA, the parent, and any of the other SROs \nmight be able to elaborate on that a little bit more. But \nhaving a market, knowing that the market can go down and so \nmuch value can be lost in such a short period of time, I think \nother steps have been taken in addition to CAT that prevent \nthose wild swings, so to speak, like marketwide circuit \nbreakers, limit up/limit down, things that have been put in \nplace to try to prevent----\n    Senator Brown. That is what you are saying from your \nperspective. What are people that are trying to save for their \nfuture, what impact did that have on their confidence back then \nand what kind of residue of that still remains?\n    Ms. Bohlin. Just my personal view on it is that having \nuncertainty about the erratic movements or the fact that stocks \ncould lose so much value in such a short period of time \nobviously is a detriment or may discourage people from \ninvesting. So having the tools in place to try to prevent these \ntypes of wild swings or have the tools we need to make sure we \nunderstood what happened is very important.\n    Senator Brown. 
The point of the question was just to \nencourage you to think about--I mean, you seem to do your job \nwell. You care about this. You understand the complexities and \ntechnicalities that probably most of us here do not. But I just \nwant you to be thinking what completion of this, 2022 you cited \nearlier, what this means for the confidence of the investor \npublic and pretty shaken a decade ago, maybe pretty forgotten \nnow, but it cannot be forgotten by you, and that is the \nimportance of--that was the reason for the question.\n    Ms. Bohlin. Yes, absolutely. That is why I personally \nbelieve CAT is so important, and I have spent a lot of years \nand I very much believe in it.\n    Senator Brown. OK, good. The bottom line is that markets \nwork best when investors have confidence, as we know, and the \nConsolidated Audit Trail gives the opportunity to catch bad \nactors so working Americans can be confident they are not \ninvesting in a rigged market.\n    Ms. Bohlin. Exactly.\n    Senator Brown. Mr. Chairman, I would like to submit a \nwritten statement for the record from Better Markets.\n    Chairman Crapo. Without objection.\n    Senator Brown. Thank you.\n    Chairman Crapo. Senator Cotton.\n    Senator Cotton. Thank you, Mr. Chairman.\n    I will say I detected a note of skepticism in the \nChairman's questioning. I will say that I will go beyond a \nnote. I have been outright skeptical of the Consolidated Audit \nTrail now for a long time. I have to say what I have heard \ntoday just made me downright opposed to it. I have got real \nreservations about this.\n    Mr. Simon, I want to start with you. You said that so you \nhave made the decision, as Mr. Clayton suggested in his recent \nletter to us, that you will not include Social Security \nnumbers, account numbers, or dates of birth in the Consolidated \nAudit Trail?\n    Mr. Simon. 
We have submitted an exemption request to the \nSEC asking them to grant that exemption so that we will not \ninclude that in the Consolidated Audit Trail. It is now in the \nhands of the SEC whether or not to grant that exemption. We \nhave a fair level of confidence that he will grant the \nexemption since we work closely with the staff of the \nCommission, with Judy, with the Advisory Committee, and with \nthe industry generally on a means of dealing with sensitive \npersonal information that we think satisfies the needs and \ninterests of the Commission and of the industry as well as the \nregulators.\n    Senator Cotton. And did I hear you say that 25 different \norganizations are going to have access to this information?\n    Mr. Simon. There are 23 exchanges, there is FINRA, and \nthere is the SEC. However, there are only eight specific \norganizations because multiple exchanges are owned by one \nholding company.\n    Senator Cotton. Any idea of the number of people that will \nhave access to this information?\n    Mr. Simon. Shelly will be able to answer that because she \nis going through the user authorizations and it will vary. Some \nof the SRO groups will contract out. Some will have their \nsurveillance obligations. Some will have a significant number \nof people. But I think it is really FINRA and the SEC that will \nhave the most people, and some of the exchange groups will also \nhave a significant number of people----\n    Senator Cotton. Ms. Bohlin, I am not looking for an exact \nnumber. I would just like an order of magnitude. Are we talking \nabout dozens? Hundreds? Thousands?\n    Ms. Bohlin. So the plan has estimates of 3,000 users, and \nunder our contract we are having to build to ensure we can \nsupport access by 3,000 users. That would be across the SEC----\n    Senator Cotton. So 3,000 users will have access to every \ntrade from every account from every broker for every retail \ninvestor in America?\n    Ms. Bohlin. 
Yeah.\n    Senator Cotton. So you are building the CCID, you said, so \nSocial Security numbers do not have to be used, but you said \nthat would be based on the Social Security number at the \nbroker-dealer. I know you talked about how good the audit trail \nsecurity is going to be. How confident are you that all those \nbroker-dealers, many of whom are small businesses, have equally \ngood security in their databases?\n    Ms. Bohlin. They are all required as registered broker-\ndealers to maintain adequate security programs themselves.\n    Senator Cotton. And the audit trail will not be able to get \naccess to the underlying data. Do we think that, say, China or \nNorth Korea will be able to get access to that underlying data?\n    Ms. Bohlin. We are certainly designing it so that is not \nthe case.\n    Senator Cotton. But this is my point, and let me be clear. \nYou all inherited this. Chairman Clayton inherited this. So I \ndo not doubt your good intentions. I think, Ms. Bohlin, you \nsaid that the security of this information is your highest \npriority. You have ``a strong data security plan.'' I would \njust point out that the Office of Personnel Management and the \nSEC probably thought they had the strongest data security plan \nas well, Government agencies that suffered massive hacks that \nexposed the information of millions of Americans, to say \nnothing of companies like Equifax and Sony and Target and \nMarriott and Yahoo. And I could go on and on and on even \nfurther.\n    There are huge costs to this program. Chairman Crapo \noutlined a bunch of the financial costs, billions of dollars up \nfront and then continued in operating expenses, to say nothing \nof the cost of the personally identifiable information. It is \nnot clear to me what benefit market participants and Americans \nat large get from having this in place. 
I know that \nCommissioner Peirce has recently written that the Enforcement \nDivision at the SEC does a pretty good job of tracking down \nwrongdoers, and they could probably get almost all of the \nbenefit out of the audit trail if they focused on large \ninstitutional investors as opposed to a single mom who is \ntrying to invest money to save for their kid's college. So I \njust do not see where the benefits outweigh the costs. The game \nis worth the candle; the juice is worth the squeeze. I \nappreciate you are doing everything you can to try to protect \nthe information of individual users, but you are creating a \ndatabase that is so large and so valuable and so attractive, I \ncannot imagine that at some point in the future this Committee \nis going to be having an oversight hearing on how a breach of \nthat database occurred.\n    Chairman Crapo. Thank you, Senator Cotton.\n    Senator Warner.\n    Senator Warner. Well, thank you, Mr. Chairman, and I \nappreciate you holding this hearing. I actually beg to differ \nwith my friend, the Senator from Arkansas. There clearly are \ninherent challenges in this, but I would make the case that I \ndo not think we still, almost 10 years after the flash crash, \nfully appreciate what led to the flash crash, the ability of a \nseries of--and I do not think we are looking so much at the \nindividual investor as we are looking at the ability to have \nmarket manipulation oftentimes by a series of very \nsophisticated investors who may be operating across a whole \nseries of exchanges simultaneously. So there are clearly risks, \nMr. Chairman, in this, but to not have the ability to \nreconstruct in a kind of orderly fashion how these type of \nmarket manipulations could take place--and, frankly, I think \nthe technology has gotten even better in terms of manipulation. \nSo I actually applaud Chairman Clayton. I think he has taken on \nthis challenge. 
I think it is kind of crazy that it has taken \nus 9 years to get here, and I think there clearly are market \nforces and market participants who want to do everything \npossible to slow this process down because they do not want \nthis Consolidated Audit Trail. They do not want their \nactivities demonstrated to the marketplace.\n    Now, we are going to obviously continue, Ms. Bohlin, to \nkind of follow your efforts. I actually wish--and I think we \ncan get to a good-faith way to resolve some of these issues. I \nwish the SEC was here because I think the SEC--you know, we \nneed their voice in this hearing. I would hope at some point, \nMr. Chairman, you would consider bringing them into this \ndiscussion in a formal way so we can press them in particular.\n    Mr. Simon, one of the first questions I have got for you \nis, recognizing that the SROs are going to have this ability to \naccess the database, should we require the SROs some kind of \nformal explanation process of why they are requesting \ninformation? It would not be an absolute guarantee, but it \nmight--one of the things I am concerned about is not only the \nability to be hacked into, but could the SROs access this \ninformation for their own financial interests? And can we put \nsome kind of at least presumption that they have to give us an \nexplanation why they are accessing the database?\n    Mr. Simon. Well, it is clear under the rule and the plan \nthat the SROs can access this data only for regulatory purposes \nand only for their surveillance purposes. The SROs already have \nregulatory and surveillance programs in place that are subject \nto barriers from the business side of the organization, and \nthose will remain in place, and those are subject to review not \nonly by the SROs and their internal audit department, but by \nthe SEC and their inspections unit, and they are heavily \nregulated. And I think it is fair to say that the SROs operate \nwith integrity in the regulatory system. 
And, as shown by the \nConsolidated Audit Trail that you have--while you might have \nthe 24 different SROs, they are effectively competitors with \neach other. They are acting cooperatively for the joint good of \nthe industry in developing the Consolidated Audit Trail. But \nShelly and FINRA CAT are developing specific functions within \nthe CAT system to oversee what the regulators are doing and \nwhat types of queries they are looking at and will have \nintelligence in the system to help ensure that they are being \nused for appropriate purposes. And perhaps you can talk to that \nfor a second, Shelly.\n    Ms. Bohlin. Sure. So part of the security program is \nlogging of all access, logging and review, both automated and \nmanually, looking for atypical queries coming from a particular \nregulatory user. Also from an----\n    Senator Warner. Should we ask that SRO to kind of give an \nexplanation of why they are making this request? I am not sure \nI agree 100 percent, but I would ask you to consider--I have \nonly got 38 seconds left. You know, one of the things I have \nseen on kind of the SEC's amended 613 rule that they can start \nto charge fines or expenses if the participants do not meet \ncertain of the timelines on a going-forward basis.\n    Mr. Simon. Right.\n    Senator Warner. I do have a concern that there are going to \nbe folks in the market that will drag their feet because they \ndo not want the CAT. They are going to throw up a lot of \nconcerns, and there are legitimate concerns about PII. But they \nare going to throw up a lot of smoke screens, dragging their \nfeet because they do not want this kind of exposure. How do we \nhold them accountable? Do you think the amended 613 rule does \nthat?\n    Mr. Simon. I think that Rule 613 does it. I think everybody \nis working cooperatively in order to build the CAT in a timely \nand efficient manner. 
I think, as Judy mentioned, that the \nindustry is now on board with the timeline.\n    And just to your point before about coming up with reasons \nfor doing inquiries, from a regulatory standpoint, you see \nabnormalities in trading, and you do not really know what you \nare looking for, and it is very difficult to say, ``I am \nlooking specifically for an insider trading violation'' or \nthis. You need to be able to look at the data, to analyze the \ndata, to see when there are atypical patterns in there. So I \nthink it is very difficult up front to put in a reason why \nyou----\n    Senator Warner. And I did not get a chance to ask you, Ms. \nMcDonald, but maybe you could submit for me some of the--you do \nnot have a vote on the Operating Committee. Are there \nstructural governance changes we can do to, you know, improve \nthis process?\n    Senator Warner. I would simply say, Mr. Chairman, you raise \nI think appropriate questions about PII. I think there is a way \nwe can sort through this. I think the net benefit for \nprotecting the system will be of enormous value for oversight. \nAnd I frankly think that some of the folks who are part of the \nmarket manipulators, they have gotten substantially better \nsince 2010. So I think we have got a healthy tension here, but \nI look forward to working with you. And I appreciate the \nRanking Member's comments at the front end in terms of how long \nthis has taken, and I completely agree with his earlier \ncomments.\n    Thank you, Mr. Chairman.\n    Chairman Crapo. Thank you.\n    Senator Rounds.\n    Senator Rounds. Thank you, Mr. Chairman.\n    I am just curious. I am going to start with Ms. McDonald, \nbut if you want to defer, you may. 
I understand the concerns \nthat have been expressed here by those individuals who are \ndoing their best to find a way to limit the amount of insider \ntrading and the type of trading activities that would hurt \nconsumers who want to trust in a market.\n    I also understand the concerns of the loss of privacy, and \nsomewhere in the middle of this, we have to be able in an \noversight capacity to look at trying to resolve both issues.\n    Ms. McDonald, I had the impression that your organization \nhas tried to do this, but specifically, can you share with us \nthe security that you look at and the approaches that you have \ntaken to try to make sure that the information which is being \npicked up will be secure? And what do you do to track down and \nto find problems that may already exist within the system? What \nare you doing to rule it out and to make sure that any system \noperating even today has not been compromised?\n    Ms. McDonald. So as Shelly stated----\n    Senator Rounds. You may want to turn that on.\n    Ms. McDonald. So as Shelly stated, I think that broker-\ndealers are subject to both review by FINRA as well as adhering \nto best practices with regard to security practices. And so \nmany broker-dealers, including SIG, have a very large and \nrobust security program that follows along the same lines that \nhave been outlined here. So basics of things like account and \nidentity management, multifactor authentication, granular role-\nbased access controls, and----\n    Senator Rounds. May I just--look, I appreciate that, but I \nguess what I am looking at, and maybe I am not explaining it \nvery well, we require people to follow speed limits, but the \nway that we also enforce it is then to have a patrol officer on \npatrol that is checking to make sure. Who is the patrol officer \nin this particular case to make sure that the security \nrequirements are actually being followed up? 
What is the \nfollow-up that you are doing today to assure security as of \nright now? And perhaps Mr. Simon would like to answer that. You \nmay defer if you want.\n    Ms. McDonald. Broker-dealers are subject to review by FINRA \nspecifically around security programs, and so over the years, \nFINRA has conducted increasingly sophisticated security audits \nof their broker-dealer community, and these are conducted by \nsecurity experts who dig deep into both the process and \nprocedures and personnel behind these security programs.\n    Senator Rounds. Thank you.\n    Mr. Simon.\n    Mr. Simon. I think what you are getting at is policing the \nsecurity in the CAT system and who is responsible for that. Who \nis overseeing the system and ensuring that whatever controls we \nput in there are operational, that they are robust, and that \nthey are working. And that is the obligation of the CAT \nOperating Committee, of the consortium of the SROs.\n    As Shelly mentioned and as I mentioned, we have hired a \nCISO, the chief information security officer. He will be the \nperson who has the ultimate responsibility to implement and \noversee the security in the system. The CISO is an employee of \nFINRA CAT, but is an officer at the CAT LLC, so he is going to \nbe responsible for implementing the security.\n    In addition, the SROs, through the consortium, have what we \ncall a ``security working group'' that is comprised of CISOs \nand security experts from all the SROs. The SEC is an active \nparticipant in that, including the SEC's chief security \nofficer. So they all work together, oversee all the policies, \nwork with the CISO, come up with the policies, including the \npolicing of the system once it is up and running. And any of \nthose policies have to come up to the Operating Committee, and \nthey come up again and again as they are amended and put in \nplace for approval by the Operating Committee. 
And at the same \ntime, we work with Judy and the Advisory Committee and with \nSIFMA and a group of CISOs of the industry to make sure that \nthey are comfortable with the security policies. But, \nultimately, the buck stops with the Operating Committee. They \nhave the responsibility, and they are aware of it and are \nworking actively to ensure the safety and soundness of the \nsystem.\n    Senator Rounds. What percent of the system is actually \noperational today? How far along in the process is it today?\n    Ms. Bohlin. In terms of percentagewise?\n    Senator Rounds. Yes.\n    Ms. Bohlin. This is just, you know, a total back-of-the-\nenvelope. I would say maybe 50 percent, because you have the \nexchanges----\n    Senator Rounds. Fifty, 5-0?\n    Ms. Bohlin. 5-0. We have the exchanges and----\n    Senator Rounds. OK. The reason why I ask is right now--how \nmany incursions do you know of that are attempted per day \nwithin this particular segment?\n    Ms. Bohlin. For what is operational in FINRA CAT today?\n    Senator Rounds. Yes.\n    Ms. Bohlin. How many attempted intrusions there are each \nday?\n    Senator Rounds. On a daily basis.\n    Ms. Bohlin. I would have to go back and get that \ninformation for you. I do not have that number. I do know we \nmonitor that just as FINRA parent monitors it as well, so I \ncould get that information for you.\n    Senator Rounds. Yeah, I think it would be good to know, \nnumber one, the number of attempts and also the number that \nhave actually successfully stepped into it.\n    Ms. Bohlin. So no actual successful attempts since FINRA \nCAT has been operational. And like I noted before, we are \ndirectly--FINRA CAT itself is an SCI entity directly, subject \nto SEC jurisdiction and Reg. SCI. We have to file any time we \nwere to have an intrusion that was successful.\n    Senator Rounds. Mr. 
Chairman, I know I am going over my \ntime, but I just want to make this--you are saying that you \nhave 50 percent of your system operational today, and that \nwhile you know that there are incursions attempted, you are not \naware of a single incursion that has been found within your \nsystem at this point?\n    Ms. Bohlin. That has been successful--and I am not \npersonally aware of any intrusions that have been attempted. I \nam assuming that there probably are because it happens all the \ntime. But I would want to get that specific information for \nyou. I am not aware of any successful intrusions, and we have \nnot had any SCI events that we have had to file since we have \nbeen operational.\n    Mr. Simon. If there was an intrusion, we would have known \non the Operating Committee and would have had to report it \nimmediately to the SEC and put our breach procedures in effect. \nAnd I am fairly certain--we will double-check and confirm with \nyou--there have been no successful breaches into the system.\n    Senator Rounds. Yes, I apologize for taking the extra time, \nMr. Chairman, but I think this is really important. Number one, \nif the Secretary of the Navy puts out a report showing that \nwithin the Department of Defense we get incursions, and we find \nsome of them, and we know that they occur. To suggest that you \nhave 50 percent of this thing operational right now today and \nyou are not aware of any incursions to date----\n    Ms. Bohlin. That have been successful.\n    Senator Rounds. ----that have actually successfully \noccurred within your system, that is pretty impressive or it--I \nwould like to get a confirmation on that before you say that \nthat is a fact. OK?\n    Ms. Bohlin. Absolutely.\n    Senator Rounds. All right. Thank you.\n    Mr. Simon. We will.\n    Senator Rounds. Thank you.\n    Chairman Crapo. Thank you.\n    Senator Cortez Masto.\n    Senator Cortez Masto. 
Thank you, and also thank you to the \nChairman and Ranking Member for this hearing, and I do want to \nalign myself with some of the comments that were made by my \ncolleague from Virginia, Senator Warner.\n    Let me jump on this issue really quickly because I think \nthere is this balance. We want to protect PII information, but \nat the same time I think we want to also protect against market \nmanipulation. And so maybe getting in the weeds a little bit \nmore, Mr. Simon, I am assuming that you have a formal \ncyberincident response plan or at least the committees are \ncoming up with that, and maybe you want to address that, \nbecause that will, I hope, give us the information publicly at \nsome point in time--or maybe not--that you are being asked by \nSenator Rounds. So does anybody want to address that with \nrespect to a formal plan?\n    Mr. Simon. Yes, we do, and I will defer to Shelly from \nFINRA CAT who is developing that as the head of FINRA CAT.\n    Ms. Bohlin. Yes, we definitely have a formal cyberincident \nresponse plan, a very detailed plan. We have worked with the \nSROs closely, and their expertise, the expertise that we have \nfrom FINRA parent, who has a very mature system in place and \nhas very mature cyberincident response plans. We are in the \nbusiness of managing sensitive data. And that includes having, \nyou know, available to us experts in cybersecurity breach \nmanagement; that includes containment, forensic analysis of \nwhat happened, responses, any appropriate notifications. Of \ncourse, each depends on the facts and circumstances of any \nparticular incident of what you may or may not have to disclose \nor do. It is a total facts and circumstances basis.\n    Senator Cortez Masto. And as part of your security, you can \nensure that all CAT data is encrypted at rest and in flight as \nwell. Correct?\n    Ms. Bohlin. Yes, fully end-to-end encryption at motion and \nat rest, absolutely.\n    Senator Cortez Masto. OK. 
Thank you.\n    Can I jump back to also the conversation regarding the May \n6, 2010, flash crash? Let me just ask you this: If the \nConsolidated Audit Trail process were in place in 2010, would \nthe exchanges themselves have been able to identify the cause of \nthat crash? My understanding is it took at least 5 years to \nreally figure out the cause of that crash and later determine \nthat a U.K. trader was arrested for placing fake trades that \nmelted the market. If the CAT process were in place, would the \ninformation you have been able to uncover identified much \nearlier, sooner, quicker, however you want to say it, and \nfigured out what was going on there?\n    Mr. Simon. Yeah, I think it certainly would have been much \neasier, and we would have had a better database. And going back \nto what Senator Brown said in the beginning and the confidence \nin the market, the integrity and confidence in the market is \ncritical. And one of the biggest issues with the flash crash \nwas not just that it happened but how long it took to figure \nout what did happen.\n    Senator Cortez Masto. Right.\n    Mr. Simon. We will have much better tools that are \navailable to identify the underlying customer. But the biggest \nnegative and detriment that we have is it is limited to the \nsecurities and the options market. To the extent that there are \nfutures markets and CFTC markets, regulated markets that are \ninvolved, they are not yet included in the Consolidated Audit \nTrail. It would be great from a customer protection and \nconfidence and integrity standpoint to be able to integrate the \nU.S. futures markets into the Consolidated Audit Trail as well \nand potentially at some point the non-U.S. markets since we are \nin a global market, both with respect to products and with \nrespect to geography. But it will be a very important first \nstep in getting there.\n    Senator Cortez Masto. Thank you. And thank you again for \nbeing here. 
I appreciate the conversation.\n    Chairman Crapo. Thank you.\n    Senator Kennedy.\n    Senator Kennedy. Mr. Simon, is this going to stop flash \ncrashes?\n    Mr. Simon. No.\n    Senator Kennedy. Is this going to stop manipulation?\n    Mr. Simon. No.\n    Senator Kennedy. What is this going to do then?\n    Mr. Simon. This is going to help the regulators police the \nmarkets after there is a flash crash and after there is \nmanipulation, to bring the wrongdoers----\n    Senator Kennedy. How often do we have a flash crash?\n    Mr. Simon. I am aware of one.\n    Senator Kennedy. OK. We are going to spend $4 billion to \nimplement it? Is that the right number?\n    Mr. Simon. That is a number that the SEC used early on. I \ndo not believe that number is currently correct.\n    Senator Kennedy. The SEC says it is going to cost $4 \nbillion. Do you know how long it would take me to count to $4 \nbillion?\n    Mr. Simon. A long time.\n    Senator Kennedy. A hundred-and-28 years. I would not make \nit. None of us would. And it is going to cost another $2.1 \nbillion to keep it up?\n    Mr. Simon. That is not my current estimate as to what the \ncost will be to build or to operate.\n    Senator Kennedy. Do you think it can be done cheaper?\n    Mr. Simon. Yes.\n    Senator Kennedy. How much?\n    Mr. Simon. The current operating budget for the CAT LLC, \nfor the Operating Committee itself, just for the build and \noperation and the ancillary efforts, is approximately $60 to \n$75 million a year for the foreseeable future.\n    Senator Kennedy. OK.\n    Mr. Simon. That does not include, to be----\n    Senator Kennedy. Well, I have got to move on. My briefing \nhere from the SEC says $2.1 billion, you know, $75 million, and \nthis is not going to stop flash crashes, and it is not going to \nstop manipulation, but you are going to have all this \ninformation.\n    Ms. Bohlin, what are you going to do with it? Where are you \ngoing to store it?\n    Ms. Bohlin. 
So the data will be stored in FINRA CAT's cloud \nenvironment.\n    Senator Kennedy. Who runs the cloud? Is that Amazon?\n    Ms. Bohlin. AWS, Amazon Web Services.\n    Senator Kennedy. OK. So how much will the contract with \nAmazon be? Senator Brown is very interested in this.\n    Ms. Bohlin. The specifics of those contracts are \nconfidential. I am happy to go back, just I would want to \nconsult with counsel.\n    Senator Kennedy. Well, you are going to have to tell us to \nappropriate the money, right?\n    Ms. Bohlin. So in terms of funding perhaps, I do not think \nit is an appropriation that----\n    Mr. Simon. No, the funding is coming--to date, the SROs \nhave paid every penny for the CAT out of their own pocket. \nEventually, we would like the----\n    Senator Kennedy. Who are the SROs?\n    Mr. Simon. The exchanges, 23 registered national securities \nexchanges----\n    Senator Kennedy. And they are not going to pass that cost \non? I mean, this is not free money, right? Somebody is going to \npay Amazon.\n    Mr. Simon. It is an operating cost that the SROs and with \nthe industry, once we get fees in place, we will share the cost \nand it ultimately will be a cost center for the----\n    Senator Kennedy. This is my first impression. Look, freedom \nis risk. You cannot regulate away every risk. It is not going \nto stop manipulation. It is not going to stop a flash crash. It \nis going to help you understand better what happened. You \ncannot understand what happened now? You went back and figured \nout what happened in the one and only flash crash we have had, \nhaven't you, Ms. Bohlin?\n    Ms. Bohlin. Eventually, after quite some time and effort.\n    Senator Kennedy. That did not cost $4 billion, did it?\n    Ms. Bohlin. Not that I am aware of, no.\n    Senator Kennedy. OK. I mean, this sounds like something \nFacebook would ask for, or Google. OK? You say 3,000 people are \ngoing to have access to this information. 
Does that include the \nChinese?\n    Ms. Bohlin. No. That is just regulators----\n    Senator Kennedy. Does that include the North Koreans?\n    Ms. Bohlin. No.\n    Senator Kennedy. Or Russia?\n    Ms. Bohlin. No.\n    Senator Kennedy. OK. So we do not know how many people are \ngoing to really have access to this.\n    Ms. Bohlin. Well, all of the access is through private \nlines. You have to have a private line connection, so the \ninterfaces are in no way exposed to the Internet.\n    Senator Kennedy. I mean, I am trying--this is the way I am \napproaching it, and I am hurrying because I have to be on the \nfloor. This is $4 billion, $2 billion to maintain it. Haven't \nyou looked at the cost-benefit analysis? We are running $22 \ntrillion in the hole and climbing. Since we have been talking, \nwe borrow $1 million a minute to operate this place, $1.4 \nbillion a day. I mean, why do you want to do this? I understand \nit will give you real-time data and you can go in there and \nlook faster. But $4 billion, $2 billion to maintain it? We run \nthe risk that your data could be compromised. Have you ever \nheard the expression, ``The cure is worse than the disease''? I \nmean, next you are going to want our DNA. I just do not get it. \nAnd I understand you are taking out the personal information, \nand I am not against the good work that the SEC does. I think \nJay Clayton, he is a rock-and-roll star. But I just do not get \nit. I just do not get it. And my time has been gotten, so I \nhave got to go.\n    [Laughter.]\n    Chairman Crapo. Thank you, Senator Kennedy.\n    Senator Van Hollen.\n    Senator Van Hollen. Thank you, Mr. Chairman. Thank you and \nthe Ranking Member and the witnesses here, and sorry I am \nrunning a little later, and I understand some of my questions \nhave been covered, so I will get to the point. But I will say \nthat, Ms. 
Bohlin, we are pleased to have FINRA in the State of \nMaryland, so thank you for what you do there on the job.\n    I want to pick up on a question that I think Senator Cortez \nMasto covered with respect to a futures contract--I think she \nmentioned the flash crash--and the question about whether the \nCAT system will be able to capture those future contracts, \nwhether that is the intention, and if so, what the timeline is. \nAnd I am happy to take an answer from any of the witnesses \nhere.\n    Mr. Simon. Yes, I will be happy to answer on behalf of the \nconsortium. We are building the CAT system that the SEC has \nmandated, and the SEC obviously has jurisdiction only over the \nequities and the options markets, so they have mandated that we \nbuild the CAT to cover those products.\n    They specifically have asked for comment and are looking at \nthe inclusion of futures contracts, which obviously will be \nnecessary for a comprehensive surveillance of the financial \nmarkets generally. That is a possible next step. We do not have \nthe timeline for that. That would require obviously cooperation \nbetween the CFTC and the SEC in the development of such a \nproject along with the oversight committees in Congress.\n    Senator Van Hollen. Thank you. I mean, you would agree if \nwe do not capture futures contracts, that would be a big hole \nin the system?\n    Mr. Simon. Yes.\n    Senator Van Hollen. So we need one way or another to make \nsure that is included, right?\n    Mr. Simon. Yes. Right now we have our hands full through \n2022 and getting the equities and the options markets in there. \nBut that is certainly something that we would have to address \nthereafter.\n    Senator Van Hollen. 
And with respect to the concerns some \nof my colleagues have raised about data security, because I \nunderstand this will contain the second largest amount of data \nof any system in the world, certainly in the United States, \nwhat measures are being taken now at the front end to make sure \nthat we address the ever changing and increasing threat of \ncyberattacks?\n    Mr. Simon. Let me address that from one angle and then have \nShelly address it from another. I think the first thing we can \ndo from an Operating Committee and consortium of the SROs is \ntry to make the database less attractive to hackers, and that \nis why we have put in the exemption not to include Social \nSecurity or tax identification numbers in there, not include \ndate of birth, and other types of similar personally \nidentifiable information. So if that information is not there, \nwe think it is a much less attractive target for a hacker. But \nnotwithstanding the lack of PII in the system, we understand \nthat there still will be a lot of data in there that may be \nattractive, so, therefore, we have worked with the CISO at \nFINRA CAT, with the industry, with the SEC to make sure that we \nhave absolute state-of-the-art security measures in place. And, \nShelly, you can quickly summarize those.\n    Ms. Bohlin. Sure, absolutely. The way that we approach it, \nfirst of all, I will say that data security, cybersecurity is \nFINRA CAT's top priority. That is very much our focus. And at a \nvery high level, we approach it with three very fundamental \ncomponents: people, process, technology, you have to have the \nright people with the right experience, number one, very \ncritical. So our CISO, over 20 years of experience. We have all \nof the exchanges' expertise, their CISOs, the industry's \nexpertise, and FINRA parent's expertise. 
So we cannot stress \nenough technology is incredibly important, end-to-end \nencryption, private lines, the regulator can only access via a \nprivate line, MFA--multifactor authentication, the encryption. \nSo it is really a multifaceted system that is part of everyday \nculture.\n    Senator Van Hollen. Thank you. The last question I have got \nrelates to concerns that some people have expressed about \npotential conflict of interest because this is--the SEC, of \ncourse, has a mandate to protect the public. This is an entity \nmade up of, you know, members who are participating in the \nmarket, for-profit companies, some of whom I understand have \nbeen previously fined by the SEC. So what can you do to assure \nthe public that this system will be run to protect the public \ninterests and avoid conflict of interest which seem to be \nembedded in the structure in some ways?\n    Mr. Simon. As you are well aware, the Nation's securities \nmarkets are based on a system of self-regulation so that the \nmarkets that are operating, the exchanges and FINRA that \noperate markets in one way or another also are responsible for \nthe regulation of those markets. That will not change in CAT. \nAll CAT will do is, very important, provide better surveillance \ntools for the SROs that are responsible for ensuring the \nintegrity of their market through their self-regulatory \noperations. But understanding that with the greater amount of \ndata in there and the more possibility that there is a misuse, \nclearly the SEC has stated in the rule and it stated in the \nplan that the data in the system can be used only for \nregulatory and surveillance purposes, and Shelly and the FINRA \nCAT team are putting together surveillance of the system \nitself, of its use, just to see atypical patterns of use of the \ndata, to try to identify places where regulators may be \nmisusing the data.\n    So we are aware of the concerns. 
It is nothing new to the \nsecurities industry or to the SROs and is something we are able \nto and think that we will be able to police.\n    Senator Van Hollen. I appreciate that, and there are some \nreports that the industry is actively trying to slow down this \neffort because it would result in greater transparency, even \nunder the current system. Can you comment on that at all?\n    Mr. Simon. I will start and then turn it to Judy. As Judy \nmentioned in her opening statement, we have an Advisory \nCommittee, and we are working closely with SIFMA, and everybody \nin the industry and the SROs, at FINRA CAT, at the SEC are \nworking in a coordinated, cooperative fashion to make the CAT \nsuccessful.\n    Ms. McDonald. So the industry has had unprecedented \ninvolvement--and that goes from the participation in the \nAdvisory Committee to the participation in the industry working \ngroup, and broker-dealers collectively have logged many \nhundreds of hours in the course of explaining work flows, \nreviewing specifications, bringing concerns to the table. We \nare doing this so that there is efficient and accurate \ncollection of data. I do not know how much more the industry \ncould actually put into this effort to make it successful, \nbecause at the end of the day we are required by the exchanges \nto do the reporting to CAT.\n    Senator Van Hollen. OK.\n    Mr. Simon. This is a cost and not--this is an expense and \nnot an income center for the industry and for the SROs, but \nnotwithstanding that, there has been really, in my experience, \nan unprecedented level of cooperation among everybody in the \nindustry to make this successful.\n    Senator Van Hollen. OK. Thank you. Thank you, Mr. Chairman.\n    Chairman Crapo. Thank you, and that concludes our questions \ntoday. I want to again thank the panel for coming. As you can \nsee, there is a strong understanding of the importance and the \nbenefits of CAT. 
There is also a very high level of concern \nabout the data collection and privacy impacts here, which I \nshare on both sides. And so I think we are far from where I \nhave a comfort level, and I think that is true for a number of \nMembers of the Committee. But we understand and appreciate the \nefforts that are being undertaken to address these issues. I am \nsure you will receive some additional questions from the \nMembers of the Committee who were not able to stay or be here, \nand I encourage you to respond to them quickly. For those \nSenators who do wish to submit questions for the record, those \nquestions will be due by Tuesday, October 29th. And as I always \ndo, I encourage you as the witnesses to respond as quickly as \nyou can to those questions. With that, thank you again. This \nhearing is adjourned.\n    [Whereupon, at 11:11 a.m., the hearing was adjourned.]\n    [Prepared statements, responses to written questions, and \nadditional material supplied for the record follow:]\n               PREPARED STATEMENT OF CHAIRMAN MIKE CRAPO\n    Today's hearing will focus on oversight of the status of the \nConsolidated Audit Trail, commonly referred to as the ``CAT''.\n    In 2010, in response to the Flash Crash and a number of other \nmarket disruption events, the SEC proposed the creation of a real-time \ntracking system to track securities orders across all markets \nthroughout the life cycle of the order--from origination, to routing, \ncancellation, modification, or execution.\n    At the time, the SEC estimated the creation of the CAT would cost \n$4 billion to launch and have ongoing maintenance costs of $2.1 \nbillion.\n    In 2012, I wrote a letter requesting that the SEC consider \nalternatives to establishing the CAT database, such as housing it on \nFINRA's existing Order Audit Trail System, or OATS.\n    It has been 9 years since the SEC's initial proposal for the CAT \nand after multiple challenges and delays it would appear that we have 
arrived at a version of CAT that realizes real-time, less accurate data
is not necessary to the market function and that slightly delayed, more
accurate information significantly reduces costs while still preserving
the functional improvements CAT is intended to provide. Further, the
CAT now better leverages existing resources by recently selecting a
subsidiary of FINRA to be the plan processor.
    I continue to have concerns about the costs associated with the
build, the volume of the information collected, what information will
be collected, who has access to the information collected, and how the
information will be secured.
    Last year, Ranking Member Brown and I wrote a letter to SEC
Chairman Clayton that emphasized our bipartisan belief that protecting
individuals' personally identifiable information, or PII, is paramount
to the American people.
    We have continued to seek a better understanding of what type of
PII is being collected, how that information is being used, who can
access it and how the data is secured and protected.
    Chairman Clayton's September 9th statement echoed this sentiment
regarding the importance of protecting information collected and stored
in the CAT, particularly Social Security numbers, account numbers, and
dates of birth.
    Chairman Clayton stated that he believes ``the regulatory
objectives of the CAT can still be achieved without these most
sensitive pieces of investor information.''
    Last week, the SROs officially requested a modification to the CAT
NMS Plan to exclude the collection of dates of birth, Social Security
numbers, individual taxpayer identification numbers, and account
numbers.
    This request is long overdue and I encourage the SEC to grant this
amendment which, I agree with the SROs, will reduce the risk profile of
the data collected and stored in the CAT while still preserving the
CAT's intended regulatory use.
    In his September 9th statement, Chairman Clayton went on to say
that even if the SROs reduce the scope of the PII collected, the nature
of the data to be included in the CAT ``necessitates robust security
protections.''
    I could not agree more and look forward to hearing from our
witnesses on how they plan to address these important issues from each
of their unique roles in the creation of the CAT.
    I look forward to receiving an update from each of our witnesses on
outstanding issues and challenges that remain to achieving an
operational CAT.
    I thank the witnesses for their willingness to appear today.
                                 ______

              PREPARED STATEMENT OF SENATOR SHERROD BROWN
    Thank you, Chairman Crapo, and welcome to our witnesses.
    We are just shy of 200 days from the 10th anniversary of the 2010
flash crash. Although there hasn't been a market disruption of that
magnitude since, our markets have become faster, more sophisticated,
and more fragmented. In that time, industry has spent untold billions
on upgrading technology and developing faster and smarter trading
systems.
    Yet the SEC, who we all rely on to maintain fair, orderly, and
efficient markets, still lacks a comprehensive system that would allow
it to effectively oversee the securities markets to protect Americans'
college savings and retirement funds.
    In an industry where cutting-edge technology is the name of the
game and trading firms erect competing microwave towers so that
computers in Chicago can communicate with computers near Wall Street in
milliseconds, the SEC still cobbles together data from multiple sources
in an attempt to have a complete understanding of our markets.
    This is why the SEC called on FINRA and the firms that run our
Nation's stock and options exchanges to build the Consolidated Audit
Trail, or CAT, one system with a beginning-to-end view of how trading
happens, so we can prevent insider trading, market manipulation, and
other misconduct that cheats the system.
    When the effort began in 2012, it was a huge undertaking. But, 7
years later we are only at the first stage of data reporting, and many
details need to be finalized. Under the current timeline, the system
will not be fully operational until 2022.
    Some take issue with the SEC, or any Government agency, having this
much data and call the system a target for hackers.
    I refuse to accept that we can't both protect people's personal
information, and go after criminals who take advantage of our markets.
    I know there are dozens of technology experts, data scientists, and
market veterans working on this. Just last week, the CAT operating
committee submitted to the SEC its proposal to exclude Social Security
Numbers and other personal information from the reported data.
    That is just one of many creative solutions that balance the need
for oversight with protecting sensitive information.
    I trust the very capable minds at the exchanges, FINRA, and the SEC
can work out access to data concerns, tracking the use of the audit
trail, and how to keep information secure to allow this long overdue
oversight tool to be completed.
    The bottom line is--if you are smart enough to have information or
strategies you think someone wants to steal, then you are smart enough
to help come up with ways to protect them.
    And we can't afford to wait.
    Just last week, the SEC filed charges against 18 people, most of
them in China, who engaged in a 6-year market manipulation scheme using
dozens of accounts, across many brokerage firms, that resulted in 31
million dollars of illicit profits.
    While we'll never know if the new system would have made it easier
to uncover those crimes, it is that kind of activity that the SEC
should have the technology to uncover.
    We also know that the question isn't if but when there will be
another crash or major disruption. Everyone--Main Street, industry, and
Congress--will look to those represented by our panelists today and the
SEC to understand what happened, how it will be fixed, and who was
responsible. Not having an answer, or waiting 5 months for one, will be
unacceptable.
    If another flash crash happens, or the delays or disagreements over
what should be solvable questions continue, you can expect to be back
before this Committee. We are expecting you all to cooperate and work
diligently to finish the CAT project.
    There are not many things that SEC Chair Clayton and I agree on,
but finishing the CAT without further delay is one of them.
    Every day we wait creates more risks for our markets and more
opportunities for criminals to cheat our regulatory system.
    Thank you, Mr. Chairman.
                                 ______

                  PREPARED STATEMENT OF SHELLY BOHLIN
    President and COO, FINRA CAT LLC, Financial Industry Regulatory
                               Authority
                            October 22, 2019
    Chairman Crapo, Ranking Member Brown, and Members of the Committee:
On behalf of FINRA CAT, LLC, a subsidiary of the Financial Industry
Regulatory Authority, or FINRA, I would like to thank you for the
opportunity to testify today. I serve as the President and Chief
Operating Officer of FINRA CAT, LLC, and I welcome the Committee's
invitation to discuss specific details of FINRA CAT's work as the Plan
Processor of the Consolidated Audit Trail, or CAT, since FINRA CAT
stepped into the role 6 months ago.
    The CAT is designed to be a centralized source of information on
activity in the equities and listed options markets. The Securities and
Exchange Commission (SEC) adopted Rule 613 in the wake of the 2010
flash crash to require the CAT to be created. The SEC explained at the
time that the purpose of the CAT is to create a comprehensive
consolidated audit trail that allows regulators to efficiently and
accurately track all activity in these securities throughout the U.S.
markets to facilitate comprehensive market reconstructions, more robust
market surveillance, and better analytics to support policymaking. \1\
Given the size and complexity of the financial markets, the CAT must
collect, process, and store a vast amount of data to achieve this goal.
This is a highly complex project that requires deep technological
expertise, sophisticated and proactively evolving security, close
regulatory coordination with the SEC and the consortium of self-
regulatory organizations (SROs) responsible for managing the CAT (SRO
consortium), \2\ and full-time engagement with broker-dealers that
ultimately must report data to the CAT.
---------------------------------------------------------------------------
     \1\ See Securities Exchange Act Release No. 67457 (July 18, 2012),
77 FR 45722 (August 1, 2012) (SEC adopting release for Rule 613 to
require the national securities exchanges and FINRA to file a national
market system (NMS) plan for the creation, implementation, and
maintenance of the CAT).
     \2\ The 24 participants currently in the consortium are: BOX
Exchange LLC; Cboe BYX Exchange, Inc., Cboe BZX Exchange, Inc., Cboe
EDGA Exchange, Inc., Cboe EDGX Exchange, Inc., Cboe C2 Exchange, Inc.
and Cboe Exchange, Inc.; FINRA; Investors Exchange LLC; Long-Term Stock
Exchange, Inc.; Miami International Securities Exchange LLC, MIAX
Emerald, LLC, MIAX PEARL, LLC; NASDAQ BX, Inc., Nasdaq GEMX, LLC,
Nasdaq ISE, LLC, Nasdaq MRX, LLC, NASDAQ PHLX LLC, The NASDAQ Stock
Market LLC; and New York Stock Exchange LLC, NYSE American LLC, NYSE
Arca, Inc., NYSE Chicago, Inc. and NYSE National, Inc.
---------------------------------------------------------------------------
    The CAT NMS Plan was filed with the SEC by the SRO consortium to
meet the SEC's Rule 613 requirements, and the Plan was approved by the
SEC on November 15, 2016. \3\ FINRA CAT began serving as the CAT Plan
Processor in April of this year after being selected by the SRO
consortium to build and operate the CAT system. Since our selection,
FINRA CAT has been performing these functions on a contract basis for
the SRO consortium, in accordance with the consortium's CAT NMS Plan.
---------------------------------------------------------------------------
     \3\ See https://www.sec.gov/rules/sro/nms/2016/34-79318.pdf.
---------------------------------------------------------------------------
    FINRA CAT appreciates that there is interest in the CAT from
multiple perspectives. The CAT is an important tool that must be built
properly so that the market regulators--including the SEC, FINRA, and
the national securities exchanges--can use it as intended to
efficiently and accurately track all activity in the U.S. securities
markets. In addition, given the importance of sensitive information to
the success of the CAT in achieving its goals, its security is of
paramount concern to the regulators, to industry members who will
report data to the CAT, to investors, and to the public.
    FINRA CAT is fully committed to serving these interests. The
leadership and staff of FINRA CAT have significant experience in
developing audit trail technology and utilizing it for regulatory
purposes. In addition, FINRA CAT has access to the full resources of
FINRA and its long, successful work in this area, expertise that has
been valuable in the months since FINRA has been tasked with the
development of the CAT. With this support, FINRA CAT's work to build
the CAT is on schedule. FINRA CAT also is committed to receiving input
from all stakeholders so that it may serve its role most effectively.
Close engagement with the SROs, SEC, industry stakeholders, the public,
and Congress is critical to FINRA CAT's efforts and the efforts of the
SRO consortium.
Transition to FINRA CAT
    After FINRA was selected by the SRO consortium to succeed the
former Plan Processor, FINRA CAT, a subsidiary of FINRA, was created to
focus solely on performing the functions of the Plan Processor. \4\
---------------------------------------------------------------------------
     \4\ While FINRA is a member of the consortium, FINRA recused
itself and did not take part in the selection decision.
---------------------------------------------------------------------------
    Importantly, FINRA CAT is a regulated entity. FINRA CAT is part of
FINRA's parent SRO umbrella and accordingly an ``SCI Entity.'' \5\ This
means that while FINRA CAT serves as a contractor for the SRO plan
participants and is not a CAT NMS Plan participant itself, FINRA CAT
nevertheless is subject directly to the SEC's jurisdiction, including
Regulation Systems Compliance and Integrity (Reg SCI). FINRA CAT's
status as an SCI Entity ensures direct accountability--both to the SRO
plan participants and to the SEC--for important issues like system
security, integrity, capacity, and business continuity.
---------------------------------------------------------------------------
     \5\ See https://www.sec.gov/rules/sro/finra/2019/34-85764.pdf.
---------------------------------------------------------------------------
    While FINRA CAT is part of FINRA's parent SRO umbrella and
supported by FINRA resources, FINRA CAT is a distinct corporate
subsidiary with controls in place to create sufficient separation from
FINRA operations where needed and appropriate. We have built out a
dedicated FINRA CAT operations staff led by me and a Chief Technology
Officer. We also hired, with the approval of the SRO consortium, a
Chief Information Security Officer (CISO) and a Chief Compliance
Officer (CCO). These officers are responsible, respectively, for FINRA
CAT's information technology security and governance and regulatory
compliance programs. These two positions also owe fiduciary duties to
the SRO consortium, as specified in the CAT NMS Plan. \6\
---------------------------------------------------------------------------
     \6\ See Section 4.6(a) of the CAT NMS Plan, available at
https://catnmsplan.com/wp-content/uploads/2019/09/CAT-2.0-Consolidated-Audit-Trail-LLC%20Plan-Executed-(175745081)-(1).pdf.
---------------------------------------------------------------------------
    Since becoming the Plan Processor in April, FINRA CAT has worked
closely with the SRO consortium and SEC staff to expeditiously put in
place a solution for the first scheduled phase of the CAT--
specifically, the collection and processing of order and trade data
from the equities and options exchanges and FINRA. \7\ For equities,
FINRA CAT has been able to leverage existing data feeds the exchanges
currently provide to FINRA, and in June, FINRA CAT deployed a
significant technology release to ingest and validate newly reported
options data from the options exchanges. FINRA CAT has used scalable
technology to process, on average, over 100 billion market records a
day during this period with no material operational issues or delays.
---------------------------------------------------------------------------
     \7\ For purposes of CAT reporting, FINRA data includes information
about activity in the over-the-counter markets reported to FINRA's
Trade Reporting Facilities, Alternative Display Facility, and Over-the-
Counter Reporting Facility. More information can be found on
www.finra.org.
---------------------------------------------------------------------------
    This current quarter, FINRA CAT will be finishing the development
of analytical tools that allow the SEC and SRO plan participants, as
regulatory users of the CAT, to analyze and run complex queries on the
CAT data. In addition, these tools will include functionality that
allows regulatory users to see visual displays of the consolidated
equity market order book for any given period of time. An example of
this is the delivery of multifactor authentication, an important
security enhancement, months ahead of its originally planned
implementation date of May 2020.
Upcoming Milestones--Industry Member Reporting to CAT
    At the same time that FINRA CAT has been working to implement the
first phase of CAT data reporting from plan participants, we also have
been dedicating substantial resources to preparing for the next stage--
industry member reporting, which is scheduled to be phased in from
April 2020 to July 2022. \8\
---------------------------------------------------------------------------
     \8\ See https://catnmsplan.com/timelines/.
---------------------------------------------------------------------------
    Looking ahead, large and small firms that currently report similar
audit trail data to FINRA's existing Order Audit Trail System (OATS)
will begin reporting equities data in April 2020, followed by large
firm reporting of options data in May 2020. Small firms that do not
currently report to OATS are scheduled to begin reporting in December
2021. Initially, industry member data will be limited to information
concerning order and trade events. After a number of interim phases
that will require the reporting of increasingly complex order and trade
information, the final phase of industry member reporting--as currently
contemplated by the SEC-approved CAT NMS Plan--calls for certain
customer and account information reporting beginning in July 2022.
Prior to each new reporting phase, there will be mandatory test periods
to promote compliance for the broker-dealers reporting data to the CAT.
FINRA CAT continually looks for opportunities to accelerate the
timeline where possible.
    Achieving these reporting milestones requires significant effort
from all parties. FINRA CAT is involved in full-time industry
engagement through a variety of channels. FINRA CAT has worked with the
consortium and CAT stakeholders to publish lengthy guidance on a
variety of industry reporting scenarios, a schema for industry member
reporting, and final technical specifications for the initial industry
reporting phases. \9\ FINRA CAT and the SRO participants provide
frequent presentations to the industry, which are archived on the SRO
consortium's dedicated CAT NMS Plan website. \10\ FINRA CAT also
maintains a fully staffed Help Desk to maintain an open line of
communication.
---------------------------------------------------------------------------
     \9\ See https://catnmsplan.com/technical-specifications/index.html.
     \10\ See https://catnmsplan.com/news-page/index.html.
---------------------------------------------------------------------------
    Active broker-dealer participation and feedback is a critical part
of this engagement, as the success of CAT requires effective broker-
dealer implementation of the CAT reporting requirements. There are a
number of industry representatives involved in the governance of the
CAT NMS Plan through their participation on an advisory committee
established by the CAT NMS Plan. \11\ A group of industry
representatives join a weekly working group discussion that FINRA CAT
cochairs with the consortium to identify and resolve interpretive
questions. With the help of this weekly discussion forum, FINRA CAT and
the SRO consortium have published answers to numerous frequently asked
questions and continue to answer new questions regularly. \12\
---------------------------------------------------------------------------
     \11\ See Section 4.13 of the CAT NMS Plan, available at
https://catnmsplan.com/wp-content/uploads/2019/09/CAT-2.0-Consolidated-Audit-Trail-LLC%20Plan-Executed-(175745081)-(1).pdf.
     \12\ See https://catnmsplan.com/faq/index.html.
---------------------------------------------------------------------------
    Active SEC involvement is critical as well. Each week, FINRA CAT
hosts a call with SEC staff and the SRO plan participants to provide an
update on project development and progress. FINRA CAT appreciates the
time, investment, and insight provided by the SEC staff on all aspects
of the CAT, and FINRA CAT has been happy to report so far that its work
is on schedule.
    FINRA CAT recognizes that challenges are sure to arise throughout
the industry phase-in. Prior to becoming the Chief Operating Officer of
FINRA CAT, I worked for 25 years with FINRA's market regulation
program, including on the successful multiphase implementation of
FINRA's OATS reporting requirements. Today, FINRA combines OATS data
with other regulatory data to process on average more than 78 billion
records a day.
As I and my FINRA CAT colleagues draw on our extensive \nprior experience with audit trail implementation, we welcome dialogue \nwith the industry and all CAT stakeholders, particularly as we \nencounter new challenges unique to CAT reporting and prepare CAT to \nsupport regulators' efforts to retire existing systems like OATS.\nSecurity and Customer Identifying Information\n    Under the current CAT NMS plan approved by the SEC in 2016, \\13\\ \nindustry members will be required to report certain customer \nidentifying information, including account numbers and some personally \nidentifying information, or PII. While we recognize the ongoing policy \ndiscussions related to the necessity of specific elements of PII to the \nsuccess of the CAT, those requirements are ultimately matters the SRO \nconsortium and the SEC must determine. However, I can assure the \nCommittee that the security of PII, and of all CAT data more broadly, \nis of the utmost priority to FINRA CAT, and I can address the data \nsecurity program that FINRA CAT has put in place to meet the CAT NMS \nPlan's requirements.\n---------------------------------------------------------------------------\n     \\13\\ See https://www.sec.gov/rules/sro/nms/2016/34-79318.pdf.\n---------------------------------------------------------------------------\n    In terms of FINRA CAT's overall information security program, we \nare led by a CISO who was approved by the SRO consortium and who is also \nits fiduciary. Our CISO has over 20 years' experience working on \ninformation security at FINRA, including as a security architect and \nsecurity engineer. 
The CISO is supported by a dedicated team of \nsecurity analysts who ensure that security controls are effectively \nimplemented, monitor the security of the CAT System and respond to \nanomalies, evaluate and approve access, enforce compliance with \nsecurity policies and standards including National Institute of \nStandards and Technology (NIST) Special Publication (SP) 800-53, and \nevaluate evolving threats and security control opportunities to ensure \nthat the CAT security posture remains strong. In addition, the FINRA \nCAT security team is able to leverage the security expertise and \nadvanced technology solutions that FINRA has invested heavily in over \nthe years, including the people, process, and technologies it has \ndeveloped and deployed to operate a secure cloud environment that is \ncomparable in scale to the fully deployed CAT solution. As the SRO \nconsortium recently discussed in a presentation to the industry, the \nFINRA CAT security program includes significant layers of \narchitectural-level security controls and program-level security \ncontrols. \\14\\ Examples of architectural controls include secure \ninfrastructure for connecting to the CAT system and architectural \nseparation between transaction data and PII. 
Examples of program \ncontrols include a full suite of information security policies, \nprocedures, and standards, as well as regularly scheduled independent \nthird-party system penetration testing, code reviews, and security \ncontrol validation.\n---------------------------------------------------------------------------\n     \\14\\ See https://catnmsplan.com/news-page/cat-industry-webcast-\nrecording-08-28-19/.\n---------------------------------------------------------------------------\n    The extensive FINRA CAT security policies address a range of issues \nrequired by the CAT NMS Plan, including data storage and handling, \ninsider risk, data connectivity and transfer, incident management, \nsecurity logging and monitoring, and account management. FINRA CAT's \nsecurity program is based on work product developed by the FINRA CAT \nCISO in coordination with a security working group made up of CISOs and \nsecurity experts from each of the SRO plan participants.\n    Each CAT System release is subject to the granting of an Authority \nTo Operate (or ATO) by the SRO consortium. To obtain an ATO from the \nconsortium, the CAT CISO presents a package of materials to the \nsecurity working group that demonstrates the strength of the CAT \nSystem's security posture. This package includes the system security \nplan, internal and third-party security testing reports, and an \nindependent validation and verification report confirming that security \ncontrols are aligned with the NIST industry standards followed by the \nFederal Government. \\15\\\n---------------------------------------------------------------------------\n     \\15\\ See https://catnmsplan.com/news-page/cat-industry-webcast-\nrecording-08-28-19/.\n---------------------------------------------------------------------------\n    FINRA CAT understands concerns that continue to be raised about the \ninherent risk of handling CAT data, particularly PII. 
Even with the \nenhanced architectural and program controls required by the plan for \nPII--such as containing PII in its own separate system with restricted \naccess--there may be policy questions for the SEC and SRO consortium to \ndiscuss about the costs and benefits of collecting and storing \nsensitive personal data.\n    FINRA CAT's job is to support the regulators' decision making on \nthis issue. This includes making any modifications to the system design \nto account for current discussions between the SEC, the SRO consortium, \nand the industry. As SEC Chairman Clayton recently noted before the \nHouse Financial Services Committee, the SROs are refining the details \nof a recommendation to eliminate Social Security numbers, account \nnumbers, and dates of birth from the CAT, filing a request last week \nwith the SEC to formalize the modified approach. \\16\\ FINRA CAT \ncontinues to work closely and productively with the SEC and the SROs to \nensure that it has the right technological solution in place for when \ncustomer and account information reporting begins in July 2022.\n---------------------------------------------------------------------------\n     \\16\\ See Letter from Michael Simon, CAT NMS Plan Operating \nCommittee Chair, to Vanessa Countryman, SEC, Request for Exemptive \nRelief from Certain Provisions of the CAT NMS Plan related to Social \nSecurity Numbers, Dates of Birth, and Account Numbers (Oct. 16, 2019), \navailable at https://www.catnmsplan.com/wp-content/uploads/2019/10/\nCCID-and-PII-Exemptive-Request-Oct-16-2019.pdf.\n---------------------------------------------------------------------------\nConclusion\n    Thank you again for the opportunity to appear today. The CAT is a \nmajor regulatory undertaking meant to help the SEC, FINRA, and the \nexchanges better regulate our securities markets. FINRA CAT recognizes \nthe role it must play as the CAT Plan Processor to make the CAT fully \noperational and secure. 
We are on target to complete the build on time \nand in line with the strict data security protocols established in the \nSEC-approved CAT NMS Plan. We look forward to our continued \ncollaboration with Congress, the SRO consortium, the SEC, market \nparticipants, stakeholders and the public as we work to achieve the \nproject's goals.\n                                 ______\n                                 \n                  PREPARED STATEMENT OF JUDY MCDONALD\n                 Chair, CAT NMS Plan Advisory Committee\n                            October 22, 2019\n    My name is Judy McDonald; I am the head of Regulatory Technology at \nSusquehanna International Group, LLP (SIG), a global quantitative \ntrading firm headquartered in Bala Cynwyd, PA. In my role at SIG I have \nbeen evaluating the Consolidated Audit Trail (CAT) NMS Plan since its \ninception and participated in the CAT Development Advisory Group prior \nto the Plan Processor selection. Since February 2017, I have served \nalong with 13 other industry participants on the Advisory Committee, \nand since March 2019 have served as the Chair of the Advisory \nCommittee.\n    Today I can confidently state that the effort to deliver CAT is \nmoving forward in a very positive manner. Since February 2019, when \nFINRA CAT became the new Plan Processor, the Self-Regulatory \nOrganizations (SROs), FINRA CAT and industry members have been in a \nvirtuous cycle of iterative deliverables and collaboration on the Plan. \nFINRA CAT brings subject matter expertise, depth of resources, and \nleadership to the effort. 
These capabilities have resulted in \nimprovements ranging from well-written policies and procedures, to \ncapable project management, to delivery on portions of a large, \ncomplex, distributed system.\n    The Advisory Committee is satisfied that the intermediate \nmilestones of the past year have been met and that significant progress \nhas been made toward processing SRO reporting and the completion of \nindustry member technical specifications for the first equity and \noption reporting phases.\n    However, there are a few areas of concern as the implementation of \nCAT progresses:\n\n    1. Data Security. This is undoubtedly the most significant concern \nas the CAT will gather and store an unprecedented amount of information \nthat previously has not been centrally located nor specifically \nidentifiable. The concerns can be broken down into three categories: \n(a) Trading records for institutions, (b) Personally Identifiable \nInformation (PII) for retail customers, and (c) the Security Policies \nof the regulators:\nTrading Records\n    There is significant concern about the security of the CAT data \nrepository and the misuse of trading records by those with \n``authorized'' access. Trading records will be less secure than PII and \naccessible by a broader set of individuals. This highly proprietary \ninformation results from significant investments, and Broker-Dealers \n(BDs) are very concerned that trading strategies could be reverse-\nengineered by competitors, by academics, or by rogue actors. Further, \nSROs compete with each other and BDs; this is beneficial to investors \nand could be compromised with the misuse of data.\nPII Data\n    We are encouraged by the progress to avoid the collection of Social \nSecurity numbers and other sensitive PII data. 
With this progress we \nbelieve some focus should be shifted to address the retirement of the \nlegacy Electronic Blue Sheet (EBS) system, which currently collects PII \ndata and is less secure than CAT.\nSecurity Policies\n    The Advisory Committee has little insight into the security \nprograms at the regulators and whether security policies and procedures \nhave changed commensurate with the increased value of the CAT data and \nthe increased threat of compromise. We cannot emphasize enough the harm \nthat could come from an external bad actor gaining access to trade \ninformation once data is bulk downloaded from the central FINRA CAT \nrepository.\n    In summary, I appreciate the critical nature of securing CAT data. \nTwo of the best ways to achieve data security are to limit the number of \npeople with access and to control the use of the data as tightly as \npossible. The Advisory Committee urges reconsideration of allowing the \n22 exchanges and the SEC to bulk download CAT data.\n\n    2. Verbal and Manual Quotes. There is a significant open issue with \nrespect to the capture and reporting of verbal and manual quotes. Human \ninteraction with highly electronic markets is a deeply challenging \nissue that affects a small but very important part of the market and, if \ndisrupted, could dramatically reduce market liquidity particularly \nduring periods of extraordinary volatility. The Advisory Committee \nrecommends a stepwise approach for reporting verbal and manual quotes.\n\n    3. Fees. Another area of concern is the current lack of insight \ninto fees that may be applied to BDs. The absence of a fee schedule \ncreates uncertainty around the effort and unnecessarily challenges \nfirms budgeting to comply with CAT. It also raises the concern of \nchasing more firms out of business and imposing yet another barrier to \nentry, all to the detriment of market liquidity and competition.\n\n    4. The SEC Proposal for Financial Accountability Milestones. 
The \nSEC proposal centers on the best-practice goals of increasing \naccountability and transparency of the CAT project. While we are \nsupportive of these goals, legitimate unforeseen circumstances may \noccur where fixed deadlines work against the collective best interest \nof the CAT implementation. There must be some flexibility in place to \naddress unforeseen situations.\n\n    In closing, I look forward to continuing my work on the CAT project \nand will be happy to address any specific questions you have.\n                                 ______\n                                 \n                 PREPARED STATEMENT OF MICHAEL J. SIMON\n               Chairman, CAT NMS Plan Operating Committee\n                            October 22, 2019\nI. Introduction\n    Chairman Crapo, Ranking Member Brown, and Senators of the \nCommittee, thank you for the opportunity to testify before you today \nabout the progress made on developing the Consolidated Audit Trail \nsystem (``CAT System'' or ``CAT''). As you are aware, the national \nsecurities exchanges and the Financial Industry Regulatory Authority \n(FINRA) (as the only national securities association) are developing \nand operating the CAT System as Participants \\1\\ to the National Market \nSystem (NMS) Plan Governing the CAT (the ``Plan''). \\2\\ The Securities \nand Exchange Commission (``SEC'' or ``Commission'') mandated both the \nPlan and the CAT System through adoption of Rule 613 of Regulation NMS. \n\\3\\\n---------------------------------------------------------------------------\n     \\1\\ The 24 Participants are: BOX Exchange LLC; Cboe BYX Exchange, \nInc., Cboe BZX Exchange, Inc., Cboe EDGA Exchange, Inc., Cboe EDGX \nExchange, Inc., Cboe C2 Exchange, Inc. 
and Cboe Exchange, Inc.; FINRA; \nInvestors' Exchange LLC IEX; Miami International Securities Exchange \nLLC, Long-Term Stock Exchange, Inc.; MIAX Emerald, LLC, MIAX PEARL, \nLLC; NASDAQ BX, Inc., Nasdaq GEMX, LLC, Nasdaq ISE, LLC, Nasdaq MRX, \nLLC, NASDAQ PHLX LLC, The NASDAQ Stock Market LLC; and New York Stock \nExchange LLC, NYSE American LLC, NYSE Arca, Inc., NYSE Chicago, Inc. \nand NYSE National, Inc.\n     \\2\\ National Market System Plan Governing the Consolidated Audit \nTrail, Section 1.1 available at https://www.catnmsplan.com/wp-content/\nuploads/2019/09/CAT-2.0-Consolidated-Audit-Trail-LLC%20Plan-Executed-\n(175745081)-(1).pdf [hereinafter the ``Plan''].\n     \\3\\ Consolidated Audit Trail Adopting Release, Exchange Act \nRelease No. 67,457, 77 FR 45,722 (Aug. 1, 2012) [hereinafter ``Rule 613 \nAdopting Release''].\n---------------------------------------------------------------------------\n    Described broadly, the CAT requires Participants, and will require \nbroker-dealers (Industry Members), to submit information to the CAT \nSystem related to the inception, routing, cancellation, modification, \nor execution of an order. \\4\\ When completely implemented, the CAT \nSystem will receive, validate, and process such data to create life \ncycles of orders across the markets. The Participants and the SEC will \nuse the CAT System solely for regulatory purposes, querying the CAT \nSystem to facilitate their oversight of the securities markets and to \nhelp them fulfill their obligations under the Federal securities laws. \nAs noted in Rule 613, the Commission expects the Participants and \nIndustry Members to share in the costs of the CAT, and the Plan \nincludes a funding model consistent with the cost-sharing requirement \nof Rule 613. 
\\5\\\n---------------------------------------------------------------------------\n     \\4\\ See generally Plan, supra note 2 (outlining the requirements \nof the CAT System).\n     \\5\\ See Regulation NMS, 17 CFR §242.613(a)(1)(vii)(D) (2019).\n---------------------------------------------------------------------------\n    There has been significant interest in the CAT. Understandably, \nmuch of this interest has centered around the extent to which the \nsystem will include personally identifiable information (PII), the \nsecurity of the system more generally, as well as the cost of the \nsystem. Before discussing these issues, I'd like to provide a little \nbackground on the CAT, tell you a little about the structure of the \nproject and my role, and give you an update on the progress of the CAT \nSystem.\na. Background on CAT\n    By way of background, the Commission conceived of and ultimately \nmandated the CAT System to more effectively and efficiently conduct \ncross-market supervision of trading activity. \\6\\ The Commission has \nexplained that the regulatory data infrastructure the Commission, the \nexchanges and FINRA currently rely on is outdated, inconsistent, and \ninadequate to effectively oversee a complex, dispersed, and highly \nautomated national market system. \\7\\ Upon complete implementation, the \nCAT system will provide a number of significant benefits, including: \n(i) consolidated trading information across all markets and (ii) the \nability to identify the trading of specific end-customers.\n---------------------------------------------------------------------------\n     \\6\\ See Rule 613 Adopting Release, supra note 3 at 45,723.\n     \\7\\ See id. at 45,723; Joint Industry Plan; Order Approving the \nNational Market System Plan Governing the Consolidated Audit Trail, \nExchange Act Release No. 79,318, 81 FR 84,696, at 84,697 (Nov. 
23, \n2016) [hereinafter ``CAT NMS Plan Adopting Release''].\n---------------------------------------------------------------------------\n    One practical example of limitations of current regulatory data \nrelates to regulators' ability to reconstruct and analyze market \nevents. \\8\\ According to the Commission, the lack of direct access to \naudit trail data resulted in the Commission's inability to quickly and \nefficiently reconstruct market events during the financial crisis in \n2008 and the ``Flash Crash'' \\9\\ in 2010. \\10\\ In proposing SEC Rule \n613, the Commission noted that while the existing audit trail \ninformation assisted the staffs of the SEC and the self-regulatory \norganizations in their regulatory responsibility to surveil for \ncompliance with self-regulatory organization rules and the Federal \nsecurities laws and regulations, it believed that existing audit trails \nwere limited in their scope and effectiveness in varying ways. \\11\\\n---------------------------------------------------------------------------\n     \\8\\ See Consolidated Audit Trail Proposing Release, Exchange Act \nRelease No. 62,174, 75 FR 32,556, at 32,557 (June 8, 2010) [hereinafter \n``Rule 613 Proposing Release''].\n     \\9\\ On May 6, 2010, the prices of many U.S.-based equity products \nsuddenly plummeted and recovered almost as quickly. This event is \nreferred to as the ``Flash Crash''. The Commission, along with the \nCommodity Futures Trading Commission, undertook an analysis of the \nFlash Crash. The Commission has explained that the available data \n``hindered staff in determining what happened to liquidity before, \nduring, and after the Flash Crash. Two major problems were the \ninability to identify and eliminate duplicate orders from the data and \nthe inability to accurately sequence events across the multiple data \nsources.'' Rule 613 Adopting Release, supra note 3 at 45,732.\n     \\10\\ CAT NMS Plan Adopting Release, supra note 7 at 84,834 n. 
\n2246.\n     \\11\\ See Rule 613 Proposing Release, supra note 8 at 32,563-568.\n---------------------------------------------------------------------------\n    To address this need, in August, 2012, the Commission adopted Rule \n613 \\12\\ requiring the Participants to submit an NMS plan to create, \nimplement, and maintain a consolidated audit trail for orders in NMS \nSecurities. \\13\\ The Commission mandated that the Plan address activity \nacross all markets, from the time of order inception through routing, \ncancellation, modification, execution, and allocation, in accordance \nwith the requirements of Rule 613. In September, 2014, the Participants \nsubmitted an initial proposed NMS plan to the Commission. \\14\\ Over the \ncourse of more than 2 years, the Participants filed two amendments to \nthe initial NMS plan; upon publication, the SEC received dozens of \ncomment letters on the proposed NMS plan from across the industry, \\15\\ \nmany of which focused on the security of the CAT System. In addition to \nNMS Securities mandated by Rule 613, the Participants also determined \nto include OTC Equity Securities (NMS Securities and OTC Equity \nSecurities collectively are ``Eligible Securities'') within the initial \nscope of the CAT. \\16\\ The Participants proposed this to allow for a \nmore expanded audit trail and to facilitate an expedited retirement of \nOATS (which applies to OTC Equity Securities as well as NMS stocks) as \nduplicative to CAT. In November 2016, the Commission unanimously \napproved the amended Plan developed by the Participants in accordance \nwith the requirements of Rule 613. 
\\17\\\n---------------------------------------------------------------------------\n     \\12\\ See Rule 613 Adopting Release, supra note 3.\n     \\13\\ For purposes of the Plan, ``NMS Securities'' are defined as \n``any security or class of securities for which transaction reports are \ncollected, processed, and made available pursuant to an effective \ntransaction reporting plan, or an effective national market system plan \nfor reporting transactions in Listed Options.'' See Plan, supra note 2 \nat Section 1.1.\n     \\14\\ See Initial National Market System Plan Governing the \nConsolidated Audit Trail available at https://www.catnmsplan.com/wp-\ncontent/uploads/2018/02/p600989.pdf. The Participants worked with the \nDevelopment Advisory Group (DAG), which consisted of broker-dealer \nrepresentatives, to solicit industry feedback when creating the Plan.\n     \\15\\ See Securities and Exchange Commission File No. 4-698 \navailable at https://www.sec.gov/comments/4-698/4-698.shtml.\n     \\16\\ For purposes of the Plan, ``OTC Equity Securities'' are \ndefined as ``any equity security, other than an NMS Security, subject \nto prompt last sale reporting rules of a registered national securities \nassociation and reported to one of such association's equity trade \nreporting facilities.'' See Plan, supra note 2 at Section 1.1.\n     \\17\\ See CAT NMS Plan Adopting Release, supra note 7.\n---------------------------------------------------------------------------\n    When the CAT System is fully operational it will address the \nregulatory need the Commission identified and facilitate multiple \nParticipants' ability to conduct their own market surveillance. In \nparticular, the more granular order attribution information that will \nbe available via CAT will help Participants make their surveillance \nprograms more efficient and effective. 
As Participants develop \nregulatory systems that interact with CAT data, they may use CAT data \nto supplement targeted queries of their own exchange data and/or to \nbuild new exchange-specific surveillance to bolster regulation of \nindividual markets and across markets. For example, Participants will \nmore easily identify exchange-specific manipulative activity, such as \nopening and closing cross-manipulation, using CAT data because a market \nparticipant may be entering manipulative orders on one exchange that \nare otherwise not visible to another exchange's surveillance systems.\n    The CAT presents new opportunities to increase both regulatory \neffectiveness and efficiencies, and the Participants are committed to \nusing the CAT System to reduce regulatory inefficiencies, including \nreducing regulatory duplication, in a manner that promotes the safety \nof the markets and the quality and effectiveness of the Participants' \nregulatory programs.\nb. Structure of CAT Project\n    To understand my role on the CAT project, it may be helpful to \nreview the various stakeholders and contributors to the project. \nConsolidated Audit Trail LLC (CAT LLC) is a consortium of national \nsecurities exchanges and national securities associations. The \nOperating Committee is comprised of representatives of each \nParticipant, serves as the governing body for CAT LLC and provides \nreview, guidance, oversight and decision-making authority for the \noverall operations of the CAT System. The Operating Committee selects \nthe Plan Processor, which is responsible for implementing and operating \nthe CAT System. As mandated by Rule 613 and the Plan, the Operating \nCommittee receives industry perspective and guidance from the CAT LLC \nAdvisory Committee, which is a diverse group of industry \nrepresentatives (e.g., small, medium and large broker-dealers, floor \nbroker-dealers, proprietary trading firms, clearing firms, service \nbureaus, buy-side traders, academicians). 
There also are numerous \nworking groups with discrete responsibilities related to the CAT \nproject.\n    I have been involved with the CAT since the adoption of Rule 613, \nfirst as an employee of a future Participant and, since 2017, as Chair \nof the Operating Committee while also serving as an Independent Senior \nAdvisor to Deloitte. I can represent to you that the Participants have \nbeen working, and continue to work, diligently and in good faith to \ncomply with their regulatory obligations to build and operate the CAT \nin compliance with SEC Rule 613 and the Plan. In doing so, the \nParticipants are working closely with staff of the SEC to ensure the \nCAT is designed and implemented in a manner consistent with regulatory \nexpectations and with the Advisory Committee to ensure that the CAT is \ndesigned and implemented in a manner that is efficient and will benefit \nthe industry-at-large.\n    Throughout the process of creating and operating the CAT, the \nParticipants have been deliberate about ensuring that the CAT System \nand the data within the system are secure. The Participants are \ncommitted to developing and implementing a fully functional and secure \nCAT System in accordance with the timeline developed by the \nParticipants and FINRA CAT, which was shared with the SEC.\nII. Process of Developing and Implementing the CAT\n    In addition to developing the Plan that governs the overall \noperation of the CAT System, the Participants went through a rigorous \nprocess to identify a Plan Processor to develop, implement, and operate \nthe CAT System. Understanding that this would be a challenging effort, \nthe Participants began this undertaking well before the Commission \nultimately approved the Plan. 
Specifically, the Participants developed \na request for proposal (RFP) process and published a Proposed RFP \nConcept Document for public comment to get feedback on the feasibility \nand costs of implementing the CAT reporting requirements contemplated \nby the Plan. Participants also published information on the anticipated \ncontent and structure of the RFP so that interested bidders had the \nopportunity to review the scope of information they would have to \nprovide in an RFP response. The Participants ultimately published an \nRFP in February 2013.\n    In September 2013, the Participants filed a separate NMS plan with \nthe Commission, entitled the Plan Governing the Process of Selecting a \nPlan Processor and Developing a Plan for the Consolidated Audit Trail \n(Selection Plan). The Selection Plan governed how the Participants \nwould ultimately select the Plan Processor. The Commission approved the \nSelection Plan in February 2014. \\18\\ Following the process outlined in \nthe Selection Plan, 10 entities submitted responses to the RFP. The \nParticipants heard oral presentations from all 10 entities and \nidentified three finalists. The majority of Participants ultimately \nselected Thesys Technologies LLC (Thesys) in accordance with the voting \nprocedures for the selection of the initial Plan Processor under the \nSelection Plan.\n---------------------------------------------------------------------------\n     \\18\\ The Selection Plan was later incorporated into the Plan \napproved by the Commission on November 15, 2016.\n---------------------------------------------------------------------------\n    The relationship with Thesys did not progress in a satisfactory \nmanner. After working closely with Thesys in an attempt to overcome \nwhat the Participants viewed as inadequacies in Thesys' performance as \nPlan Processor, the Participants determined that Thesys could not \nremedy those inadequacies in a timely and cost-effective manner. 
\nThereafter, the Participants determined to engage a new Plan Processor. \nBecause the Participants understood and appreciated the urgent need to \ncomplete the CAT System, the Participants commenced an abbreviated \nselection process, contacting the two other finalists from the initial \nselection process. Earlier this year, the Participants selected FINRA, \noperating through a subsidiary (FINRA CAT), to serve as the successor \nPlan Processor. The Participants transitioned the project to FINRA CAT \nin order to facilitate the timely development and implementation of the \nCAT. Shortly thereafter, the Participants provided the Commission an \nupdated plan outlining the phased timeline for implementing the CAT \nSystem.\nIII. Progress Update\n    Since transitioning the project to FINRA CAT, the Participants have \nmade substantial progress toward meeting their obligations to build and \noperate the CAT. The Participants actually began submitting data to the \nCAT in November 2018, when Thesys was the Plan Processor, and have \nsuccessfully submitted more than 13 trillion records to the CAT System \nsince transitioning to FINRA CAT. Since commencing operations as Plan \nProcessor, FINRA CAT has collected all data from the Participants, \nvalidated and linked all equity exchange data, and is on target to \nvalidate and link all options exchange data by February 2020. FINRA CAT \nalso has completed various releases related to Participant reporting in \na timely manner and has accelerated the delivery of multifactor \nauthentication--a key aspect of the security of the CAT System--by \nseveral months from the planned date of May 2020. 
Since selecting FINRA \nCAT as Plan Processor, there have been no production outages or major \noperational issues with the first technical release.\n    The Participants also have made substantial progress with regard to \nIndustry Member CAT reporting (i.e., CAT reporting by broker-dealers), \nwhich is scheduled to commence in April 2020. Industry Member \nonboarding is in progress, and the Participants have finalized the \nTechnical Specifications for Industry Member reporting for the initial \ntwo reporting phases. Additionally, FINRA CAT has finalized Industry \nMember connectivity and completed Industry Member registration.\n    To place the progress made to date in perspective, it may be \nhelpful to provide a sense of the scope and magnitude of the CAT \nproject. The CAT System receives over 105 billion records per day on \naverage and has processed a peak of 182 billion records from \nParticipants alone on one day for options, Options Price Reporting \nAuthority, options national best bid and offer, and equities exchange \ndata. The Participants clearly have complied with the Commission's \ncharge to build a comprehensive system designed to be dependable, \nrobust, and scalable.\n    Importantly, this progress has come about not only through the \nefforts of the Participants and the Plan Processor, but also due to the \nenhanced involvement of Advisory Committee members and Industry Members \nmore broadly. The Participants and FINRA CAT have worked regularly and \nproductively with the Advisory Committee and industry associations, \nsuch as the Securities Industry and Financial Markets Association \n(SIFMA), Financial Information Forum, and the Securities Traders \nAssociation, to gather, assess, and answer numerous interpretive \nquestions, publish Frequently Asked Questions (FAQs), assess timelines \nfor Industry Member technical specifications and reporting, and \notherwise develop a workable CAT. 
The Participants also met with the \nInvestment Company Institute on topics related to the CAT System. The \nCommission staff, who regularly attend nearly all CAT meetings and \ncalls, also have played an important role in discussions related to the \ndevelopment of the CAT. With the help of these various contributors, \nthe Participants have been able to make significant progress in \ndeveloping the CAT System and preparing the industry for a fully \nfunctional CAT System by publishing or providing 247 pages of technical \nspecifications, 226 of FAQs, 10 workflow documents including a 367-page \nIndustry Member Reporting Scenarios document and a 22-page on-boarding \nguide, and 24 webinars; and registering 1,530 Industry Members.\n    Beginning next month, the Participants and the Plan Processor will \nwork together, using a phased approach, to expeditiously achieve the \nfollowing milestones: (i) large Industry Member testing (December \n2019), (ii) large Industry Member reporting (April 2020), (iii) small \nIndustry Member testing (December 2019), (iv) small Industry Member \nreporting (December 2021), and (v) customer account and customer \nidentifying information reporting by all firms (July 2022). \\19\\ The \nParticipants are working to achieve all milestones, i.e., achieve \ncomplete implementation of the CAT System, by July 2022. \\20\\\n---------------------------------------------------------------------------\n     \\19\\ Customer account and customer identifying information \nreporting may be impacted by the Participants' request for exemptive \nrelief. See infra note 28 and accompanying text.\n     \\20\\ The phased implementation involves a more detailed breakdown \nof the milestones, including milestones related to OATS reporting and \nnon-OATS reporting small Industry Members.\n---------------------------------------------------------------------------\nIV. PII\n    I would like to discuss personally identifiable information. 
As \nnoted earlier, the SEC has mandated that the CAT System be designed and \ndeveloped to comply with the requirements of SEC Rule 613 and the Plan. \nRule 613(c)(7)(i)(A) states that the Plan must require Participants and \nIndustry Members to record and electronically report to the CAT System \nCustomer-IDs for each order and each reportable event. \\21\\ Rule \n613(j)(5) defines Customer-ID as ``a code that uniquely and \nconsistently identifies such customer for purposes of providing data'' \nto the CAT System. \\22\\ Rule 613 does not define what qualifies as \ncustomer identifying information, but in proposing and adopting Rule \n613, the SEC suggested that the CAT System ``be responsible for \nassigning a unique customer identifier in response to an input by a \n[regulator] of a customer's Social Security number or tax \nidentification number'' \\23\\ and noted its expectation that the \nParticipants ``establish a process by which [the Customer-IDs] are \nreported to the [CAT System], and how this information is linked to the \nname and address of customers as stored in the [CAT System].'' \\24\\ \nAccordingly, the Commission-approved Plan currently defines Customer \nIdentifying Information as ``information of sufficient detail to \nidentify a Customer, including, but not limited to, (a) with respect to \nindividuals: name, address, date of birth, individual tax payer \nidentification number (ITIN)/Social Security number (SSN), individual's \nrole in the account (e.g., primary holder, joint holder, guardian, \ntrustee, person with the power of attorney) . . . 
'' \\25\\\n---------------------------------------------------------------------------\n     \\21\\ Regulation NMS, 17 CFR § 242.613(c)(7)(i)(A) (2019).\n     \\22\\ Regulation NMS, 17 CFR § 242.613(c)(7)(i)(A) 613(j)(5) (2019).\n     \\23\\ Rule 613 Proposing Release, supra note 8 at 32,573.\n     \\24\\ Rule 613 Adopting Release, supra note 3 at 45,757.\n     \\25\\ Plan, supra note 2 at Section 1.1.\n---------------------------------------------------------------------------\n    It is important to note that the inclusion of PII has been a point \nof contention since the inception of the CAT System. In fact, members \nof Congress, the SEC, Participants and others in the industry have \nraised security and privacy concerns related to the nature and volume \nof information to be included in the CAT System, with particular focus \non the use and inclusion of customer identifying information. The \nCommission made clear, however, that the utility of the CAT System \nwould be significantly degraded without a means to uniquely identify \nunderlying customers. \\26\\\n---------------------------------------------------------------------------\n     \\26\\ See Rule 613 Adopting Release, supra note 3 at 45,756-758.\n---------------------------------------------------------------------------\n    The need to balance facilitating effective regulation using the CAT \nSystem against security concerns related to the breadth of sensitive \ninformation that will be in the CAT System remains paramount. \nParticipants have been in discussions with the SEC and the industry on \nhow best to balance these competing concerns. 
To that end, the \nOperating Committee formed a PII Working Group to research and \nrecommend potential alternatives regarding the handling of PII in the \nCAT System.\n    After considering various alternatives over the course of 2018, the \nPII Working Group, in consultation with SIFMA, recommended an approach \nthat would have avoided the need to have any PII in CAT. Industry \nMembers would have retained such information as they have to date, and \nthe SEC and Participants would have requested it from each broker-\ndealer firm, as necessary, through the creation of a separate PII \nrequest/response system. At the suggestion of the Commission staff--\nwhich did not favor the approach proposed by the PII Working Group--the \nPII Working Group had further discussions and ultimately recommended an \nalternative approach to the Operating Committee.\n    Specifically, the Participants worked together with SIFMA to \ndevelop what is now referred to as the CCID Alternative. Under this \nalternative, the Plan Processor would generate a unique identifier for \na customer (the ``CAT Customer ID'' or ``CCID'') using a two-phase \ntransformation process that avoids the need to collect and maintain \nSSNs in the CAT. In the first transformation phase, Industry Member CAT \nReporters would transform an SSN to an interim value. \\27\\ Industry \nMembers would submit this transformed value, and not the SSN, to the \nCCID Subsystem operated by the CAT separate and apart from other \ncustomer and account information. The CCID Subsystem would use the \ntransformed value to create a unique CCID for each customer. The \nregulatory staffs of the Participants and the SEC would then use the \nCCID in queries and analysis of CAT data.\n---------------------------------------------------------------------------\n     \\27\\ Industry Members would continue to store individual customer \nSSNs outside the CAT, as they do today. 
If a Participant's regulatory \nstaff or the SEC staff needs to obtain a customer SSN during an \ninvestigation, the regulator would need to request that information \nfrom the CAT Reporter. If, however, a Participant's regulatory staff or \nthe SEC staff has an SSN through other means, the regulator will have \nthe ability to use that SSN to query the CAT. Similar to the process \njust described, the SSN would be transformed into the CCID, which, in \nturn, may be used by the regulator in queries and analyses of CAT data. \nUnder this alternative, Industry Members would not maintain the \ngenerated CCID.\n---------------------------------------------------------------------------\n    The use of CCIDs would enhance the security of the CAT System while \npreserving the regulatory benefits of the system. The CAT would not \ncollect or store any SSNs. Because the CAT System would only store \nCCIDs, rather than SSNs, this alternative would eliminate the risk of \nhaving a comprehensive aggregated source for all individual customer \nSSNs. Instead, only Industry Members would continue to collect \nindividual customer SSNs, as they do currently. Moreover, the process \nto create CCIDs using, in part, SSNs would be secure. The Participants \nbelieve this will significantly reduce the risk that information in CAT \ncould be used to facilitate identity theft and do so in a manner that \ndoes not compromise the regulatory benefits of the CAT.\n    The Participants recognize that eliminating the collection of SSNs \nby the CAT for initial processing by the Plan Processor would cause CAT \nReporters to assume a critical role in the accurate generation of \nCCIDs. This creates a risk to the integrity of the CCID values \nultimately assigned to customer records in the CAT that is beyond the \nfull control of the Plan Processor. 
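The two-phase transformation described above, worked through as an added illustration that is not part of this testimony and is not the CAT's own code. The CAT NMS Plan's actual transformation functions, key management and CCID format are not described here, so the use of HMAC-SHA256 for both phases, the assumption that phase 1 uses one key shared by all Industry Member CAT Reporters (so that a customer maps to the same interim value whichever broker-dealer reports them), the key names, the "CCID-" identifier format and the sample SSNs are all constructed for this example. It also makes the integrity point of the preceding paragraph concrete: the CCID Subsystem can reject a malformed interim value, but a value a reporter correctly computed from a mistyped SSN is indistinguishable from a correct one.

```python
"""Two-phase keyed derivation of a CAT Customer ID (CCID) from an SSN.

Constructed illustration of the CCID Alternative described in the
testimony. The real CAT transformation functions, keys and CCID format
are not published here; HMAC-SHA256, the key names, the sample SSNs and
the "CCID-" format below are assumptions made for this example only.
"""
import hashlib
import hmac
import re

# Assumption: the phase-1 key is shared by all Industry Member CAT Reporters,
# so the same SSN yields the same interim value whichever broker-dealer
# reports it; otherwise one customer would receive several CCIDs.
INDUSTRY_PHASE1_KEY = b"constructed-phase-1-key-shared-by-reporters"

# Assumption: the phase-2 key never leaves the CCID Subsystem.
CCID_SUBSYSTEM_KEY = b"constructed-phase-2-key-held-by-ccid-subsystem"

INTERIM_VALUE_RE = re.compile(r"[0-9a-f]{64}")  # hex-encoded SHA-256 MAC


def normalize_ssn(ssn: str) -> str:
    """Canonicalise the SSN ('123-45-6789' and '123456789' are the same
    person) so formatting differences cannot split one customer into two CCIDs."""
    digits = re.sub(r"\D", "", ssn)
    if len(digits) != 9:
        raise ValueError("an SSN must contain exactly nine digits")
    return digits


def reporter_transform(ssn: str, key: bytes = INDUSTRY_PHASE1_KEY) -> str:
    """Phase 1, run at the Industry Member: SSN -> interim value.

    A keyed MAC is used rather than a bare hash because the nine-digit SSN
    space is small; without a secret key the digest would not hide the SSN.
    Only this value, never the SSN, is sent to the CCID Subsystem.
    """
    return hmac.new(key, normalize_ssn(ssn).encode(), hashlib.sha256).hexdigest()


def ccid_subsystem_assign(interim: str, key: bytes = CCID_SUBSYSTEM_KEY) -> str:
    """Phase 2, run inside the CCID Subsystem: interim value -> CCID.

    The subsystem can check the form of what a reporter submits (one of the
    error-detection methods the Plan Processor will consider), but it cannot
    check that the reporter computed the value from the correct SSN.
    """
    if not INTERIM_VALUE_RE.fullmatch(interim):
        raise ValueError("malformed interim value rejected")
    mac = hmac.new(key, bytes.fromhex(interim), hashlib.sha256).digest()
    return "CCID-" + mac[:16].hex().upper()  # 128-bit identifier, constructed format


def regulator_ccid_for(ssn: str) -> str:
    """A regulator that already holds an SSN through other means derives the
    CCID by running the same two phases, then queries CAT data by CCID."""
    return ccid_subsystem_assign(reporter_transform(ssn))


def demo() -> dict:
    """Check the properties the testimony relies on, using constructed SSNs."""
    customer = "123-45-6789"                   # constructed sample, not a real SSN
    same_customer_other_broker = "123456789"   # same person, different formatting
    mistyped_by_reporter = "123-45-6788"       # one-digit keying error at a reporter

    ccid_broker_a = ccid_subsystem_assign(reporter_transform(customer))
    ccid_broker_b = ccid_subsystem_assign(reporter_transform(same_customer_other_broker))
    ccid_mistyped = ccid_subsystem_assign(reporter_transform(mistyped_by_reporter))

    try:
        ccid_subsystem_assign("not-a-valid-interim-value")
        malformed_rejected = False
    except ValueError:
        malformed_rejected = True

    return {
        "consistent_across_reporters": ccid_broker_a == ccid_broker_b,
        "regulator_matches": regulator_ccid_for(customer) == ccid_broker_a,
        # The integrity risk: a mistyped SSN silently yields a different,
        # well-formed CCID that the subsystem has no way to flag.
        "mistype_undetected": ccid_mistyped != ccid_broker_a,
        "malformed_rejected": malformed_rejected,
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The design choice worth noting is that neither phase is a plain hash: the reporter-side key is what keeps the interim value from revealing the SSN, and the subsystem-side key is what keeps an interim value from being turned into a CCID outside the CCID Subsystem. Under this construction the CCID Subsystem stores neither SSNs nor interim values in the clear alongside order data, which is the property the testimony describes, while the form check in phase 2 is the only verification available to the Plan Processor for values it did not compute itself.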
The Plan Processor will consider \nmethods for detecting errors in the transformed values submitted by CAT \nReporters, some of which may be identified by functionality supporting \nthe error resolution for customer data requirement of the Plan. \nNevertheless, the Participants and the working group of Participant and \nIndustry Members that developed the CCID Alternative jointly believe \nthat the value of eliminating the need for CAT Reporters to transmit \nSSNs to the CAT exceeds the potential increased risk to the integrity \nof CCID assignments.\n    The Participants also have developed what is now referred to as the \nModified PII Approach that would eliminate dates of birth and account \nnumbers for natural persons in the CAT System (although year of birth \nfor customers would be collected and maintained in the CAT). Similar to \nSSNs, the Participants believe that dates of birth and account numbers \nare particularly sensitive from a security perspective and should not \nbe included in the CAT. The Participants believe that eliminating dates \nof birth and account numbers from the CAT would further reduce the risk \nprofile of data collected and stored in the CAT by eliminating the PII \ndata elements that would support attempted identity theft without \ncompromising the regulatory benefits of the CAT.\n    To implement the CCID Alternative and the Modified PII Approach, \nthe Participants have requested exemptive relief from the Commission \nfrom relevant aspects of the Plan. \\28\\\n---------------------------------------------------------------------------\n     \\28\\ See Letter from Michael Simon, CAT NMS Plan Operating \nCommittee Chair, to Vanessa Countryman, SEC, Request for Exemptive \nRelief from Certain Provisions of the CAT NMS Plan related to Social \nSecurity Numbers, Dates of Birth and Account Numbers (Oct. 
16, 2019) \navailable at https://www.catnmsplan.com/wp-content/uploads/2019/10/\nCCID-and-PII-Exemptive-Request-Oct-16-2019.pdf.\n---------------------------------------------------------------------------\nV. Security\n    Since conceptualizing the Plan, the Participants have been mindful \nof security concerns related to the CAT. Excluding SSNs, dates of birth \nand account numbers from the CAT System will result in the CAT System \nbeing a much less attractive target for cybercriminals. Nevertheless, \nthe security of the CAT System will remain a top priority. The \nParticipants have taken, and will continue to take, all appropriate \nprecautions to safeguard all data within the CAT System.\n    Understanding the importance of information security generally, CAT \nLLC itself is structured in a manner to appropriately emphasize the \nsecurity of the CAT. For example, CAT LLC has both a Chief Information \nSecurity Officer (CISO) and Chief Compliance Officer, both of whom are \nfiduciaries of CAT LLC, and are responsible for ensuring compliance \nwith Plan requirements. \\29\\ Specifically, the CAT CISO is responsible \nfor creating and enforcing appropriate policies, procedures, and \ncontrol structures to monitor and address data security issues for the \nPlan Processor and the CAT System. \\30\\ The CISO also is obligated to \nreview the Participants' information security policies and procedures \nthat are related to the CAT System to evaluate if the Participants that \naccess CAT data have an information security program comparable to the \nPlan Processor's program. \\31\\ Additionally, the Operating Committee \nestablished a Security Working Group, which is comprised of the CAT LLC \nCISO as well as CISOs and security experts from each Participant. \nMembers of the working group collectively represent hundreds of years \nof experience in the information security space. 
The SEC staff also has \nserved as an active observer to Security Working Group meetings.\n---------------------------------------------------------------------------\n     \\29\\ See Plan, supra note 2 at Section 4.6.\n     \\30\\ See id. at Section 6.2.\n     \\31\\ See id. at Section 6.2.\n---------------------------------------------------------------------------\n    In addition to structuring the oversight and responsibility of the \nCAT System in a manner that focuses on security, the Participants have \ndesigned the CAT System to meet stringent security standards. \\32\\ The \nsystem is subject to the robust controls framework set forth in \nNational Institute of Standards and Technology (NIST) Special \nPublication (SP) 800-53, including, among other things, the establishment \nof a System Security Plan and annual third-party independent \nverification and validation. \\33\\ This is the same standard required \nfor Federal information systems under the Federal Information Security \nManagement Act. The Participants designed and built the CAT System with \nboth architectural-level and program-level controls. The SEC and \nParticipants can only query the CAT System via dedicated private \ncircuits between them and the CAT System, mitigating the risk of an \nattack via the Internet. The CAT system further requires multifactor \nauthentication for regulatory use of the query tools, mitigating \ninsider risk at the regulators, as well as for access to the Industry \nMember reporter portal. \\34\\ Additionally, the CAT System and relevant \npersonnel continuously monitor regulatory access and use of the system. \nThe CAT System logs every instance of access to the CAT central \nrepository and will maintain a full audit trail of access to customer \ndata. 
Additionally, the Operating Committee, the SEC, and Participants \nwill periodically receive and review a list of authorized users and \ntheir most recent access; each user organization will regularly verify \nthat its list of authorized users and the roles they are assigned \nremain accurate. \\35\\\n---------------------------------------------------------------------------\n     \\32\\ See id. at Appendix D Section 4.2.\n     \\33\\ The application of NIST SP 800-53 to the CAT is further \ninformed by ISO 27002 and the NIST Cybersecurity Framework.\n     \\34\\ See Plan, supra note 2 at Appendix D Section 4.1.4.\n     \\35\\ See id. at Appendix D Section 4.1.4.\n---------------------------------------------------------------------------\n    The Participants have integrated security processes into the design \nand development of the CAT System. Threat analysis drives security \nrequirements and design. Continuous automated testing along with \nrigorous security assessment by an expert team of security engineers is \nbrought to bear during the design and build of the system. A highly \nqualified third-party cybersecurity testing organization regularly \nperforms further security testing, including penetration testing and \ncode security assessment.\n    The overall CAT security program also is subject to regular third-\nparty review to verify that the program is operating in accordance with \nits System Security Plan and with applicable standards. The Plan \nProcessor will continue to subject the CAT System to annual NIST SP \n800-53 Independent Validation and Verification (IV&V). FINRA CAT \ndelivered Release 1 (June) on time and with no major security defects, \nas confirmed by both internal and third-party security testing, as well \nas the third-party security controls assessment, i.e., IV&V. 
FINRA CAT \nis on schedule to deploy Release 2 in November with no major defects as \nwell; internal security testing is complete, third-party security \ntesting is nearly complete, and a new IV&V is in progress.\n    Finally, to keep Industry Members and other interested persons \napprised of CAT security efforts, in August, CAT LLC and FINRA CAT \nhosted an industry webinar focusing on the security of CAT data. During \nthe webinar the Participants shared information about how the data \nreported to the CAT System will be safeguarded to ensure the security \nand confidentiality of the data.\nVI. Costs\n    Developing and operating the CAT System in accordance with SEC Rule \n613 and the Plan requires a significant commitment of capital--both \nhuman and financial. In terms of human capital, all Participants have \ncontributed the time and expertise of numerous senior-level personnel \nfrom their respective organizations. \\36\\ These individuals provide \nexpertise on technology and systems engineering, legal, regulatory and \ncompliance, data, and security issues. To date, the entirety of the \nfinancial commitment to develop and operate the CAT System has been \nborne by the Participants, notwithstanding that Rule 613 and the Plan \nspecifically contemplate the CAT being funded jointly by the \nParticipants and Industry Members.\n---------------------------------------------------------------------------\n     \\36\\ See id. at Section 6.2(b)(vii).\n---------------------------------------------------------------------------\n    To provide context, the costs associated with the CAT System \ninclude: (i) fixed and variable costs for the Plan Processor to build \nand operate the CAT; (ii) legal fees; (iii) consulting fees; (iv) \ninsurance; and (v) costs associated with engaging other vendors, like \nfinancial administrators and auditors. Going forward, we estimate the \nannual budget to operate the CAT System to be upwards of $75 million. 
\nNote, this figure only reflects CAT LLC's direct costs. It does not \ninclude the cost of compliance for Participants or Industry Members nor \nthe individual costs of the Participants, and CAT LLC is not in a \nposition to collect or estimate those costs.\n    Although the Participants have continued to independently fund the \nCAT, they have attempted to implement fees applicable to both \nParticipants and Industry Members to fund the cost of the CAT as \ncontemplated by Rule 613 and the Plan. In 2017, the Participants filed \nproposed rule changes and a Plan amendment to adopt a schedule to \nestablish fees for Participants and Industry Members, which would have \nresulted in Industry Members helping fund the CAT. \\37\\ After receiving \ncomments to the proposed rule changes and the Participants responding \nto the comments and filing amendments to the proposed rule changes, the \nParticipants withdrew their rule changes when it became clear that the \nSEC was going to disapprove those fees, given it summarily abrogated \nthe Plan amendment that would have established Participant and Industry \nMember fees. \\38\\\n---------------------------------------------------------------------------\n     \\37\\ See, e.g., Notice of Filing and Immediate Effectiveness of a \nProposed Rule Change Related to Fees for Use on Bats EDGX Exchange, \nInc., Exchange Act Release No. 80,821, 82 FR 26,177 (June 6, 2017).\n     \\38\\ See Notice of Withdrawal of Proposed Rule Changes, as \nModified by Amendments, To Establish Fees for Industry Members To Fund \nthe Consolidated Audit Trail, Exchange Act Release No. 82,505, 83 FR \n3,043 (Jan. 22, 2018).\n---------------------------------------------------------------------------\n    There is still no fee structure in place and the Participants alone \ncontinue to fund the CAT. It remains of critical importance that the \nindustry contributes to funding the development and implementation of \nthe CAT System. 
Not only is this a reasonable approach to financing \nsuch a massive project, it is consistent with Rule 613 and the Plan \nthat the Commission approved. Accordingly, the Participants are working \non an amended fee proposal that they will submit to the Commission for \nits review and approval.\n    Relatedly, the Commission recently issued proposed amendments to \nthe Plan that would add new sections to the Plan to govern the recovery \nof any fees, costs, and expenses incurred by CAT LLC in connection with \nthe development, implementation and operation of the CAT System from \nthe effective date of the amendment until the Participants complete \nimplementation of the Plan. \\39\\ Specifically, Proposed Section 11.6 \nwould require the Participants to meet four critical CAT implementation \nmilestones by certain dates to collect the full amount of any related \npost amendment Industry Member fees established by the Operating \nCommittee or implemented by the Participants. If the Participants fail \nto meet the target deadlines set forth in Proposed Section 11.6, they \nwould only be entitled to collect a portion of the relevant amount, as \ndetermined by the amount of time by which the Participants have missed \nthe target deadlines.\n---------------------------------------------------------------------------\n     \\39\\ See Proposed Amendments to the National Market System Plan \nGoverning the Consolidated Audit Trail, Exchange Act Release No. \n86,901, 84 FR 48,458 (Sept. 13, 2019).\n---------------------------------------------------------------------------\n    The Participants understand the Commission's concerns and ultimate \ngoal of providing financial incentives to complete the CAT in a timely \nmanner. The Participants are reviewing the details of the proposed \namendment and intend to provide a comment letter with considerations \nfor the SEC. 
These comments will be based on the Participants' \nexperience in designing and building the CAT System and will be aimed \nat helping achieve the SEC's goals in an efficient manner.\nVII. Conclusion\n    The Participants remain committed to meeting their obligation to \nbuild and operate the CAT System and are making significant progress in \nthis regard. The Participants will continue to take all necessary \nprecautions to safeguard the data within the CAT System and to promote \nthe security of the system more generally. Thank you for the \nopportunity to provide testimony on this matter.\n        RESPONSES TO WRITTEN QUESTIONS OF SENATOR BROWN\n                       FROM SHELLY BOHLIN\n\nQ.1. Please describe the FINRA CAT breach/intrusion \nnotification process, including the entities and organizations \nthat would be notified and the timetable for notification. \nPlease also describe any process for notification to investors, \nor the public generally.\n\nA.1. FINRA CAT has a sophisticated information security program \nguided by CAT NMS Plan requirements and is working to support \nthe efforts of the consortium of self-regulatory organizations \n(SRO) responsible for managing the CAT (known as CAT Plan \nParticipants or the SRO consortium) to limit the kinds of \nsensitive retail investor information that would be reported to \nthe CAT. This program includes a formal and formally tested \nincident response plan, consistent with guidance established by \nthe National Institute of Standards and Technology, and which \naddresses notification requirements applicable to the \nunauthorized access to CAT Data. These notifications are driven \nby the facts and circumstances of any breach/intrusion. 
If \nFINRA CAT becomes aware of actual (or potential) unauthorized \naccess to CAT Data, we, working with the SRO consortium, will \ntake all reasonable steps to investigate the incident and \nmitigate any technical vulnerabilities identified from \nunauthorized access to protect the integrity of the CAT system. \nWe will further work with the SRO consortium to report \nunauthorized access to law enforcement, the SEC and other \nauthorities, and to notify customers or other parties as \nrequired or as the consortium deems appropriate. Also, as an \n``SCI Entity,'' FINRA CAT is subject directly to the SEC's \njurisdiction, including Regulation Systems Compliance and \nIntegrity (Reg SCI). FINRA CAT's status as an SCI Entity \nensures direct accountability, including cyberincident \nreporting requirements.\n\nQ.2. Please provide the available cost estimates for (i) \nbuilding the CAT system and (ii) annual operation of the CAT \nsystem, specifying current cost and costs once it is fully \noperational.\n\nA.2. The SRO consortium is more appropriately able to provide \npublic information concerning costs, as specific details of the \nfinancial terms of the contract between the SRO consortium and \nFINRA CAT are confidential. We understand that they are \naddressing cost-related questions in their answers to the \nCommittee.\n\nQ.3. Please identify the private and Government organizations \nand entities that would be necessary to involve in the \ndevelopment and management of a CAT system that includes U.S. \nfutures data and activity.\n\nA.3. While FINRA CAT has the systems capability to incorporate \nfutures data in the CAT system, any work towards that end would \nnecessarily only follow the legal and policy decisions made by \nFederal regulators, including the CFTC and the SEC. There may \nalso be questions for the Federal regulators and Congress about \nwhether new legislative authority is needed. 
These regulators \nwould likely engage futures market participants, as well as \nother public and private stakeholders, such as the National \nFutures Association. Should policy makers decide to expand the \nCAT to include futures data, FINRA CAT would work expeditiously \nto support that regulatory objective.\n                                ------                                \n\n\n        RESPONSES TO WRITTEN QUESTIONS OF SENATOR SASSE\n                       FROM SHELLY BOHLIN\n\nQ.1. Is FINRA tied in with the Financial Sector Information \nSharing and Analysis Center (FSISAC)?\n    If not, how are you obtaining cyberthreat information?\n\nA.1. Yes.\n\nQ.2. Would the Commission consider setting up a test bed and \nproving to the Banking Committee Members that the ``SSN's would \nbe secure''?\n\nA.2. While we are happy to provide information to and \ncoordinate demonstrations with your office and other Committee \nMembers, and to work with the various stakeholders to make that \nhappen, I will defer to the SEC on this particular question.\n                                ------                                \n\n\n       RESPONSES TO WRITTEN QUESTIONS OF SENATOR KENNEDY\n                       FROM SHELLY BOHLIN\n\nQ.1. I would like to better understand the relationship between \nFINRA and FINRA CAT.\n    Who will be required to conduct independent reviews of \nFINRA's security controls?\n\nA.1. FINRA and FINRA CAT, LLC are separate legal entities, run \nindependently of each other, although FINRA CAT does contract \nwith FINRA for some services. FINRA CAT, LLC is a subsidiary of \nFINRA and was created to focus solely on performing the \nfunctions of the CAT Plan Processor for the consortium of self-\nregulatory organizations responsible for managing the CAT \n(known as CAT Plan Participants or the SRO consortium). FINRA \nCAT is part of FINRA's parent SRO umbrella and accordingly an \nSCI Entity. 
This means that while FINRA CAT serves as a \ncontractor for the SRO consortium and is not a CAT NMS Plan \nparticipant itself, FINRA CAT nevertheless is subject directly \nto the SEC's jurisdiction, including compliance with Regulation \nSystems Compliance and Integrity (Reg SCI). FINRA CAT's status \nas an SCI Entity ensures direct accountability to the SEC for \nimportant issues like system security, integrity, capacity, and \nbusiness continuity. FINRA CAT's security controls are subject \nto the oversight of the CAT Plan Participants, independent \nthird-party assessments required pursuant to the Plan, and the \nSEC.\n    Both FINRA and FINRA CAT have implemented controls to \nprevent FINRA from having an advantage over other Plan \nParticipants in accessing CAT data or receiving services from \nFINRA CAT.\n\nQ.2. Who, in the public and private sector, will have access to \ndata from the CAT? Please list those entities.\n\nA.2. CAT Data can only be accessed for regulatory purposes and \nonly by authorized regulatory users from the CAT Plan \nParticipants and the SEC. FINRA CAT has worked with the SRO \nconsortium to develop comprehensive data access controls that \nmeet regulatory requirements. In addition, as currently \ndesigned, only a subset of those authorized regulatory users \nwill have permission to access and view Customer Account \nInformation and Customer Identifying Information, which is \nstored and handled separately from the order and trade data. \nAdditional access controls are discussed below in Question \nseven.\n    The 24 Participants of the CAT NMS Plan are: BOX Exchange \nLLC; Cboe BYX Exchange, Inc., Cboe BZX Exchange, Inc., Cboe \nEDGA Exchange, Inc., Cboe EDGX Exchange, Inc., Cboe C2 \nExchange, Inc. 
and Cboe Exchange, Inc., Financial Industry \nRegulatory Authority, Inc., Investors Exchange LLC, Long-Term \nStock Exchange, Inc., Miami International Securities Exchange \nLLC, MIAX Emerald, LLC, MIAX PEARL, LLC, Nasdaq BX, Inc., \nNasdaq GEMX, LLC, Nasdaq ISE, LLC, Nasdaq MRX, LLC, Nasdaq PHLX \nLLC, The NASDAQ Stock Market LLC; and New York Stock Exchange \nLLC, NYSE American LLC, NYSE Arca, Inc., NYSE Chicago, Inc. and \nNYSE National, Inc. Some of these SRO Participants have the \nsame parent company. Those companies include the following: BOX \n(Boston Options Exchange); Cboe; FINRA; IEX; LTSE; Nasdaq; \nNYSE; and, MIAX.\n\nQ.3. What are you doing to ensure a secure mechanism is \ndeveloped for the submission of data, its storage, and the \ndestruction of such data once it is no longer necessary?\n\nA.3. In terms of FINRA CAT's overall information security \nprogram, we are led by a CISO who was approved by the SRO \nconsortium and also has a fiduciary duty to the SRO consortium. \nOur CISO has over 20 years' experience working on information \nsecurity at FINRA, including as a security architect and \nsecurity engineer. 
The CISO is supported by a dedicated team of \nsecurity analysts who ensure that security controls are \neffectively implemented, monitor the security of the CAT System \nand respond to anomalies, evaluate and approve access, enforce \ncompliance with security policies and standards including \nNational Institute of Standards and Technology (NIST) Special \nPublication (SP) 800-53, and evaluate evolving threats and \nsecurity control opportunities to ensure that the CAT security \nposture remains strong.\n    In addition, the FINRA CAT security team is able to \nleverage the security expertise and advanced technology \nsolutions that FINRA has invested in heavily over the years, \nincluding the people, process, and technologies it has \ndeveloped and deployed to operate a secure cloud environment \nthat is comparable in scale to the fully deployed CAT solution. \nAs the SRO consortium recently discussed in a presentation to \nthe industry (https://www.catnmsplan.com/wp-content/uploads/\n2019/08/FINRA-CAT-Security-Approach-Overview--20190828.pdf), \nthe FINRA CAT security program includes significant layers of \narchitectural-level security controls and program-level \nsecurity controls. Examples of architectural controls include \nsecure infrastructure for connecting to the CAT system and \narchitectural separation between transaction data and customer \ndata. Examples of program controls include a full suite of \ninformation security policies, procedures, and standards, as \nwell as regularly scheduled independent third-party system \npenetration testing, code reviews, and security control \nvalidation.\n    The extensive FINRA CAT security policies address a range \nof issues required by the CAT NMS Plan, including data storage \nand handling, insider risk, data connectivity and transfer, \nincident management, security logging and monitoring, account \nmanagement, and data destruction. 
FINRA CAT's security program \nis based on work product developed by the FINRA CAT CISO in \ncoordination with the SRO consortium's Security Working Group, \nwhich is comprised of CISOs and security experts from each of \nthe CAT Plan Participants.\n    Each CAT System release is subject to the granting of an \nAuthority To Operate (or ATO) by the SRO consortium. To obtain \nan ATO from the consortium, the CAT CISO must demonstrate the \nstrength of the CAT System's security posture to the Security \nWorking Group. This includes, among other things, system \nsecurity, internal and third-party security testing, and \nindependent validation confirming that security controls are \naligned with the NIST industry standards followed by the \nFederal Government and that they have been effectively \nimplemented.\n    FINRA CAT understands concerns that continue to be raised \nabout the inherent risk of handling CAT data, particularly PII. \nEven with the enhanced architectural and program controls \nrequired by the plan for PII--such as containing PII in its own \nseparate system with restricted access--there may be policy \nquestions for the SEC and SRO consortium to discuss about the \ncosts and benefits of collecting and storing sensitive personal \ndata.\n    FINRA CAT's job is to support the regulators' decision \nmaking on this issue. This includes making any modifications to \nthe system design to account for current discussions between \nthe SEC, the SRO consortium, and the industry. The SROs \nrecently requested exemptive relief to eliminate Social \nSecurity numbers, account numbers, and dates of birth from the \nCAT. You will find this request at the following link: https://\nwww.catnmsplan.com/wp-content/uploads/2019/10/CCID-and-PII-\nExemptive-Request-Oct-16-2019.pdf. 
FINRA CAT continues to work \nclosely and productively with the SEC and the SROs to ensure \nthat it has the right technological solution in place for when \ncustomer and account information reporting begins in July 2022.\n\nQ.4. What security protocols are in place, or will be followed \nby the SROs and the SEC to mitigate the risk of a data breach?\n\nA.4. FINRA CAT has a sophisticated information security program \nguided by CAT NMS Plan requirements and is working to support \nthe consortium's efforts to limit the kinds of sensitive retail \ninvestor information that would be reported to the CAT. FINRA \nCAT has developed a System Security Plan (SSP), in accordance \nwith extensive NIST 800-series Special Publication guidance on \ncomputer security, and follows this SSP to ensure that security \ncontrols, including those used to prevent, detect, and mitigate \na data breach, are defined and effectively implemented. While \nnot public for security reasons, this SSP and its effective \nimplementation undergo independent third-party evaluation on \nan annual basis. The SSP includes incident response and breach \nmanagement controls. FINRA CAT is prepared for a variety of \nscenarios and has established and tested processes and actions \nin the event of unauthorized access to CAT data that vary \ndepending on the facts and circumstances of any breach/\nintrusion. If FINRA CAT becomes aware of actual (or potential) \nunauthorized access to CAT Data, we, working with the SRO \nconsortium, will take all reasonable steps to investigate the \nincident and mitigate any technical vulnerabilities identified \nfrom unauthorized access to protect the integrity of the CAT \nsystem. We will further work with the SRO consortium to report \nunauthorized access to law enforcement, the SEC and other \nauthorities and to notify customers or other parties as \nrequired or as the consortium deems appropriate.\n\nQ.5. 
Have you worked with those stakeholders supplying data to \nthe CAT to ensure they are comfortable with the levels of \nsecurity surrounding the system?\n\nA.5. FINRA CAT has worked with the SRO consortium to conduct \nsubstantial engagement with the reporting parties regarding \ntheir reporting obligations and data security measures. With \nrespect to data security measures, the SRO consortium and the \nPlan Processor have sought to provide reporting parties with \nassurance that strong and appropriate security measures are in \nplace, while avoiding disclosure of sensitive information about \nCAT security controls and processes that could be used in an \nattempt to circumvent those controls if it fell into the wrong \nhands. This assurance includes a robust program of regular \nindependent third-party assessments, including validation that \nsecurity controls are effectively implemented in accordance \nwith NIST SP800 series standards, as well as third-party \nindependent penetration testing and code security assessments. \nMeetings are regularly held, and the CAT website \n(catnmsplan.com) provides detailed, up-to-date information on \nthese and other communications, including CAT alerts, regular \npodcasts, and engagement with compliance professionals at \nfirms. These relationships are important to communicating and \nclarifying obligations, and to understanding the questions and \nconcerns of various stakeholders.\n\nQ.6. Will you continue to engage with industry and stakeholders \non information security once the system is up and running?\n\nA.6. FINRA CAT will continue to engage all stakeholders on this \nimportant issue after the CAT is operational. The CAT is a \nhighly complex project that requires deep technological \nexpertise, proactively evolving security, close regulatory \ncoordination with the SEC and the SRO consortium, and full-time \nengagement with broker-dealers that ultimately must report data \nto the CAT. 
There are a number of industry representatives \ninvolved in the governance of the CAT NMS Plan through their \nparticipation on the Advisory Committee established by the CAT \nNMS Plan.\n    The Advisory Committee established in the CAT NMS plan is \ncharged with advising the Participants on the implementation, \noperation, and administration of the CAT. Under the Plan, the \nAdvisory Committee has the right to attend Operating Committee \nand Subcommittee meetings generally and to submit its views \nprior to a decision by the Operating Committee. The composition \nof the Advisory Committee includes: (a) broker-dealers of \nvarying sizes and types of business, including a clearing firm; \n(b) an individual who maintains a securities account; (c) an \nacademic; and (d) institutional investors. This kind of \nstakeholder participation and feedback is and will continue to \nbe critical to FINRA CAT's efforts in all areas, including \ninformation security.\n\nQ.7. What protocols will FINRA CAT have to ensure staff that \nhave access to the CAT database, and potentially the ability to \nextract this data, do not misuse it? Can you elaborate on any \naccess controls, limitations, and monitoring of the extractions \nthat will take place?\n\nA.7. FINRA CAT has worked with the SRO consortium to develop \ncomprehensive data access controls that meet regulatory \nrequirements. For example, only authorized regulatory users \nfrom the Participants and the SEC will have permission to \naccess CAT Data via the CAT System. And, as currently designed, \nonly a subset of those authorized regulatory users will have \npermission to access and view Customer Account Information and \nCustomer Identifying Information, which is stored and handled \nseparately from the order and trade data. 
Authorized regulatory \nusers outside of the SEC must execute a Safeguard of \nInformation Affidavit provided by the Plan Processor, which \nprovides, among other things, that authorized regulatory users \nmust maintain the confidentiality and security of CAT Data and \nuse CAT Data only for regulatory purposes. In addition, \nauthorized regulatory users outside of the SEC are required to \ncomplete the CAT Security Awareness Training Course provided by \nthe Plan Processor. As the Plan Processor, however, FINRA CAT \ndoes not have the authority to oversee or enforce restrictions \non the appropriate regulatory use of CAT data by those who \naccess it. The obligation to monitor and enforce restrictions \non the uses of and access to CAT data falls on each SRO that is \npart of the CAT Plan for their respective employees and the SEC \nfor SEC staff. Also, the SEC is responsible for any training \nfor authorized regulatory users inside the agency. FINRA CAT \nhas also established monitoring controls at multiple system \nlayers (e.g., data storage, application front end) designed to \ndetect access anomalies. This includes the use of behavioral \nanalytics designed to recognize normal and abnormal access \npatterns. All access to CAT Data is logged in accordance with \nthe Plan and is subject to this monitoring. Instances of potential \nabnormal access will be flagged for the respective SRO or the \nSEC to follow up on.\n    With respect to Plan Processor personnel, only those who \nneed access to CAT Data to fulfill their responsibilities for \ndelivery and operation of the CAT System are granted access to \nCAT Data. That access must be justified to the satisfaction of \nthe CISO and CCO (who are fiduciaries to the SRO consortium) \nand approved by them. This access is subject to periodic \nreview, as well as to monitoring that is attuned to the \nrestricted use patterns expected of these personnel.\n\nQ.8. 
Cybersecurity is one of the greatest risks facing the \nfinancial services industry and every sector of critical \ninfrastructure in the U.S. Currently, the CAT plan does not \nrequire the plan processor to notify market participants of \ncyberincidents that compromise their data.\n    What procedures will be followed to notify firms in the \nevent of a breach of CAT data?\n\nA.8. FINRA CAT has a sophisticated information security program \nguided by CAT NMS Plan requirements and is working to support \nthe consortium's efforts to limit the kinds of sensitive retail \ninvestor information that would be reported to the CAT. We also \nhave notification processes in the event of unauthorized access \nto CAT Data, but those vary depending on the facts and \ncircumstances of any breach/intrusion. If FINRA CAT becomes \naware of actual (or potential) unauthorized access to CAT Data, \nwe, working with the SRO consortium, will take all reasonable \nsteps to investigate the incident and mitigate any technical \nvulnerabilities identified from unauthorized access to protect \nthe integrity of the CAT system. We will further work with the \nSRO consortium to report unauthorized access to law \nenforcement, the SEC and other authorities and to notify \ncustomers or other parties as required or as the consortium \ndeems appropriate.\n\nQ.9. Do you think such a notification requirement would be in \nthe best interests of all parties involved? SEC registrants are \nrequired to have breach notification policies and procedures, \nwhy not FINRA CAT?\n\nA.9. While the response to any unauthorized access to CAT Data \nwill necessarily vary depending on the facts and circumstances \nof the event, FINRA CAT, working with the SRO consortium, \ndeveloped a coordinated incident response framework. In the \nevent of an incident, FINRA CAT will investigate the incident. 
\nWe will further work with the SRO consortium to report \nunauthorized access to law enforcement, the SEC and other \nauthorities and to notify customers or other parties as \nrequired or as the consortium deems appropriate. In addition, \nFINRA CAT, as an SCI entity under the SEC's Regulation SCI, has \nan obligation to report to the SEC ``any unauthorized entry \ninto the SCI systems or indirect SCI systems of an SCI \nentity''.\n\nQ.10. I am concerned the CAT is a likely target for those who \nwish to manipulate U.S. markets--are you confident the CAT \nsystem and data included within will be adequately protected \nfrom these threats?\n\nA.10. I have confidence in our data security program, not only \nin the systems we have in place, but also our team's ongoing \ncommitment to making data security central to our function. The \nCAT system by its nature requires deep technological expertise, \nproactively evolving security, close regulatory coordination \nwith the SEC and the SRO consortium, and full-time engagement \nwith broker-dealers that ultimately must report data to the \nCAT.\n    FINRA CAT has policies, procedures, and a robust set of \nother security controls to ensure the security and \nconfidentiality of information submitted to the CAT. Such \npolicies and procedures require information barriers between \nregulatory and nonregulatory staff of the Participants with \nregard to access and use of CAT Data, a mechanism to confirm \nthe identity of persons permitted to use CAT Data, and a \ncomprehensive information security program. Participant \ninformation security policies and procedures are subject to \nreview by the CAT Chief Compliance Officer and Chief \nInformation Security Officer, with any deficiencies reportable \nto the CAT LLC Operating Committee. FINRA CAT's security \nprogram is aligned with NIST SP800-53--the Security and Privacy \nControls for Federal Information Systems and Organizations--and \nundergoes regular third-party audits. 
In addition, we are \nrequired to subject the CAT System to regular penetration \ntesting and code reviews by a qualified third-party security \nassessor. This is on top of an extensive internal cybersecurity \nprogram staffed by highly qualified cybersecurity personnel \nthat is integrated into the development and operations life \ncycle of FINRA CAT. Among other benefits, this internal program \nimplements yet another layer of threat analysis, penetration \ntesting, and code assessment. In addition, FINRA's Internal \nAudit Department will conduct reviews of various aspects of the \nCAT system, procedures, and operation.\n    The CAT System is designed from the ground up with \nstructural controls that avoid exposure to certain common \nthreats. Notably, the CAT Regulator systems are designed \nwithout Internet access. CAT Data is only accessible by \nParticipants and the SEC via private connectivity lines, with \ntheir users subject to multifactor authentication. Monitoring \naugmented by behavioral analytics is used to detect and quickly \nrespond to potential improper attempts to access CAT Data or \nuse the CAT System in an inappropriate manner. Industry \nMembers--which may only submit and correct data sent to the \nCAT--are required to submit data either via private lines, AWS \nPrivateLink or the CAT Secure Reporting Gateway; unlike \nParticipants and the SEC, Industry Members are not permitted to \nquery CAT Data. 
Reporting subsystems are architecturally \nseparate from query subsystems and the underlying CAT Data \nrepository; they are designed without the ability to read data \nin the CAT, and to quickly move received data into the CAT to \ngreatly shield the reporting subsystem from being a viable \ntarget for unauthorized access to CAT Data.\n    FINRA CAT's multifaceted cybersecurity program, with \narchitectural constraints such as private-line-only access, \nalong with multiple levels of complementary and redundant \nsecurity testing by both Plan Processor security staff and \nindependent third parties, justifies strong confidence that the \nCAT system and included data are appropriately protected from \ncybersecurity threats consistent with current standards. \nNevertheless, FINRA CAT is cognizant that its cybersecurity \nframework must not be static; it must evolve as more effective \ncybersecurity techniques and practices emerge.\n                                ------                                \n\n\n        RESPONSES TO WRITTEN QUESTIONS OF SENATOR WARNER\n                       FROM SHELLY BOHLIN\n\nQ.1. Irrespective of how the PII issue is ultimately resolved \nbetween the SEC and the consortium, do you have confidence that \nthe FINRA CAT's data security program and architecture has the \ncontrols in place to keep whatever data is stored safe and \nsecure?\n\nA.1. I have confidence in our data security program, not only \nin the systems we have in place, but also our team's ongoing \ncommitment to making data security central to our function. 
The \nCAT is a highly complex project that requires deep \ntechnological expertise, proactively evolving security, close \nregulatory coordination with the SEC and the consortium of \nself-regulatory organizations responsible for managing the CAT \n(known as CAT Plan Participants or the SRO consortium), and \nfull-time engagement with broker-dealers that ultimately must \nreport data to the CAT.\n    FINRA CAT has policies and procedures to ensure the \nsecurity and confidentiality of information submitted to the \nCAT. Such policies and procedures require information barriers \nbetween regulatory and nonregulatory staff of the Participants \nwith regard to access and use of CAT Data, a mechanism to \nconfirm the identity of persons permitted to use CAT Data, and \na comprehensive information security program. Participant \ninformation security policies and procedures are subject to \nreview by the CAT Chief Compliance Officer and Chief \nInformation Security Officer, with any deficiencies reportable \nto the CAT LLC Operating Committee. FINRA CAT's security \nprogram is aligned with NIST SP800-53--the Security and Privacy \nControls for Federal Information Systems and Organizations--and \nundergoes regular third-party audits. In addition, we are \nrequired to subject the CAT System to regular penetration \ntesting and code reviews by a qualified third-party security \nassessor. This is on top of an extensive internal cybersecurity \nprogram staffed by highly qualified cybersecurity personnel \nthat is integrated into the development and operations life \ncycle of FINRA CAT. Among other benefits, this internal program \nimplements yet another layer of threat analysis, penetration \ntesting, and code assessment.\n    The CAT System is designed from the ground up with \nstructural controls that avoid exposure to certain common \nthreats. Notably, the CAT Regulator systems are designed \nwithout Internet access. 
CAT Data is only accessible by \nParticipants and the SEC via private connectivity lines, with \ntheir users subject to multifactor authentication. Monitoring \naugmented by behavioral analytics is used to detect and quickly \nrespond to attempts to access CAT Data or use the CAT System in \nan inappropriate manner. Industry Members--which may only \nsubmit and correct data sent to the CAT--are required to submit \ndata either via private lines, AWS PrivateLink or the CAT \nSecure Reporting Gateway; unlike Participants and the SEC, \nIndustry Members are not permitted to query CAT Data. Reporting \nsubsystems are architecturally separate from query subsystems \nand the underlying CAT Data repository; they are designed \nwithout the ability to read data in the CAT, and to quickly \nmove received data into the CAT to greatly shield the reporting \nsubsystem from being a viable target for unauthorized access to CAT \nData.\n    FINRA CAT's multifaceted cybersecurity program, with \narchitectural constraints such as private-line-only access, \nalong with multiple levels of complementary and redundant \nsecurity testing by both Plan Processor security staff and \nindependent third parties, justifies strong confidence that the \nCAT system and included data are appropriately protected from \ncybersecurity threats consistent with current standards. \nNevertheless, FINRA CAT is cognizant that its cybersecurity \nframework must not be static; it must evolve as more effective \ncybersecurity techniques and practices emerge.\n\nQ.2. What, in your view, were the causes for implementation \ndelays?\n\nA.2. As the head of FINRA CAT, I can speak only to what has \nhappened since we took over as plan processor in April 2019. We \nare currently on schedule and are confident in our ability to \nmeet the milestones moving forward.\n\nQ.3. Please describe how a subsidiary of FINRA was selected \nearlier this year to replace Thesys. Was there an open bidding \nprocess? 
Were there other bidders?\n\nA.3. FINRA provided bid information to the SRO consortium at \nthe consortium's request, and the SRO consortium's selection of \nFINRA was announced on February 27, 2019. As part of the SRO \nconsortium, FINRA recused itself and did not take part in the \nselection decision. After the selection, FINRA created FINRA \nCAT as a separate and distinct subsidiary to focus solely on \nperforming the functions of the CAT Plan Processor. FINRA CAT \nbelieves that the SRO consortium is best positioned to respond \nto questions about other bidders and the operation of the \nbidding process.\n\nQ.4. How was the SEC engaged with CAT NMS as it began \nexperiencing significant delays?\n\nA.4. FINRA CAT believes the SRO consortium is best positioned \nto respond to questions about project development and \nmanagement before FINRA CAT assumed the role of Plan Processor. \nFINRA CAT notes that since it became the CAT Plan Processor, it \nhas completed all deliverables according to schedule.\n\nQ.5. What are the SEC's current authorities in compelling the \nimplementation of CAT?\n\nA.5. The CAT NMS Plan was filed with the SEC by the SRO \nconsortium to meet requirements the SEC established when it \nadopted Rule 613 of Regulation NMS. In its role as CAT Plan \nProcessor, FINRA CAT is committed to continuing to complete \nwork according to schedule. FINRA CAT is also a part of FINRA's \nparent SRO umbrella, meaning FINRA CAT, as part of the FINRA self-\nregulatory organization, is subject directly to the SEC's \njurisdiction over SROs.\n                                ------                                \n\n\n        RESPONSES TO WRITTEN QUESTIONS OF SENATOR WARREN\n                       FROM SHELLY BOHLIN\n\nQ.1. The Flash Crash on May 6, 2010, briefly erased about $1 \ntrillion from our Nation's economy. 
In response, more than 2 \nyears later, the Securities and Exchange Commission (SEC) \nadopted a rule to create, implement, and maintain the \nConsolidated Audit Trail (CAT) to monitor securities trades in \nU.S. markets.\n    The CAT would be a real-time tracking system to enhance \nregulators' efforts to oversee U.S. markets by collecting data \nabout securities quotes and orders and allow the SEC to \nunderstand trading practices. Without the CAT and other tools \nto more quickly analyze trading data, the SEC was unnecessarily \ndelayed in reporting on what caused the brief crash to U.S. \nmarkets. \\1\\ Federal regulators took 7 months to analyze and \npublicly report the causes of the Flash Crash, and it took an \nadditional 5 years to analyze and publicly report that a \nLondon-based trader played a significant role in the crash. \\2\\\n---------------------------------------------------------------------------\n     \\1\\ Reuters, ``Factbox: After the Flash Crash, Changes to U.S. \nMarkets'', Jonathan Spicer, September 1, 2011, https://www.reuters.com/\narticle/us-financial-regulation-algos-factbox/factbox-after-the-flash-\ncrash-changes-to-us-markets-idUSTRE7806QS20110901.\n     \\2\\ Reuters, ``SEC Urges Completion of Long-Delayed Trading \nDatabase'', John McCrank, August 27, 2018, https://www.reuters.com/\narticle/us-usa-stocks-regulation-cat/sec-urges-completion-of-long-\ndelayed-trading-database-idUSKCNILC2FA.\n---------------------------------------------------------------------------\n    What are the risks to the market if the SEC does not have \nthe tools to quickly, efficiently, and accurately track \ninformation about trades in the event of another Flash Crash?\n\nA.1. The CAT is intended to enhance the regulators' ability to \nperform market analyses and market reconstruction. 
When the SEC \napproved the CAT NMS Plan filed by the SRO consortium, it \ndiscussed the benefits of such audit trail enhancements \nincluding to conduct surveillance and market reconstruction. In \nits role as CAT Plan Processor for the SRO consortium, FINRA \nCAT is committed to providing a CAT solution that meets the \nrequirements of the CAT NMS Plan and supports the CAT's \nintended regulatory uses.\n\nQ.2. High-frequency trading, which allows for rapid buying and \nselling based on computer formulas and complex algorithms, now \naccounts for more than half of daily trading volume. \\3\\\n---------------------------------------------------------------------------\n     \\3\\ CNBC, ``Just 10 Percent of Trading Is Regular Stock Picking, \nJPMorgan Estimates'', Evelyn Cheng, June 14, 2017, https://\nwww.cnbc.com/2017/06/13/death-of-the-human-investor-just-10-percent-of-\ntrading-is-regular-stock-picking-jpmorgan-estimates.html.\n---------------------------------------------------------------------------\n    What are the risks of not having a comprehensive regulatory \nsystem, such as the proposed CAT, to oversee these frequent and \nrapid securities trades?\n\nA.2. The CAT NMS Plan includes a number of provisions designed \nto promote the accuracy of linked and sequenced order activity \ndata. When the SEC approved the CAT NMS Plan filed by the SRO \nconsortium, it discussed the benefits of these provisions and \nhow they are designed to enhance the ability of regulators to \noversee trading activity in the equities and options markets. \nIn its role as the CAT Plan Processor for the SRO consortium, \nFINRA CAT is committed to providing a CAT solution that meets \nthe requirements of the CAT NMS Plan and supports the CAT's \nintended regulatory uses.\n\nQ.3. In 2012, the SEC approved a rule to establish the CAT. \nNearly 10 years after the May 2010 Flash Crash, the CAT is \nstill not in place to protect the U.S. 
economy and people \nacross the country that would suffer from another major hit to \nthe market. The continued lack of real-time trade reporting and \nmonitoring of the securities market, however, remains a \nsignificant vulnerability in our regulatory system.\n    Senator Brown's opening statement stated that, `` . . . the \nSEC called on [the Financial Industry Regulatory Authority \n(FINRA)] and the firms that run our Nation's stock and options \nexchanges to build the Consolidated Audit Trail, or CAT, one \nsystem with a beginning-to-end view of how trading happens, so \nwe can prevent insider trading, market manipulation, and other \nmisconduct that cheats the system.'' \\4\\\n---------------------------------------------------------------------------\n     \\4\\ Opening statement of Ranking Member Sherrod Brown to the U.S. \nSenate Committee on Banking, Housing, and Urban Affairs, October 22, \n2019, https://www.banking.senate.gov/imo/media/doc/\nBrown%20Statement%2010-22-192.pdf.\n---------------------------------------------------------------------------\n    Please explain how the CAT would prevent these harmful and \nillegal practices in U.S. securities trades.\n\nA.3. When the SEC approved the CAT NMS Plan filed by the SRO \nconsortium, it discussed the intended use of CAT data to \nenhance the ability of regulators to surveil the equities and \noptions markets, including for market manipulation, insider \ntrading and violations of trading rules, among other things. \nEnhanced surveillance with CAT data will, in part, be achieved \nby including more complete and aggregated information about the \nfull life cycle of orders and customer-identifying information. \nThe SEC noted its belief that enhanced surveillance may reduce \nviolative behavior through potential enforcement actions and \nthrough deterrence if market participants believe violative \nactivities are more likely to be detected. 
In its role as the \nCAT Plan Processor for the SRO consortium, FINRA CAT is \ncommitted to providing a CAT solution that meets the \nrequirements of the CAT NMS Plan and supports the CAT's \nintended regulatory uses.\n\nQ.4. Despite the many benefits of the CAT, as described in your \nwritten testimony and the testimonies of the other witnesses, \nthe securities industry and their lobbying groups have \nrepeatedly pushed to delay the implementation of the CAT by \narguing that collecting large amounts of trading data is unsafe \ndue to cybersecurity concerns. \\5\\  \\6\\\n---------------------------------------------------------------------------\n     \\5\\ The Hill, Opinion, ``The National Security Risk No One Is \nTalking About'', Christopher Iacovella, July 3, 2019, https://\nthehill.com/opinion/cybersecurity/451403-the-national-security-risk-no-\none-is-talking-about.\n     \\6\\ SIFMA, ``Beware of CAT'', Randy Snook, November 30, 2017, \nhttps://www.sifma.org/resources/news/beware-of-cat/.\n---------------------------------------------------------------------------\n    You state in your written testimony, ``Given the size and \ncomplexity of the financial markets, the CAT must collect, \nprocess, and store a vast amount of data to achieve this \ngoal.'' \\7\\\n---------------------------------------------------------------------------\n     \\7\\ Written testimony of Shelly Bohlin to the U.S. Senate \nCommittee on Banking, Housing, and Urban Affairs, October 22, 2019, \nhttps://www.banking.senate.gov/imo/media/doc/Bohlin%20Testimony%2010-\n22-192.pdf.\n---------------------------------------------------------------------------\n    Please explain in detail why the CAT must collect and \nmaintain significant amounts of data on the entire life cycle \nof securities orders.\n\nA.4. 
The SEC-approved CAT NMS Plan includes discussion of the \nsurveillance and oversight benefits intended by Plan \nrequirements to track the entire life cycle of orders from \norigination through routing, cancellation, modification, or \nexecution. This necessarily requires that the CAT collect and \nmaintain significant amounts of data. As the SEC noted in its \norder adopting Rule 613, in analyzing the events of May 6, \n2010, SEC staff were only able to create a comprehensive view \nof the order books by acquiring, processing, and aggregating \nfour distinct data sets that each contained a subset of order \nbook information from each of the four exchanges that could \nprovide such information: Nasdaq ModelView, NYSE Openbook \nUltra, NYSE ARCABook, and BATS Exchange (citing to the final \njoint report issued by the staffs of the CFTC and the SEC on \nSeptember 30, 2010). The SEC further noted that this required \nthe processing of an enormous volume of data. Since FINRA CAT \nassumed the role of the CAT Plan Processor and began work on a \nsolution for the first scheduled phase of the CAT--the \ncollection and processing of order and trade data from the \nequities and options exchanges and FINRA--it has used scalable \ntechnology to process, on average, over 100 billion market \nrecords a day.\n\nQ.5. Please explain why the lack of this data would render the \nCAT insufficient to protect the markets from disruptions, such \nas the May 2010 Flash Crash.\n\nA.5. If CAT does not contain order life cycles, the stated \nobjectives of CAT will not be achieved--better market \nreconstruction, enhanced policymaking, and more robust \nsurveillance, among other things. All of these objectives, \nwhich will be enhanced by the CAT, may contribute to better \nmarket features and rules that could further minimize the risk \nof another flash crash-type event, but the CAT itself will not \nhalt or prevent market activity. 
The SEC-approved CAT NMS Plan \nincludes a number of requirements to promote the complete, \naccurate and timely consolidation of audit trail information to \nserve these uses. In turn, the CAT is designed to better inform \npolicy decisions and generally improve oversight of the \nsecurities markets. In its role as the CAT Plan Processor for \nthe SRO consortium, FINRA CAT is committed to providing a CAT \nsolution that meets the requirements of the CAT NMS Plan and \nsupports the CAT's intended regulatory uses.\n\nQ.6. A July 2019 op-ed from the head of the securities \nindustry's lobbying organization argued that, ``The SEC has \nbeen hacked before, and it knows the CAT will put the \n[personally identifiable information (PII)] of millions of \nAmerican investors at risk.'' \\8\\ The consortium in place to \ncreate and implement the CAT, however, recently published a \npresentation with details regarding ongoing cybersecurity \nprotections. \\9\\\n---------------------------------------------------------------------------\n     \\8\\ The Hill, Opinion, ``The National Security Risk No One Is \nTalking About'', Christopher Iacovella, July 3, 2019, https://\nthehill.com/opinion/cybersecurity/451403-the-national-security-risk-no-\none-is-talking-about.\n     \\9\\ CAT NMS Plan, ``CAT Security Overview: Safeguarding Data \nReported to CAT'', Accessed October 25, 2019, https://\nwww.catnmsplan.com/wp-content/uploads/2019/08/FINRA-CAT-Security-\nApproach-Overview20190828.pdf.\n---------------------------------------------------------------------------\n    Please explain in detail how the CAT would protect \nsensitive personal data from data breaches or other \ncybervulnerabilities. Please also explain how the consortium \ncreating and implementing the CAT would be held accountable for \ncybervulnerabilities.\n\nA.6. The security of PII, and of all CAT data more broadly, is \nof the utmost priority to FINRA CAT. 
FINRA CAT has put in place \na robust data security program to meet the CAT NMS Plan's \nrequirements. This program is defined in an extensive System \nSecurity Plan built in accordance with the NIST SP800 series \nSpecial Publication with security controls specifically defined \nin accordance with NIST SP800-53. While not public for security \nreasons, this SSP is evaluated by an expert independent third-\nparty as an integral part of an annual Independent Verification \nand Validation (IV&V) assessment that verifies that security \ncontrols are well defined and effectively implemented. The SSP \nincludes incident response and breach management controls. As \nthe SRO consortium recently discussed in a presentation to the \nindustry, the FINRA CAT security program includes significant \nlayers of architectural-level security controls and program-\nlevel security controls. Examples of architectural controls \ninclude secure private-line-only infrastructure for connecting \nto the CAT regulatory interfaces (designed without an Internet \ninterface) and architectural separation between transaction \ndata and PII. Examples of program controls include a full suite \nof information security policies, procedures and standards, an \nextensive cybersecurity program staffed by highly qualified \ncybersecurity personnel that is integrated into the full \ndevelopment and operations life cycle of FINRA CAT, and \nregularly scheduled independent third-party system penetration \ntesting, code reviews, and security control validation. FINRA \nCAT also is cognizant that its cybersecurity framework must not \nbe static; it must evolve as more effective cybersecurity \ntechniques and practices emerge.\n    FINRA CAT has notification processes in the event of \nunauthorized access to CAT Data, but those vary depending on \nthe facts and circumstances of any breach/intrusion. 
If FINRA \nCAT becomes aware of actual (or potential) unauthorized access \nto CAT Data, we, working with the SRO consortium, will take all \nreasonable steps to investigate the incident, mitigate any \ntechnical vulnerabilities identified from unauthorized access \nto protect the integrity of the CAT system. We also will work \nwith the SRO consortium to report unauthorized access to law \nenforcement, the SEC and other authorities and to notify \ncustomers as required or as the consortium deems appropriate. \nAs an ``SCI Entity,'' FINRA CAT is subject directly to the \nSEC's jurisdiction, including Regulation Systems Compliance and \nIntegrity (Reg SCI). FINRA CAT's status as an SCI Entity \nensures direct accountability, including cyber incident \nreporting requirements to the SEC, as well as important issues \nlike system security, integrity, capacity, and business \ncontinuity.\n\nQ.7. Please explain how Federal regulators will be able to \nquickly and effectively detect and respond to malicious \ncyberactivity targeting the CAT. Please also explain how \nFederal regulators and the consortium would test and maintain \nthe CAT's cybersecurity mechanisms.\n\nA.7. The FINRA CAT System Security Plan includes controls for \ndetecting and responding to malicious activity, including \nmonitoring controls at multiple system layers (e.g., data \nstorage, application front end) designed to detect access and \nusage anomalies. This includes the use of behavioral analytics \ndesigned to recognize normal and abnormal access patterns. All \naccess to CAT Data is logged, in accordance with the Plan and \nsubject to this monitoring. 
Should any such anomalies be \ndetected, they will be handled in accordance with the published \nInformation Security Incident Response Plan, which includes \nnotification of appropriate regulatory bodies, including the \nSEC in accordance with Reg SCI.\n    With respect to testing and maintaining the CAT's \ncybersecurity mechanisms, as required by the Plan, FINRA CAT \nsubjects itself to the following regular independent third-\nparty assessments:\n\n  <bullet>  Third-party security penetration testing and code \n        security assessments. These third-party assessments are \n        performed in addition to a robust suite of internal \n        security testing that is performed by highly qualified \n        security staff of the Plan Processor and embedded into \n        the system development life cycle.\n\n  <bullet>  An independent validation and verification (IV&V) \n        of the controls defined in the System Security Plan \n        (SSP). The SSP encompasses the hundreds of security \n        controls defined by NIST SP800-53. The design and \n        effective implementation of these controls is \n        independently validated by the IV&V. This is the same \n        set of security controls and independent validation \n        process required for Federal Systems under the Federal \n        Information Security Management Act.\n\n  <bullet>  Material security deficiencies identified by these \n        testing processes are presented to the consortium's \n        Operating Committee when it considers whether to grant \n        an Authorization To Operate (ATO) for each release. 
Any \n        security deficiencies identified by these testing \n        processes are presented to the consortium's Operating \n        Committee as part of the package of information it \n        considers in granting an Authorization To Operate (ATO) \n        for each release.\n                                ------                                \n\n\n               RESPONSES TO WRITTEN QUESTIONS OF\n            SENATOR CORTEZ MASTO FROM SHELLY BOHLIN\n\nQ.1. Will the CAT help regulators, such as FINRA, SEC, FBI, and \nthe Department of Justice, catch short selling, spoofing, fake \ntrades, and wire fraud more quickly?\n\nA.1. When the SEC approved the CAT NMS Plan filed by the SRO \nconsortium, it discussed the intended use of CAT data to \nenhance the regulators' ability to surveil for market \nmanipulation, such as spoofing and other violations of trading \nrules, which include rules concerning short sales. In its role \nas the CAT Plan Processor for the consortium of self-regulatory \norganizations responsible for managing the CAT (known as CAT \nPlan Participants or the SRO consortium), FINRA CAT is \ncommitted to providing a CAT solution that meets the \nrequirements of the CAT NMS Plan and supports the CAT's \nintended regulatory uses.\n\nQ.2. Could the CAT system help investigate who is making a \nbillion-dollar profit in trades made right before the Trump \nadministration makes a market-moving announcement?\n\nA.2. One of the intended uses of the CAT discussed by the SEC \nand the SRO consortium is the enhanced ability to identify \ncustomers who originate orders. In its role as the CAT Plan \nProcessor for the SRO consortium, FINRA CAT is committed to \nproviding a CAT solution that meets the requirements of the CAT \nNMS Plan and supports the CAT's intended regulatory uses.\n\nQ.3. 
Will the CAT be able to help exchanges and regulators know \nif brokers are being ``unduly influenced by fees and rebates'' \nrather than the best execution outcome for investors?\n\nA.3. When the SEC approved the CAT NMS Plan, it noted its \nbelief that the Plan would facilitate enforcement of best \nexecution. In addition, when the SEC adopted its Transaction \nFee Pilot to study the effects that exchange transaction fee-\nand-rebate pricing models may have on order routing behavior, \nexecution quality and market quality, it discussed the \npotential for CAT data to be used to support the study. In its \nrole as the CAT Plan Processor for the SRO consortium, FINRA \nCAT is committed to providing a CAT solution that meets the \nrequirements of the CAT NMS Plan and supports the CAT's \nintended regulatory uses.\n\nQ.4. Will the CAT help exchanges and regulators know if brokers \nare routing the trading interests of mutual funds, pensions, \nand endowments in a way that results in information leakage?\n\nA.4. When the SEC approved the CAT NMS Plan, it noted its \nbelief that the Plan would facilitate enforcement of trading \nrules. For example, the SEC-approved CAT NMS Plan is intended \nto enhance regulators' ability to track the entire life cycle \nof orders from origination through routing, cancellation, \nmodification, or execution. In its role as the CAT Plan \nProcessor for the SRO consortium, FINRA CAT is committed to \nproviding a CAT solution that meets the requirements of the CAT \nNMS Plan and supports the CAT's intended regulatory uses.\n\nQ.5. Will the CAT help exchanges and regulators identify \nsophisticated market participants who use multiple brokers and \nmarket centers to engage in disruptive trading?\n\nA.5. 
When the SEC approved the CAT NMS Plan filed by the SRO \nconsortium, it discussed the intended use of CAT data to \nenhance the regulators' ability to surveil for market \nmanipulation, including by conducting surveillance across \nmarket centers and identifying activity originating from \nmultiple market participants. In its role as the CAT Plan \nProcessor for the SRO consortium, FINRA CAT is committed to \nproviding a CAT solution that meets the requirements of the CAT \nNMS Plan and supports the CAT's intended regulatory uses.\n\nQ.6. We have had a lot of discussion about how difficult it is \nto identify the beneficial owners of firms. This secrecy can \nlead to criminal activities. For example, Mr. Navinder Singh \nSarao (the individual who initiated the 2010 flash crash) was \nnot registered as a broker in the U.S. He used four firms to \nplace his trades.\n    Would CAT be able to find him or just his brokers?\n\nA.6. The SEC adopted Rule 613 in the wake of the 2010 flash \ncrash to require the CAT to be created. The SEC explained at \nthe time that the purpose of the CAT is to create a \ncomprehensive consolidated audit trail that allows regulators \nto efficiently and accurately track all activity in listed and \nunlisted equity securities and listed options throughout the \nU.S. markets to facilitate comprehensive market \nreconstructions, more robust market surveillance, and better \nanalytics to support policymaking.\n    Any broker-dealer that is a member of a national securities \nexchange or FINRA and receives and/or handles orders in NMS \nSecurities, which includes NMS stocks and Listed Options, and/\nor unlisted OTC Equity Securities--regardless of whether they \noperate in a foreign country--must report to CAT and satisfy \nclock synchronization requirements. If a non-U.S. broker-dealer \nroutes an order to a U.S. broker-dealer, the receiving U.S. \nbroker-dealer is required to report the receipt of an order \nfrom a non-U.S. 
broker-dealer in the same way as it would \nreport the receipt of an order from a Customer. Specifically, \nthe receiving U.S. broker-dealer would report the receipt of \nthis order as the original receipt of the order from the non-\nU.S. broker-dealer, and the receiving U.S. broker-dealer also \nwould report the Firm Designated ID for the non-U.S. broker-\ndealer. The U.S. broker-dealer would not report the ultimate \ncustomer of the non-U.S. broker-dealer. However, CAT Plan \nParticipants and other regulators like the SEC could request \nthe identification of the ultimate customer at the non-U.S. \nbroker-dealer from the U.S. broker-dealer, and if necessary may \nbe able to request the information from foreign regulators.\n\nQ.7. The system is only as good as the exchanges who report \nconcerns and ownership. How will you ensure that exchanges \nfully comply with reporting?\n\nA.7. FINRA CAT is required by the CAT NMS Plan to develop and \nimplement a comprehensive compliance program to monitor CAT \nReporters' adherence to SEC Rule 613. The CAT Plan Processor \nmust produce and provide reports to the SROs and the SEC \ncontaining performance and comparison statistics, as needed, on \neach CAT Reporter's compliance thresholds so that the \nParticipants or the SEC may take appropriate action if a \nParticipant fails to comply with its CAT reporting obligations.\n\nQ.8. What are your views on including futures data and over-\nthe-counter equities in CAT?\n\nA.8. While futures data could aid regulators in cross-market \nsurveillance, the current plans for the consolidated audit \ntrail (CAT) do not include this information. As a practical \nmatter, while FINRA CAT has the systems capability, knowledge, \nand expertise to build out a system that could incorporate \nfutures data, any work towards that end would necessarily only \nfollow the legal and policy decisions made by Federal \nregulators, including the CFTC and the SEC. 
The current CAT NMS \nPlan already requires the reporting of over-the-counter \nequities to CAT.\n\nQ.9. What are your views on including initial public offering \ndata, clearing data, and other data into the CAT database?\n\nA.9. FINRA CAT has the knowledge and expertise to build a \nsystem that can gather other forms of data, but those are \npolicy decisions that would need to be made by others, \nincluding the SEC and the SRO consortium. Currently, clearing \nand IPO data is not within the scope of SEC Rule 613 or the CAT \nNMS Plan. However, the SRO consortium filed a public written \nassessment with the SEC concerning an expansion of the CAT to \ninclude certain additional data, including information on \nprimary market transactions. You can find more information \nabout this issue at the following link: https://\nwww.catnmsplan.com/wp-content/uploads/2017/06/Expansion-Report-\nFinal-5.15.17.pdf.\n\nQ.10. How are the CAT Advisory Committee and Operating \nCommittee ensuring that CAT will remain technologically robust \nand modern?\n\nA.10. Pursuant to the CAT NMS Plan, the CCO's annual \nassessment, which is provided to the SEC and the CAT NMS Plan \nOperating Committee, must include ``an evaluation of potential \ntechnology upgrades based on a review of technological \nadvancements over the preceding year, drawing on technological \nexpertise whether internal or external.'' For example, as cloud \ntechnology evolves and advances, CAT will adapt accordingly. In \naddition, the Plan Participants, with their own wealth of \ntechnological expertise, are actively involved with making sure \nthat CAT remains technologically robust and modern. In \naddition, unless a matter is discussed in executive session, \nthe Advisory Committee has an opportunity to comment on or ask \nquestions about relevant topics during Operating Committee \nmeetings, including the technology used to support the CAT.\n\nQ.11. 
Assuming CAT is implemented in the next 3 years, what are \nthe upgrades that will need to take place to ensure CAT does \nnot fall behind the industry best practices?\n\nA.11. FINRA CAT will continue to work with the industry and \nother stakeholders to not only maintain state-of-the-art \ntechnology and data security practices, but it will strive to \nlead the industry and anticipate technological needs and \nimprovements. We will evolve as technology evolves. The \ncomplexity of CAT requires deep technological expertise, \nsophisticated and proactively evolving security, and close \ncoordination with all stakeholders. As an ``SCI Entity,'' FINRA \nCAT is subject directly to the SEC's jurisdiction, including \ncompliance with Regulation Systems Compliance and Integrity \n(Reg SCI). FINRA CAT's status as an SCI Entity ensures direct \naccountability to the SEC--for important issues like system \nsecurity, integrity, capacity, and business continuity. We have \nbuilt out a dedicated FINRA CAT operations staff led by me and \na Chief Technology Officer. We also hired, with the approval of \nthe SRO consortium, a Chief Information Security Officer (CISO) \nand a Chief Compliance Officer (CCO). These officers are \nresponsible, respectively, for FINRA CAT's information \ntechnology security and governance and regulatory compliance \nprograms.\n                                ------                                \n\n\n        RESPONSES TO WRITTEN QUESTIONS OF SENATOR SINEMA\n                       FROM SHELLY BOHLIN\n\nQ.1. Upon full implementation, the Consolidated Audit Trail \n(CAT) system will be an unprecedented database, collecting 58 \nbillion records and maintaining data on over 100 million \ninstitutional and retail accounts on a daily basis. The CAT, \nand all the unique customer data it holds, will also be \naccessible to thousands of users. 
Therefore, while the CAT has \nthe potential to offer important oversight, it will also be a \nprime target for cyberhacks. Under current CAT requirements, \nwhat kind of personal information would be accessible to system \nusers? Is this information already being collected by other \naudit trail systems?\n\nA.1. Under the current CAT NMS Plan, industry members will be \nrequired to report certain customer identifying information, \nincluding account numbers and some personally identifying \ninformation, or PII. The consortium of self-regulatory \norganizations responsible for managing the CAT (known as CAT \nPlan Participants or the SRO consortium) has filed requests \nwith the SEC to limit the Plan's PII collection requirements. \nSpecifically, under the SRO consortium's requests, the CAT \nwould not receive and store individuals' account numbers, \nsocial security numbers or dates of birth. FINRA CAT notes that \nany PII stored in the CAT is subject to heightened security \ncontrols, such as architectural separation in a separate PII \nsubsystem with restricted user access. When the SEC approved \nthe CAT NMS Plan, it discussed the extent to which customer-\nidentifying information is included in existing audit trail \nsystems such as Electronic Blue Sheets.\n\nQ.2. The Securities and Exchange Commission has been advised \nthat the CAT system should not collect Social Security numbers, \naccount numbers, and full dates of birth. Can regulators \nproperly conduct market analysis, investigations, and \nenforcement if these pieces of information are not collected by \nthe CAT?\n\nA.2. FINRA CAT recognizes the ongoing policy discussions \nrelated to the necessity of specific elements of customer-\nidentifying information for the success of the CAT, which are \nultimately matters the SRO consortium and the SEC must \ndetermine. 
FINRA CAT is committed to providing a CAT solution \nthat supports the regulators' decision making on this issue.\n                                ------                                \n\n\n        RESPONSES TO WRITTEN QUESTIONS OF SENATOR SASSE\n                       FROM JUDY MCDONALD\n\nQ.1. Would the Commission consider setting up a test bed and \nproving to the Banking Committee Members that the ``SSN's would \nbe secure''?\n\nA.1. Provided the October 16, 2019, Request for Exemptive \nRelief is accepted, SSNs will not be stored in the CAT Customer \nand Account Information data repository. \\1\\ The only PII which \nwill be stored will be ``phone book'' type data: name, address, \nyear of birth, masked account number, account type, and the \nindividual's role in the account. I encourage the Banking \nCommittee to request to review the results of the third party \nsecurity reviews including the (1) Independent Verification and \nValidation and (2) Penetration Testing results which should \nprovide reasonable assurances about the security of all PII \ndata.\n---------------------------------------------------------------------------\n     \\1\\ https://www.catnmsplan.com/wp-content/uploads/2019/10/CCID-\nand-PII-Exemptive-Request-Oct-16-2019.pdf\n---------------------------------------------------------------------------\n                                ------                                \n\n\n       RESPONSES TO WRITTEN QUESTIONS OF SENATOR KENNEDY\n                       FROM JUDY MCDONALD\n\nQ.1. I am concerned the CAT is a likely target for those who \nwish to manipulate U.S. markets--are you confident the CAT \nsystem and data included within will be adequately protected \nfrom these threats?\n\nA.1. No, the AC shares your concerns with the vulnerability of \nCAT data. 
FINRA CAT has very good security in the \nFINRA CAT environment and has not only met the ``gold \nstandard'' of NIST SP800-53 but has exceeded this standard by \nencrypting data at-rest and in-transit, establishing \nindependent third party verification and validation, \nestablishing independent penetration testing as well as \nmonitoring every query and command with behavioral-based \nanalysis for alerting. There is also considerable oversight of \nthese security efforts.\n    However, some significant concerns exist, specifically:\n    1. The bulk downloading of CAT data by 23 different \nexchanges plus the SEC. Currently, each of the securities \nregulators has unfettered access to bulk download CAT data. \nAlthough the SROs have always had to satisfy security \nrequirements, the AC has no insight into their security \nprograms and does not know if they meet the same standards or \npractices as FINRA CAT, which is especially concerning in light \nof the increased value of the CAT data and the increased \nlikelihood of compromise.\n    2. There will be up to 3,000 CAT individual users \n(individual users) made up of (presumably) regulatory staff and \nacademics, which once again multiplies the risk of compromise. \n\\1\\ These users may download CAT data to their respective PCs \nwithout limitation. While oversight is required, the AC has no \ninsight into the criteria, quality, or frequency of that \noversight; nor does the AC have an understanding of the \nprotocols that would preclude any of the individual users from \nmisappropriating the CAT data. Likewise, the AC has no insight \ninto any protections of these entities from computer hacks or \nother cyber threats, and ergo has no basis for confidence in \ntheir security protocols. Additionally the only review SROs \nundergo prior to enabling their employees' access to the CAT \ndata is a security policy review by the FINRA CAT CISO. 
\\2\\ The \nAC is concerned that even if the security policy is well \nwritten, it does not provide assurance with respect to actual \nimplementation.\n---------------------------------------------------------------------------\n     \\1\\ The CAT Plan does not limit access to regulatory staff, but \nrather limits access to ``regulatory purposes'', which is an undefined \nterm. Accordingly, it is uncertain how each exchange may interpret the \nscope of this limitation and therefore what personnel may have access.\n     \\2\\ The individual employees must sign a ``Safeguard of \nInformation'' Affidavit; however, this is independent of any SRO \nrequirement.\n---------------------------------------------------------------------------\n    3. Unlimited access of cross-market data. Historically, the \nexchanges have always had access to the data in their own \nmarkets and limited access to activities in other markets; \nhowever, CAT will supply easy and very broad access to all \nexchange and broker-dealer data at all times.\n    4. The CAT Reporter Agreement. Broker-dealers must sign the \nCAT Reporter Agreement in order to access the CAT to report \ntransactions. This agreement contains provisions including \nlimiting the financial liability of CAT to $500 and maintaining \nregulatory immunity for data breaches.\n    In light of these issues, two of the best ways to \nstrengthen data security are to (1) control the use of the data \nas tightly as possible and (2) limit the number of people with \naccess to the data. 
The AC has developed, and continues to \nrefine, a number of security recommendations that have been \nshared with the SEC and SROs, including establishing a secure \ndata reviewing environment, limits on bulk-downloading, and \nimprovements to cross-market data access policies and \nprocedures.\n                                ------                                \n\n\n        RESPONSES TO WRITTEN QUESTIONS OF SENATOR WARNER\n                       FROM JUDY MCDONALD\n\nQ.1. You've raised concerns with allowing the exchanges to hold \nCAT data. Given that our system currently gives SROs regulatory \nauthority, would restricting the exchanges' access to CAT data \nlimit the overall ability to identify bad conduct and \nreconstruct market events?\n\nA.1. The AC is concerned about the SROs having access to cross-\nmarket data that is beyond what they would need to meet their \nexisting regulatory obligations. These obligations generally \ninclude monitoring their members' activities, but not for each \nof the 23 SROs to individually undertake cross-market \nsurveillance, since that is already covered by FINRA. I believe \nthe SROs can very effectively use CAT data to pursue issues and \nalerts that arise in the course of monitoring the activities of \ntheir members, including access to specific data of interest \nabout a member's activities on other exchanges. Targeted access \nto cross-market data, instead of unrestricted access, will \nensure a more secure and properly used CAT.\n    The SEC has the expertise and experience to undertake \nwholesale market reconstruction. 
The AC is not recommending any \nrestrictions on access by the SEC to any of the non-PII data in \nCAT, with the caveat that the number of staff accessing the \nsystem should be minimized to only those who are in fact \nworking on market reconstructions, rule proposals, or specific \nexam/investigations matters, and that the nature of the queries \nshould be narrowly scoped to the set of data needed to complete \nthe task.\n\nQ.2. What were the causes for implementation delays?\n\nA.2. There are many reasons for the delay in CAT implementation \nfrom the aggressive initial timeline to those enumerated in the \nSROs' November 13, 2017, Request for Exemptive Relief. \\1\\\n---------------------------------------------------------------------------\n     \\1\\ https://www.sec.gov/comments/4-698/4698-2681993-161486.pdf\n---------------------------------------------------------------------------\n\nQ.3. Please describe the background of how Thesys was selected \nas the Plan Processor to build the CAT?\n\nA.3. The selection of Thesys as the Plan Processor predates the \nformation of the AC, so I cannot comment on the background of \nhow Thesys was selected as the Plan Processor.\n\nQ.4. What other bidders were short-listed? Why was Thesys \nselected? Which exchanges voted for Thesys?\n\nA.4. The bidding process predates the formation of the AC, so I \ncannot comment on how Thesys was selected.\n\nQ.5. Would you agree that a major part of the delay in the CAT \nimplementation occurred from the inability of Thesys to provide \na viable system after working on it nearly 2 years?\n\nA.5. Yes, there are many reasons for the delay in CAT \nimplementation from the aggressive initial timeline to those \nenumerated in the SROs' November 13, 2017, Request for \nExemptive Relief. 
\\2\\ Additional information can be provided by \nother witnesses.\n---------------------------------------------------------------------------\n     \\2\\ https://www.sec.gov/comments/4-698/4698-2681993-161486.pdf\n---------------------------------------------------------------------------\n\nQ.6. What did other participants propose to replace Thesys \nbefore they were finally fired earlier this year? Why did the \nexchanges keep them on the contract for as long as they did?\n    Were the exchanges in agreement on whether Thesys should be \nretained?\n\nA.6. I have no direct knowledge of these topics.\n\nQ.7. Please describe how a subsidiary of FINRA was selected \nearlier this year to replace Thesys? Was there an open bidding \nprocess? Were there other bidders?\n\nA.7. I have no direct knowledge of these topics.\n\nQ.8. How was the SEC engaged with CAT NMS as it began \nexperiencing significant delays?\n\nA.8. I have no direct knowledge of these interactions.\n\nQ.9. What are SEC current authorities in compelling the \nimplementation of CAT?\n\nA.9. I am unaware of any specific authorities.\n\nQ.10. I understand that as a member of the Advisory Committee \nyou don't have a vote or seat at the operating committee.\n    Are there improvements that you would make to help the \noperating committee run more effectively?\n\nA.10. The CAT NMS Plan underlines the flaws inherent with the \ngovernance model for NMS Plans. NMS Plans grant SROs sole \nauthority as Operating Committee members to design, implement \nand allocate costs without providing industry members any \nrepresentation on a decision-making body. This governance \nstructure limits transparency and creates perceived conflicts \nof interest. The industry is limited to the AC which \nparticipates in general Operating Committee meetings but does \nnot meet in executive sessions nor have a vote in any forum. \nAdditionally, the AC does not participate in all working \ngroups. The AC is not typically included in other meetings or \nprior to the formation of a subcommittee working group. 
\nProviding Broker-Dealers and Asset Management firms better \naccess to contribute their expertise and experience with voting \nrights would lead to better outcomes.\n\nQ.11. Do you think investors are adequately represented as part \nof the governance process?\n\nA.11. No, I think investors are under-represented in the \ngovernance of this process.\n    Under the approved CAT NMS Plan, the AC is comprised of 14 \nmembers including one ``individual who maintains a securities \naccount with a registered broker or dealer but who otherwise \nhas no material business relationship with a broker or dealer \nor with a participant'' as well as three persons selected to \n``represent a registered investment company.'' These four AC \nmembers are particularly focused on the interests of the \ninvesting public.\n    Members of the AC represent the industry from various \nperspectives; the AC is united on three common and deep \nconcerns--that is, data security, preventing the misuse of \ninformation, and limiting costs which might be ultimately borne \nby the investing public. Protection of personally identifiable \ninformation (PII) and transactional data and minimizing costs \nare the primary goals of all members of the AC, not just those \nrepresenting individual investors and investment companies.\n    The AC itself is restricted in its power and ability to be \neffective. The AC provides as much input and feedback as the \ncurrent structure and practice allow; however, the AC has no \nvoting position on the Operating Committee, is excluded from \nExecutive Sessions, and is frequently provided information in \nan untimely manner. Investors would be more fully represented \nif the AC were permitted greater involvement in the governance \nprocess.\n\nQ.12. Can the SEC appoint or remove members of the operating \ncommittee? Does the CAT NMS Plan or Rule 613 prohibit the SEC \nfrom appointing or removing members of the operating committee?\n\nA.12. 
No, CAT NMS Plan Section 4.2 provides for the composition \nof the operating committee, which does not include provisions \nfor appointment or removal of members by the SEC.\n\nQ.13. Does Rule 613 prohibit the SEC from appointing \nindependent members to the operating committee?\n\nA.13. The CAT NMS Plan does not have any provision that \nprovides for the SEC to appoint an independent member of the \noperating committee.\n\nQ.14. What, in your view, can independent members provide to \nthe operating committee? Are there benefits?\n\nA.14. The Operating Committee is currently composed solely of \nSRO representatives, which are dominated by three large exchange \n``families'' including ICE, Nasdaq, and CBOE. Each of these \nSROs has co-aligned regulatory obligations and financial \ninterest in the operation and regulation conducted with CAT \ndata. Absent from this committee is any insight from the \nthousands of broker-dealers, market makers, and asset managers \nwhose proprietary data will be submitted to CAT, who will be \nsubject to the reporting obligations of CAT, and who will in \ntime significantly fund the CAT.\n                                ------                                \n\n\n               RESPONSES TO WRITTEN QUESTIONS OF\n            SENATOR CORTEZ MASTO FROM JUDY MCDONALD\n\nQ.1. Will the CAT help regulators, such as FINRA, SEC, FBI, and \nthe Department of Justice, catch short selling, spoofing, fake \ntrades, and wire fraud more quickly?\n\nA.1. CAT data will be used by SEC and self-regulatory \norganizations (SROs) within the definition of Section 3(a)(26) \nof the Exchange Act. The CAT data is intended to be used for \n``surveillance and regulatory purposes,'' a broad term that has \nyet to be defined, and industry participants remain concerned \nthat SROs can take an expansive view and use this data for \nquasi-commercial purposes. 
CAT data should enable regulatory \npersonnel to better identify anomalous trading activities \nacross multiple markets and accounts. Short selling, of course, \nis not illegal, but CAT should allow regulators to better \nidentify manipulative strategies that involve short selling. It \nis unclear if CAT data would help in identifying wire fraud.\n\nQ.2. Could the CAT system help investigate who is making a \nbillion-dollar profit in trades made right before the Trump \nadministration makes a market-moving announcement?\n\nA.2. CAT data and analysis tools are intended to help \nregulators identify anomalous trading patterns which occur \nprior to an event and assist regulators more quickly to \nidentify both the beneficial owners of those trades and persons \nwith the authority to trade.\n\nQ.3. Will the CAT be able to help exchanges and regulators know \nif brokers are being ``unduly influenced by fees and rebates'' \nrather than the best execution outcome for investors?\n\nA.3. CAT data and analysis tools provided with CAT should, in \naddition to existing public disclosure of executing and routing \npractices reports which are already required under Rule 605 and \n606 of Regulation NMS, help regulators identify patterns of \norder routing.\n\nQ.4. Will the CAT help exchanges and regulators know if brokers \nare routing the trading interests of mutual funds, pensions, \nand endowments in a way that results in information leakage?\n\nA.4. CAT data and analysis tools are intended to help \nregulators identify order routing patterns which could be \nindicative of information leakage, when combined with other \ninformation such as financial news.\n\nQ.5. Will the CAT help exchanges and regulators identify \nsophisticated market participants who use multiple brokers and \nmarket centers to engage in disruptive trading?\n\nA.5. 
Market participants may use multiple brokers and trade \nacross market centers for a number of legitimate reasons; \nhowever, one of the most significant characteristics that \ndifferentiates CAT from existing regulatory systems is that CAT \nwill enable regulators to identify an individual or entity's \ntrading patterns across multiple broker-dealers and market \ncenters. All trading activity will be tracked to the individual \nor entity with a common CAT Customer ID(s).\n\nQ.6. We have had a lot of discussion about how difficult it is \nto identify the beneficial owners of firms. This secrecy can \nlead to criminal activities. For example, Mr. Navinder Singh \nSarao (the individual who initiated the 2010 flash crash) was \nnot registered as a broker in the U.S. He used four firms to \nplace his trades.\n    Would CAT be able to find him or just his brokers?\n\nA.6. The CAT Customer and Account Information combined with the \nCAT Customer ID allows for the identification of the accounts \nof U.S. citizens across broker-dealers and the beneficial \nowners of those accounts. However, if the beneficial owner is \nnot a U.S. citizen, the account can only be identified to the \nbroker-dealer.\n\nQ.7. The system is only as good as the exchanges who report \nconcerns and ownership. How will you ensure that exchanges \nfully comply with reporting?\n\nA.7. The SEC and SROs are responsible for ensuring compliance \nwith CAT reporting. The Advisory Committee (AC) has no power to \nenforce exchange compliance with reporting and is limited to \nproviding comments on policies and procedures which could help \nmotivate compliance and detect lack of compliance.\n\nQ.8. What are your views on including futures data and over-\nthe-counter equities in CAT?\n\nA.8. OTC equities will be included in CAT data. 
Futures are (1) \na different asset class, (2) traded with different participants \nand for different reasons than equities and options, and (3) \nregulated by the CFTC rather than the SEC. Including futures in \nCAT would require significant input from not only financial \nservices firms with CAT obligations, but also end-users \nincluding energy producers, agricultural, and other commodities \nparticipants. While including futures data in CAT would provide \na more robust picture of some cross-asset class trading such as \nthe SPY (the S&P 500 Depository Receipt) vs. S&P 500 e-mini \ncontract at the Chicago Mercantile Exchange, a significant \nstudy of the need for futures data in CAT as well as the \nexpected outcome of including futures in CAT should commence \nprior to any further action.\n\nQ.9. What are your views on including initial public offering \ndata, clearing data, and other data into the CAT database?\n\nA.9. IPO data would provide regulatory value; however, it would \nbe a very expensive effort in light of the current business \npractices related to an IPO, which are extremely manual, \nunstructured, and highly variable with each offering. Any \nreporting requirements are likely to change business practices. \nI suggest performing a thorough analysis prior to publishing a \nrule proposal and then taking an iterative approach, starting \nwith the very basic reporting requirements and gradually \nincreasing if additional information is needed and additional \nvalue is anticipated. Many of these ideas are more fully \nexpressed in the October 28, 2019, Financial Information Forum \ncomment letter. 
\\1\\\n---------------------------------------------------------------------------\n     \\1\\ https://fif.com/comment-letters\n---------------------------------------------------------------------------\n    Clearing data will have little regulatory value for CAT \nonce allocation reporting into CAT is complete in April 2021 \nfor equities and December 2021 for options. CAT data will \nprovide regulators with access to account information including \nthe account owner of the order when it was placed, the \nbeneficial owner of where the equities or options are held, \nfill reports, and final allocation instructions.\n\nQ.10. How are the CAT Advisory Committee and Operating Committee \nensuring that CAT will remain technologically robust and \nmodern?\n\nA.10. The AC is very active and provides extensive technical \nfeedback at the level of standards, procedures, and practices \nand insight based on the experiences of the relative firms; \nhowever, the AC is limited in that it can only offer comments, \nopinions, and suggestions and, thus far, has not been consulted \non technology specifics such as architecture, tools, or \nspecific technical approaches.\n\nQ.11. Assuming CAT is implemented in the next 3 years, what are \nthe upgrades that will need to take place to ensure CAT does \nnot fall behind the industry best practices?\n\nA.11. The AC anticipates working with CAT LLC and the SROs to \nensure that CAT maintains industry best practices as it relates \nto (1) data security including adherence to industry standards, \n(2) experimentation and utilization of emerging technology, and \n(3) capacity and performance planning.\n                                ------                                \n\n\n        RESPONSES TO WRITTEN QUESTIONS OF SENATOR SINEMA\n                       FROM JUDY MCDONALD\n\nQ.1. 
Upon full implementation, the Consolidated Audit Trail \n(CAT) system will be an unprecedented database, collecting 58 \nbillion records and maintaining data on over 100 million \ninstitutional and retail accounts on a daily basis. The CAT, \nand all the unique customer data it holds, will also be \naccessible to thousands of users. Therefore, while the CAT has \nthe potential to offer important oversight, it will also be a \nprime target for cyberhacks. Under current CAT requirements, \nwhat kind of personal information would be accessible to system \nusers? Is this information already being collected by other \naudit trail systems?\n\nA.1. Provided the October 16, 2019, Request for Exemptive \nRelief is accepted, SSNs will not be stored in the CAT Customer \nand Account Information data repository. \\1\\ The only PII which \nwill be stored will be ``phone book'' type data: name, address, \nyear of birth, masked account number, account type, and the \nindividual's role in the account. Currently this information \ncan only be obtained on an ad hoc basis through the use of the \nElectronic Blue Sheet System.\n---------------------------------------------------------------------------\n     \\1\\ https://www.catnmsplan.com/wp-content/uploads/2019/10/CCID-\nand-PII-Exemptive-Request-Oct-16-2019.pdf\n---------------------------------------------------------------------------\n    In addition to PII, the CAT will also expose the valuable \nintellectual property of individual investors and trading firms \nby assembling in one place the details of all trading activity \nwhich were previously stored in disparate locations; this data \ncould be exploited by a bad actor.\n\nQ.2. The Securities and Exchange Commission has been advised \nthat the CAT system should not collect Social Security numbers, \naccount numbers, and full dates of birth. 
Can regulators \nproperly conduct market analysis, investigations, and \nenforcement if these pieces of information are not collected by \nthe CAT?\n\nA.2. Yes, through the use of the CAT Customer Identifier and \nthe Customer and Account Information data repository, the \nregulators should be able to conduct market analysis, \ninvestigations, and enforcement. This is the primary goal of \nthe approach which underlies the Exemptive relief request. This \napproach has been broadly supported in an informal nature by \nindustry members and regulators and was a result of many months \nof collaboration amongst regulators and industry members.\n                                ------                                \n\n\n        RESPONSES TO WRITTEN QUESTIONS OF CHAIRMAN CRAPO\n                     FROM MICHAEL J. SIMON\n\nQ.1. Early estimates for the creation of a ``real-time'' CAT \nwould cost $4 billion to launch and have ongoing maintenance \ncosts of $2.1 billion. What are the current cost estimates for \ninitial launch costs and what are the cost estimates for \nongoing maintenance for the ``next-day'' CAT approach?\n\nA.1. The Consolidated Audit Trail, LLC (CAT LLC) \\1\\ operates \npursuant to a budget that the Operating Committee approves on a \nquarterly basis. Based on the most recent CAT LLC budget, the \ncurrent annualized cost for building and operating the CAT is \napproximately $60 million for calendar year 2019. The budget \ndoes not distinguish between build and operating costs. 
While \nthe 2020 CAT LLC budget is under development, current estimates \nare that the annualized costs will be between $60 and $75 \nmillion.\n---------------------------------------------------------------------------\n     \\1\\ Note, CAT NMS, LLC is the predecessor to CAT LLC.\n---------------------------------------------------------------------------\n    Under current budgetary projections, the FINRA CAT build \ncosts will peak next year, and then decrease over the next few \nyears as FINRA CAT finishes the build. On the other hand, the \nFINRA CAT costs to operate the CAT will increase substantially \nin the coming years, particularly beginning in 2021 as we \napproach full CAT functionality. We also expect legal and \nconsulting costs to decrease as the CAT moves from development \nto operation. The bottom line is that the total cost to operate \nthe CAT is uncertain, but unlikely to increase above $75 \nmillion annually in the near future.\n    There are a number of assumptions and qualifications to \nthese projections. First, these are the costs solely borne by \nCAT LLC regarding the build and operation of the CAT. Thus, \nthese costs do not include the costs to the Participants and \nthe industry members to prepare for, and comply with, CAT \nrequirements. Second, a number of FINRA CAT costs are variable. \nThose include the costs of cloud hosting and the customer/\naccount database. Thus, any estimates of such costs at this \ntime are somewhat speculative. Finally, FINRA CAT costs could \nchange based on changes to the current design and operation of \nthe CAT system, effectuated through the change request process. \nAny such change request could add additional costs both to the \ndevelopment of the CAT and the ongoing costs of operating the \nCAT.\n\nQ.2. As the CAT is currently designed, more than 20 SROs and \nthe SEC would be allowed to download bulk data from CAT into \ntheir systems. 
In such an arrangement, there is a grave \nincrease in the likelihood that sensitive information stored in \nCAT will be compromised.\n    Can you explain why the transmission and downloading of \nbulk data is currently allowed under the plan? Would a \nlimitation on downloading of bulk data affect the regulatory \nfunction of the CAT?\n\nA.2. SEC Rule 613 requires that the Participants address data \nextraction in the CAT NMS Plan. \\2\\ Pursuant to this \nrequirement, the CAT NMS Plan filed with and approved by the \nCommission describes the methods by which Participants may \nextract data from the CAT system, including via user-defined \ndirect queries and bulk extracts. \\3\\ Importantly, the CAT NMS \nPlan permits the bulk extract of transaction data only; \nCustomer Account Information, Customer Identifying Information \nand other personally identifiable information (PII) (as defined \nin the Plan) may not be subject to bulk extraction. In \naddition, Rule 613 and the CAT NMS Plan both require that \nParticipants develop and implement surveillance systems, or \nenhance their existing surveillance systems, to make use of CAT \nData. 
\\4\\ As discussed in the Commission's order approving the \nCAT NMS Plan, the Participants ``believe that permitting \nregulators to download/order transaction data from the Central \nRepository for regulatory use (i.e., ``bulk data extracts'') is \nimportant for their regulatory purposes, and that eliminating \nor limiting bulk data extracts of transaction data from the CAT \nmay significantly and adversely impact the Participants' \nability to effectively conduct surveillance of their markets \nusing CAT Data.'' \\5\\\n---------------------------------------------------------------------------\n     \\2\\ See Regulation NMS, 17 CFR §242.613(a)(1)(i), (iii) (2019).\n     \\3\\ See National Market System Plan Governing the Consolidated \nAudit Trail, Section 6.10(c)(i)(B) available at https://\nwww.catnmsplan.com/wp-content/uploads/2019/09/CAT-2.0-Consolidated-\nAudit-Trail-LLC%20Plan-Executed-(175745081)-(1).pdf [hereinafter the \n``CAT NMS Plan'']. See also id. at Appendix D, Section 8.2.2 (``The \nCentral Repository must provide for direct queries, bulk extraction, \nand download of data for all regulatory users. Both the user-defined \ndirect queries and bulk extracts will be used by regulators to deliver \nlarge sets of data that can then be used in internal surveillance or \nmarket analysis applications.'').\n     \\4\\ See Regulation NMS, 17 CFR §242.613(f) (2019); and CAT NMS \nPlan, supra note 3 at Appendix D, Section 6.10(a).\n     \\5\\ See Joint Industry Plan; Order approving the National Market \nSystem Plan Governing the Consolidated Audit Trail, Exchange Act \nRelease No. 79318 (Nov. 15, 2016), 81 FR 84696, 84757 (Nov. 23, 2018) \n[hereinafter, ``Plan Adopting Release''].\n---------------------------------------------------------------------------\n    The Participants are focused on the security of CAT Data, \nincluding with respect to bulk extracts. 
Access to CAT Data, \nvia bulk extract or otherwise, will be subject to the CAT \nsecurity protocols. For instance, only authorized regulatory \nusers with appropriate permissions will be able to access and \nextract CAT Data, and all CAT Data returned shall be encrypted. \n\\6\\ Additionally, the CAT system requires multifactor \nauthentication for regulatory use of the query tools, \nmitigating insider risk at the regulators, as well as for \naccess to the Industry Member reporter portal. \\7\\\n---------------------------------------------------------------------------\n     \\6\\ CAT NMS Plan, supra note 3 at Section 6.10(c)(ii).\n     \\7\\ See id. at Appendix D, Section 4.1.4.\n---------------------------------------------------------------------------\n    Access and the ability to extract PII is subject to \nadditional safeguards. All PII collected by the CAT must be \nstored separately from transaction data and will not be \neligible for bulk extract. \\8\\ Regulatory users must have \nspecial entitlements (beyond entitlements to transactional CAT \nData) to access PII data. \\9\\\n---------------------------------------------------------------------------\n     \\8\\ See id. at Appendix D, Section 4.1.6.\n     \\9\\ See id.\n---------------------------------------------------------------------------\n    Additionally, to balance security considerations and \npotential risks related to the bulk extraction of CAT Data, CAT \nLLC authorized FINRA CAT to develop and implement a secure \nanalytics workspace (SAW), which the Participants and the SEC \nmay use to analyze CAT Data and run their surveillance \nprotocols. Development of the SAW is underway, and \nimplementation is expected in the fall of 2020. Until SAW is \noperational, the Participants' use of CAT Data must necessarily \ntake place outside of the SAW. 
Temporary and persistent copies \nof CAT Data may exist in an Amazon Web Services (AWS) \nenvironment protected by security controls, policies, and \npractices consistent with the CAT system itself. Small subsets \nof CAT Data may be extracted in support of regulatory and \nsurveillance activities.\n                                ------                                \n\n\n        RESPONSES TO WRITTEN QUESTIONS OF SENATOR BROWN\n                     FROM MICHAEL J. SIMON\n\nQ.1. Please describe the FINRA CAT breach/intrusion \nnotification process, including the entities and organizations \nthat would be notified and the timetable for notification. \nPlease also describe any process for notification to investors, \nor the public generally.\n\nA.1. As required by the Plan, the CAT has a sophisticated \ninformation security program, which includes an incident \nresponse plan consistent with National Institute of Standards \nand Technology guidance. The actions taken in the event of \nunauthorized access to CAT Data will depend on the \ncircumstances. If FINRA CAT becomes aware of actual (or \npotential) unauthorized access to CAT Data, FINRA CAT will work \nwith the Participants and will take all reasonable steps to \ninvestigate the incident and mitigate any identified technical \nvulnerabilities to protect the integrity of the CAT system. CAT \nLLC will report unauthorized access to law enforcement, the \nSEC, and other authorities as required or appropriate. This \nprocess may result in the use of, among other things, forensic \nservices, breach notification services, and/or identity/fraud \nmonitoring.\n\nQ.2. Please provide the available cost estimates for (i) \nbuilding the CAT system and (ii) annual operation of the CAT \nsystem, specifying current cost and costs once it is fully \noperational.\n\nA.2. As noted in the answer to Chairman Crapo, CAT LLC operates \npursuant to a budget that the Operating Committee approves on a \nquarterly basis. 
Based on the 2019 CAT LLC budget and actuals \nto date, the current annualized cost for building and operating \nthe CAT is approximately $60 million. The budget does not \ndistinguish between build and operating costs. While the 2020 \nCAT LLC budget is under development, current estimates are that \nthe annualized costs will be between $60 and $75 million.\n    Under current budgetary projections, the FINRA CAT build \ncosts will peak next year, and then decrease over the next few \nyears as FINRA CAT finishes the build. On the other hand, the \nFINRA CAT costs to operate the CAT will increase substantially \nin the coming years, particularly beginning in 2021. We also \nexpect legal and consulting costs to decrease as the CAT moves \nfrom development to operation. The bottom line is that the \ntotal cost to operate the CAT is uncertain, but unlikely to \nincrease above $75 million annually in the near future.\n    There are a number of assumptions and qualifications to \nthese projections. First, these are the costs solely borne by \nCAT LLC regarding the build and operation of the CAT. Thus, \nthese costs do not include the costs to the Participants and \nthe industry members to prepare for, and comply with, CAT \nrequirements. Second, a number of FINRA CAT costs are variable. \nThese include the costs of cloud hosting and the customer/\naccount database. Thus, any estimates of such costs at this \ntime are somewhat speculative. Finally, FINRA CAT costs could \nchange based on changes to the CAT system, effectuated through \nthe change request process. Any such change request could add \nadditional costs both to the development of the CAT and the \nongoing costs of operating the CAT.\n\nQ.3. Please identify the private and Government organizations \nand entities that would be necessary to involve in the \ndevelopment and management of a CAT system that includes U.S. \nfutures data and activity.\n\nA.3. 
A more complete assessment would be necessary to \ndefinitively respond to this question, particularly the type \nand number of the products underlying the futures contracts. \nFor futures based on single securities, or narrow-based \nsecurity indices (e.g., nine or fewer securities), the \nSecurities and Exchange Commission and the Commodity Futures \nTrading Commission (CFTC) share jurisdiction. But for futures \ncontracts based on broad-based security indices or commodities, \nthe CFTC is the oversight authority. Based on the nature of the \ninstrument, the Participants believe that if the CAT NMS Plan \nwere amended so that the CAT system included U.S. futures data \nand activity, the following private and Government \norganizations and entities, in addition to the SEC and current \nPlan Participants, likely would need to be involved: (i) the \nCFTC, (ii) the National Futures Association, (iii) relevant \ndesignated contract markets, (iv) relevant futures commission \nmerchants, (v) relevant broker-dealers, (vi) relevant \nderivatives clearing organizations, (vii) the Futures Industry \nAssociation, and (viii) relevant introducing brokers.\n                                ------                                \n\n\n        RESPONSES TO WRITTEN QUESTIONS OF SENATOR SASSE\n                     FROM MICHAEL J. SIMON\n\nQ.1. In your testimony, you discuss the PII Working Group and \nhow their initial recommendation was an approach that would \nhave avoided the need to have any PII in the CAT.\n    Can you tell me why the Commission staff denied this \ninitial approach?\n    How were the options presented by the working group \nevaluated?\n\nA.1. The PII Working Group worked closely with SIFMA and the \nCISOs of each Participant to develop an approach that would \nhave eliminated the need to maintain any PII in the CAT system. \nCommission staff was invited to all discussions on this topic. 
\nThe approach would have involved the creation of a new request \nand response system that would allow regulators to request PII \nfrom Industry Member CAT Reporters rather than having such data \nincluded in the CAT. Commission staff requested that the PII \nWorking Group develop another approach. The Participants are \nnot in a position to know why the Commission staff preferred \nthe development of an alternative to the initial recommendation \nof the PII Working Group.\n                                ------                                \n\n\n        RESPONSES TO WRITTEN QUESTIONS OF SENATOR WARNER\n                     FROM MICHAEL J. SIMON\n\nQ.1. One of the concerns we've heard time and time again \nregarding the CAT is that it presents a privacy and \ncybersecurity risk. I know that the SEC has been working \ndiligently on the PII issue and that the Exchanges have \nproposed ``CAT Customer IDs'' as an alternative approach to \nSocial Security numbers.\n    Would you agree that the data security question can be a \nvery solvable issue as long as all parties work constructively \nand in good faith?\n\nA.1. The security of CAT Data is and will remain a top priority \nof the Participants. While all systems are subject to ongoing \nsecurity risks, the Participants have taken, and will continue \nto take, all appropriate precautions to safeguard all data \nwithin the CAT system. The Participants believe that data \nsecurity and associated risks can be managed effectively with \nthe assistance and good faith effort of all parties.\n\nQ.2. My goal is to have an effective CAT up and running as soon \nas possible. Given the long history of delays and challenges \nwith its implementation, I wonder if there should be some \nreforms to the operating committee so that it runs more \nefficiently.\n    What were the causes for implementation delays?\n\nA.2. The CAT is an extremely complex project. 
Rule 613 required \nthe Participants to select a Plan Processor, contract with that \nentity and build, test and implement Participant reporting to \nthe CAT within a year.\n    Recognizing the challenges of the timetable, the \nParticipants proposed, and the SEC approved, a supplemental \nnational market system plan to provide for the selection of a \nPlan Processor while the SEC considered adoption of the overall \nCAT NMS Plan. Pursuant to the Selection Plan, \\1\\ the \nParticipants were able to choose a Plan Processor (Thesys \nTechnologies LLC) within approximately 2 months of SEC approval \nof the CAT NMS Plan, and complete the Plan Processor Agreement \nwithin another few months. \\2\\\n---------------------------------------------------------------------------\n     \\1\\ See Plan Governing the Process of Selecting a Plan Processor \nand Developing a Plan for the Consolidated Audit Trail, which was \nincorporated as Article V of the CAT NMS Plan approved by the \nCommission on November 15, 2016.\n     \\2\\ Thesys Technologies LLC was selected by CAT NMS LLC to be the \nPlan Processor for the CAT. Thesys Technologies established its \nsubsidiary, Thesys CAT (TCAT) to serve as the Plan Processor.\n---------------------------------------------------------------------------\n    Notwithstanding the relatively prompt selection of a Plan \nProcessor, TCAT ultimately proved unable to build the system \nrequired under the CAT NMS Plan and the Plan Processor \nAgreement between the parties. The Participants worked in good \nfaith with TCAT to begin operation of the CAT one year later \nthan required under the CAT NMS Plan and Rule 613. 
However, \nTCAT proved unable to deliver a compliant system even with the \nadditional year for development.\n    After TCAT failed to deliver a contract-compliant system in \nthe timeframes required and demanded significant payments in \nexcess of the contract requirements, among other things, the \nParticipants decided to terminate the Plan Processor Agreement \nfor default and change Plan Processors, selecting and \ncontracting with FINRA CAT. While this initially added time to \nthe development of the CAT, the Participants believe that \nchanging processors when they did actually will result in a \nfully functional CAT in a shorter time frame than if they had \ncontinued the project with TCAT as processor.\n\nQ.3. Please describe the background for how Thesys was selected \nas the Plan Processor to build the CAT?\n\nA.3. As noted in response to Question 2, the Participants \nselected Thesys Technologies LLC, which ultimately formed TCAT, \nas the Plan Processor pursuant to the provisions of the CAT NMS \nPlan and the supplemental Selection Plan discussed above. \nTechnical and legal/regulatory experts from the Participants, \nworking with outside consultants and legal advisors, developed \ndetailed requirements for the operation of the CAT. The \nParticipants then issued a request for proposal (RFP) for the \nPlan Processor. Ten entities submitted responses to the RFP. \nThe Participants provided each applicant with the opportunity \nto make an oral presentation to the Participants group. From \nthose 10 applicants the Participants selected three finalists \nand sought additional information from each finalist. The \nParticipants ultimately selected TCAT as the Plan Processor.\n\nQ.4. What other bidders were short-listed? Why was Thesys \nselected? Which exchanges voted for Thesys?\n\nA.4. The other two finalists for Plan Processor were FINRA and \nSungard/Fidelity National Information Services Inc. (Sungard/\nFIS). 
Sungard/FIS withdrew from consideration before the final \nParticipant vote for Plan Processor. The Participants then \nconducted a vote between FINRA and Thesys, and each Participant \nvoted pursuant to their own selection criteria. The vote was \nvia closed ballot and the only result announced was that Thesys \nwon the vote; there was no announcement as to how each \nParticipant voted.\n\nQ.5. Would you agree that a major part of the delay in the CAT \nimplementation occurred from the inability of Thesys to provide \na viable system after working on it nearly 2 years?\n\nA.5. Yes. Please see the response to Question 2, above.\n\nQ.6. What did other participants propose to replace Thesys \nbefore they were finally fired earlier this year? Why did the \nexchanges keep them on the contract for as long as they did? \nWere the exchanges in agreement on whether Thesys should be \nretained?\n\nA.6. When it became clear to the Participants that TCAT would \nbe unable on its own to build the CAT system that the CAT NMS \nPlan requires, the Participants first considered providing \nsupplemental support to TCAT, either from the Participants \nthemselves or from a third party. However, it soon became clear \nthat even with support, TCAT would not be able to build a \ncompliant CAT system in a timely and cost-efficient manner. In \nlight of TCAT's failure to deliver a contract-compliant system \nin the timeframes required (and other defaults), the \nParticipants decided to terminate the Plan Processor Agreement \nfor default and replace TCAT. The Participants' decision to \nterminate TCAT for default was unanimous.\n    The Participants kept TCAT on contract as long as they did \nbecause they understood that changing processors necessarily \nwould add time to the project. Thus, the Participants worked in \ngood faith with TCAT as long as they could to try to remedy the \ndefects in the deliverables and to address concerns with future \ndeliverables. 
It was only after receiving, testing, and \nattempting to remedy the defects in TCAT's system, as well as \nother defaults by TCAT including its extracontractual payment \ndemands, that the Participants concluded that TCAT could not \nmeet the requirements of its Plan Processor Agreement and was, \nin any event, unwilling to do so on the agreed-upon terms and \nconditions. Upon reaching that conclusion the Participants \npromptly terminated the TCAT Plan Processor agreement for \ndefault.\n\nQ.7. Please describe how a subsidiary of FINRA was selected \nearlier this year to replace Thesys? Was there an open bidding \nprocess? Were there other bidders?\n\nA.7. The Participants followed the requirements in the CAT NMS \nPlan in selecting a successor Plan Processor. Specifically, \nunder Section 6.1(t) of the CAT NMS Plan, CAT NMS, LLC formed a \nSelection Committee and established a process to evaluate and \nreview bids. That process, which took into account the \napplicable time constraints, was to contact FINRA and FIS, the \ntwo other finalists in the initial process, to gauge their \ninterest in bidding on the CAT project. Both entities submitted \nproposals. FINRA proposed specifics as to how they would build \na system compliant with the CAT NMS Plan, together with a cost \nproposal. FIS proposed an interim step in which CAT NMS, LLC \nwould hire them as consultants to review the system to \ndetermine how best they could provide services moving forward. \nBased on these proposals, the Selection Committee recommended \nFINRA to the Operating Committee, which voted to approve FINRA \nas the Plan Processor. Note, FINRA recused itself and did not \ntake part in the selection decision.\n\nQ.8. How was the SEC engaged with CAT NMS as it began \nexperiencing significant delays?\n\nA.8. The SEC and its staff have been engaged with CAT LLC \\3\\ \nand the Participants throughout the entire life of the project. 
\nWhen the problems with TCAT became apparent, Chairman Clayton \nconvened a meeting of the presidents or CEOs of the \nParticipants on April 9, 2018, to express his concerns with the \ndelays in the project. Brett Redfearn, Director of the Division \nof Trading and Markets, also communicated the importance of \ngetting the project back on track.\n---------------------------------------------------------------------------\n     \\3\\ Note, CAT NMS, LLC is the predecessor to CAT LLC.\n---------------------------------------------------------------------------\n    In response to the requests of Chairman Clayton and the \nstaff, the Participants submitted a comprehensive Master Plan \nto the staff that included all material steps to implement all \nphases of the project. The Participants also created a \nLeadership Team of four Participant representatives to help \nstreamline decision making on day-to-day issues that did not \nraise policymaking concerns.\n    More fundamentally, the SEC has been actively monitoring \nall CAT activities. The SEC staff participates in Operating \nCommittee, Compliance Committee and most working group calls, \nincluding the Security Working Group. In January of this year \nChairman Clayton hired Manisha Kimmel as Senior Policy Advisor \nfor Regulatory Reporting to coordinate the SEC's oversight of \nthe creation and implementation of the CAT. Ms. Kimmel \npreviously was the Chair of the CAT Advisory Committee and, \namong other things, holds weekly calls with the CAT Leadership \nTeam. The staff of the Division of Trading and Markets works \nclosely with Ms. Kimmel in overseeing CAT matters.\n\nQ.9. What are the SEC's current authorities in compelling the \nimplementation of CAT?\n\nA.9. The SEC compels the implementation of the CAT through Rule \n613, and the CAT NMS Plan adopted under that rule, and via its \noversight role over the Participants. The SEC has not amended \nRule 613 since its adoption. 
With respect to the CAT NMS Plan, \nthe SEC recently has proposed amendments to the CAT NMS Plan \nregarding transparency and cost recovery.\n\nQ.10. What is the SEC's typical engagement with the operating \ncommittee?\n\nA.10. As provided under Section 4.4 of the CAT NMS Plan, the \nSEC staff may attend, and does attend, all Operating Committee \nmeetings, including both regular and executive sessions. In \naddition, as noted above, the SEC staff also participate in \nCompliance Committee and most working group calls. While most \ninteraction between the SEC and the Participants is informal, \nthe SEC conducts all formal communications with the Operating \nCommittee through letters and other communications.\n\nQ.11. Has the SEC attended any of the operating committee \nmeetings?\n    Does the SEC have access to the meeting transcripts?\n\nA.11. As noted above, the SEC staff attends Operating Committee \nmeetings. The Operating Committee does not record or otherwise \ntranscribe its meetings. However, the Operating Committee does \ndraft minutes of its meetings, and the SEC staff receives those \nminutes.\n\nQ.12. Does the CAT NMS Plan or Rule 613 prohibit the SEC from \nappointing or removing members of the operating committee?\n\nA.12. There is no provision in either Rule 613 or the CAT NMS \nPlan giving the SEC the authority either to appoint or remove \nmembers of the Operating Committee. Rule 613 broadly addresses \nsome operational and administrative requirements related to the \nCAT, such as requiring the CAT NMS Plan to include provisions \nrelated to the fair representation of Participants, the \nadministration of the CAT NMS Plan and an Advisory Committee. \nHowever, Rule 613 does not otherwise dictate the specific \nmanner in which the Participants would govern CAT LLC. In \nimplementing Rule 613, the Participants provided in the CAT NMS \nPlan for the governance of CAT LLC through an Operating \nCommittee. 
The CAT NMS Plan specifies that each Participant \nappoints one voting member, plus an alternate, to the Operating \nCommittee. The SEC approved those provisions in approving the \nCAT NMS Plan.\n\nQ.13. Does Rule 613 prohibit the SEC from appointing other \nindependent members to the operating committee?\n\nA.13. As noted in the answer to the previous question, Rule 613 \ndoes not grant the SEC the ability to appoint members of the \nOperating Committee. The CAT NMS Plan controls the composition \nof the Operating Committee, and it does not include any \nprovision regarding the appointment of independent members to \nthe committee.\n\nQ.14. What, in your view, can independent members provide to \nthe operating committee? Are there benefits?\n\nA.14. Rule 613 specifically requires that the Participants \nestablish an Advisory Committee ``to advise the plan sponsors on \nthe implementation, operation, and administration of the central \nrepository.'' The Participants implemented that provision in \nthe CAT NMS Plan by providing for an Advisory Committee \nconsisting of 14 representatives from the industry, academia \nand the public. Under Rule 613, Advisory Committee members \n``have the right to attend any meetings of the plan sponsors \n[other than in executive session], to receive information \nconcerning the operation of the central repository, and to \nprovide their views to the plan sponsors.'' The CAT NMS Plan \nand Commission guidance acknowledge the need for appropriate \nlimitations on the role of the Advisory Committee. 
In excluding \nAdvisory Committee members from executive session meetings, for \nexample, the Commission explained that ``meet[ing] in \n[E]xecutive [S]ession without members of the Advisory Committee \nappropriately balances the need to provide a mechanism for \nindustry input into the operation of the central repository, \nagainst the regulatory imperative that the operations and \ndecisions regarding the consolidated audit trail be made by \n[Participant]s who have a statutory obligation to regulate the \nsecurities markets, rather than by members of the \n[Participant]s, who have no corresponding statutory obligation \nto oversee the securities markets.'' \\4\\\n---------------------------------------------------------------------------\n     \\4\\ Plan Adopting Release, supra note 5 at 84732-3.\n---------------------------------------------------------------------------\n    Thus, the Participants, which, as self-regulatory \norganizations, have the regulatory obligation to develop and \nimplement the CAT, have voting membership on the Operating \nCommittee. The independent members of the Advisory Committee \nhave a vehicle to provide their views to the Operating \nCommittee in a structured manner. The Participants believe that \nthis establishes the appropriate balance in the governance and \noversight of the CAT.\n\nQ.15. As we look forward, assuming CAT is implemented in the \nnext 3 years, what are the upgrades that will need to take \nplace to ensure CAT does not fall behind the industry best \npractices?\n\nA.15. As required by Rule 613 and the CAT NMS Plan, the CAT \nsystem is designed to be flexible, scalable, and \ntechnologically robust and modern. 
Rule 613(a)(1)(v) requires \nthat the CAT be flexible and scalable, including the capacity \n``to efficiently incorporate, in a cost-effective manner, \nimprovements in technology, additional capacity, additional \norder data, information about additional securities or \ntransactions, changes in regulatory requirements, and other \ndevelopments.'' The CAT NMS Plan also requires that the CAT be \nflexible and scalable, and that it ``employ[s] optimal \ntechnology for supporting (1) scalability to increase capacity \nto handle a significant increase in the volume of data \nreported, (2) adaptability to support future technology \ndevelopments and new requirements, and (3) maintenance and \nupgrades to ensure that technology is kept current, supported, \nand operational.'' \\5\\ The CAT system has been designed with \nthese requirements in mind.\n---------------------------------------------------------------------------\n     \\5\\ CAT NMS Plan, supra note 3 at Appendix C-Section 5(a). The CAT \nNMS Plan further requires: ``Participants will provide metrics and \nforecasted growth to facilitate Central Repository capacity planning. \nThe Plan Processor will maintain records of usage statistics to \nidentify trends and processing peaks. The Central Repository's capacity \nlevels will be determined by the Operating Committee and used to \nmonitor resources, including CPU power, memory, storage, and network \ncapacity.'' Id. As a baseline, the CAT must have capacity requirements \n``based on twice (2X) the historical peaks for the most recent 6 years, \nand the Plan Processor must be prepared to handle peaks in volume that \ncould exceed this baseline for short periods.'' Id. at Appendix D, \nSection 1.1. 
Note that Appendix D includes additional information on \nthe technical architecture of the CAT.\n---------------------------------------------------------------------------\n    The Operating Committee has the responsibility to ensure \nthat CAT remains technologically robust and modern. In doing \nso, the Operating Committee works closely with the Advisory \nCommittee, FINRA CAT, the technology staffs of the \nParticipants, industry organizations (such as Securities \nIndustry and Financial Markets Association (SIFMA) and \nFinancial Information Forum (FIF)) and the SEC. To oversee \nthese efforts, the Operating Committee has established a \nTechnology Working Group that works closely with FINRA CAT to \noversee the technological development and operation of the CAT. \nFurthermore, the CAT NMS Plan requires the Plan Processor to \nengage an Independent Auditor to conduct an annual audit of the \nPlan Processor's policies, procedures and control structures. \nThrough these vehicles, the various groups can make \nrecommendations to the Operating Committee to help ensure that \nCAT remains technologically robust and modern.\n    Finally, the CCO's annual written assessment must consider, \namong other things, ``an evaluation of potential technology \nupgrades based on a review of technological advancements over \nthe preceding year, drawing on technological expertise whether \ninternal or external.'' \\6\\ Based on his review, the CCO may \nrecommend potential technology upgrades to the Operating \nCommittee. Thus, in addition to being designed in a manner that \nis intended to be flexible, scalable, and technically robust, \nthe technology used in the CAT is separately assessed at least \nannually.\n---------------------------------------------------------------------------\n     \\6\\ Id. 
at Section 6.6(b)(ii)(B)(1).\n---------------------------------------------------------------------------\n                                ------                                \n\n\n               RESPONSES TO WRITTEN QUESTIONS OF\n           SENATOR CORTEZ MASTO FROM MICHAEL J. SIMON\n\nQ.1. Will the CAT help regulators, such as FINRA, SEC, FBI, and \nthe Department of Justice, catch short selling, spoofing, fake \ntrades, and wire fraud more quickly?\n\nA.1. The CAT system is designed to make data available to the \nSEC and Participants to perform surveillance or analyses, or \nfor other purposes as part of their regulatory or oversight \nresponsibilities. The CAT system will facilitate the ability of \nregulators to surveil for suspicious activity. The data that \nwill be available in the CAT system may assist the SEC and \nParticipants in more quickly identifying manipulative activity, \nincluding manipulative short selling, spoofing, and fake \ntrades, for example. Although the FBI and Department of Justice \nwill not have access to the CAT system or the data within it, \nthe FBI and Department of Justice may benefit from such \ninformation to the extent either body is engaged in a joint \ninvestigation with a regulator with such access, e.g., a joint \ninvestigation with the SEC.\n\nQ.2. Could the CAT system help investigate who is making a \nbillion-dollar profit in trades made right before the Trump \nadministration makes a market-moving announcement?\n\nA.2. As noted in response to Question 1, the CAT system is \ndesigned to make data available to the SEC and Participants to \nperform surveillance or analyses, or for other purposes as part \nof their regulatory or oversight responsibilities. The data \nthat will be available in the CAT system may assist the SEC and \nParticipants in more quickly identifying various forms of \npotentially suspicious trading activity.\n\nQ.3. 
Will the CAT be able to help exchanges and regulators know \nif brokers are being ``unduly influenced by fees and rebates'' \nrather than the best execution outcome for investors?\n\nA.3. Both SEC Rule 613 and the CAT NMS Plan expressly require \nthat the Participants and their employees use CAT Data only for \nsurveillance and regulatory purposes. \\1\\ In particular, \nAppendix D of the CAT NMS Plan states: ``The Plan Processor \nmust provide Participants' regulatory staff and the SEC with \naccess to all CAT Data for regulatory purposes only. \nParticipants' regulatory staff and the SEC will access CAT Data \nto perform functions, including economic analyses, market \nstructure analyses, market surveillance, investigations, and \nexaminations.'' \\2\\ In light of this permitted use of CAT Data, \nthe Participants believe that CAT Data can be used to conduct \neconomic and market structure analyses that may assist \nregulators in studying many issues including, for example, fees \nand rebates.\n---------------------------------------------------------------------------\n     \\1\\ Regulation NMS, 17 CFR §242.613(e)(4)(i)(A) (2019); CAT NMS \nPlan, supra note 3 at Section 6.5(g), Appendix C-Section 4(b), and \nAppendix D-Section 8.1.\n     \\2\\ CAT NMS Plan, supra note 3 at Appendix D-Section 8.1.\n---------------------------------------------------------------------------\n\nQ.4. Will the CAT help exchanges and regulators know if brokers \nare routing the trading interests of mutual funds, pensions, \nand endowments in a way that results in information leakage?\n\nA.4. As designed, the CAT system will include detailed \ninformation with respect to the handling of orders. For \nexample, CAT Reporters will be required to provide information \nwith respect to the routing of orders within an individual \nreporting firm as well as between reporting firms. 
In addition, \nCAT Reporters will be required to record the identification of \ninformation barriers for certain order events, including when \nan order is received or originated, transmitted to a department \nwithin a firm, and when it is modified. Thus, while the ability \nto identify information leakage will vary based on the facts \nand circumstances in any instance, CAT will provide regulators \nwith the complete life cycle of an order, which will help in \nexaminations or investigations related to the appropriate \nhandling of orders.\n\nQ.5. Will the CAT help exchanges and regulators identify \nsophisticated market participants who use multiple brokers and \nmarket centers to engage in disruptive trading?\n\nA.5. As discussed in the response to Question 3 above, the \nParticipants must use CAT Data only for regulatory purposes, \nincluding economic analyses, market structure analyses, market \nsurveillance, investigations, and examinations. In practice, \nthe CAT will allow Participants and the SEC to investigate, \namong other things, potentially suspicious trading activity \nthat may be dispersed across broker-dealers and market centers.\n\nQ.6. We have had a lot of discussion about how difficult it is \nto identify the beneficial owners of firms. This secrecy can \nlead to criminal activities. For example, Mr. Navinder Singh \nSarao (the individual who initiated the 2010 flash crash) was \nnot registered as a broker in the U.S. He used four firms to \nplace his trades.\n    Would CAT be able to find him or just his brokers?\n\nA.6. While the CAT system is designed to have information on \nU.S. broker-dealers and their customers, it will not have \ninformation on foreign customers in all instances. For example, \na U.S. broker-dealer receiving an order is required to report \nthe receipt of the order and the Firm Designated ID (i.e., \ntrading account information) of the customer. Where a U.S. 
\nbroker-dealer receives an order from a foreign broker-dealer, \nthe U.S. broker-dealer reporting information to the CAT system \nis required to report the foreign broker-dealer involved in the \ntrade rather than the ultimate customer of such foreign broker-\ndealer (whose identity may not be known to the U.S. broker-\ndealer).\n\nQ.7. The system is only as good as the exchanges who report \nconcerns and ownership. How will you ensure that exchanges \nfully comply with reporting?\n\nA.7. Under Rule 613 and the CAT NMS Plan, the national \nsecurities and options exchanges have a regulatory obligation \nto report data to the CAT system and the SEC will be able to \nexamine the exchanges' compliance with Rule 613 and the CAT NMS \nPlan. The SEC also is able to enforce compliance with Rule \n613's and the CAT NMS Plan's reporting obligations. In addition \nto being subject to the SEC's examination and enforcement \nauthority, the Plan Processor must provide the Operating \nCommittee with reporting metrics related to Participant \nperformance. These metrics will assist the Operating Committee \nin identifying and addressing potential Participant reporting \nissues. Note, the SEC also will receive these metrics.\n\nQ.8. What are your views on including futures data and over-\nthe-counter equities in CAT?\n\nA.8. The reporting requirements of the CAT NMS Plan apply to \nall ``Eligible Securities,'' which includes all NMS Securities \nand all OTC Equity Securities. \\3\\ The CAT NMS Plan currently \ndoes not apply to futures or other products that are not NMS \nSecurities or OTC Equity Securities. \\4\\\n---------------------------------------------------------------------------\n     \\3\\ See id. at Section 1.1.\n     \\4\\ On May 15, 2017, the Participants filed with the Commission a \nreport discussing the potential expansion of the CAT to include primary \nmarket transactions in securities that are not NMS Securities or OTC \nEquity Securities, and debt securities. 
See Discussion of the Potential \nExpansion of the Consolidated Audit Trail pursuant to Section 6.11 of \nthe CAT NMS Plan (May 15, 2017), available at https://catnmsplan.com/\nwp-content/uploads/2017/06/Expansion-Report-Final-5.15.17.pdf. At the \ntime, the Participants declined to expand the scope of the CAT and \nexplained:\n      As a result of their analysis, the Participants believe that it \nwould be premature to expand the CAT to include such transactions at \nthis time. The Participants believe that further consideration of \nwhether to include such transactions should be based on data derived \nfrom Participants' and Industry Members' actual experience with CAT \nreporting, as well as a consideration of the costs required to build \nsystems to enable CAT reporting.\n---------------------------------------------------------------------------\n    The Participants believe that they must gain experience \nwith CAT reporting and CAT Data before determining to \npotentially expand the scope of the CAT. Note that any \nexpansion of the CAT would be subject to public notice and \ncomment, and Commission approval. Separately, each year the \nChief Compliance Officer of CAT LLC (CCO) is required to \ncomplete a written assessment of the Plan Processor's \nperformance, which typically includes, among other things, a \nconsideration of whether the CCO believes that the CAT should \nbe expanded to include additional data elements or products. \n\\5\\\n---------------------------------------------------------------------------\n     \\5\\ See CAT NMS Plan, supra note 3 at Section 6.6(b).\n---------------------------------------------------------------------------\n\nQ.9. What are your views on including initial public offering \ndata, clearing data, and other data into the CAT database?\n\nA.9. 
As discussed in the response to Question 8 (including \nfootnote 4), the Participants believe that they must gain \nexperience with CAT reporting and CAT Data before determining \nto potentially expand the scope of the CAT. Note that any \nexpansion of the CAT would be subject to public notice and \ncomment, and Commission approval.\n\nQ.10. How are the CAT Advisory Committee and Operating \nCommittee ensuring that CAT will remain technologically robust \nand modern?\n\nA.10. As required by Rule 613 and the CAT NMS Plan, the CAT \nsystem is designed to be flexible, scalable, and \ntechnologically robust and modern. Rule 613(a)(1)(v) requires \nthat the CAT be flexible and scalable, including the capacity \n``to efficiently incorporate, in a cost-effective manner, \nimprovements in technology, additional capacity, additional \norder data, information about additional securities or \ntransactions, changes in regulatory requirements, and other \ndevelopments.'' The CAT NMS Plan also requires that the CAT be \nflexible and scalable, and that it ``employ[s] optimal \ntechnology for supporting (1) scalability to increase capacity \nto handle a significant increase in the volume of data \nreported, (2) adaptability to support future technology \ndevelopments and new requirements and (3) maintenance and \nupgrades to ensure that technology is kept current, supported \nand operational.'' \\6\\ The CAT system has been designed with \nthese requirements in mind.\n---------------------------------------------------------------------------\n     \\6\\ Id. at Appendix C-Section 5(a). The CAT NMS Plan further \nrequires: ``Participants will provide metrics and forecasted growth to \nfacilitate Central Repository capacity planning. The Plan Processor \nwill maintain records of usage statistics to identify trends and \nprocessing peaks. 
The Central Repository's capacity levels will be \ndetermined by the Operating Committee and used to monitor resources, \nincluding CPU power, memory, storage, and network capacity.'' Id. As a \nbaseline, the CAT must have capacity requirements ``based on twice (2X) \nthe historical peaks for the most recent 6 years, and the Plan \nProcessor must be prepared to handle peaks in volume that could exceed \nthis baseline for short periods.'' Id. at Appendix D, Section 1.1. Note \nthat Appendix D includes additional information on the technical \narchitecture of the CAT.\n---------------------------------------------------------------------------\n    The Operating Committee has the responsibility to ensure \nthat CAT remains technologically robust and modern. In doing \nso, the Operating Committee works closely with the Advisory \nCommittee, FINRA CAT, the technology staffs of the \nParticipants, industry organizations (such as Securities \nIndustry and Financial Markets Association (SIFMA) and \nFinancial Information Forum (FIF)) and the SEC. To oversee \nthese efforts, the Operating Committee has established a \nTechnology Working Group that works closely with FINRA CAT to \noversee the technological development and operation of the CAT. \nFurthermore, the CAT NMS Plan requires the Plan Processor to \nengage an Independent Auditor to conduct an annual audit of the \nPlan Processor's policies, procedures and control structures. 
\nThrough these vehicles, the various groups can make \nrecommendations to the Operating Committee to help ensure that \nCAT remains technologically robust and modern.\n    Finally, the CCO's annual written assessment, discussed in \nthe response to Question 8, must consider, among other things, \n``an evaluation of potential technology upgrades based on a \nreview of technological advancements over the preceding year, \ndrawing on technological expertise whether internal or \nexternal.'' \\7\\ Based on his review, the CCO may recommend \npotential technology upgrades to the Operating Committee. Thus, \nin addition to being designed in a manner that is intended to \nbe flexible, scalable, and technically robust, the technology \nused in the CAT is separately assessed at least annually.\n---------------------------------------------------------------------------\n     \\7\\ Id. at Section 6.6(b)(ii)(B)(1).\n---------------------------------------------------------------------------\n\nQ.11. Assuming CAT is implemented in the next 3 years, what are \nthe upgrades that will need to take place to ensure CAT does \nnot fall behind the industry best practices?\n\nA.11. Please see the response to Question 10 above, which \ndiscusses measures designed to ensure that the CAT remains \nflexible, scalable, and technically robust and modern going \nforward.\n                                ------                                \n\n\n        RESPONSES TO WRITTEN QUESTIONS OF SENATOR SINEMA\n                     FROM MICHAEL J. SIMON\n\nQ.1. Upon full implementation, the Consolidated Audit Trail \n(CAT) system will be an unprecedented database, collecting 58 \nbillion records and maintaining data on over 100 million \ninstitutional and retail accounts on a daily basis. The CAT, \nand all the unique customer data it holds, will also be \naccessible to thousands of users. 
Therefore, while the CAT has \nthe potential to offer important oversight, it will also be a \nprime target for cyberhacks. Under current CAT requirements, \nwhat kind of personal information would be accessible to system \nusers? Is this information already being collected by other \naudit trail systems?\n\nA.1. Under Rule 613, and in addition to certain transaction \ndata, Participants and broker-dealers must record and \nelectronically report Customer Identifying Information and \nCustomer Account Information to the CAT system. \\1\\ Currently, \nthe Commission-approved CAT NMS Plan defines Customer \nIdentifying Information as ``information of sufficient detail \nto identify a Customer, including, but not limited to, (a) with \nrespect to individuals: name, address, date of birth, \nindividual tax payer identification number (ITIN)/social \nsecurity number (SSN), individual's role in the account (e.g., \nprimary holder, joint holder, guardian, trustee, person with \nthe power of attorney).'' \\2\\ Rule 613(j)(4) and the CAT NMS \nPlan generally define Customer Account Information as ``account \nnumber, account type, customer type, date account opened, and \nlarge trader identifier (if applicable).'' \\3\\ Pursuant to the \nCAT NMS Plan, Customer Identifying Information and Customer \nAccount Information are segregated from other general \ntransaction data. \\4\\ Additionally, the SEC and the \nParticipants cannot bulk extract such information and \nregulatory users must have special entitlements to access such \ndata. 
\\5\\ As mentioned during testimony, the Participants have \nrequested exemptive relief from the Commission from relevant \naspects of the CAT NMS Plan to eliminate the requirement that \nCAT LLC collect and retain SSNs, dates of birth, and account \nnumbers.\n---------------------------------------------------------------------------\n     \\1\\ Regulation NMS, 17 CFR §242.613(c)(7)(i)(A) (2019).\n     \\2\\ CAT NMS Plan, supra note 3 at Section 1.1.\n     \\3\\ Regulation NMS, 17 CFR §242.613(j)(5) (2019); CAT NMS Plan, \nsupra note 3 at Section 1.1.\n     \\4\\ CAT NMS Plan, supra note 3 at Appendix D-Section 4.1.6.\n     \\5\\ Id.\n---------------------------------------------------------------------------\n    Currently, broker-dealers are required to provide this type \nof information, except for date of birth, to the SEC or a \nParticipant in response to an electronic blue sheet (EBS) \nrequest from the requesting regulator.\n\nQ.2. The Securities and Exchange Commission has been advised \nthat the CAT system should not collect Social Security numbers, \naccount numbers, and full dates of birth. Can regulators \nproperly conduct market analysis, investigations, and \nenforcement if these pieces of information are not collected by \nthe CAT?\n\nA.2. Yes. The Participants believe that the proposed \nalternative to collecting SSNs, account numbers, and full dates \nof birth will enhance the security of the CAT system while \npreserving the regulatory benefits of the CAT. Under the \nproposed alternative, regulators would continue to have the \ncapability to create a reliable and accurate CAT Customer ID \n(CCID) that is unique for each customer, and to use the unique \nCCID to track orders from any customer throughout the order's \nlife cycle, regardless of what brokerage account was used to \nenter the order. 
This approach would eliminate the risk of \nhaving a comprehensive aggregated source for all individual \ncustomer SSNs without having an adverse impact on the effective \nuse of the CAT by regulators, including the ability of \nregulators to identify customers and their related trading \nactivity.\n              Additional Material Supplied for the Record\n[GRAPHICS NOT AVAILABLE IN TIFF FORMAT]\n</pre></body></html>\n"