[Senate Hearing 116-113]
[From the U.S. Government Publishing Office]


                                                   S. Hrg. 116-113


        OVERSIGHT OF THE STATUS OF THE CONSOLIDATED AUDIT TRAIL

=======================================================================

                                HEARING

                               BEFORE THE

                              COMMITTEE ON
                   BANKING, HOUSING, AND URBAN AFFAIRS
                          UNITED STATES SENATE

                     ONE HUNDRED SIXTEENTH CONGRESS

                             FIRST SESSION

                                   ON

EXAMINING THE EFFORTS TO IMPLEMENT THE CONSOLIDATED AUDIT TRAIL AND TO 
REVIEW ELEMENTS OF THE CAT NATIONAL MARKET SYSTEM PLAN NECESSARY TO THE 
                       MARKET REGULATORY FUNCTION

                               __________

                            OCTOBER 22, 2019

                               __________

  Printed for the use of the Committee on Banking, Housing, and Urban 
                                Affairs


                Available at: https://www.govinfo.gov/
                


                               __________
                               

                    U.S. GOVERNMENT PUBLISHING OFFICE                    
39-415 PDF                  WASHINGTON : 2020                     
          
--------------------------------------------------------------------------------------


            COMMITTEE ON BANKING, HOUSING, AND URBAN AFFAIRS

                      MIKE CRAPO, Idaho, Chairman

RICHARD C. SHELBY, Alabama           SHERROD BROWN, Ohio
PATRICK J. TOOMEY, Pennsylvania      JACK REED, Rhode Island
TIM SCOTT, South Carolina            ROBERT MENENDEZ, New Jersey
BEN SASSE, Nebraska                  JON TESTER, Montana
TOM COTTON, Arkansas                 MARK R. WARNER, Virginia
MIKE ROUNDS, South Dakota            ELIZABETH WARREN, Massachusetts
DAVID PERDUE, Georgia                BRIAN SCHATZ, Hawaii
THOM TILLIS, North Carolina          CHRIS VAN HOLLEN, Maryland
JOHN KENNEDY, Louisiana              CATHERINE CORTEZ MASTO, Nevada
MARTHA MCSALLY, Arizona              DOUG JONES, Alabama
JERRY MORAN, Kansas                  TINA SMITH, Minnesota
KEVIN CRAMER, North Dakota           KYRSTEN SINEMA, Arizona

                     Gregg Richard, Staff Director

                Laura Swanson, Democratic Staff Director

                  Jen Deci, Professional Staff Member

                 Elisha Tuku, Democratic Chief Counsel

                      Cameron Ricker, Chief Clerk

                      Shelvin Simmons, IT Director

                    Charles J. Moffat, Hearing Clerk

                          Jim Crowell, Editor

                                  (ii)


                            C O N T E N T S

                              ----------                              

                       TUESDAY, OCTOBER 22, 2019

                                                                   Page

Opening statement of Chairman Crapo..............................     1
    Prepared statement...........................................    24

Opening statements, comments, or prepared statements of:
    Senator Brown................................................     2
        Prepared statement.......................................    24

                               WITNESSES

Shelly Bohlin, President and COO, FINRA CAT LLC, Financial 
  Industry Regulatory Authority..................................     4
    Prepared statement...........................................    25
    Responses to written questions of:
        Senator Brown............................................    39
        Senator Sasse............................................    40
        Senator Kennedy..........................................    40
        Senator Warner...........................................    46
        Senator Warren...........................................    48
        Senator Cortez Masto.....................................    53
        Senator Sinema...........................................    56
Judy McDonald, Chair, CAT NMS Plan Advisory Committee............     5
    Prepared statement...........................................    29
    Responses to written questions of:
        Senator Sasse............................................    57
        Senator Kennedy..........................................    57
        Senator Warner...........................................    58
        Senator Cortez Masto.....................................    61
        Senator Sinema...........................................    63
Michael J. Simon, Chairman, CAT NMS Plan Operating Committee.....     7
    Prepared statement...........................................    30
    Responses to written questions of:
        Chairman Crapo...........................................    64
        Senator Brown............................................    66
        Senator Sasse............................................    68
        Senator Warner...........................................    68
        Senator Cortez Masto.....................................    74
        Senator Sinema...........................................    78

              Additional Material Supplied for the Record

Letter submitted by Better Markets...............................    80

                                 (iii)

 
        OVERSIGHT OF THE STATUS OF THE CONSOLIDATED AUDIT TRAIL

                              ----------                              


                       TUESDAY, OCTOBER 22, 2019

                                       U.S. Senate,
          Committee on Banking, Housing, and Urban Affairs,
                                                    Washington, DC.
    The Committee met at 10 a.m., in room SD-538, Dirksen 
Senate Office Building, Hon. Mike Crapo, Chairman of the 
Committee, presiding.

            OPENING STATEMENT OF CHAIRMAN MIKE CRAPO

    Chairman Crapo. Good morning. The Committee will come to 
order.
    Today's hearing will focus on oversight of the status of 
the Consolidated Audit Trail, commonly referred to as the 
``CAT''.
    In 2010, in response to the flash crash and a number of 
other market disruption events, the SEC proposed the creation 
of a real-time tracking system to track securities orders 
across all markets throughout the life cycle of the order--from 
origination, to routing, to cancellation, modification, or 
execution.
    At the time, the SEC estimated the creation of the CAT 
would cost $4 billion to launch and have an ongoing maintenance 
cost of $2.1 billion.
    In 2012, I wrote a letter requesting that the SEC consider 
alternatives to establishing the CAT database, such as housing 
it on FINRA's existing Order Audit Trail System, or OATS.
    It has been 9 years since the SEC's initial proposal for 
the CAT, and after multiple challenges and delays, it would 
appear that we have arrived at a version of CAT that realizes 
real-time, less accurate data is not necessary to the market 
function and that slightly delayed, more accurate information 
significantly reduces costs while still preserving the 
functional improvements that CAT is intended to provide. 
Further, the CAT now better leverages existing resources by 
recently selecting a subsidiary of FINRA to be the plan 
processor.
    I continue to have concerns about the costs associated with 
the build, the volume of the information collected and what 
information will be collected, who has access to the 
information collected, and how that information will be 
secured.
    Last year, Ranking Member Brown and I wrote a letter to SEC 
Chairman Clayton that emphasized our bipartisan belief that 
protecting individuals' personally identifiable information, or 
PII, is paramount to the American people.
    We have continued to seek a better understanding of what 
type of PII is being collected, how that information is being 
used, who can access it, and how that data will be secured and 
protected.
    Chairman Clayton's September 9th statement echoed this 
sentiment regarding the importance of protecting information 
collected and stored in the CAT, particularly Social Security 
numbers, account numbers, and dates of birth.
    Chairman Clayton stated that he believes ``the regulatory 
objectives of the CAT can still be achieved without these most 
sensitive pieces of investor information.''
    Last week, the SROs officially requested a modification to 
the CAT NMS Plan to exclude the collection of dates of birth, 
Social Security numbers, individual taxpayer identification 
numbers, and account numbers.
    This request is long overdue, and I encourage the SEC to 
grant this amendment which, I agree with the SROs, will reduce 
the risk profile of the data collected and stored in the CAT 
while still preserving the CAT's intended regulatory use.
    In his September 9th statement, Chairman Clayton went on to 
say that even if the SROs reduce the scope of the PII 
collected, the nature of the data to be included in the CAT 
``necessitates robust security protections.''
    I could not agree more, and I look forward to hearing from 
our witnesses on how they plan to address these important 
issues from each of their unique roles in the creation of the 
CAT.
    I look forward to receiving an update from each of our 
witnesses on outstanding issues and challenges that remain to 
achieving an operational CAT.
    Again I want to thank our witnesses for coming here and 
taking your time and bringing us your expertise today.
    Senator Brown.

           OPENING STATEMENT OF SENATOR SHERROD BROWN

    Senator Brown. Thank you, Mr. Chairman, and thanks to the 
witnesses. Ms. Bohlin, Ms. McDonald, and Mr. Simon, thank you 
for joining us.
    We are just shy of 200 days from the 10th anniversary of 
the 2010 flash crash. Although there has not been a market 
disruption of that magnitude since, our markets have become 
faster, more sophisticated, and more fragmented. In that time, 
industry has spent billions on upgrading technology and 
developing faster and smarter trading systems.
    Yet the SEC, whom we all rely on to maintain fair, orderly, 
and efficient markets, still lacks a comprehensive system that 
would allow it to effectively oversee the securities markets to 
protect Americans' college savings and retirement funds.
    In an industry where cutting-edge technology is the name of 
the game and trading firms erect competing microwave towers so 
that computers in Chicago can communicate with computers on 
Wall Street in milliseconds, the SEC still cobbles together 
data from multiple sources in an attempt to have a complete 
understanding of our markets.
    This is why the SEC called on FINRA and the firms that run 
our Nation's stock and options exchanges to build the 
Consolidated Audit Trail, one system with a beginning-to-end 
view of how trading happens, so we can prevent insider trading, 
market manipulation, and other misconduct that cheats the 
system.
    When the effort began in 2012, it was a huge undertaking. 
But 7 years later we are only at the first stage of data 
reporting; many details need to be finalized. Under the current 
timeline, the system will not be fully operational until 2022.
    Some take issue with the SEC, or any Government agency, 
having this much data and call the system a ``target for 
hackers.''
    I refuse to accept that we cannot both protect people's 
personal information and go after criminals who take advantage 
of the markets.
    I know there are dozens of tech experts, data scientists, 
and market veterans working on this. Just last week, the CAT 
Operating Committee submitted to the SEC its proposal to 
exclude Social Security numbers and other personal information 
from the reported data.
    This is just one of many creative solutions that balance 
the need for oversight with protecting sensitive information.
    I trust that the very capable minds at the exchanges, 
FINRA, and the SEC can work out access to data concerns, 
tracking the use of the audit trail, and how to keep 
information secure to allow this long overdue oversight tool to 
be completed.
    The bottom line is if you are smart enough to have 
information or strategies you think someone wants to steal, 
then you are smart enough to help come up with ways to protect 
them.
    We cannot afford to wait.
    Just last week, the SEC filed charges against 18 people, 
most of them in China, who engaged in a 6-year market 
manipulation scheme using dozens of accounts, across many 
brokerage firms, that resulted in $31 million, at least, of 
illicit profits.
    While we will never know if the new system would have made 
it easier to uncover those crimes, it is that kind of activity 
the SEC should have the technology to uncover and detect.
    We know the question is not if but when there will be 
another crash or major disruption. Everyone--Congress, Main 
Street, industry--will look to those represented by our 
panelists today and the SEC to understand what happened, how it 
will be fixed, and who was responsible. Not having an answer or 
waiting 5 months for one will then be unacceptable.
    If another flash crash occurs or the delays or 
disagreements over what should be solvable questions continue, 
you can expect to be back before this Committee. We are 
expecting you all to cooperate and work diligently to finish 
the CAT project.
    There are not many things that SEC Chair Clayton and I 
agree on, but finishing the Consolidated Audit Trail without 
further delay is one of them.
    Every day we wait creates more risks for our markets and 
more opportunities for criminals to cheat our regulatory 
system.
    Thanks for joining us.
    Chairman Crapo. Thank you, Senator Brown.
    Today's witnesses are Ms. Shelly Bohlin, president and 
chief operating officer of FINRA CAT; Ms. Judy McDonald, Chair 
of the CAT NMS Plan Advisory Committee and associate director 
of Susquehanna International Group; and Mr. Michael Simon, 
Chair of the CAT NMS Plan Operating Committee and independent 
senior adviser of Deloitte & Touche.
    We welcome all of you with us, and I will ask you to give 
your statements in the order I introduced you. Ms. Bohlin, you 
may proceed.

 STATEMENT OF SHELLY BOHLIN, PRESIDENT AND COO, FINRA CAT LLC, 
            FINANCIAL INDUSTRY REGULATORY AUTHORITY

    Ms. Bohlin. Great. Thank you. Chairman Crapo, Ranking 
Member Brown, and Members of the Committee, on behalf of FINRA 
CAT, LLC, a subsidiary of FINRA, I would like to thank you for 
the opportunity to testify today. I serve as the president and 
chief operating officer of FINRA CAT, which was created to 
focus solely on performing the functions of the plan processor 
to build and operate CAT. FINRA CAT welcomes the Committee's 
invitation to discuss specific details of our work as the plan 
processor of the Consolidated Audit Trail, or CAT, since we 
stepped into this role 6 months ago.
    The CAT is designed to be a centralized source of 
information on activity in the equities and listed options 
markets. The SEC adopted Rule 613 in the wake of the 2010 flash 
crash to create a comprehensive consolidated audit trail that 
allows the SEC, FINRA, and the national securities exchanges to 
efficiently and accurately track all activity in these 
securities throughout the U.S. markets in order to facilitate 
comprehensive market reconstructions, more robust market 
surveillance, and better analytics to support policymaking.
    Given the size and complexity of the financial markets, the 
CAT must collect, process, and store a vast amount of data to 
achieve this goal. This is a highly complex project that 
requires deep technological expertise, sophisticated and 
proactively evolving security, close regulatory coordination 
with the SEC and the consortium of self-regulatory 
organizations, or SROs, responsible for managing the CAT and 
full-time engagement with broker-dealers that ultimately must 
report data to the CAT.
    FINRA CAT appreciates that there is interest in the CAT 
from multiple perspectives, including how this system will 
support use by market regulators and how the sensitive data 
included in the CAT will be secured. FINRA CAT is fully 
committed to serving these interests. FINRA CAT leadership and 
staff have significant experience in developing audit trail 
technology and utilizing it for regulatory purposes. In 
addition, FINRA CAT has access to the full resources of FINRA 
and its long, successful work in this area and the expertise of 
the relevant exchanges. With this support, our work to build 
the CAT is on schedule.
    Since becoming the plan processor in April, FINRA CAT has 
worked closely with the SRO consortium and SEC staff to 
expeditiously put in place a solution for the first scheduled 
phase of the CAT--specifically, the collection and processing 
of order and trade data from the equities and options exchanges 
and FINRA. FINRA CAT has used scalable technology to process, 
on average, over 100 billion market records a day during this 
period with no material operational issues or delays. We also 
have been dedicating substantial resources to preparing for the 
next phase, industry member reporting, which is scheduled to be 
phased in from April 2020 to July 2022.
    After a number of interim phases that will require the 
reporting of increasingly complex order and trade information, 
the final phase of industry member reporting calls for certain 
customer and account information reporting to begin in July 
2022.
    To achieve our goals, FINRA CAT is involved in full-time 
industry engagement through a variety of channels to ensure 
that the industry has a voice in development of the CAT 
particularly as it relates to industry member reporting 
requirements. Technical reporting specifications and extensive 
reporting guidance have been published to assist broker-dealers 
in meeting their CAT reporting obligations.
    In addition, each week FINRA CAT participates in a call 
with SEC staff and the SRO consortium leadership team to 
provide an update on project development and progress.
    Finally, I can assure the Committee that the security of 
customer account information and of all CAT data more broadly 
is of the utmost priority to FINRA CAT, and that a strong data 
security program has been put in place to meet the CAT NMS 
Plan's stringent security requirements.
    FINRA CAT is directly subject to SEC Regulation SCI. In 
terms of FINRA CAT's overall information security program, we 
are led by a CISO with over 20 years of experience working on 
information security at FINRA, including as a security 
architect and a security engineer.
    FINRA CAT's security program aligns with the strictest 
Government requirements of the National Institute of Standards 
and Technology, including stringent third-party reviews of 
critical security controls. The FINRA CAT security program also 
includes significant layers of architectural-level and program-
level security controls. We are constantly evaluating evolving 
threats and security control opportunities to ensure that the 
CAT security posture remains strong.
    In conclusion, thank you again for the opportunity to 
appear today. The CAT is a major regulatory undertaking meant 
to help the SEC, FINRA, and the exchanges better regulate our 
securities markets. I am happy to answer any questions that you 
may have.
    Chairman Crapo. Thank you.
    Ms. McDonald.

   STATEMENT OF JUDY MCDONALD, CHAIR, CAT NMS PLAN ADVISORY 
                           COMMITTEE

    Ms. McDonald. My name is Judy McDonald. I am the head of 
Regulatory Technology at Susquehanna International Group, a 
global quantitative trading firm headquartered in Bala Cynwyd, 
Pennsylvania. In my role at SIG, I have been evaluating the CAT 
NMS Plan since its inception, and since February 2017, I have 
served along with 13 other industry participants on the 
Advisory Committee. Since March of 2019 I have served as the 
Chair.
    Today I can confidently state that the effort to deliver 
CAT is moving forward in a very positive manner. Since February 
2019, when FINRA CAT was selected as the new plan processor, 
the SROs, FINRA CAT, and industry members have been in a 
virtuous cycle of iterative deliverables and collaboration on 
the Plan. FINRA CAT brings subject matter expertise, depth of 
resources, and leadership to the effort.
    The Advisory Committee is satisfied that the intermediate 
milestones of the past year have been met and that significant 
progress has been made toward the processing of SRO reporting 
and the completion of industry member technical specifications.
    However, there are a few areas of concern as the 
implementation of CAT progresses.
    First, data security. This is undoubtedly the most 
significant concern as the CAT will gather and store an 
unprecedented amount of information that previously has not 
been centrally located nor specifically identifiable. The 
concerns can be broken down into three categories: trading 
records for institutions, personally identifiable information 
for retail customers, and the security policies of regulators.
    Trading Records. There is significant concern about the 
security of the CAT data repository and the misuse of trading 
records by those with ``authorized'' access. Trading records 
will be less secure than PII and accessible by a broader set of 
individuals. This highly proprietary information results from 
significant investments, and broker-dealers are very concerned 
that trading strategies could be reverse-engineered by 
competitors, academics, or rogue actors. Further, SROs compete 
with each other and BDs; this is beneficial to investors and 
could be compromised with the misuse of data.
    PII Data. We are encouraged by the progress to avoid the 
collection of Social Security numbers and other sensitive PII 
data. With this progress we believe some focus should be 
shifted to address the retirement of the legacy Electronic Blue 
Sheet system.
    Security Policies. The Advisory Committee has little 
insight into the security programs at regulators and whether 
security policies and procedures have changed commensurate with 
the increased value of the CAT data and the increased threat of 
compromise. We cannot emphasize enough the harm that could come 
from an external bad actor gaining access to trade information 
once data is bulk downloaded from the central CAT repository.
    In summary, I appreciate the critical nature of securing 
CAT data. Two of the best ways to achieve data security are to 
limit the number of people with access and to control the use 
of data as tightly as possible. The Advisory Committee urges 
reconsideration of allowing the 23 exchanges and the SEC to 
bulk download CAT data.
    Second, verbal and manual quotes. There is a significant 
open issue with respect to the capture and reporting of verbal 
and manual quotes. Human interaction with highly electronic 
markets is a deeply challenging issue that affects a small but 
very important part of the market and, if disrupted, could 
dramatically reduce market liquidity particularly during 
moments of extraordinary volatility. The Advisory Committee 
recommends a stepwise approach for verbal and manual quotes.
    Third, fees. Another area of concern is the lack of insight 
into fees that may be applied to broker-dealers. The absence of 
a fee schedule creates uncertainty around the effort and 
unnecessarily challenges firms budgeting to comply with CAT.
    Fourth, the SEC proposal for Financial Accountability 
Milestones. The SEC proposal centers around the best practice 
goals of increasing accountability and transparency of the CAT 
project. While we are supportive of these goals, legitimate 
unforeseen circumstances may occur where fixed deadlines work 
against the collective best interest of the CAT implementation. 
There must be some flexibility in place to address these 
unforeseen situations.
    In closing, I look forward to continuing my work on the CAT 
project and will be happy to address any specific questions.
    Chairman Crapo. Thank you.
    Mr. Simon.

  STATEMENT OF MICHAEL J. SIMON, CHAIR, CAT NMS PLAN OPERATING 
                           COMMITTEE

    Mr. Simon. Good morning. My name is Michael Simon, and I am 
Chairman of the CAT Operating Committee. When completely 
implemented, the CAT will receive and process multiple records 
to create the entire life cycle of events from all of our 
securities markets. Only the participants and the SEC will be 
able to query the system and solely for regulatory purposes.
    CAT is a massive undertaking. We currently receive, as 
Shelly mentioned, over 105 billion records per day on average 
and have processed the single-day peak of 182 billion records. 
This does not even begin to reflect the volume of data we will 
receive and store when broker-dealers begin submitting data.
    Much of the interest in CAT has been on the inclusion of 
personally identifiable information as well as on the security 
and cost of the system. Before discussing these issues, I would 
like to update you on our progress. You already heard the 
reasons behind and history of the CAT. I will not repeat that.
    During the plan review process, the participants conducted 
a request for proposal and ultimately selected Thesys as the 
CAT processor. Unfortunately, the relationship with Thesys did 
not proceed as hoped, and earlier this year we selected FINRA 
CAT to serve as the successor plan processor. With FINRA CAT 
now in place, we continue to work diligently with the SEC staff 
and the CAT Advisory Committee to build and operate the CAT 
safely and efficiently.
    The participants began submitting CAT data to the CAT last 
November. FINRA CAT collects all the data from the 
participants, validates and links all equity data, and is now 
on target to validate and link all options data in February. 
FINRA CAT also is on target to commence broker-dealer testing 
next month and reporting in April. FINRA CAT has not 
experienced any production outages or major operational issues.
    As to PII, this has been a topic of interest and concern. 
Rule 613 explicitly requires the CAT to be able to identify 
underlying customers. Indeed, the plan requires the system to 
include an individual's name, address, date of birth, an 
individual taxpayer identification or Social Security number. 
Due to the concerns of including PII in CAT, we have discussed 
with the SEC and the industry how best to preserve the 
regulatory benefits of the CAT while addressing legitimate 
concerns related to the inclusion of sensitive information in 
the system. Based on these discussions, as noted, last week we 
requested that the SEC grant exemptions from relevant aspects 
of the plan to eliminate Social Security numbers, dates of 
birth, and account numbers from the CAT. We believe this will 
reduce the risk profile of data collected and stored in the 
CAT. Instead of collecting and storing Social Security numbers, 
FINRA CAT would generate a unique identifier for a customer, 
the so-called CCID. This would eliminate the inherent risk of 
the CAT holding Social Security numbers.
    Regardless of any exemptive relief, security will always be 
a top priority in the CAT. To that end, we have instituted 
safeguards to protect the system and the data within it. CAT 
LLC has both a chief information security officer and chief 
compliance officer who are fiduciaries of CAT LLC. The CAT CISO 
creates and enforces controls to monitor and address data 
security issues. The CISO also evaluates if the participants 
have information security policies comparable to those of the 
plan processor. The participants in FINRA CAT designed and 
operate the system in accordance with stringent security 
standards that Shelly mentioned. The plan processor and 
independent third parties perform multiple layers of security 
assessments. These assessments test that the security controls 
are operating effectively and that the system is free of 
significant vulnerabilities.
    Regulators can access the system only over dedicated 
private lines. The system is designed without any Internet-
based query function. The system also requires multifactor 
authentication, strongly protecting against unauthorized 
access. Moreover, the system and relevant personnel continually 
monitor access and use of the system.
    Last, cost. CAT requires a significant commitment of 
capital, both human and financial. We estimate the CAT budget 
to be upwards of $75 million a year, not including participant 
or broker-dealer compliance costs. Even though Rule 613 and the 
plan specifically provide for joint funding by the participants 
and broker-dealers, to date the participants have borne all 
costs. In 2017, the participants sought to implement the fee 
structure in the approved plan, but ultimately withdrew the 
filings when it became clear the SEC was going to disapprove 
them. Because it remains both important and reasonable that 
industry members contribute to funding the CAT, we are working 
on an amended fee proposal.
    In closing, we remain committed to meeting our obligation 
to build and operate the CAT system and are making significant 
progress in that regard. We will continue to take all necessary 
precautions to safeguard the CAT system and the data within it.
    Thank you for the opportunity to provide testimony today. I 
am happy to take your questions.
    Chairman Crapo. Thank you very much, Mr. Simon.
    I will start out with--actually, this question is for each 
of you. I would like you to be as brief as you can, however, so 
I can get to some other questions. But one of the issues that I 
am concerned about is given that it appears that the PII 
information we have talked about already in the hearing is 
going to be excluded from collection, can the data that is 
collected be reverse-engineered in a way to identify the actual 
users? And maybe I will start with you, Mr. Simon. You 
mentioned that there is an identifier for each individual 
called the ``CCID.''
    Mr. Simon. CCID.
    Chairman Crapo. OK. What is that?
    Mr. Simon. The CAT customer ID. Shelly can get into some of 
the specifics as to how it is generated, but it is important to 
note that broker-dealers will not be sending Social Security 
numbers to the CAT; the CAT will never receive or store them. 
Rather, we have a multistep system in place that FINRA CAT will 
be building so that the broker-dealers will be doing some 
hashing or changes to the Social Security number coming in and 
that will be the CCID that will be kept in the database. And, 
Shelly, I think----
    Chairman Crapo. Ms. Bohlin, could you address that and then 
also address--to me that seems like it just begs for reverse 
engineering.
    Ms. Bohlin. So I will start out by saying that the CCID--
and as Mike described--is based on a Social Security number 
that never leaves the broker-dealer. But the objective is to be 
able to identify a single customer trading across all broker-
dealers. So that is one of the primary functions that CAT 
brings that the regulators do not have the ability to do today.
    But the CCID is only known by CAT. It is not returned to a 
broker-dealer. No one outside of CAT will ever have access to 
or know the CCID.
    Further, the CCID as it comes into the customer and account 
section of--the customer and account data is segregated from 
the transaction data. The CCID, while it will have associated 
with it customer information in the customer and account 
database, it is not available to the transaction data. Only the 
actual CCID number itself, not knowing who it is, whether it is 
a natural person, an institution, anything else, only that is 
available with the transaction data for regulators to run 
queries against. So it is tightly controlled and not known 
outside of CAT.
    Chairman Crapo. Well, first, let me ask could CAT tell the 
broker-dealers to give them the ID, the information later on? I 
do not mean now. They are not collecting it now. But what if 
they decided they wanted to have it? Could they just create it?
    Ms. Bohlin. So to have the broker-dealer create the CCID I 
think would be difficult because you have to have the same 
identifier across every single broker-dealer. So CAT 
originally, as Rule 613 was originally approved, had the 
broker-dealers submitting a CCID that becomes difficult--it 
gets very detailed very fast. I know we have limited time here. 
I am happy to follow up on any of the details to this. But it 
is designed so that the broker-dealer--each individual broker-
dealer does not have to have some uniform way to come up with 
the same number to give CAT for the same----
    Chairman Crapo. Well, I would like you to perhaps in 
writing following the hearing give me a little better 
explanation of this. Let me just give you a quick example. You 
will recall when the CFPB got rolling really aggressively, it 
decided it wanted to collect credit card transactions on 
virtually everybody for everything. And we got into a fight 
with the CFPB over that, and they finally said, ``Oh, well, we 
are not collecting all of this PII,'' which goes way beyond the 
PII that we are talking about right now. And it turns out, as 
we explored that with them, that they basically just were not 
collecting it, but they could easily, by flipping a switch, 
pick it up.
    Mr. Simon. I think it is important to note that when you 
say will CAT be able to get the underlying information, CAT 
will not be able to get the underlying information. Each of the 
SROs themselves as a self-regulatory organization and as they 
conduct their surveillance, at some point they will need to 
know the underlying customer involved, and the SROs, as part of 
their surveillance function, will have the ability to go back 
to broker-dealers and to try to identify the person who they do 
not know their specific identity from the CAT data, but that 
will be something in the surveillance function of each of the 
SROs and will not be a CAT function.
    Chairman Crapo. All right. Thank you. I would like you, all 
three, if you would, to fill in anything else you can for me 
following this in your written responses to the Committee.
    I only have 30 seconds left, so let me ask whoever would 
like to jump in on this, who has access? There was a comment 
about the fact that both of the exchanges have the ability to 
download this data?
    Mr. Simon. Yeah, I will handle that from the consortium 
side.
    Chairman Crapo. OK.
    Mr. Simon. There are 23 SROs--23 exchanges plus FINRA as 
the SROs, plus the SEC. Each of them have regulatory 
responsibilities under the Federal securities laws. Each of 
them will have the ability to access the database to conduct 
their surveillance. They all conduct surveillance now, and they 
will have access to the CAT database in whatever manner they 
feel appropriate to discharge their regulatory 
responsibilities.
    There will be controls in place, as Shelly mentioned, as to 
proper training and access and regulatory oversight over who 
does have access and how they use it. But its stated purpose, 
both in the rule and in the plan, is to help each of the 
regulators discharge their regulatory obligations.
    Chairman Crapo. All right. Thank you. I am going to 
probably send some questions to you to further elaborate on 
that.
    Senator Brown.
    Senator Brown. Thank you, Chairman.
    Ms. Bohlin, please describe for us the market oversight and 
enforcement benefits of the Consolidated Audit Trail for the 
SEC and FINRA, and how does this improve on current systems?
    Ms. Bohlin. So one of the biggest differences and 
improvements over current systems, it will be all in a central 
database that is reported by 8 a.m. on T+1. It will include 
data including all the equities exchanges and options 
exchanges. So today we have similar constructs in the equity 
markets to what CAT ultimately is, but not the options market. 
So bringing the options data in is a significant difference 
from what we have today; in addition, having the CCID and the 
ability to understand if the same entity is trading or trader 
is trading across multiple broker-dealers. So those are two of 
the biggest improvements and differences from what we have 
today.
    Senator Brown. Mr. Simon, do you want to add to that?
    Mr. Simon. I think that the main benefits are the first 
name in CAT, consolidated. It will be the first time there will 
be a Consolidated Audit Trail of all the information from all 
the securities markets. Currently, as I mentioned before, each 
of the SROs has the obligation to conduct surveillance and 
regulation of their market, and they are doing it from separate 
databases. This will be consolidated. This will be the first 
time that we have end-user information although in a masked way 
through the CCID, which will enhance regulation and let you 
move a lot more quickly in your surveillance obligations. And, 
third, it is the first time we are going to have the life cycle 
of an entire order included in the system so that you can 
follow an order from the time it is entered through execution 
and clearing. So there will be a lot of benefits to the 
regulators in how they use this data.
    Senator Brown. Ms. Bohlin, you were at FINRA 10 years ago 
when the flash crash disrupted our market and undermined 
investor confidence. Comment on the impact that the flash crash 
had on working families' confidence then and still what kind of 
impact it had on their confidence in using the markets to save 
and invest for their futures.
    Ms. Bohlin. So that is definitely an issue that has, you 
know, broad impacts. Being here representing FINRA CAT today, 
that might be FINRA, the parent, and any of the other SROs 
might be able to more elaborate on that a little bit more. But 
having a market, knowing that the market can go down and so 
much value can be lost in such a short period of time, I think 
other steps have been taken in addition to CAT that prevent 
those wild swings, so to speak, like marketwide circuit 
breakers, limit up/limit down, things that have been put in 
place to try to prevent----
    Senator Brown. That is what you are saying from your 
perspective. What are people that are trying to save for their 
future, what impact did that have on their confidence back then 
and what kind of residue of that still remains?
    Ms. Bohlin. Just my personal view on it is that having 
uncertainty about the erratic movements or the fact that stocks 
could lose so much value in such a short period of time 
obviously is a detriment or may discourage people from 
investing. So having the tools in place to try to prevent these 
types of wild swings or have the tools we need to make sure we 
understood what happened is very important.
    Senator Brown. The point of the question was just to 
encourage you to think about--I mean, you seem to do your job 
well. You care about this. You understand the complexities and 
technicalities that probably most of us here do not. But I just 
want you to be thinking what completion of this, 2022 you cited 
earlier, what this means for the confidence of the investor 
public and pretty shaken a decade ago, maybe pretty forgotten 
now, but it cannot be forgotten by you, and that is the 
importance of--that was the reason for the question.
    Ms. Bohlin. Yes, absolutely. That is why I personally 
believe CAT is so important, and I have spent a lot of years 
and I very much believe in it.
    Senator Brown. OK, good. The bottom line is that markets 
work best when investors have confidence, as we know, and the 
Consolidated Audit Trail gives the opportunity to catch bad 
actors so working Americans can be confident they are not 
investing in a rigged market.
    Ms. Bohlin. Exactly.
    Senator Brown. Mr. Chairman, I would like to submit a 
written statement for the record from Better Markets.
    Chairman Crapo. Without objection.
    Senator Brown. Thank you.
    Chairman Crapo. Senator Cotton.
    Senator Cotton. Thank you, Mr. Chairman.
    I will say I detected a note of skepticism in the 
Chairman's questioning. I will say that I will go beyond a 
note. I have been outright skeptical of the Consolidated Audit 
Trail now for a long time. I have to say what I have heard 
today just made me downright opposed to it. I have got real 
reservations about this.
    Mr. Simon, I want to start with you. You said that so you 
have made the decision, as Mr. Clayton suggested in his recent 
letter to us, that you will not include Social Security 
numbers, account numbers, or dates of birth in the Consolidated 
Audit Trail?
    Mr. Simon. We have submitted an exemption request to the 
SEC asking them to grant that exemption so that we will not 
include that in the Consolidated Audit Trail. It is now in the 
hands of the SEC whether or not to grant that exemption. We 
have a fair level of confidence that he will grant the 
exemption since we work closely with the staff of the 
Commission, with Judy, with the Advisory Committee, and with 
the industry generally on a means of dealing with sensitive 
personal information that we think satisfies the needs and 
interests of the Commission and of the industry as well as the 
regulators.
    Senator Cotton. And did I hear you say that 25 different 
organizations are going to have access to this information?
    Mr. Simon. There are 23 exchanges, there is FINRA, and 
there is the SEC. However, there are only eight specific 
organizations because multiple exchanges are owned by one 
holding company.
    Senator Cotton. Any idea of the number of people that will 
have access to this information?
    Mr. Simon. Shelly will be able to answer that because she 
is going through the user authorizations and it will vary. Some 
of the SRO groups will contract out. Some will have their 
surveillance obligations. Some will have a significant number 
of people. But I think it is really FINRA and the SEC that will 
have the most people, and some of the exchange groups will also 
have a significant number of people----
    Senator Cotton. Ms. Bohlin, I am not looking for an exact 
number. I would just like an order of magnitude. Are we talking 
about dozens? Hundreds? Thousands?
    Ms. Bohlin. So the plan has estimates of 3,000 users, and 
under our contract we are having to build to ensure we can 
support access by 3,000 users. That would be across the SEC----
    Senator Cotton. So 3,000 users will have access to every 
trade from every account from every broker for every retail 
investor in America?
    Ms. Bohlin. Yeah.
    Senator Cotton. So you are building the CCID, you said, so 
Social Security numbers do not have to be used, but you said 
that would be based on the Social Security number at the 
broker-dealer. I know you talked about how good the audit trail 
security is going to be. How confident are you that all those 
broker-dealers, many of whom are small businesses, have equally 
good security in their databases?
    Ms. Bohlin. They are all required as registered broker-
dealers to maintain adequate security programs themselves.
    Senator Cotton. And the audit trail will not be able to get 
access to the underlying data. Do we think that, say, China or 
North Korea will be able to get access to that underlying data?
    Ms. Bohlin. We are certainly designing it so that is not 
the case.
    Senator Cotton. But this is my point, and let me be clear. 
You all inherited this. Chairman Clayton inherited this. So I 
do not doubt your good intentions. I think, Ms. Bohlin, you 
said that the security of this information is your highest 
priority. You have ``a strong data security plan.'' I would 
just point out that the Office of Personnel Management and the 
SEC probably thought they had the strongest data security plan 
as well, Government agencies that suffered massive hacks that 
exposed the information of millions of Americans, to say 
nothing of companies like Equifax and Sony and Target and 
Marriott and Yahoo. And I could go on and on and on even 
further.
    There is huge costs to this program. Chairman Crapo 
outlined a bunch of the financial costs, billions of dollars up 
front and then continued in operating expenses, to say nothing 
of the cost of the personally identifiable information. It is 
not clear to me what benefit market participants and Americans 
at large get from having this in place. I know that 
Commissioner Peirce has recently written that the Enforcement 
Division at the SEC does a pretty good job of tracking down 
wrongdoers, and they could probably get almost all of the 
benefit out of the audit trail if they focused on large 
institutional investors as opposed to a single mom who is 
trying to invest money to save for their kid's college. So I 
just do not see where the benefits outweigh the costs. The game 
is worth the candle; the juice is worth the squeeze. I 
appreciate you are doing everything you can to try to protect 
the information of individual users, but you are creating a 
database that is so large and so valuable and so attractive, I 
cannot imagine that at some point in the future this Committee 
is going to be having an oversight hearing on how a breach of 
that database occurred.
    Chairman Crapo. Thank you, Senator Cotton.
    Senator Warner.
    Senator Warner. Well, thank you, Mr. Chairman, and I 
appreciate you holding this hearing. I actually beg to differ 
with my friend, the Senator from Arkansas. There clearly are 
inherent challenges in this, but I would make the case that I 
do not think we still, almost 10 years after the flash crash, 
fully appreciate what led to the flash crash, the ability of a 
series of--and I do not think we are looking so much at the 
individual investor as we are looking at the ability to have 
market manipulation oftentimes by a series of very 
sophisticated investors who may be operating across a whole 
series of exchanges simultaneously. So there are clearly risks, 
Mr. Chairman, in this, but to not have the ability to 
reconstruct in a kind of orderly fashion how these type of 
market manipulations could take place--and, frankly, I think 
the technology has gotten even better in terms of manipulation. 
So I actually applaud Chairman Clayton. I think he has taken on 
this challenge. I think it is kind of crazy that it has taken 
us 9 years to get here, and I think there clearly are market 
forces and market participants who want to do everything 
possible to slow this process down because they do not want 
this Consolidated Audit Trail. They do not want their 
activities demonstrated to the marketplace.
    Now, we are going to obviously continue, Ms. Bohlin, to 
kind of follow your efforts. I actually wish--and I think we 
can get to a good-faith way to resolve some of these issues. I 
wish the SEC was here because I think the SEC--you know, we 
need their voice in this hearing. I would hope at some point, 
Mr. Chairman, you would consider bringing them into this 
discussion in a formal way so we can press them in particular.
    Mr. Simon, one of the first questions I have got for you 
is, recognizing that the SROs are going to have this ability to 
access the database, should we require the SROs some kind of 
formal explanation process of why they are requesting 
information? It would not be an absolute guarantee, but it 
might--one of the things I am concerned about is not only the 
ability to be hacked into, but could the SROs access this 
information for their own financial interests? And can we put 
some kind of at least presumption that they have to give us an 
explanation why they are accessing the database?
    Mr. Simon. Well, it is clear under the rule and the plan 
that the SROs can access this data only for regulatory purposes 
and only for their surveillance purposes. The SROs already have 
regulatory and surveillance programs in place that are subject 
to barriers from the business side of the organization, and 
those will remain in place, and those are subject to review not 
only by the SROs and their internal audit department, but by 
the SEC and their inspections unit, and they are heavily 
regulated. And I think it is fair to say that the SROs operate 
with integrity in the regulatory system. And, as shown by the 
Consolidated Audit Trail that you have--while you might have 
the 24 different SROs, they are effectively competitors with 
each other. They are acting cooperatively for the joint good of 
the industry in developing the Consolidated Audit Trail. But 
Shelly and FINRA CAT are developing specific functions within 
the CAT system to oversee what the regulators are doing and 
what types of queries they are looking at and will have 
intelligence in the system to help ensure that they are being 
used for appropriate purposes. And perhaps you can talk to that 
for a second, Shelly.
    Ms. Bohlin. Sure. So part of the security program is 
logging of all access, logging and review, both automated and 
manually, looking for atypical queries coming from a particular 
regulatory user. Also from an----
    Senator Warner. Should we ask that SRO to kind of give an 
explanation of why they are making this request? I am not sure 
I agree 100 percent, but I would ask you to consider--I have 
only got 38 seconds left. You know, one of the things I have 
seen on kind of the SEC's amended 613 rule that they can start 
to charge fines or expenses if the participants do not meet 
certain of the timelines on a going-forward basis.
    Mr. Simon. Right.
    Senator Warner. I do have a concern that there are going to 
be folks in the market that will drag their feet because they 
do not want the CAT. They are going to throw up a lot of 
concerns, and there are legitimate concerns about PII. But they 
are going to throw up a lot of smoke screens, dragging their 
feet because they do not want this kind of exposure. How do we 
hold them accountable? Do you think the amended 613 rule does 
that?
    Mr. Simon. I think that Rule 613 does it. I think everybody 
is working cooperatively in order to build the CAT in a timely 
and efficient manner. I think, as Judy mentioned, that the 
industry is now on board with the timeline.
    And just to your point before about coming up with reasons 
for doing inquiries, from a regulatory standpoint, you see 
abnormalities in trading, and you do not really know what you 
are looking for, and it is very difficult to say, ``I am 
looking specifically for an insider trading violation'' or 
this. You need to be able to look at the data, to analyze the 
data, to see when there are atypical patterns in there. So I 
think it is very difficult up front to put in a reason why 
you----
    Senator Warner. And I did not get a chance to ask you, Ms. 
McDonald, but maybe you could submit for me some of the--you do 
not have a vote on the Operating Committee. Are there 
structural governance changes we can do to, you know, improve 
this process.
    Senator Warner. I would simply say, Mr. Chairman, you raise 
I think appropriate questions about PII. I think there is a way 
we can sort through this. I think the net benefit for 
protecting the system will be of enormous value for oversight. 
And I frankly think that some of the folks who are part of the 
market manipulators, they have gotten substantially better 
since 2010. So I think we have got a healthy tension here, but 
I look forward to working with you. And I appreciate the 
Ranking Member's comments at the front end in terms of how long 
this has taken, and I completely agree with his earlier 
comments.
    Thank you, Mr. Chairman.
    Chairman Crapo. Thank you.
    Senator Rounds.
    Senator Rounds. Thank you, Mr. Chairman.
    I am just curious. I am going to start with Ms. McDonald, 
but if you want to defer, you may. I understand the concerns 
that have been expressed here by those individuals who are 
doing their best to find a way to limit the amount of insider 
trading and the type of trading activities that would hurt 
consumers who want to trust in a market.
    I also understand the concerns of the loss of privacy, and 
somewhere in the middle of this, we have to be able in an 
oversight capacity to look at trying to resolve both issues.
    Ms. McDonald, I had the impression that your organization 
has tried to do this, but specifically, can you share with us 
the security that you look at and the approaches that you have 
taken to try to make sure that the information which is being 
picked up will be secure? And what do you do to track down and 
to find problems that may already exist within the system? What 
are you doing to rule it out and to make sure that any system 
operating even today has not been compromised?
    Ms. McDonald. So as Shelly stated----
    Senator Rounds. You may want to turn that on.
    Ms. McDonald. So as Shelly stated, I think that broker-
dealers are subject to both review by FINRA as well as adhering 
to best practices with regard to security practices. And so 
many broker-dealers, including SIG, have a very large and 
robust security program that follows along the same lines that 
have been outlined here. So basics of things like account and 
identity management, multifactor authentication, granular role-
based access controls, and----
    Senator Rounds. May I just--look, I appreciate that, but I 
guess what I am looking at, and maybe I am not explaining it 
very well, we require people to follow speed limits, but the 
way that we also enforce it is then to have a patrol officer on 
patrol that is checking to make sure. Who is the patrol officer 
in this particular case to make sure that the security 
requirements are actually being followed up? What is the 
follow-up that you are doing today to assure security as of 
right now? And perhaps Mr. Simon would like to answer that. You 
may defer if you want.
    Ms. McDonald. Broker-dealers are subject to review by FINRA 
specifically around security programs, and so over the years, 
FINRA has conducted increasingly sophisticated security audits 
of their broker-dealer community, and these are conducted by 
security experts who dig deep into both the process and 
procedures and personnel behind these security programs.
    Senator Rounds. Thank you.
    Mr. Simon.
    Mr. Simon. I think what you are getting at is policing the 
security in the CAT system and who is responsible for that. Who 
is overseeing the system and ensuring that whatever controls we 
put in there are operational, that they are robust, and that 
they are working. And that is the obligation of the CAT 
Operating Committee, of the consortium of the SROs.
    As Shelly mentioned and as I mentioned, we have hired a 
CISO, the chief information security officer. He will be the 
person who has the ultimate responsibility to implement and 
oversee the security in the system. The CISO is an employee of 
FINRA CAT, but is an officer at the CAT LLC, so he is going to 
be responsible for implementing the security.
    In addition, the SROs, through the consortium, have what we 
call a ``security working group'' that is comprised of CISOs 
and security experts from all the SROs. The SEC is an active 
participant in that, including the SEC's chief security 
officer. So they all work together, oversee all the policies, 
work with the CISO, come up with the policies, including the 
policing of the system once it is up and running. And any of 
those policies have to come up to the Operating Committee, and 
they come up again and again as they are amended and put in 
place for approval by the Operating Committee. And at the same 
time, we work with Judy and the Advisory Committee and with 
SIFMA and a group of CISOs of the industry to make sure that 
they are comfortable with the security policies. But, 
ultimately, the buck stops with the Operating Committee. They 
have the responsibility, and they are aware of it and are 
working actively to ensure the safety and soundness of the 
system.
    Senator Rounds. What percent of the system is actually 
operational today? How far along in the process is it today?
    Ms. Bohlin. In terms of percentagewise?
    Senator Rounds. Yes.
    Ms. Bohlin. This is just, you know, a total back-of-the-
envelope. I would say maybe 50 percent, because you have the 
exchanges----
    Senator Rounds. Fifty, 5-0?
    Ms. Bohlin. 5-0. We have the exchanges and----
    Senator Rounds. OK. The reason why I ask is right now--how 
many incursions do you know of that are attempted per day 
within this particular segment?
    Ms. Bohlin. For what is operational in FINRA CAT today?
    Senator Rounds. Yes.
    Ms. Bohlin. How many attempted intrusions there are each 
day?
    Senator Rounds. On a daily basis.
    Ms. Bohlin. I would have to go back and get that 
information for you. I do not have that number. I do know we 
monitor that just as FINRA parent monitors it as well, so I 
could get that information for you.
    Senator Rounds. Yeah, I think it would be good to know, 
number one, the number of attempts and also the number that 
have actually successfully stepped into it.
    Ms. Bohlin. So no actual successful attempts since FINRA 
CAT has been operational. And like I noted before, we are 
directly--FINRA CAT itself is an SCI entity directly, subject 
to SEC jurisdiction and Reg. SCI. We have to file any time we 
were to have an intrusion that was successful.
    Senator Rounds. Mr. Chairman, I know I am going over my 
time, but I just want to make this--you are saying that you 
have 50 percent of your system operational today, and that 
while you know that there are incursions attempted, you are not 
aware of a single incursion that has been found within your 
system at this point?
    Ms. Bohlin. That has been successful--and I am not 
personally aware of any intrusions that have been attempted. I 
am assuming that there probably are because it happens all the 
time. But I would want to get that specific information for 
you. I am not aware of any successful intrusions, and we have 
not had any SCI events that we have had to file since we have 
been operational.
    Mr. Simon. If there was an intrusion, we would have known 
on the Operating Committee and would have had to report it 
immediately to the SEC and put our breach procedures in effect. 
And I am fairly certain--we will double-check and confirm with 
you--there have been no successful breaches into the system.
    Senator Rounds. Yes, I apologize for taking the extra time, 
Mr. Chairman, but I think this is really important. Number one, 
if the Secretary of the Navy puts out a report showing that 
within the Department of Defense we get incursions, and we find 
some of them, and we know that they occur. To suggest that you 
have 50 percent of this thing operational right now today and 
you are not aware of any incursions to date----
    Ms. Bohlin. That have been successful.
    Senator Rounds. ----that have actually successfully 
occurred within your system, that is pretty impressive or it--I 
would like to get a confirmation on that before you say that 
that is a fact. OK?
    Ms. Bohlin. Absolutely.
    Senator Rounds. All right. Thank you.
    Mr. Simon. We will.
    Senator Rounds. Thank you.
    Chairman Crapo. Thank you.
    Senator Cortez Masto.
    Senator Cortez Masto. Thank you, and also thank you to the 
Chairman and Ranking Member for this hearing, and I do want to 
align myself with some of the comments that were made by my 
colleague from Virginia, Senator Warner.
    Let me jump on this issue really quickly because I think 
there is this balance. We want to protect PII information, but 
at the same time I think we want to also protect against market 
manipulation. And so maybe getting in the weeds a little bit 
more, Mr. Simon, I am assuming that you have a formal 
cyberincident response plan or at least the committees are 
coming up with that, and maybe you want to address that, 
because that will, I hope, give us the information publicly at 
some point in time--or maybe not--that you are being asked by 
Senator Rounds. So does anybody want to address that with 
respect to a formal plan?
    Mr. Simon. Yes, we do, and I will defer to Shelly from 
FINRA CAT who is developing that as the head of FINRA CAT.
    Ms. Bohlin. Yes, we definitely have a formal cyberincident 
response plan, a very detailed plan. We have worked with the 
SROs closely, and their expertise, the expertise that we have 
from FINRA parent, who has a very mature system in place and 
has very mature cyberincident response plans. We are in the 
business of managing sensitive data. And that includes having, 
you know, available to us experts in cybersecurity breach 
management; that includes containment, forensic analysis of 
what happened, responses, any appropriate notifications. Of 
course, each depends on the facts and circumstances of any 
particular incident of what you may or may not have to disclose 
or do. It is a total facts and circumstances basis.
    Senator Cortez Masto. And as part of your security, you can 
ensure that all CAT data is encrypted at rest and in flight as 
well. Correct?
    Ms. Bohlin. Yes, fully end-to-end encryption at motion and 
at rest, absolutely.
    Senator Cortez Masto. OK. Thank you.
    Can I jump back to also the conversation regarding the May 
6, 2010, flash crash? Let me just ask you this: If the 
Consolidated Audit Trail process were in place in 2010, would 
the exchanges themselves been able to identify the cause of 
that crash? My understanding is it took at least 5 years to 
really figure out the cause of that crash and later determine 
that a U.K. trader was arrested for placing fake trades that 
melted the market. If the CAT process were in place, would the 
information you have been able to uncover identified much 
earlier, sooner, quicker, however you want to say it, and 
figured out what was going on there?
    Mr. Simon. Yeah, I think it certainly would have been much 
easier, and we would have had a better database. And going back 
to what Senator Brown said in the beginning and the confidence 
in the market, the integrity and confidence in the market is 
critical. And one of the biggest issues with the flash crash 
was not just that it happened but how long it took to figure 
out what did happen.
    Senator Cortez Masto. Right.
    Mr. Simon. We will have much better tools that are 
available to identify the underlying customer. But the biggest 
negative and detriment that we have is it is limited to the 
securities and the options market. To the extent that there are 
futures markets and CFTC markets, regulated markets that are 
involved, they are not yet included in the Consolidated Audit 
Trail. It would be great from a customer protection and 
confidence and integrity standpoint to be able to integrate the 
U.S. futures markets into the Consolidated Audit Trail as well 
and potentially at some point the non-U.S. markets since we are 
in a global market, both with respect to products and with 
respect to geography. But it will be a very important first 
step in getting there.
    Senator Cortez Masto. Thank you. And thank you again for 
being here. I appreciate the conversation.
    Chairman Crapo. Thank you.
    Senator Kennedy.
    Senator Kennedy. Mr. Simon, is this going to stop flash 
crashes?
    Mr. Simon. No.
    Senator Kennedy. Is this going to stop manipulation?
    Mr. Simon. No.
    Senator Kennedy. What is this going to do then?
    Mr. Simon. This is going to help the regulators police the 
markets after there is a flash crash and after there is 
manipulation, to bring the wrongdoers----
    Senator Kennedy. How often do we have a flash crash?
    Mr. Simon. I am aware of one.
    Senator Kennedy. OK. We are going to spend $4 billion to 
implement it? Is that the right number?
    Mr. Simon. That is a number that the SEC used early on. I 
do not believe that number is currently correct.
    Senator Kennedy. The SEC says it is going to cost $4 
billion. Do you know how long it would take me to count to $4 
billion?
    Mr. Simon. A long time.
    Senator Kennedy. A hundred-and-28 years. I would not make 
it. None of us would. And it is going to cost another $2.1 
billion to keep it up?
    Mr. Simon. That is not my current estimate as to what the 
cost will be to build or to operate.
    Senator Kennedy. Do you think it can be done cheaper?
    Mr. Simon. Yes.
    Senator Kennedy. How much?
    Mr. Simon. The current operating budget for the CAT LLC, 
for the Operating Committee itself, just for the build and 
operation and the ancillary efforts, is approximately $60 to 
$75 million a year for the foreseeable future.
    Senator Kennedy. OK.
    Mr. Simon. That does not include, to be----
    Senator Kennedy. Well, I have got to move on. My briefing 
here from the SEC says $2.1 billion, you know, $75 million, and 
this is not going to stop flash crashes, and it is not going to 
stop manipulation, but you are going to have all this 
information.
    Ms. Bohlin, what are you going to do with it? Where are you 
going to store it?
    Ms. Bohlin. So the data will be stored in FINRA CAT's cloud 
environment.
    Senator Kennedy. Who runs the cloud? Is that Amazon?
    Ms. Bohlin. AWS, Amazon Web Services.
    Senator Kennedy. OK. So how much will the contract with 
Amazon be? Senator Brown is very interested in this.
    Ms. Bohlin. The specifics of those contracts are 
confidential. I am happy to go back, just I would want to 
consult with counsel.
    Senator Kennedy. Well, you are going to have to tell us to 
appropriate the money, right?
    Ms. Bohlin. So in terms of funding perhaps, I do not think 
it is an appropriation that----
    Mr. Simon. No, the funding is coming--to date, the SROs 
have paid every penny for the CAT out of their own pocket. 
Eventually, we would like the----
    Senator Kennedy. Who are the SROs?
    Mr. Simon. The exchanges, 23 registered national securities 
exchanges----
    Senator Kennedy. And they are not going to pass that cost 
on? I mean, this is not free money, right? Somebody is going to 
pay Amazon.
    Mr. Simon. It is an operating cost that the SROs and with 
the industry, once we get fees in place, we will share the cost 
and it ultimately will be a cost center for the----
    Senator Kennedy. This is my first impression. Look, freedom 
is risk. You cannot regulate away every risk. It is not going 
to stop manipulation. It is not going to stop a flash crash. It 
is going to help you understand better what happened. You 
cannot understand what happened now? You went back and figured 
out what happened in the one and only flash crash we have had, 
haven't you, Ms. Bohlin?
    Ms. Bohlin. Eventually, after quite some time and effort.
    Senator Kennedy. That did not cost $4 billion, did it?
    Ms. Bohlin. Not that I am aware of, no.
    Senator Kennedy. OK. I mean, this sounds like something 
Facebook would ask for, or Google. OK? You say 3,000 people are 
going to have access to this information. Does that include the 
Chinese?
    Ms. Bohlin. No. That is just regulators----
    Senator Kennedy. Does that include the North Koreans?
    Ms. Bohlin. No.
    Senator Kennedy. Or Russia?
    Ms. Bohlin. No.
    Senator Kennedy. OK. So we do not know how many people are 
going to really have access to this.
    Ms. Bohlin. Well, all of the access is through private 
lines. You have to have a private line connection, so the 
interfaces are in no way exposed to the Internet.
    Senator Kennedy. I mean, I am trying--this is the way I am 
approaching it, and I am hurrying because I have to be on the 
floor. This is $4 billion, $2 billion to maintain it. Haven't 
you looked at the cost-benefit analysis? We are running $22 
trillion in the hole and climbing. Since we have been talking, 
we borrow $1 million a minute to operate this place, $1.4 
billion a day. I mean, why do you want to do this? I understand 
it will give you real-time data and you can go in there and 
look faster. But $4 billion, $2 billion to maintain it? We run 
the risk that your data could be compromised. Have you ever 
heard the expression, ``The cure is worse than the disease''? I 
mean, next you are going to want our DNA. I just do not get it. 
And I understand you are taking out the personal information, 
and I am not against the good work that the SEC does. I think 
Jay Clayton, he is a rock-and-roll star. But I just do not get 
it. I just do not get it. And my time has been gotten, so I 
have got to go.
    [Laughter.]
    Chairman Crapo. Thank you, Senator Kennedy.
    Senator Van Hollen.
    Senator Van Hollen. Thank you, Mr. Chairman. Thank you and 
the Ranking Member and the witnesses here, and sorry I am 
running a little later, and I understand some of my questions 
have been covered, so I will get to the point. But I will say 
that, Ms. Bohlin, we are pleased to have FINRA in the State of 
Maryland, so thank you for what you do there on the job.
    I want to pick up on a question that I think Senator Cortez 
Masto covered with respect to a futures contract--I think she 
mentioned the flash crash--and the question about whether the 
CAT system will be able to capture those future contracts, 
whether that is the intention, and if so, what the timeline is. 
And I am happy to take an answer from any of the witnesses 
here.
    Mr. Simon. Yes, I will be happy to answer on behalf of the 
consortium. We are building the CAT system that the SEC has 
mandated, and the SEC obviously has jurisdiction only over the 
equities and the options markets, so they have mandated that we 
build the CAT to cover those products.
    They specifically have asked for comment and are looking at 
the inclusion of futures contracts, which obviously will be 
necessary for a comprehensive surveillance of the financial 
markets generally. That is a possible next step. We do not have 
the timeline for that. That would require obviously cooperation 
between the CFTC and the SEC in the development of such a 
project along with the oversight committees in Congress.
    Senator Van Hollen. Thank you. I mean, you would agree if 
we do not capture futures contracts, that would be a big hole 
in the system?
    Mr. Simon. Yes.
    Senator Van Hollen. So we need one way or another to make 
sure that is included, right?
    Mr. Simon. Yes. Right now we have our hands full through 
2022 and getting the equities and the options markets in there. 
But that is certainly something that we would have to address 
thereafter.
    Senator Van Hollen. And with respect to the concerns some 
of my colleagues have raised about data security, because I 
understand this will contain the second largest amount of data 
of any system in the world, certainly in the United States, 
what measures are being taken now at the front end to make sure 
that we address the ever-changing and increasing threat of 
cyberattacks?
    Mr. Simon. Let me address that from one angle and then have 
Shelly address it from another. I think the first thing we can 
do from an Operating Committee and consortium of the SROs is 
try to make the database less attractive to hackers, and that 
is why we have put in the exemption not to include Social 
Security or tax identification numbers in there, not include 
date of birth, and other types of similar personally 
identifiable information. So if that information is not there, 
we think it is a much less attractive target for a hacker. But 
notwithstanding the lack of PII in the system, we understand 
that there still will be a lot of data in there that may be 
attractive, so, therefore, we have worked with the CISO at 
FINRA CAT, with the industry, with the SEC to make sure that we 
have absolute state-of-the-art security measures in place. And, 
Shelly, you can quickly summarize those.
    Ms. Bohlin. Sure, absolutely. The way that we approach it, 
first of all, I will say that data security, cybersecurity is 
FINRA CAT's top priority. That is very much our focus. And at a 
very high level, we approach it with three very fundamental 
components: people, process, technology, you have to have the 
right people with the right experience, number one, very 
critical. So our CISO, over 20 years of experience. We have all 
of the exchanges' expertise, their CISOs, the industry's 
expertise, and FINRA parent's expertise. So we cannot stress 
enough technology is incredibly important, end-to-end 
encryption, private lines, the regulator can only access via a 
private line, MFA--multifactor authentication, the encryption. 
So it is really a multifaceted system that is part of everyday 
culture.
    Senator Van Hollen. Thank you. The last question I have got 
relates to concerns that some people have expressed about 
potential conflict of interest because this is--the SEC, of 
course, has a mandate to protect the public. This is an entity 
made up of, you know, members who are participating in the 
market, for-profit companies, some of whom I understand have 
been previously fined by the SEC. So what can you do to assure 
the public that this system will be run to protect the public 
interests and avoid conflict of interest which seem to be 
embedded in the structure in some ways?
    Mr. Simon. As you are well aware, the Nation's securities 
markets are based on a system of self-regulation so that the 
markets that are operating, the exchanges and FINRA that 
operate markets in one way or another also are responsible for 
the regulation of those markets. That will not change in CAT. 
All CAT will do is, very important, provide better surveillance 
tools for the SROs that are responsible for ensuring the 
integrity of their market through their self-regulatory 
operations. But understanding that with the greater amount of 
data in there and the more possibility that there is a misuse, 
clearly the SEC has stated in the rule and it stated in the 
plan that the data in the system can be used only for 
regulatory and surveillance purposes, and Shelly and the FINRA 
CAT team are putting together surveillance of the system 
itself, of its use, just to see atypical patterns of use of the 
data, to try to identify places where regulators may be 
misusing the data.
    So we are aware of the concerns. It is nothing new to the 
securities industry or to the SROs and is something we are able 
to and think that we will be able to police.
    Senator Van Hollen. I appreciate that, and there are some 
reports that the industry is actively trying to slow down this 
effort because it would result in greater transparency, even 
under the current system. Can you comment on that at all?
    Mr. Simon. I will start and then turn it to Judy. As Judy 
mentioned in her opening statement, we have an Advisory 
Committee, and we are working closely with SIFMA, and everybody 
in the industry and the SROs, at FINRA CAT, at the SEC are 
working in a coordinated, cooperative fashion to make the CAT 
successful.
    Ms. McDonald. So the industry has had unprecedented 
involvement--and that goes from the participation in the 
Advisory Committee to the participation in the industry working 
group, and broker-dealers collectively have logged many 
hundreds of hours in the course of explaining work flows, 
reviewing specifications, bringing concerns to the table. We 
are doing this so that there is efficient and accurate 
collection of data. I do not know how much more the industry 
could actually put into this effort to make it successful, 
because at the end of the day we are required by the exchanges 
to do the reporting to CAT.
    Senator Van Hollen. OK.
    Mr. Simon. This is a cost and not--this is an expense and 
not an income center for the industry and for the SROs, but 
notwithstanding that, there has been really, in my experience, 
an unprecedented level of cooperation among everybody in the 
industry to make this successful.
    Senator Van Hollen. OK. Thank you. Thank you, Mr. Chairman.
    Chairman Crapo. Thank you, and that concludes our questions 
today. I want to again thank the panel for coming. As you can 
see, there is a strong understanding of the importance and the 
benefits of CAT. There is also a very high level of concern 
about the data collection and privacy impacts here, which I 
share on both sides. And so I think we are far from where I 
have a comfort level, and I think that is true for a number of 
Members of the Committee. But we understand and appreciate the 
efforts that are being undertaken to address these issues. I am 
sure you will receive some additional questions from the 
Members of the Committee who were not able to stay or be here, 
and I encourage you to respond to them quickly. For those 
Senators who do wish to submit questions for the record, those 
questions will be due by Tuesday, October 29th. And as I always 
do, I encourage you as the witnesses to respond as quickly as 
you can to those questions. With that, thank you again. This 
hearing is adjourned.
    [Whereupon, at 11:11 a.m., the hearing was adjourned.]
    [Prepared statements, responses to written questions, and 
additional material supplied for the record follow:]
               PREPARED STATEMENT OF CHAIRMAN MIKE CRAPO
    Today's hearing will focus on oversight of the status of the 
Consolidated Audit Trail, commonly referred to as the ``CAT''.
    In 2010, in response to the Flash Crash and a number of other 
market disruption events, the SEC proposed the creation of a real-time 
tracking system to track securities orders across all markets 
throughout the life cycle of the order--from origination, to routing, 
cancellation, modification, or execution.
    At the time, the SEC estimated the creation of the CAT would cost 
$4 billion to launch and have ongoing maintenance costs of $2.1 
billion.
    In 2012, I wrote a letter requesting that the SEC consider 
alternatives to establishing the CAT database, such as housing it on 
FINRA's existing Order Audit Trail System, or OATS.
    It has been 9 years since the SEC's initial proposal for the CAT 
and after multiple challenges and delays it would appear that we have 
arrived at a version of CAT that realizes real-time, less accurate data 
is not necessary to the market function and that slightly delayed, more 
accurate information significantly reduces costs while still preserving 
the functional improvements CAT is intended to provide. Further, the 
CAT now better leverages existing resources by recently selecting a 
subsidiary of FINRA to be the plan processor.
    I continue to have concerns about the costs associated with the 
build, the volume of the information collected, what information will 
be collected, who has access to the information collected, and how the 
information will be secured.
    Last year, Ranking Member Brown and I wrote a letter to SEC 
Chairman Clayton that emphasized our bipartisan belief that protecting 
individuals' personally identifiable information, or PII, is paramount 
to the American people.
    We have continued to seek a better understanding of what type of 
PII is being collected, how that information is being used, who can 
access it and how the data is secured and protected.
    Chairman Clayton's September 9th statement echoed this sentiment 
regarding the importance of protecting information collected and stored 
in the CAT, particularly Social Security numbers, account numbers, and 
dates of birth.
    Chairman Clayton stated that he believes ``the regulatory 
objectives of the CAT can still be achieved without these most 
sensitive pieces of investor information.''
    Last week, the SROs officially requested a modification to the CAT 
NMS Plan to exclude the collection of dates of birth, Social Security 
numbers, individual taxpayer identification numbers, and account 
numbers.
    This request is long overdue and I encourage the SEC to grant this 
amendment which, I agree with the SROs, will reduce the risk profile of 
the data collected and stored in the CAT while still preserving the 
CAT's intended regulatory use.
    In his September 9th statement, Chairman Clayton went on to say 
that even if the SROs reduce the scope of the PII collected, the nature 
of the data to be included in the CAT ``necessitates robust security 
protections.''
    I could not agree more and look forward to hearing from our 
witnesses on how they plan to address these important issues from each 
of their unique roles in the creation of the CAT.
    I look forward to receiving an update from each of our witnesses on 
outstanding issues and challenges that remain to achieving an 
operational CAT.
    I thank the witnesses for their willingness to appear today.
                                 ______
                                 
              PREPARED STATEMENT OF SENATOR SHERROD BROWN
    Thank you, Chairman Crapo, and welcome to our witnesses.
    We are just shy of 200 days from the 10th anniversary of the 2010 
flash crash. Although there hasn't been a market disruption of that 
magnitude since, our markets have become faster, more sophisticated, 
and more fragmented. In that time, industry has spent untold billions 
on upgrading technology and developing faster and smarter trading 
systems.
    Yet the SEC, who we all rely on to maintain fair, orderly, and 
efficient markets, still lacks a comprehensive system that would allow 
it to effectively oversee the securities markets to protect Americans' 
college savings and retirement funds.
    In an industry where cutting-edge technology is the name of the 
game and trading firms erect competing microwave towers so that 
computers in Chicago can communicate with computers near Wall Street in 
milliseconds, the SEC still cobbles together data from multiple sources 
in an attempt to have a complete understanding of our markets.
    This is why the SEC called on FINRA and the firms that run our 
Nation's stock and options exchanges to build the Consolidated Audit 
Trail, or CAT, one system with a beginning-to-end view of how trading 
happens, so we can prevent insider trading, market manipulation, and 
other misconduct that cheats the system.
    When the effort began in 2012, it was a huge undertaking. But, 7 
years later we are only at the first stage of data reporting, and many 
details need to be finalized. Under the current timeline, the system 
will not be fully operational until 2022.
    Some take issue with the SEC, or any Government agency, having this 
much data and call the system a target for hackers.
    I refuse to accept that we can't both protect people's personal 
information, and go after criminals who take advantage of our markets.
    I know there are dozens of technology experts, data scientists, and 
market veterans working on this. Just last week, the CAT operating 
committee submitted to the SEC its proposal to exclude Social Security 
Numbers and other personal information from the reported data.
    That is just one of many creative solutions that balance the need 
for oversight with protecting sensitive information.
    I trust the very capable minds at the exchanges, FINRA, and the SEC 
can work out access to data concerns, tracking the use of the audit 
trail, and how to keep information secure to allow this long overdue 
oversight tool to be completed.
    The bottom line is--if you are smart enough to have information or 
strategies you think someone wants to steal, then you are smart enough 
to help come up with ways to protect them.
    And we can't afford to wait.
    Just last week, the SEC filed charges against 18 people, most of 
them in China, who engaged in a 6-year market manipulation scheme using 
dozens of accounts, across many brokerage firms, that resulted in 31 
million dollars of illicit profits.
    While we'll never know if the new system would have made it easier 
to uncover those crimes, it is that kind of activity that the SEC 
should have the technology to uncover.
    We also know that the question isn't if but when there will be 
another crash or major disruption. Everyone--Main Street, industry, and 
Congress--will look to those represented by our panelists today and the 
SEC to understand what happened, how it will be fixed, and who was 
responsible. Not having an answer, or waiting 5 months for one, will be 
unacceptable.
    If another flash crash happens, or the delays or disagreements over 
what should be solvable questions continue, you can expect to be back 
before this Committee. We are expecting you all to cooperate and work 
diligently to finish the CAT project.
    There are not many things that SEC Chair Clayton and I agree on, 
but finishing the CAT without further delay is one of them.
    Every day we wait creates more risks for our markets and more 
opportunities for criminals to cheat our regulatory system.
    Thank you, Mr. Chairman.
                                 ______
                                 
                  PREPARED STATEMENT OF SHELLY BOHLIN
    President and COO, FINRA CAT LLC, Financial Industry Regulatory 
                               Authority
                            October 22, 2019
    Chairman Crapo, Ranking Member Brown, and Members of the Committee: 
On behalf of FINRA CAT, LLC, a subsidiary of the Financial Industry 
Regulatory Authority, or FINRA, I would like to thank you for the 
opportunity to testify today. I serve as the President and Chief 
Operating Officer of FINRA CAT, LLC, and I welcome the Committee's 
invitation to discuss specific details of FINRA CAT's work as the Plan 
Processor of the Consolidated Audit Trail, or CAT, since FINRA CAT 
stepped into the role 6 months ago.
    The CAT is designed to be a centralized source of information on 
activity in the equities and listed options markets. The Securities and 
Exchange Commission (SEC) adopted Rule 613 in the wake of the 2010 
flash crash to require the CAT to be created. The SEC explained at the 
time that the purpose of the CAT is to create a comprehensive 
consolidated audit trail that allows regulators to efficiently and 
accurately track all activity in these securities throughout the U.S. 
markets to facilitate comprehensive market reconstructions, more robust 
market surveillance, and better analytics to support policymaking. \1\ 
Given the size and complexity of the financial markets, the CAT must 
collect, process, and store a vast amount of data to achieve this goal. 
This is a highly complex project that requires deep technological 
expertise, sophisticated and proactively evolving security, close 
regulatory coordination with the SEC and the consortium of self-
regulatory organizations (SROs) responsible for managing the CAT (SRO 
consortium), \2\ and full-time engagement with broker-dealers that 
ultimately must report data to the CAT.
---------------------------------------------------------------------------
     \1\ See Securities Exchange Act Release No. 67457 (July 18, 2012), 
77 FR 45722 (August 1, 2012) (SEC adopting release for Rule 613 to 
require the national securities exchanges and FINRA to file a national 
market system (NMS) plan for the creation, implementation, and 
maintenance of the CAT).
     \2\ The 24 participants currently in the consortium are: BOX 
Exchange LLC; Cboe BYX Exchange, Inc., Cboe BZX Exchange, Inc., Cboe 
EDGA Exchange, Inc., Cboe EDGX Exchange, Inc., Cboe C2 Exchange, Inc. 
and Cboe Exchange, Inc.; FINRA; Investors Exchange LLC; Long-Term Stock 
Exchange, Inc.; Miami International Securities Exchange LLC, MIAX 
Emerald, LLC, MIAX PEARL, LLC; NASDAQ BX, Inc., Nasdaq GEMX, LLC, 
Nasdaq ISE, LLC, Nasdaq MRX, LLC, NASDAQ PHLX LLC, The NASDAQ Stock 
Market LLC; and New York Stock Exchange LLC, NYSE American LLC, NYSE 
Arca, Inc., NYSE Chicago, Inc. and NYSE National, Inc.
---------------------------------------------------------------------------
    The CAT NMS Plan was filed with the SEC by the SRO consortium to 
meet the SEC's Rule 613 requirements, and the Plan was approved by the 
SEC on November 15, 2016. \3\ FINRA CAT began serving as the CAT Plan 
Processor in April of this year after being selected by the SRO 
consortium to build and operate the CAT system. Since our selection, 
FINRA CAT has been performing these functions on a contract basis for 
the SRO consortium, in accordance with the consortium's CAT NMS Plan.
---------------------------------------------------------------------------
     \3\ See https://www.sec.gov/rules/sro/nms/2016/34-79318.pdf.
---------------------------------------------------------------------------
    FINRA CAT appreciates that there is interest in the CAT from 
multiple perspectives. The CAT is an important tool that must be built 
properly so that the market regulators--including the SEC, FINRA, and 
the national securities exchanges--can use it as intended to 
efficiently and accurately track all activity in the U.S. securities 
markets. In addition, given the importance of sensitive information to 
the success of the CAT in achieving its goals, its security is of 
paramount concern to the regulators, to industry members who will 
report data to the CAT, to investors, and to the public.
    FINRA CAT is fully committed to serving these interests. The 
leadership and staff of FINRA CAT have significant experience in 
developing audit trail technology and utilizing it for regulatory 
purposes. In addition, FINRA CAT has access to the full resources of 
FINRA and its long, successful work in this area, expertise that has 
been valuable in the months since FINRA has been tasked with the 
development of the CAT. With this support, FINRA CAT's work to build 
the CAT is on schedule. FINRA CAT also is committed to receiving input 
from all stakeholders so that it may serve its role most effectively. 
Close engagement with the SROs, SEC, industry stakeholders, the public, 
and Congress is critical to FINRA CAT's efforts and the efforts of the 
SRO consortium.
Transition to FINRA CAT
    After FINRA was selected by the SRO consortium to succeed the 
former Plan Processor, FINRA CAT, a subsidiary of FINRA, was created to 
focus solely on performing the functions of the Plan Processor. \4\
---------------------------------------------------------------------------
     \4\ While FINRA is a member of the consortium, FINRA recused 
itself and did not take part in the selection decision.
---------------------------------------------------------------------------
    Importantly, FINRA CAT is a regulated entity. FINRA CAT is part of 
FINRA's parent SRO umbrella and accordingly an ``SCI Entity.'' \5\ This 
means that while FINRA CAT serves as a contractor for the SRO plan 
participants and is not a CAT NMS Plan participant itself, FINRA CAT 
nevertheless is subject directly to the SEC's jurisdiction, including 
Regulation Systems Compliance and Integrity (Reg SCI). FINRA CAT's 
status as an SCI Entity ensures direct accountability--both to the SRO 
plan participants and to the SEC--for important issues like system 
security, integrity, capacity, and business continuity.
---------------------------------------------------------------------------
     \5\ See https://www.sec.gov/rules/sro/finra/2019/34-85764.pdf.
---------------------------------------------------------------------------
    While FINRA CAT is part of FINRA's parent SRO umbrella and 
supported by FINRA resources, FINRA CAT is a distinct corporate 
subsidiary with controls in place to create sufficient separation from 
FINRA operations where needed and appropriate. We have built out a 
dedicated FINRA CAT operations staff led by me and a Chief Technology 
Officer. We also hired, with the approval of the SRO consortium, a 
Chief Information Security Officer (CISO) and a Chief Compliance 
Officer (CCO). These officers are responsible, respectively, for FINRA 
CAT's information technology security and governance and regulatory 
compliance programs. These two positions also owe fiduciary duties to 
the SRO consortium, as specified in the CAT NMS Plan. \6\
---------------------------------------------------------------------------
     \6\ See Section 4.6(a) of the CAT NMS Plan, available at 
https://catnmsplan.com/wp-content/uploads/2019/09/CAT-2.0-Consolidated-Audit-Trail-LLC%20Plan-Executed-(175745081)-(1).pdf.
---------------------------------------------------------------------------
    Since becoming the Plan Processor in April, FINRA CAT has worked 
closely with the SRO consortium and SEC staff to expeditiously put in 
place a solution for the first scheduled phase of the CAT--
specifically, the collection and processing of order and trade data 
from the equities and options exchanges and FINRA. \7\ For equities, 
FINRA CAT has been able to leverage existing data feeds the exchanges 
currently provide to FINRA, and in June, FINRA CAT deployed a 
significant technology release to ingest and validate newly reported 
options data from the options exchanges. FINRA CAT has used scalable 
technology to process, on average, over 100 billion market records a 
day during this period with no material operational issues or delays.
---------------------------------------------------------------------------
     \7\ For purposes of CAT reporting, FINRA data includes information 
about activity in the over-the-counter markets reported to FINRA's 
Trade Reporting Facilities, Alternative Display Facility, and Over-the-
Counter Reporting Facility. More information can be found on 
www.finra.org.
---------------------------------------------------------------------------
    This current quarter, FINRA CAT will be finishing the development 
of analytical tools that allow the SEC and SRO plan participants, as 
regulatory users of the CAT, to analyze and run complex queries on the 
CAT data. In addition, these tools will include functionality that 
allows regulatory users to see visual displays of the consolidated 
equity market order book for any given period of time. An example of 
this is the delivery of multifactor authentication, an important 
security enhancement, months ahead of its originally planned 
implementation date of May 2020.
Upcoming Milestones--Industry Member Reporting to CAT
    At the same time that FINRA CAT has been working to implement the 
first phase of CAT data reporting from plan participants, we also have 
been dedicating substantial resources to preparing for the next 
stage--industry member reporting, which is scheduled to be phased in from 
April 2020 to July 2022. \8\
---------------------------------------------------------------------------
     \8\ See https://catnmsplan.com/timelines/.
---------------------------------------------------------------------------
    Looking ahead, large and small firms that currently report similar 
audit trail data to FINRA's existing Order Audit Trail System (OATS) 
will begin reporting equities data in April 2020, followed by large 
firm reporting of options data in May 2020. Small firms that do not 
currently report to OATS are scheduled to begin reporting in December 
2021. Initially, industry member data will be limited to information 
concerning order and trade events. After a number of interim phases 
that will require the reporting of increasingly complex order and trade 
information, the final phase of industry member reporting--as currently 
contemplated by the SEC-approved CAT NMS Plan--calls for certain 
customer and account information reporting beginning in July 2022. 
Prior to each new reporting phase, there will be mandatory test periods 
to promote compliance for the broker-dealers reporting data to the CAT. 
FINRA CAT continually looks for opportunities to accelerate the 
timeline where possible.
    Achieving these reporting milestones requires significant effort 
from all parties. FINRA CAT is involved in full-time industry 
engagement through a variety of channels. FINRA CAT has worked with the 
consortium and CAT stakeholders to publish lengthy guidance on a 
variety of industry reporting scenarios, a schema for industry member 
reporting, and final technical specifications for the initial industry 
reporting phases. \9\ FINRA CAT and the SRO participants provide 
frequent presentations to the industry, which are archived on the SRO 
consortium's dedicated CAT NMS Plan website. \10\ FINRA CAT also 
maintains a fully staffed Help Desk to maintain an open line of 
communication.
---------------------------------------------------------------------------
     \9\ See https://catnmsplan.com/technical-specifications/
index.html.
     \10\ See https://catnmsplan.com/news-page/index.html.
---------------------------------------------------------------------------
    Active broker-dealer participation and feedback is a critical part 
of this engagement, as the success of CAT requires effective broker-
dealer implementation of the CAT reporting requirements. There are a 
number of industry representatives involved in the governance of the 
CAT NMS Plan through their participation on an advisory committee 
established by the CAT NMS Plan. \11\ A group of industry 
representatives join a weekly working group discussion that FINRA CAT 
cochairs with the consortium to identify and resolve interpretive 
questions. With the help of this weekly discussion forum, FINRA CAT and 
the SRO consortium have published answers to numerous frequently asked 
questions and continue to answer new questions regularly. \12\
---------------------------------------------------------------------------
     \11\ See Section 4.13 of the CAT NMS Plan, available at https://
catnmsplan.com/wp-content/uploads/2019/09/CAT-2.0-Consolidated-Audit-
Trail-LLC%20Plan-Executed-(175745081)-(1).pdf.
     \12\ See https://catnmsplan.com/faq/index.html.
---------------------------------------------------------------------------
    Active SEC involvement is critical as well. Each week, FINRA CAT 
hosts a call with SEC staff and the SRO plan participants to provide an 
update on project development and progress. FINRA CAT appreciates the 
time, investment, and insight provided by the SEC staff on all aspects 
of the CAT, and FINRA CAT has been happy to report so far that its work 
is on schedule.
    FINRA CAT recognizes that challenges are sure to arise throughout 
the industry phase-in. Prior to becoming the Chief Operating Officer of 
FINRA CAT, I worked for 25 years with FINRA's market regulation 
program, including on the successful multiphase implementation of 
FINRA's OATS reporting requirements. Today, FINRA combines OATS data 
with other regulatory data to process on average more than 78 billion 
records a day. As I and my FINRA CAT colleagues draw on our extensive 
prior experience with audit trail implementation, we welcome dialogue 
with the industry and all CAT stakeholders, particularly as we 
encounter new challenges unique to CAT reporting and prepare CAT to 
support regulators' efforts to retire existing systems like OATS.
Security and Customer Identifying Information
    Under the current CAT NMS plan approved by the SEC in 2016, \13\ 
industry members will be required to report certain customer 
identifying information, including account numbers and some personally 
identifying information, or PII. While we recognize the ongoing policy 
discussions related to the necessity of specific elements of PII to the 
success of the CAT, those requirements are ultimately matters the SRO 
consortium and the SEC must determine. However, I can assure the 
Committee that the security of PII, and of all CAT data more broadly, 
is of the utmost priority to FINRA CAT, and I can address the data 
security program that FINRA CAT has put in place to meet the CAT NMS 
Plan's requirements.
---------------------------------------------------------------------------
     \13\ See https://www.sec.gov/rules/sro/nms/2016/34-79318.pdf.
---------------------------------------------------------------------------
    In terms of FINRA CAT's overall information security program, we 
are led by a CISO who was approved by the SRO consortium and who is 
also its fiduciary. Our CISO has over 20 years' experience working on 
information security at FINRA, including as a security architect and 
security engineer. The CISO is supported by a dedicated team of 
security analysts who ensure that security controls are effectively 
implemented, monitor the security of the CAT System and respond to 
anomalies, evaluate and approve access, enforce compliance with 
security policies and standards including National Institute of 
Standards and Technology (NIST) Special Publication (SP) 800-53, and 
evaluate evolving threats and security control opportunities to ensure 
that the CAT security posture remains strong. In addition, the FINRA 
CAT security team is able to leverage the security expertise and 
advanced technology solutions that FINRA has invested heavily in over 
the years, including the people, process, and technologies it has 
developed and deployed to operate a secure cloud environment that is 
comparable in scale to the fully deployed CAT solution. As the SRO 
consortium recently discussed in a presentation to the industry, the 
FINRA CAT security program includes significant layers of 
architectural-level security controls and program-level security 
controls. \14\ Examples of architectural controls include secure 
infrastructure for connecting to the CAT system and architectural 
separation between transaction data and PII. Examples of program 
controls include a full suite of information security policies, 
procedures, and standards, as well as regularly scheduled independent 
third-party system penetration testing, code reviews, and security 
control validation.
---------------------------------------------------------------------------
     \14\ See https://catnmsplan.com/news-page/cat-industry-webcast-
recording-08-28-19/.
---------------------------------------------------------------------------
    The extensive FINRA CAT security policies address a range of issues 
required by the CAT NMS Plan, including data storage and handling, 
insider risk, data connectivity and transfer, incident management, 
security logging and monitoring, and account management. FINRA CAT's 
security program is based on work product developed by the FINRA CAT 
CISO in coordination with a security working group made up of CISOs and 
security experts from each of the SRO plan participants.
    Each CAT System release is subject to the granting of an Authority 
To Operate (or ATO) by the SRO consortium. To obtain an ATO from the 
consortium, the CAT CISO presents a package of materials to the 
security working group that demonstrates the strength of the CAT 
System's security posture. This package includes the system security 
plan, internal and third-party security testing reports, and an 
independent validation and verification report confirming that security 
controls are aligned with the NIST industry standards followed by the 
Federal Government. \15\
---------------------------------------------------------------------------
     \15\ See https://catnmsplan.com/news-page/cat-industry-webcast-
recording-08-28-19/.
---------------------------------------------------------------------------
    FINRA CAT understands concerns that continue to be raised about the 
inherent risk of handling CAT data, particularly PII. Even with the 
enhanced architectural and program controls required by the plan for 
PII--such as containing PII in its own separate system with restricted 
access--there may be policy questions for the SEC and SRO consortium to 
discuss about the costs and benefits of collecting and storing 
sensitive personal data.
    FINRA CAT's job is to support the regulators' decision making on 
this issue. This includes making any modifications to the system design 
to account for current discussions between the SEC, the SRO consortium, 
and the industry. As SEC Chairman Clayton recently noted before the 
House Financial Services Committee, the SROs are refining the details 
of a recommendation to eliminate Social Security numbers, account 
numbers, and dates of birth from the CAT, filing a request last week 
with the SEC to formalize the modified approach. \16\ FINRA CAT 
continues to work closely and productively with the SEC and the SROs to 
ensure that it has the right technological solution in place for when 
customer and account information reporting begins in July 2022.
---------------------------------------------------------------------------
     \16\ See Letter from Michael Simon, CAT NMS Plan Operating 
Committee Chair, to Vanessa Countryman, SEC, Request for Exemptive 
Relief from Certain Provisions of the CAT NMS Plan related to Social 
Security Numbers, Dates of Birth, and Account Numbers (Oct. 16, 2019), 
available at https://www.catnmsplan.com/wp-content/uploads/2019/10/
CCID-and-PII-Exemptive-Request-Oct-16-2019.pdf.
---------------------------------------------------------------------------
Conclusion
    Thank you again for the opportunity to appear today. The CAT is a 
major regulatory undertaking meant to help the SEC, FINRA, and the 
exchanges better regulate our securities markets. FINRA CAT recognizes 
the role it must play as the CAT Plan Processor to make the CAT fully 
operational and secure. We are on target to complete the build on time 
and in line with the strict data security protocols established in the 
SEC-approved CAT NMS Plan. We look forward to our continued 
collaboration with Congress, the SRO consortium, the SEC, market 
participants, stakeholders and the public as we work to achieve the 
project's goals.
                                 ______
                                 
                  PREPARED STATEMENT OF JUDY MCDONALD
                 Chair, CAT NMS Plan Advisory Committee
                            October 22, 2019
    My name is Judy McDonald, and I am the head of Regulatory Technology at 
Susquehanna International Group, LLP (SIG), a global quantitative 
trading firm headquartered in Bala Cynwyd, PA. In my role at SIG I have 
been evaluating the Consolidated Audit Trail (CAT) NMS Plan since its 
inception and participated in the CAT Development Advisory Group prior 
to the Plan Processor selection. Since February 2017, I have served 
along with 13 other industry participants on the Advisory Committee, 
and since March 2019 have served as the Chair of the Advisory 
Committee.
    Today I can confidently state that the effort to deliver CAT is 
moving forward in a very positive manner. Since February 2019, when 
FINRA CAT became the new Plan Processor, the Self Regulatory 
Organizations (SROs), FINRA CAT and industry members have been in a 
virtuous cycle of iterative deliverables and collaboration on the Plan. 
FINRA CAT brings subject matter expertise, depth of resources, and 
leadership to the effort. These capabilities have resulted in 
improvements ranging from well written policies and procedures, to 
capable project management, to delivery on portions of a large, 
complex, distributed system.
    The Advisory Committee is satisfied that the intermediate 
milestones of the past year have been met and that significant progress 
has been made toward processing SRO reporting and the completion of 
industry member technical specifications for the first equity and 
option reporting phases.
    However, there are a few areas of concern as the implementation of 
CAT progresses:

    1. Data Security. This is undoubtedly the most significant concern 
as the CAT will gather and store an unprecedented amount of information 
that previously has not been centrally located nor specifically 
identifiable. The concerns can be broken down into three categories: 
(a) Trading records for institutions, (b) Personally Identifiable 
Information (PII) for retail customers, and (c) the Security Policies 
of the regulators:
Trading Records
    There is significant concern about the security of the CAT data 
repository and the misuse of trading records by those with 
``authorized'' access. Trading records will be less secure than PII and 
accessible by a broader set of individuals. This highly proprietary 
information results from significant investments, and Broker-Dealers 
(BDs) are very concerned that trading strategies could be reverse-
engineered by competitors, by academics, or by rogue actors. Further, 
SROs compete with each other and BDs; this is beneficial to investors 
and could be compromised with the misuse of data.
PII Data
    We are encouraged by the progress to avoid the collection of Social 
Security numbers and other sensitive PII data. With this progress we 
believe some focus should be shifted to address the retirement of the 
legacy Electronic Blue Sheet (EBS) system, which currently collects PII 
data and is less secure than CAT.
Security Policies
    The Advisory Committee has little insight into the security 
programs at the regulators and whether security policies and procedures 
have changed commensurate with the increased value of the CAT data and 
the increased threat of compromise. We cannot emphasize enough the harm 
that could come from an external bad actor gaining access to trade 
information once data is bulk downloaded from the central FINRA CAT 
repository.
    In summary, I appreciate the critical nature of securing CAT data. 
Two of the best ways to achieve data security are to limit the number of 
people with access and to control the use of the data as tightly as 
possible. The Advisory Committee urges reconsideration of allowing the 
22 exchanges and the SEC to bulk download CAT data.

    2. Verbal and Manual Quotes. There is a significant open issue with 
respect to the capture and reporting of verbal and manual quotes. Human 
interaction with highly electronic markets is a deeply challenging 
issue that affects a small but very important part of the market and if 
disrupted, could dramatically reduce market liquidity particularly 
during periods of extraordinary volatility. The Advisory Committee 
recommends a stepwise approach for reporting verbal and manual quotes.

    3. Fees. Another area of concern is the current lack of insight 
into fees that may be applied to BDs. The absence of a fee schedule 
creates uncertainty around the effort and unnecessarily challenges 
firms budgeting to comply with CAT. It also raises the concern of 
chasing more firms out of business and imposing yet another barrier to 
entry, all to the detriment of market liquidity and competition.

    4. The SEC Proposal for Financial Accountability Milestones. The 
SEC proposal centers on the best-practice goals of increasing 
accountability and transparency of the CAT project. While we are 
supportive of these goals, legitimate unforeseen circumstances may 
occur where fixed deadlines work against the collective best interest 
of the CAT implementation. There must be some flexibility in place to 
address unforeseen situations.

    In closing, I look forward to continuing my work on the CAT project 
and will be happy to address any specific questions you have.
                                 ______
                                 
                 PREPARED STATEMENT OF MICHAEL J. SIMON
               Chairman, CAT NMS Plan Operating Committee
                            October 22, 2019
I. Introduction
    Chairman Crapo, Ranking Member Brown, and Senators of the 
Committee, thank you for the opportunity to testify before you today 
about the progress made on developing the Consolidated Audit Trail 
system (``CAT System'' or ``CAT''). As you are aware, the national 
securities exchanges and the Financial Industry Regulatory Authority 
(FINRA) (as the only national securities association) are developing 
and operating the CAT System as Participants \1\ to the National Market 
System (NMS) Plan Governing the CAT (the ``Plan''). \2\ The Securities 
and Exchange Commission (``SEC'' or ``Commission'') mandated both the 
Plan and the CAT System through adoption of Rule 613 of Regulation NMS. 
\3\
---------------------------------------------------------------------------
     \1\ The 24 Participants are: BOX Exchange LLC; Cboe BYX Exchange, 
Inc., Cboe BZX Exchange, Inc., Cboe EDGA Exchange, Inc., Cboe EDGX 
Exchange, Inc., Cboe C2 Exchange, Inc. and Cboe Exchange, Inc.; FINRA; 
Investors' Exchange LLC IEX; Miami International Securities Exchange 
LLC, Long-Term Stock Exchange, Inc.; MIAX Emerald, LLC, MIAX PEARL, 
LLC; NASDAQ BX, Inc., Nasdaq GEMX, LLC, Nasdaq ISE, LLC, Nasdaq MRX, 
LLC, NASDAQ PHLX LLC, The NASDAQ Stock Market LLC; and New York Stock 
Exchange LLC, NYSE American LLC, NYSE Arca, Inc., NYSE Chicago, Inc. 
and NYSE National, Inc.
     \2\ National Market System Plan Governing the Consolidated Audit 
Trail, Section 1.1 available at https://www.catnmsplan.com/wp-content/
uploads/2019/09/CAT-2.0-Consolidated-Audit-Trail-LLC%20Plan-Executed-
(175745081)-(1).pdf [hereinafter the ``Plan''].
     \3\ Consolidated Audit Trail Adopting Release, Exchange Act 
Release No. 67,457, 77 FR 45,722 (Aug. 1, 2012) [hereinafter ``Rule 613 
Adopting Release''].
---------------------------------------------------------------------------
    Described broadly, the CAT requires Participants, and will require 
broker-dealers (Industry Members), to submit information to the CAT 
System related to the inception, routing, cancellation, modification, 
or execution of an order. \4\ When completely implemented, the CAT 
System will receive, validate, and process such data to create life 
cycles of orders across the markets. The Participants and the SEC will 
use the CAT System solely for regulatory purposes, querying the CAT 
System to facilitate their oversight of the securities markets and to 
help them fulfill their obligations under the Federal securities laws. 
As noted in Rule 613, the Commission expects the Participants and 
Industry Members to share in the costs of the CAT, and the Plan 
includes a funding model consistent with the cost-sharing requirement 
of Rule 613. \5\
---------------------------------------------------------------------------
     \4\ See generally Plan, supra note 2 (outlining the requirements 
of the CAT System).
     \5\ See Regulation NMS, 17 CFR 242.613(a)(1)(vii)(D) (2019).
---------------------------------------------------------------------------
    There has been significant interest in the CAT. Understandably, 
much of this interest has centered around the extent to which the 
system will include personally identifiable information (PII), the 
security of the system more generally, as well as the cost of the 
system. Before discussing these issues, I'd like to provide a little 
background on the CAT, tell you a little about the structure of the 
project and my role, and give you an update on the progress of the CAT 
System.
a. Background on CAT
    By way of background, the Commission conceived of and ultimately 
mandated the CAT System to more effectively and efficiently conduct 
cross-market supervision of trading activity. \6\ The Commission has 
explained that the regulatory data infrastructure the Commission, the 
exchanges and FINRA currently rely on is outdated, inconsistent, and 
inadequate to effectively oversee a complex, dispersed, and highly 
automated national market system. \7\ Upon complete implementation, the 
CAT system will provide a number of significant benefits, including: 
(i) consolidated trading information across all markets and (ii) the 
ability to identify the trading of specific end-customers.
---------------------------------------------------------------------------
     \6\ See Rule 613 Adopting Release, supra note 3 at 45,723.
     \7\ See id. at 45,723; Joint Industry Plan; Order Approving the 
National Market System Plan Governing the Consolidated Audit Trail, 
Exchange Act Release No. 79,318, 81 FR 84,696, at 84,697 (Nov. 23, 
2016) [hereinafter ``CAT NMS Plan Adopting Release''].
---------------------------------------------------------------------------
    One practical example of limitations of current regulatory data 
relates to regulators' ability to reconstruct and analyze market 
events. \8\ According to the Commission, the lack of direct access to 
audit trail data resulted in the Commission's inability to quickly and 
efficiently reconstruct market events during the financial crisis in 
2008 and the ``Flash Crash'' \9\ in 2010. \10\ In proposing SEC Rule 
613, the Commission noted that while the existing audit trail 
information assisted the staffs of the SEC and the self-regulatory 
organizations in their regulatory responsibility to surveil for 
compliance with self-regulatory organization rules and the Federal 
securities laws and regulations, it believed that existing audit trails 
were limited in their scope and effectiveness in varying ways. \11\
---------------------------------------------------------------------------
     \8\ See Consolidated Audit Trail Proposing Release, Exchange Act 
Release No. 62,174, 75 FR 32,556, at 32,557 (June 8, 2010) [hereinafter 
``Rule 613 Proposing Release''].
     \9\ On May 6, 2010, the prices of many U.S.-based equity products 
suddenly plummeted and recovered almost as quickly. This event is 
referred to as the ``Flash Crash''. The Commission, along with the 
Commodity Futures Trading Commission, undertook an analysis of the 
Flash Crash. The Commission has explained that the available data 
``hindered staff in determining what happened to liquidity before, 
during, and after the Flash Crash. Two major problems were the 
inability to identify and eliminate duplicate orders from the data and 
the inability to accurately sequence events across the multiple data 
sources.'' Rule 613 Adopting Release, supra note 3 at 45,732.
     \10\ CAT NMS Plan Adopting Release, supra note 7 at 84,834 n. 
2246.
     \11\ See Rule 613 Proposing Release, supra note 8 at 32,563-568.
---------------------------------------------------------------------------
    To address this need, in August, 2012, the Commission adopted Rule 
613 \12\ requiring the Participants to submit an NMS plan to create, 
implement, and maintain a consolidated audit trail for orders in NMS 
Securities. \13\ The Commission mandated that the Plan address activity 
across all markets, from the time of order inception through routing, 
cancellation, modification, execution, and allocation, in accordance 
with the requirements of Rule 613. In September, 2014, the Participants 
submitted an initial proposed NMS plan to the Commission. \14\ Over the 
course of more than 2 years, the Participants filed two amendments to 
the initial NMS plan; upon publication, the SEC received dozens of 
comment letters on the proposed NMS plan from across the industry, \15\ 
many of which focused on the security of the CAT System. In addition to 
NMS Securities mandated by Rule 613, the Participants also determined 
to include OTC Equity Securities (NMS Securities and OTC Equity 
Securities collectively are ``Eligible Securities'') within the initial 
scope of the CAT. \16\ The Participants proposed this to allow for a 
more expanded audit trail and to facilitate an expedited retirement of 
OATS (which applies to OTC Equity Securities as well as NMS stocks) as 
duplicative to CAT. In November 2016, the Commission unanimously 
approved the amended Plan developed by the Participants in accordance 
with the requirements of Rule 613. \17\
---------------------------------------------------------------------------
     \12\ See Rule 613 Adopting Release, supra note 3.
     \13\ For purposes of the Plan, ``NMS Securities'' are defined as 
``any security or class of securities for which transaction reports are 
collected, processed, and made available pursuant to an effective 
transaction reporting plan, or an effective national market system plan 
for reporting transactions in Listed Options.'' See Plan, supra note 2 
at Section 1.1.
     \14\ See Initial National Market System Plan Governing the 
Consolidated Audit Trail available at https://www.catnmsplan.com/wp-
content/uploads/2018/02/p600989.pdf. The Participants worked with the 
Development Advisory Group (DAG), which consisted of broker-dealer 
representatives, to solicit industry feedback when creating the Plan.
     \15\ See Securities and Exchange Commission File No. 4-698 
available at https://www.sec.gov/comments/4-698/4-698.shtml.
     \16\ For purposes of the Plan, ``OTC Equity Securities'' are 
defined as ``any equity security, other than an NMS Security, subject 
to prompt last sale reporting rules of a registered national securities 
association and reported to one of such association's equity trade 
reporting facilities.'' See Plan, supra note 2 at Section 1.1.
     \17\ See CAT NMS Plan Adopting Release, supra note 7.
---------------------------------------------------------------------------
    When the CAT System is fully operational it will address the 
regulatory need the Commission identified and facilitate multiple 
Participants' ability to conduct their own market surveillance. In 
particular, the more granular order attribution information that will 
be available via CAT will help Participants make their surveillance 
programs more efficient and effective. As Participants develop 
regulatory systems that interact with CAT data, they may use CAT data 
to supplement targeted queries of their own exchange data and/or to 
build new exchange-specific surveillance to bolster regulation of 
individual markets and across markets. For example, Participants will 
more easily identify exchange-specific manipulative activity, such as 
opening and closing cross-manipulation, using CAT data because a market 
participant may be entering manipulative orders on one exchange that 
are otherwise not visible to another exchange's surveillance systems.
    The CAT presents new opportunities to increase both regulatory 
effectiveness and efficiencies, and the Participants are committed to 
using the CAT System to reduce regulatory inefficiencies, including 
reducing regulatory duplication, in a manner that promotes the safety 
of the markets and the quality and effectiveness of the Participants' 
regulatory programs.
b. Structure of CAT Project
    To understand my role on the CAT project, it may be helpful to 
review the various stakeholders and contributors to the project. 
Consolidated Audit Trail LLC (CAT LLC) is a consortium of national 
securities exchanges and national securities associations. The 
Operating Committee is comprised of representatives of each 
Participant, serves as the governing body for CAT LLC and provides 
review, guidance, oversight and decision-making authority for the 
overall operations of the CAT System. The Operating Committee selects 
the Plan Processor, which is responsible for implementing and operating 
the CAT System. As mandated by Rule 613 and the Plan, the Operating 
Committee receives industry perspective and guidance from the CAT LLC 
Advisory Committee, which is a diverse group of industry 
representatives (e.g., small, medium and large broker-dealers, floor 
broker-dealers, proprietary trading firms, clearing firms, service 
bureaus, buy-side traders, academicians). There also are numerous 
working groups with discrete responsibilities related to the CAT 
project.
    I have been involved with the CAT since the adoption of Rule 613, 
first as an employee of a future Participant and, since 2017, as Chair 
of the Operating Committee while also serving as an Independent Senior 
Advisor to Deloitte. I can represent to you that the Participants have 
been working, and continue to work, diligently and in good faith to 
comply with their regulatory obligations to build and operate the CAT 
in compliance with SEC Rule 613 and the Plan. In doing so, the 
Participants are working closely with staff of the SEC to ensure the 
CAT is designed and implemented in a manner consistent with regulatory 
expectations and with the Advisory Committee to ensure that the CAT is 
designed and implemented in a manner that is efficient and will benefit 
the industry-at-large.
    Throughout the process of creating and operating the CAT, the 
Participants have been deliberate about ensuring that the CAT System 
and the data within the system are secure. The Participants are 
committed to developing and implementing a fully functional and secure 
CAT System in accordance with the timeline developed by the 
Participants and FINRA CAT, which was shared with the SEC.
II. Process of Developing and Implementing the CAT
    In addition to developing the Plan that governs the overall 
operation of the CAT System, the Participants went through a rigorous 
process to identify a Plan Processor to develop, implement, and operate 
the CAT System. Understanding that this would be a challenging effort, 
the Participants began this undertaking well before the Commission 
ultimately approved the Plan. Specifically, the Participants developed 
a request for proposal (RFP) process and published a Proposed RFP 
Concept Document for public comment to get feedback on the feasibility 
and costs of implementing the CAT reporting requirements contemplated 
by the Plan. Participants also published information on the anticipated 
content and structure of the RFP so that interested bidders had the 
opportunity to review the scope of information they would have to 
provide in an RFP response. The Participants ultimately published an 
RFP in February 2013.
    In September 2013, the Participants filed a separate NMS plan with 
the Commission, entitled the Plan Governing the Process of Selecting a 
Plan Processor and Developing a Plan for the Consolidated Audit Trail 
(Selection Plan). The Selection Plan governed how the Participants 
would ultimately select the Plan Processor. The Commission approved the 
Selection Plan in February 2014. \18\ Following the process outlined in 
the Selection Plan, 10 entities submitted responses to the RFP. The 
Participants heard oral presentations from all 10 entities and 
identified three finalists. The majority of Participants ultimately 
selected Thesys Technologies LLC (Thesys) in accordance with the voting 
procedures for the selection of the initial Plan Processor under the 
Selection Plan.
---------------------------------------------------------------------------
     \18\ The Selection Plan was later incorporated into the Plan 
approved by the Commission on November 15, 2016.
---------------------------------------------------------------------------
    The relationship with Thesys did not progress in a satisfactory 
manner. After working closely with Thesys in an attempt to overcome 
what the Participants viewed as inadequacies in Thesys' performance as 
Plan Processor, the Participants determined that Thesys could not 
remedy those inadequacies in a timely and cost-effective manner. 
Thereafter, the Participants determined to engage a new Plan Processor. 
Because the Participants understood and appreciated the urgent need to 
complete the CAT System, the Participants commenced an abbreviated 
selection process, contacting the two other finalists from the initial 
selection process. Earlier this year, the Participants selected FINRA, 
operating through a subsidiary (FINRA CAT), to serve as the successor 
Plan Processor. The Participants transitioned the project to FINRA CAT 
in order to facilitate the timely development and implementation of the 
CAT. Shortly thereafter, the Participants provided the Commission an 
updated plan outlining the phased timeline for implementing the CAT 
System.
III. Progress Update
    Since transitioning the project to FINRA CAT, the Participants have 
made substantial progress toward meeting their obligations to build and 
operate the CAT. The Participants actually began submitting data to the 
CAT in November 2018, when Thesys was the Plan Processor, and have 
successfully submitted more than 13 trillion records to the CAT System 
since transitioning to FINRA CAT. Since commencing operations as Plan 
Processor, FINRA CAT has collected all data from the Participants, 
validated and linked all equity exchange data, and is on target to 
validate and link all options exchange data by February 2020. FINRA CAT 
also has completed various releases related to Participant reporting in 
a timely manner and has accelerated the delivery of multifactor 
authentication--a key aspect of the security of the CAT System--by 
several months from the planned date of May 2020. Since selecting FINRA 
CAT as Plan Processor, there have been no production outages or major 
operational issues with the first technical release.
    The Participants also have made substantial progress with regard to 
Industry Member CAT reporting (i.e., CAT reporting by broker-dealers), 
which is scheduled to commence in April 2020. Industry Member 
onboarding is in progress, and the Participants have finalized the 
Technical Specifications for Industry Member reporting for the initial 
two reporting phases. Additionally, FINRA CAT has finalized Industry 
Member connectivity and completed Industry Member registration.
    To place the progress made to date in perspective, it may be 
helpful to provide a sense of the scope and magnitude of the CAT 
project. The CAT System receives over 105 billion records per day on 
average and has processed a peak of 182 billion records from 
Participants alone on one day for options, Options Price Reporting 
Authority, options national best bid and offer, and equities exchange 
data. The Participants clearly have complied with the Commission's 
charge to build a comprehensive system designed to be dependable, 
robust, and scalable.
    Importantly, this progress has come about not only through the 
efforts of the Participants and the Plan Processor, but also due to the 
enhanced involvement of Advisory Committee members and Industry Members 
more broadly. The Participants and FINRA CAT have worked regularly and 
productively with the Advisory Committee and industry associations, 
such as the Securities Industry and Financial Markets Association 
(SIFMA), Financial Information Forum, and the Securities Traders 
Association, to gather, assess, and answer numerous interpretive 
questions, publish Frequently Asked Questions (FAQs), assess timelines 
for Industry Member technical specifications and reporting, and 
otherwise develop a workable CAT. The Participants also met with the 
Investment Company Institute on topics related to the CAT System. The 
Commission staff, who regularly attend nearly all CAT meetings and 
calls, also have played an important role in discussions related to the 
development of the CAT. With the help of these various contributors, 
the Participants have been able to make significant progress in 
developing the CAT System and preparing the industry for a fully 
functional CAT System by publishing or providing 247 pages of technical 
specifications, 226 of FAQs, 10 workflow documents including a 367-page 
Industry Member Reporting Scenarios document and a 22-page on-boarding 
guide, and 24 webinars; and registering 1,530 Industry Members.
    Beginning next month, the Participants and the Plan Processor will 
work together, using a phased approach, to expeditiously achieve the 
following milestones: (i) large Industry Member testing (December 
2019), (ii) large Industry Member reporting (April 2020), (iii) small 
Industry Member testing (December 2019), (iv) small Industry Member 
reporting (December 2021), and (v) customer account and customer 
identifying information reporting by all firms (July 2022). \19\ The 
Participants are working to achieve all milestones, i.e., achieve 
complete implementation of the CAT System, by July 2022. \20\
---------------------------------------------------------------------------
     \19\ Customer account and customer identifying information 
reporting may be impacted by the Participants' request for exemptive 
relief. See infra note 28 and accompanying text.
     \20\ The phased implementation involves a more detailed breakdown 
of the milestones, including milestones related to OATS reporting and 
non-OATS reporting small Industry Members.
---------------------------------------------------------------------------
IV. PII
    I would like to discuss personally identifiable information. As 
noted earlier, the SEC has mandated that the CAT System be designed and 
developed to comply with the requirements of SEC Rule 613 and the Plan. 
Rule 613(c)(7)(i)(A) states that the Plan must require Participants and 
Industry Members to record and electronically report to the CAT System 
Customer-IDs for each order and each reportable event. \21\ Rule 
613(j)(5) defines Customer-ID as ``a code that uniquely and 
consistently identifies such customer for purposes of providing data'' 
to the CAT System. \22\ Rule 613 does not define what qualifies as 
customer identifying information, but in proposing and adopting Rule 
613, the SEC suggested that the CAT System ``be responsible for 
assigning a unique customer identifier in response to an input by a 
[regulator] of a customer's Social Security number or tax 
identification number'' \23\ and noted its expectation that the 
Participants ``establish a process by which [the Customer-IDs] are 
reported to the [CAT System], and how this information is linked to the 
name and address of customers as stored in the [CAT System].'' \24\ 
Accordingly, the Commission-approved Plan currently defines Customer 
Identifying Information as ``information of sufficient detail to 
identify a Customer, including, but not limited to, (a) with respect to 
individuals: name, address, date of birth, individual tax payer 
identification number (ITIN)/Social Security number (SSN), individual's 
role in the account (e.g., primary holder, joint holder, guardian, 
trustee, person with the power of attorney) . . . '' \25\
---------------------------------------------------------------------------
     \21\ Regulation NMS, 17 CFR 242.613(c)(7)(i)(A) (2019).
     \22\ Regulation NMS, 17 CFR 242.613(j)(5) (2019).
     \23\ Rule 613 Proposing Release, supra note 8 at 32,573.
     \24\ Rule 613 Adopting Release, supra note 3 at 45,757.
     \25\ Plan, supra note 2 at Section 1.1.
---------------------------------------------------------------------------
    It is important to note that the inclusion of PII has been a point 
of contention since the inception of the CAT System. In fact, members 
of Congress, the SEC, Participants and others in the industry have 
raised security and privacy concerns related to the nature and volume 
of information to be included in the CAT System, with particular focus 
on the use and inclusion of customer identifying information. The 
Commission made clear, however, that the utility of the CAT System 
would be significantly degraded without a means to uniquely identify 
underlying customers. \26\
---------------------------------------------------------------------------
     \26\ See Rule 613 Adopting Release, supra note 3 at 45,756-758.
---------------------------------------------------------------------------
    The need to balance facilitating effective regulation using the CAT 
System against security concerns related to the breadth of sensitive 
information that will be in the CAT System remains paramount. 
Participants have been in discussions with the SEC and the industry on 
how best to balance these competing concerns. To that end, the 
Operating Committee formed a PII Working Group to research and 
recommend potential alternatives regarding the handling of PII in the 
CAT System.
    After considering various alternatives over the course of 2018, the 
PII Working Group, in consultation with SIFMA, recommended an approach 
that would have avoided the need to have any PII in CAT. Industry 
Members would have retained such information as they have to date, and 
the SEC and Participants would have requested it from each broker-
dealer firm, as necessary, through the creation of a separate PII 
request/response system. At the suggestion of the Commission staff--
which did not favor the approach proposed by the PII Working Group--the 
PII Working Group had further discussions and ultimately recommended an 
alternative approach to the Operating Committee.
    Specifically, the Participants worked together with SIFMA to 
develop what is now referred to as the CCID Alternative. Under this 
alternative, the Plan Processor would generate a unique identifier for 
a customer (the ``CAT Customer ID'' or ``CCID'') using a two-phase 
transformation process that avoids the need to collect and maintain 
SSNs in the CAT. In the first transformation phase, Industry Member CAT 
Reporters would transform an SSN to an interim value. \27\ Industry 
Members would submit this transformed value, and not the SSN, to the 
CCID Subsystem operated by the CAT separate and apart from other 
customer and account information. The CCID Subsystem would use the 
transformed value to create a unique CCID for each customer. The 
regulatory staffs of the Participants and the SEC would then use the 
CCID in queries and analysis of CAT data.
---------------------------------------------------------------------------
     \27\ Industry Members would continue to store individual customer 
SSNs outside the CAT, as they do today. If a Participant's regulatory 
staff or the SEC staff needs to obtain a customer SSN during an 
investigation, the regulator would need to request that information 
from the CAT Reporter. If, however, a Participant's regulatory staff or 
the SEC staff has an SSN through other means, the regulator will have 
the ability to use that SSN to query the CAT. Similar to the process 
just described, the SSN would be transformed into the CCID, which, in 
turn, may be used by the regulator in queries and analyses of CAT data. 
Under this alternative, Industry Members would not maintain the 
generated CCID.
---------------------------------------------------------------------------
    The use of CCIDs would enhance the security of the CAT System while 
preserving the regulatory benefits of the system. The CAT would not 
collect or store any SSNs. Because the CAT System would only store 
CCIDs, rather than SSNs, this alternative would eliminate the risk of 
having a comprehensive aggregated source for all individual customer 
SSNs. Instead, only Industry Members would continue to collect 
individual customer SSNs, as they do currently. Moreover, the process 
to create CCIDs using, in part, SSNs would be secure. The Participants 
believe this will significantly reduce the risk that information in CAT 
could be used to facilitate identity theft and do so in a manner that 
does not compromise the regulatory benefits of the CAT.
    The Participants recognize that eliminating the collection of SSNs 
by the CAT for initial processing by the Plan Processor would cause CAT 
Reporters to assume a critical role in the accurate generation of 
CCIDs. This creates a risk to the integrity of the CCID values 
ultimately assigned to customer records in the CAT that is beyond the 
full control of the Plan Processor. The Plan Processor will consider 
methods for detecting errors in the transformed values submitted by CAT 
Reporters, some of which may be identified by functionality supporting 
the error resolution for customer data requirement of the Plan. 
Nevertheless, the Participants and the working group of Participant and 
Industry Members that developed the CCID Alternative jointly believe 
that the value of eliminating the need for CAT Reporters to transmit 
SSNs to the CAT exceeds the potential increased risk to the integrity 
of CCID assignments.
    The Participants also have developed what is now referred to as the 
Modified PII Approach that would eliminate dates of birth and account 
numbers for natural persons in the CAT System (although year of birth 
for customers would be collected and maintained in the CAT). Similar to 
SSNs, the Participants believe that dates of birth and account numbers 
are particularly sensitive from a security perspective and should not 
be included in the CAT. The Participants believe that eliminating dates 
of birth and account numbers from the CAT would further reduce the risk 
profile of data collected and stored in the CAT by eliminating the PII 
data elements that would support attempted identity theft without 
compromising the regulatory benefits of the CAT.
    To implement the CCID Alternative and the Modified PII Approach, 
the Participants have requested exemptive relief from the Commission 
from relevant aspects of the Plan. \28\
---------------------------------------------------------------------------
     \28\ See Letter from Michael Simon, CAT NMS Plan Operating 
Committee Chair, to Vanessa Countryman, SEC, Request for Exemptive 
Relief from Certain Provisions of the CAT NMS Plan related to Social 
Security Numbers, Dates of Birth and Account Numbers (Oct. 16, 2019) 
available at https://www.catnmsplan.com/wp-content/uploads/2019/10/CCID-and-PII-Exemptive-Request-Oct-16-2019.pdf.
---------------------------------------------------------------------------
V. Security
    Since conceptualizing the Plan, the Participants have been mindful 
of security concerns related to the CAT. Excluding SSNs, dates of birth 
and account numbers from the CAT System will result in the CAT System 
being a much less attractive target for cybercriminals. Nevertheless, 
the security of the CAT System will remain a top priority. The 
Participants have taken, and will continue to take, all appropriate 
precautions to safeguard all data within the CAT System.
    Understanding the importance of information security generally, CAT 
LLC itself is structured in a manner to appropriately emphasize the 
security of the CAT. For example, CAT LLC has both a Chief Information 
Security Officer (CISO) and Chief Compliance Officer, both of whom are 
fiduciaries of CAT LLC, and are responsible for ensuring compliance 
with Plan requirements. \29\ Specifically, the CAT CISO is responsible 
for creating and enforcing appropriate policies, procedures, and 
control structures to monitor and address data security issues for the 
Plan Processor and the CAT System. \30\ The CISO also is obligated to 
review the Participants' information security policies and procedures 
that are related to the CAT System to evaluate if the Participants that 
access CAT data have an information security program comparable to the 
Plan Processor's program. \31\ Additionally, the Operating Committee 
established a Security Working Group, which is comprised of the CAT LLC 
CISO as well as CISOs and security experts from each Participant. 
Members of the working group collectively represent hundreds of years 
of experience in the information security space. The SEC staff also has 
served as an active observer to Security Working Group meetings.
---------------------------------------------------------------------------
     \29\ See Plan, supra note 2 at Section 4.6.
     \30\ See id. at Section 6.2.
     \31\ See id. at Section 6.2.
---------------------------------------------------------------------------
    In addition to structuring the oversight and responsibility of the 
CAT System in a manner that focuses on security, the Participants have 
designed the CAT System to meet stringent security standards. \32\ The 
system is subject to the robust controls framework set forth in 
National Institute of Standards and Technology (NIST) Special 
Publication (SP) 800-53 including, among other things, the establishment 
of a System Security Plan and annual third-party independent 
verification and validation. \33\ This is the same standard required 
for Federal information systems under the Federal Information Security 
Management Act. The Participants designed and built the CAT System with 
both architectural-level and program-level controls. The SEC and 
Participants can only query the CAT System via dedicated private 
circuits between them and the CAT System, mitigating the risk of an 
attack via the Internet. The CAT system further requires multifactor 
authentication for regulatory use of the query tools, mitigating 
insider risk at the regulators, as well as for access to the Industry 
Member reporter portal. \34\ Additionally, the CAT System and relevant 
personnel continuously monitor regulatory access and use of the system. 
The CAT System logs every instance of access to the CAT central 
repository and will maintain a full audit trail of access to customer 
data. Additionally, the Operating Committee, the SEC, and Participants 
will periodically receive and review a list of authorized users and 
their most recent access; each user organization will regularly verify 
that its list of authorized users and the roles they are assigned 
remain accurate. \35\
---------------------------------------------------------------------------
     \32\ See id. at Appendix D Section 4.2.
     \33\ The application of NIST SP 800-53 to the CAT is further 
informed by ISO 27002 and the NIST Cybersecurity Framework.
     \34\ See Plan, supra note 2 at Appendix D Section 4.1.4.
     \35\ See id. at Appendix D Section 4.1.4.
---------------------------------------------------------------------------
    The Participants have integrated security processes into the design 
and development of the CAT System. Threat analysis drives security 
requirements and design. Continuous automated testing along with 
rigorous security assessment by an expert team of security engineers is 
brought to bear during the design and build of the system. A highly 
qualified third-party cybersecurity testing organization regularly 
performs further security testing, including penetration testing and 
code security assessment.
    The overall CAT security program also is subject to regular third-
party review to verify that the program is operating in accordance with 
its System Security Plan and with applicable standards. The Plan 
Processor will continue to subject the CAT System to annual NIST SP 
800-53 Independent Validation and Verification (IV&V). FINRA CAT 
delivered Release 1 (June) on time and with no major security defects, 
as confirmed by both internal and third-party security testing, as well 
as the third-party security controls assessment, i.e., IV&V. FINRA CAT 
is on schedule to deploy Release 2 in November with no major defects as 
well; internal security testing is complete, third-party security 
testing is nearly complete, and a new IV&V is in progress.
    Finally, to keep Industry Members and other interested persons 
apprised of CAT security efforts, in August, CAT LLC and FINRA CAT 
hosted an industry webinar focusing on the security of CAT data. During 
the webinar the Participants shared information about how the data 
reported to the CAT System will be safeguarded to ensure the security 
and confidentiality of the data.
VI. Costs
    Developing and operating the CAT System in accordance with SEC Rule 
613 and the Plan requires a significant commitment of capital--both 
human and financial. In terms of human capital, all Participants have 
contributed the time and expertise of numerous senior-level personnel 
from their respective organizations. \36\ These individuals provide 
expertise on technology and systems engineering, legal, regulatory and 
compliance, data, and security issues. To date, the entirety of the 
financial commitment to develop and operate the CAT System has been 
borne by the Participants, notwithstanding that Rule 613 and the Plan 
specifically contemplate the CAT being funded jointly by the 
Participants and Industry Members.
---------------------------------------------------------------------------
     \36\ See id. at Section 6.2(b)(vii).
---------------------------------------------------------------------------
    To provide context, the costs associated with the CAT System 
include: (i) fixed and variable costs for the Plan Processor to build 
and operate the CAT; (ii) legal fees; (iii) consulting fees; (iv) 
insurance; and (v) costs associated with engaging other vendors, like 
financial administrators and auditors. Going forward, we estimate the 
annual budget to operate the CAT System to be upwards of $75 million. 
Note, this figure only reflects CAT LLC's direct costs. It does not 
include the cost of compliance for Participants or Industry Members nor 
the individual costs of the Participants, and CAT LLC is not in a 
position to collect or estimate those costs.
    Although the Participants have continued to independently fund the 
CAT, they have attempted to implement fees applicable to both 
Participants and Industry Members to fund the cost of the CAT as 
contemplated by Rule 613 and the Plan. In 2017, the Participants filed 
proposed rule changes and a Plan amendment to adopt a schedule to 
establish fees for Participants and Industry Members, which would have 
resulted in Industry Members helping fund the CAT. \37\ After receiving 
comments on the proposed rule changes, responding to those comments, 
and filing amendments to the proposed rule changes, the Participants 
withdrew their rule changes when it became clear that the SEC was going 
to disapprove those fees, given that it had summarily abrogated the 
Plan amendment that would have established Participant and Industry 
Member fees. \38\
---------------------------------------------------------------------------
     \37\ See, e.g., Notice of Filing and Immediate Effectiveness of a 
Proposed Rule Change Related to Fees for Use on Bats EDGX Exchange, 
Inc., Exchange Act Release No. 80,821, 82 FR 26,177 (June 6, 2017).
     \38\ See Notice of Withdrawal of Proposed Rule Changes, as 
Modified by Amendments, To Establish Fees for Industry Members To Fund 
the Consolidated Audit Trail, Exchange Act Release No. 82,505, 83 FR 
3,043 (Jan. 22, 2018).
---------------------------------------------------------------------------
    There is still no fee structure in place and the Participants alone 
continue to fund the CAT. It remains of critical importance that the 
industry contributes to funding the development and implementation of 
the CAT System. Not only is this a reasonable approach to financing 
such a massive project, it is consistent with Rule 613 and the Plan 
that the Commission approved. Accordingly, the Participants are working 
on an amended fee proposal that they will submit to the Commission for 
its review and approval.
    Relatedly, the Commission recently issued proposed amendments to 
the Plan that would add new sections to the Plan to govern the recovery 
of any fees, costs, and expenses incurred by CAT LLC in connection with 
the development, implementation and operation of the CAT System from 
the effective date of the amendment until the Participants complete 
implementation of the Plan. \39\ Specifically, Proposed Section 11.6 
would require the Participants to meet four critical CAT implementation 
milestones by certain dates in order to collect the full amount of any 
related post-amendment Industry Member fees established by the Operating 
Committee or implemented by the Participants. If the Participants fail 
to meet the target deadlines set forth in Proposed Section 11.6, they 
would only be entitled to collect a portion of the relevant amount, as 
determined by the amount of time by which the Participants have missed 
the target deadlines.
---------------------------------------------------------------------------
     \39\ See Proposed Amendments to the National Market System Plan 
Governing the Consolidated Audit Trail, Exchange Act Release No. 
86,901, 84 FR 48,458 (Sept. 13, 2019).
---------------------------------------------------------------------------
    The Participants understand the Commission's concerns and ultimate 
goal of providing financial incentives to complete the CAT in a timely 
manner. The Participants are reviewing the details of the proposed 
amendment and intend to provide a comment letter with considerations 
for the SEC. These comments will be based on the Participants' 
experience in designing and building the CAT System and will be aimed 
at helping achieve the SEC's goals in an efficient manner.
VII. Conclusion
    The Participants remain committed to meeting their obligation to 
build and operate the CAT System and are making significant progress in 
this regard. The Participants will continue to take all necessary 
precautions to safeguard the data within the CAT System and to promote 
the security of the system more generally. Thank you for the 
opportunity to provide testimony on this matter.
        RESPONSES TO WRITTEN QUESTIONS OF SENATOR BROWN
                       FROM SHELLY BOHLIN

Q.1. Please describe the FINRA CAT breach/intrusion 
notification process, including the entities and organizations 
that would be notified and the timetable for notification. 
Please also describe any process for notification to investors, 
or the public generally.

A.1. FINRA CAT has a sophisticated information security program 
guided by CAT NMS Plan requirements and is working to support 
the efforts of the consortium of self-regulatory organizations 
(SRO) responsible for managing the CAT (known as CAT Plan 
Participants or the SRO consortium) to limit the kinds of 
sensitive retail investor information that would be reported to 
the CAT. This program includes a formal and formally tested 
incident response plan, consistent with guidance established by 
the National Institute of Standards and Technology, and which 
addresses notification requirements applicable to the 
unauthorized access to CAT Data. These notifications are driven 
by the facts and circumstances of any breach/intrusion. If 
FINRA CAT becomes aware of actual (or potential) unauthorized 
access to CAT Data, we, working with the SRO consortium, will 
take all reasonable steps to investigate the incident and 
mitigate any technical vulnerabilities identified from 
unauthorized access to protect the integrity of the CAT system. 
We will further work with the SRO consortium to report 
unauthorized access to law enforcement, the SEC and other 
authorities, and to notify customers or other parties as 
required or as the consortium deems appropriate. Also, as an 
``SCI Entity,'' FINRA CAT is subject directly to the SEC's 
jurisdiction, including Regulation Systems Compliance and 
Integrity (Reg SCI). FINRA CAT's status as an SCI Entity 
ensures direct accountability, including cyberincident 
reporting requirements.

Q.2. Please provide the available cost estimates for (i) 
building the CAT system and (ii) annual operation of the CAT 
system, specifying current cost and costs once it is fully 
operational.

A.2. The SRO consortium is more appropriately able to provide 
public information concerning costs, as specific details of the 
financial terms of the contract between the SRO consortium and 
FINRA CAT are confidential. We understand that they are 
addressing cost-related questions in their answers to the 
Committee.

Q.3. Please identify the private and Government organizations 
and entities that would be necessary to involve in the 
development and management of a CAT system that includes U.S. 
futures data and activity.

A.3. While FINRA CAT has the systems capability to incorporate 
futures data in the CAT system, any work towards that end would 
necessarily only follow the legal and policy decisions made by 
Federal regulators, including the CFTC and the SEC. There may 
also be questions for the Federal regulators and Congress about 
whether new legislative authority is needed. These regulators 
would likely engage futures market participants, as well as 
other public and private stakeholders, such as the National 
Futures Association. Should policy makers decide to expand the 
CAT to include futures data, FINRA CAT would work expeditiously 
to support that regulatory objective.
                                ------                                


        RESPONSES TO WRITTEN QUESTIONS OF SENATOR SASSE
                       FROM SHELLY BOHLIN

Q.1. Is FINRA tied in with the Financial Sector Information 
Sharing and Analysis Center (FSISAC)?
    If not, how are you obtaining cyberthreat information?

A.1. Yes.

Q.2. Would the Commission consider setting up a test bed and 
proving to the Banking Committee Members that the ``SSN's would 
be secure''?

A.2. While we are happy to provide information to and 
coordinate demonstrations with your office and other Committee 
Members, and to work with the various stakeholders to make that 
happen, I will defer to the SEC on this particular question.
                                ------                                


       RESPONSES TO WRITTEN QUESTIONS OF SENATOR KENNEDY
                       FROM SHELLY BOHLIN

Q.1. I would like to better understand the relationship between 
FINRA and FINRA CAT.
    Who will be required to conduct independent reviews of 
FINRA's security controls?

A.1. FINRA and FINRA CAT, LLC are separate legal entities, run 
independently of each other, although FINRA CAT does contract 
with FINRA for some services. FINRA CAT, LLC is a subsidiary of 
FINRA and was created to focus solely on performing the 
functions of the CAT Plan Processor for the consortium of self-
regulatory organizations responsible for managing the CAT 
(known as CAT Plan Participants or the SRO consortium). FINRA 
CAT is part of FINRA's parent SRO umbrella and accordingly an 
SCI Entity. This means that while FINRA CAT serves as a 
contractor for the SRO consortium and is not a CAT NMS Plan 
participant itself, FINRA CAT nevertheless is subject directly 
to the SEC's jurisdiction, including compliance with Regulation 
Systems Compliance and Integrity (Reg SCI). FINRA CAT's status 
as an SCI Entity ensures direct accountability to the SEC for 
important issues like system security, integrity, capacity, and 
business continuity. FINRA CAT's security controls are subject 
to the oversight of the CAT Plan Participants, independent 
third party assessments required pursuant to the Plan, and the 
SEC.
    Both FINRA and FINRA CAT have implemented controls to 
prevent FINRA from having an advantage over other Plan 
Participants in accessing CAT data or receiving services from 
FINRA CAT.

Q.2. Who, in the public and private sector, will have access to 
data from the CAT? Please list those entities.

A.2. CAT Data can only be accessed for regulatory purposes and 
only by authorized regulatory users from the CAT Plan 
Participants and the SEC. FINRA CAT has worked with the SRO 
consortium to develop comprehensive data access controls that 
meet regulatory requirements. In addition, as currently 
designed, only a subset of those authorized regulatory users 
will have permission to access and view Customer Account 
Information and Customer Identifying Information, which is 
stored and handled separately from the order and trade data. 
Additional access controls are discussed below in Question 
seven.
    The 24 Participants of the CAT NMS Plan are: BOX Exchange 
LLC; Cboe BYX Exchange, Inc., Cboe BZX Exchange, Inc., Cboe 
EDGA Exchange, Inc., Cboe EDGX Exchange, Inc., Cboe C2 
Exchange, Inc. and Cboe Exchange, Inc.; Financial Industry 
Regulatory Authority, Inc.; Investors Exchange LLC; Long-Term 
Stock Exchange, Inc.; Miami International Securities Exchange 
LLC, MIAX Emerald, LLC and MIAX PEARL, LLC; Nasdaq BX, Inc., 
Nasdaq GEMX, LLC, Nasdaq ISE, LLC, Nasdaq MRX, LLC, Nasdaq PHLX 
LLC and The NASDAQ Stock Market LLC; and New York Stock Exchange 
LLC, NYSE American LLC, NYSE Arca, Inc., NYSE Chicago, Inc. and 
NYSE National, Inc. Some of these SRO Participants have the 
same parent company. Those companies include the following: BOX 
(Boston Options Exchange); Cboe; FINRA; IEX; LTSE; Nasdaq; 
NYSE; and MIAX.

Q.3. What are you doing to ensure a secure mechanism is 
developed for the submission of data, its storage, and the 
destruction of such data once it is no longer necessary?

A.3. In terms of FINRA CAT's overall information security 
program, we are led by a CISO who was approved by the SRO 
consortium and also has a fiduciary duty to the SRO consortium. 
Our CISO has over 20 years' experience working on information 
security at FINRA, including as a security architect and 
security engineer. The CISO is supported by a dedicated team of 
security analysts who ensure that security controls are 
effectively implemented, monitor the security of the CAT System 
and respond to anomalies, evaluate and approve access, enforce 
compliance with security policies and standards including 
National Institute of Standards and Technology (NIST) Special 
Publication (SP) 800-53, and evaluate evolving threats and 
security control opportunities to ensure that the CAT security 
posture remains strong.
    In addition, the FINRA CAT security team is able to 
leverage the security expertise and advanced technology 
solutions that FINRA has invested in heavily over the years, 
including the people, process, and technologies it has 
developed and deployed to operate a secure cloud environment 
that is comparable in scale to the fully deployed CAT solution. 
As the SRO consortium recently discussed in a presentation to 
the industry 
(https://www.catnmsplan.com/wp-content/uploads/2019/08/FINRA-CAT-Security-Approach-Overview--20190828.pdf), 
the FINRA CAT security program includes significant layers of 
architectural-level security controls and program-level 
security controls. Examples of architectural controls include 
secure infrastructure for connecting to the CAT system and 
architectural separation between transaction data and customer 
data. Examples of program controls include a full suite of 
information security policies, procedures, and standards, as 
well as regularly scheduled independent third-party system 
penetration testing, code reviews, and security control 
validation.
    The extensive FINRA CAT security policies address a range 
of issues required by the CAT NMS Plan, including data storage 
and handling, insider risk, data connectivity and transfer, 
incident management, security logging and monitoring, account 
management, and data destruction. FINRA CAT's security program 
is based on work product developed by the FINRA CAT CISO in 
coordination with the SRO consortium's Security Working Group, 
which is comprised of CISOs and security experts from each of 
the CAT Plan Participants.
    Each CAT System release is subject to the granting of an 
Authority To Operate (or ATO) by the SRO consortium. To obtain 
an ATO from the consortium, the CAT CISO must demonstrate the 
strength of the CAT System's security posture to the Security 
Working Group. This includes, among other things, system 
security, internal and third-party security testing, and 
independent validation confirming that security controls are 
aligned with the NIST industry standards followed by the 
Federal Government and that they have been effectively 
implemented.
    FINRA CAT understands concerns that continue to be raised 
about the inherent risk of handling CAT data, particularly PII. 
Even with the enhanced architectural and program controls 
required by the plan for PII--such as containing PII in its own 
separate system with restricted access--there may be policy 
questions for the SEC and SRO consortium to discuss about the 
costs and benefits of collecting and storing sensitive personal 
data.
    FINRA CAT's job is to support the regulators' decision 
making on this issue. This includes making any modifications to 
the system design to account for current discussions between 
the SEC, the SRO consortium, and the industry. The SROs 
recently requested exemptive relief to eliminate social 
security numbers, account numbers, and dates of birth from the 
CAT. You will find this request at the following link: 
https://www.catnmsplan.com/wp-content/uploads/2019/10/CCID-and-PII-Exemptive-Request-Oct-16-2019.pdf. 
FINRA CAT continues to work 
closely and productively with the SEC and the SROs to ensure 
that it has the right technological solution in place for when 
customer and account information reporting begins in July 2022.

Q.4. What security protocols are in place, or will be followed 
by the SROs and the SEC to mitigate the risk of a data breach?

A.4. FINRA CAT has a sophisticated information security program 
guided by CAT NMS Plan requirements and is working to support 
the consortium's efforts to limit the kinds of sensitive retail 
investor information that would be reported to the CAT. FINRA 
CAT has developed a System Security Plan (SSP), in accordance 
with extensive NIST 800-series Special Publication guidance on 
computer security, and follows this SSP to ensure that security 
controls, including those used to prevent, detect, and mitigate 
a data breach, are defined and effectively implemented. While 
not public for security reasons, this SSP and its effective 
implementation undergoes independent third-party evaluation on 
an annual basis. The SSP includes incident response and breach 
management controls. FINRA CAT is prepared for a variety of 
scenarios and has established and tested processes and actions 
in the event of unauthorized access to CAT data that vary 
depending on the facts and circumstances of any breach/
intrusion. If FINRA CAT becomes aware of actual (or potential) 
unauthorized access to CAT Data, we, working with the SRO 
consortium, will take all reasonable steps to investigate the 
incident and mitigate any technical vulnerabilities identified 
from unauthorized access to protect the integrity of the CAT 
system. We will further work with the SRO consortium to report 
unauthorized access to law enforcement, the SEC and other 
authorities and to notify customers or other parties as 
required or as the consortium deems appropriate.

Q.5. Have you worked with those stakeholders supplying data to 
the CAT to ensure they are comfortable with the levels of 
security surrounding the system?

A.5. FINRA CAT has worked with the SRO consortium to conduct 
substantial engagement with the reporting parties regarding 
their reporting obligations and data security measures. With 
respect to data security measures, the SRO consortium and the 
Plan Processor have sought to provide reporting parties with 
assurance that strong and appropriate security measures are in 
place, while avoiding disclosure of sensitive information about 
CAT security controls and processes that could be used in an 
attempt to circumvent those controls if it fell into the wrong 
hands. This assurance includes a robust program of regular 
independent third-party assessments, including validation that 
security controls are effectively implemented in accordance 
with NIST SP800 series standards, as well as third-party 
independent penetration testing and code security assessments. 
Meetings are regularly held, and the CAT website 
(catnmsplan.com) provides detailed, up-to-date information on 
these and other communications, including CAT alerts, regular 
podcasts, and engagement with compliance professionals at 
firms. These relationships are important to communicating and 
clarifying obligations, and to understanding the questions and 
concerns of various stakeholders.

Q.6. Will you continue to engage with industry and stakeholders 
on information security once the system is up and running?

A.6. FINRA CAT will continue to engage all stakeholders on this 
important issue after the CAT is operational. The CAT is a 
highly complex project that requires deep technological 
expertise, proactively evolving security, close regulatory 
coordination with the SEC and the SRO consortium, and full-time 
engagement with broker-dealers that ultimately must report data 
to the CAT. There are a number of industry representatives 
involved in the governance of the CAT NMS Plan through their 
participation on the Advisory Committee established by the CAT 
NMS Plan.
    The Advisory Committee established in the CAT NMS plan is 
charged with advising the Participants on the implementation, 
operation, and administration of the CAT. Under the Plan, the 
Advisory Committee has the right to attend Operating Committee 
and Subcommittee meetings generally and to submit its views 
prior to a decision by the Operating Committee. The composition 
of the Advisory Committee includes: (a) broker-dealers of 
varying sizes and types of business, including a clearing firm; 
(b) an individual who maintains a securities account; (c) an 
academic; and (d) institutional investors. This kind of 
stakeholder participation and feedback is and will continue to 
be critical to FINRA CAT's efforts in all areas, including 
information security.

Q.7. What protocols will FINRA CAT have to ensure staff that 
have access to the CAT database, and potentially the ability to 
extract this data, do not misuse it? Can you elaborate on any 
access controls, limitations, and monitoring of the extractions 
that will take place?

A.7. FINRA CAT has worked with the SRO consortium to develop 
comprehensive data access controls that meet regulatory 
requirements. For example, only authorized regulatory users 
from the Participants and the SEC will have permission to 
access CAT Data via the CAT System. And, as currently designed, 
only a subset of those authorized regulatory users will have 
permission to access and view Customer Account Information and 
Customer Identifying Information, which is stored and handled 
separately from the order and trade data. Authorized regulatory 
users outside of the SEC must execute a Safeguard of 
Information Affidavit provided by the Plan Processor, which 
provides, among other things, that authorized regulatory users 
must maintain the confidentiality and security of CAT Data and 
to use CAT Data only for regulatory purposes. In addition, 
authorized regulatory users outside of the SEC are required to 
complete the CAT Security Awareness Training Course provided by 
the Plan Processor. As the Plan Processor, however, FINRA CAT 
does not have the authority to oversee or enforce restrictions 
on the appropriate regulatory use of CAT data by those who 
access it. The obligation to monitor and enforce restrictions 
on the uses of and access to CAT data falls on each SRO that is 
part of the CAT Plan for their respective employees and the SEC 
for SEC staff. Also, the SEC is responsible for any training 
for authorized regulatory users inside the agency. FINRA CAT 
has also established monitoring controls at multiple system 
layers (e.g., data storage, application front end) designed to 
detect access anomalies. This includes the use of behavioral 
analytics designed to recognize normal and abnormal access 
patterns. All access to CAT Data is logged, in accordance with 
the Plan and subject to this monitoring. Instances of potential 
abnormal access will be flagged for the respective SRO or the 
SEC to follow up on.
    With respect to Plan Processor personnel, only those who 
need access to CAT Data to fulfill their responsibilities for 
delivery and operation of the CAT System are granted access to 
CAT Data. That access must be justified to the satisfaction of 
the CISO and CCO (who are fiduciaries to the SRO consortium) 
and approved by them. This access is subject to periodic 
review, as well as to monitoring that is attuned to the 
restricted use patterns expected of these personnel.

Q.8. Cybersecurity is one of the greatest risks facing the 
financial services industry and every sector of critical 
infrastructure in the U.S. Currently, the CAT plan does not 
require the plan processor to notify market participants of 
cyberincidents that compromise their data.
    What procedures will be followed to notify firms in the 
event of a breach of CAT data?

A.8. FINRA CAT has a sophisticated information security program 
guided by CAT NMS Plan requirements and is working to support 
the consortium's efforts to limit the kinds of sensitive retail 
investor information that would be reported to the CAT. We also 
have notification processes in the event of unauthorized access 
to CAT Data, but those vary depending on the facts and 
circumstances of any breach/intrusion. If FINRA CAT becomes 
aware of actual (or potential) unauthorized access to CAT Data, 
we, working with the SRO consortium, will take all reasonable 
steps to investigate the incident and mitigate any technical 
vulnerabilities identified from unauthorized access to protect 
the integrity of the CAT system. We will further work with the 
SRO consortium to report unauthorized access to law 
enforcement, the SEC and other authorities and to notify 
customers or other parties as required or as the consortium 
deems appropriate.

Q.9. Do you think such a notification requirement would be in 
the best interests of all parties involved? SEC registrants are 
required to have breach notification policies and procedures, 
why not FINRA CAT?

A.9. While the response to any unauthorized access to CAT Data 
will necessarily vary depending on the facts and circumstances 
of the event, FINRA CAT, working with the SRO consortium, 
developed a coordinated incident response framework. In the 
event of an incident, FINRA CAT will investigate the incident. 
We will further work with the SRO consortium to report 
unauthorized access to law enforcement, the SEC and other 
authorities and to notify customers or other parties as 
required or as the consortium deems appropriate. In addition, 
FINRA CAT, as an SCI entity under the SEC's Regulation SCI, has 
an obligation to report to the SEC ``any unauthorized entry 
into the SCI systems or indirect SCI systems of an SCI 
entity''.

Q.10. I am concerned the CAT is a likely target for those who 
wish to manipulate U.S. markets--are you confident the CAT 
system and data included within will be adequately protected 
from these threats?

A.10. I have confidence in our data security program, not only 
in the systems we have in place, but also our team's ongoing 
commitment to making data security central to our function. The 
CAT system by its nature requires deep technological expertise, 
proactively evolving security, close regulatory coordination 
with the SEC and the SRO consortium, and full-time engagement 
with broker-dealers that ultimately must report data to the 
CAT.
    FINRA CAT has policies, procedures, and a robust set of 
other security controls to ensure the security and 
confidentiality of information submitted to the CAT. Such 
policies and procedures require information barriers between 
regulatory and nonregulatory staff of the Participants with 
regard to access and use of CAT Data, a mechanism to confirm 
the identity of persons permitted to use CAT Data, and a 
comprehensive information security program. Participant 
information security policies and procedures are subject to 
review by the CAT Chief Compliance Officer and Chief 
Information Security Officer, with any deficiencies reportable 
to the CAT LLC Operating Committee. FINRA CAT's security 
program is aligned with NIST SP800-53--the Security and Privacy 
Controls for Federal Information Systems and Organizations--and 
undergoes regular third-party audits. In addition, we are 
required to subject the CAT System to regular penetration 
testing and code reviews by a qualified third-party security 
assessor. This is on top of an extensive internal cybersecurity 
program staffed by highly qualified cybersecurity personnel 
that is integrated into the development and operations life 
cycle of FINRA CAT. Among other benefits, this internal program 
implements yet another layer of threat analysis, penetration 
testing, and code assessment. In addition, FINRA's Internal 
Audit Department will conduct reviews of various aspects of the 
CAT system, procedures, and operation.
    The CAT System is designed from the ground up with 
structural controls that avoid exposure to certain common 
threats. Notably, the CAT Regulator systems are designed 
without Internet access. CAT Data is only accessible by 
Participants and the SEC via private connectivity lines, with 
their users subject to multifactor authentication. Monitoring 
augmented by behavioral analytics is used to detect and quickly 
respond to potential improper attempts to access CAT Data or 
use the CAT System in an inappropriate manner. Industry 
Members--which may only submit and correct data sent to the 
CAT--are required to submit data either via private lines, AWS 
PrivateLink or the CAT Secure Reporting Gateway; unlike 
Participants and the SEC, Industry Members are not permitted to 
query CAT Data. Reporting subsystems are architecturally 
separate from query subsystems and the underlying CAT Data 
repository; they are designed without the ability to read data 
in the CAT, and to quickly move received data into the CAT to 
greatly shield the reporting subsystem from being a viable 
target for unauthorized access to CAT Data.
    FINRA CAT's multifaceted cybersecurity program, with 
architectural constraints such as private-line-only access, 
along with multiple levels of complementary and redundant 
security testing by both Plan Processor security staff and 
independent third parties justifies strong confidence that the 
CAT system and included data are appropriately protected from 
cybersecurity threats consistent with current standards. 
Nevertheless, FINRA CAT is cognizant that its cybersecurity 
framework must not be static; it must evolve as more effective 
cybersecurity techniques and practices emerge.
                                ------                                


        RESPONSES TO WRITTEN QUESTIONS OF SENATOR WARNER
                       FROM SHELLY BOHLIN

Q.1. Irrespective of how the PII issue is ultimately resolved 
between the SEC and the consortium, do you have confidence that 
the FINRA CAT's data security program and architecture has the 
controls in place to keep whatever data is stored safe and 
secure?

A.1. I have confidence in our data security program, not only 
in the systems we have in place, but also our team's ongoing 
commitment to making data security central to our function. The 
CAT is a highly complex project that requires deep 
technological expertise, proactively evolving security, close 
regulatory coordination with the SEC and the consortium of 
self-regulatory organizations responsible for managing the CAT 
(known as CAT Plan Participants or the SRO consortium), and 
full-time engagement with broker-dealers that ultimately must 
report data to the CAT.
    FINRA CAT has policies and procedures to ensure the 
security and confidentiality of information submitted to the 
CAT. Such policies and procedures require information barriers 
between regulatory and nonregulatory staff of the Participants 
with regard to access and use of CAT Data, a mechanism to 
confirm the identity of persons permitted to use CAT Data, and 
a comprehensive information security program. Participant 
information security policies and procedures are subject to 
review by the CAT Chief Compliance Officer and Chief 
Information Security Officer, with any deficiencies reportable 
to the CAT LLC Operating Committee. FINRA CAT's security 
program is aligned with NIST SP800-53--the Security and Privacy 
Controls for Federal Information Systems and Organizations--and 
undergoes regular third-party audits. In addition, we are 
required to subject the CAT System to regular penetration 
testing and code reviews by a qualified third-party security 
assessor. This is on top of an extensive internal cybersecurity 
program staffed by highly qualified cybersecurity personnel 
that is integrated into the development and operations life 
cycle of FINRA CAT. Among other benefits, this internal program 
implements yet another layer of threat analysis, penetration 
testing, and code assessment.
    The CAT System is designed from the ground up with 
structural controls that avoid exposure to certain common 
threats. Notably, the CAT Regulator systems are designed 
without Internet access. CAT Data is only accessible by 
Participants and the SEC via private connectivity lines, with 
their users subject to multifactor authentication. Monitoring 
augmented by behavioral analytics is used to detect and quickly 
respond to attempts to access CAT Data or use the CAT System in 
an inappropriate manner. Industry Members--which may only 
submit and correct data sent to the CAT--are required to submit 
data either via private lines, AWS PrivateLink or the CAT 
Secure Reporting Gateway; unlike Participants and the SEC, 
Industry Members are not permitted to query CAT Data. Reporting 
subsystems are architecturally separate from query subsystems 
and the underlying CAT Data repository; they are designed 
without the ability to read data in the CAT, and to quickly 
move received data into the CAT to greatly shield the reporting 
subsystem from being a viable target for unauthorized access to 
CAT Data.
    FINRA CAT's multifaceted cybersecurity program, with 
architectural constraints such as private-line-only access, 
along with multiple levels of complementary and redundant 
security testing by both Plan Processor security staff and 
independent third parties justifies strong confidence that the 
CAT system and included data are appropriately protected from 
cybersecurity threats consistent with current standards. 
Nevertheless, FINRA CAT is cognizant that its cybersecurity 
framework must not be static; it must evolve as more effective 
cybersecurity techniques and practices emerge.

Q.2. What, in your view, were the causes for implementation 
delays?

A.2. As the head of FINRA CAT, I can speak only to what has 
happened since we took over as plan processor in April 2019. We 
are currently on schedule and are confident in our ability to 
meet the milestones moving forward.

Q.3. Please describe how a subsidiary of FINRA was selected 
earlier this year to replace Thesys? Was there an open bidding 
process? Were there other bidders?

A.3. FINRA provided bid information to the SRO consortium at 
the consortium's request, and the SRO consortium's selection of 
FINRA was announced on February 27, 2019. As part of the SRO 
consortium, FINRA recused itself and did not take part in the 
selection decision. After the selection, FINRA created FINRA 
CAT as a separate and distinct subsidiary to focus solely on 
performing the functions of the CAT Plan Processor. FINRA CAT 
believes that the SRO consortium is best positioned to respond 
to questions about other bidders and the operation of the 
bidding process.

Q.4. How was the SEC engaged with CAT NMS as it began 
experiencing significant delays?

A.4. FINRA CAT believes the SRO consortium is best positioned 
to respond to questions about project development and 
management before FINRA CAT assumed the role of Plan Processor. 
FINRA CAT notes that since it became the CAT Plan Processor, it 
has completed all deliverables according to schedule.

Q.5. What are SEC current authorities in compelling the 
implementation of CAT?

A.5. The CAT NMS Plan was filed with the SEC by the SRO 
consortium to meet requirements the SEC established when it 
adopted Rule 613 of Regulation NMS. In its role as CAT Plan 
Processor, FINRA CAT is committed to continuing to complete 
work according to schedule. FINRA CAT is also a part of FINRA's 
parent SRO umbrella, meaning FINRA CAT, as part of the FINRA 
self-regulatory organization, is subject directly to the SEC's 
jurisdiction over SROs.
                                ------                                


        RESPONSES TO WRITTEN QUESTIONS OF SENATOR WARREN
                       FROM SHELLY BOHLIN

Q.1. The Flash Crash on May 6, 2010, briefly erased about $1 
trillion from our Nation's economy. In response, more than 2 
years later, the Securities and Exchange Commission (SEC) 
adopted a rule to create, implement, and maintain the 
Consolidated Audit Trail (CAT) to monitor securities trades in 
U.S. markets.
    The CAT would be a real-time tracking system to enhance 
regulators' efforts to oversee U.S. markets by collecting data 
about securities quotes and orders and allow the SEC to 
understand trading practices. Without the CAT and other tools 
to more quickly analyze trading data, the SEC was unnecessarily 
delayed in reporting on what caused the brief crash to U.S. 
markets. \1\ Federal regulators took 7 months to analyze and 
publicly report the causes of the Flash Crash, and it took an 
additional 5 years to analyze and publicly report that a 
London-based trader played a significant role in the crash. \2\
---------------------------------------------------------------------------
     \1\ Reuters, ``Factbox: After the Flash Crash, Changes to U.S. 
Markets'', Jonathan Spicer, September 1, 2011, 
https://www.reuters.com/article/us-financial-regulation-algos-factbox/factbox-after-the-flash-crash-changes-to-us-markets-idUSTRE7806QS20110901.
     \2\ Reuters, ``SEC Urges Completion of Long-Delayed Trading 
Database'', John McCrank, August 27, 2018, 
https://www.reuters.com/article/us-usa-stocks-regulation-cat/sec-urges-completion-of-long-delayed-trading-database-idUSKCNILC2FA.
---------------------------------------------------------------------------
    What are the risks to the market if the SEC does not have 
the tools to quickly, efficiently, and accurately track 
information about trades in the event of another Flash Crash?

A.1. The CAT is intended to enhance the regulators' ability to 
perform market analyses and market reconstruction. When the SEC 
approved the CAT NMS Plan filed by the SRO consortium, it 
discussed the benefits of such audit trail enhancements 
including to conduct surveillance and market reconstruction. In 
its role as CAT Plan Processor for the SRO consortium, FINRA 
CAT is committed to providing a CAT solution that meets the 
requirements of the CAT NMS Plan and supports the CAT's 
intended regulatory uses.

Q.2. High-frequency trading, which allows for rapid buying and 
selling based on computer formulas and complex algorithms, now 
accounts for more than half of daily trading volume. \3\
---------------------------------------------------------------------------
     \3\ CNBC, ``Just 10 Percent of Trading Is Regular Stock Picking, 
JPMorgan Estimates'', Evelyn Cheng, June 14, 2017, 
https://www.cnbc.com/2017/06/13/death-of-the-human-investor-just-10-percent-of-trading-is-regular-stock-picking-jpmorgan-estimates.html.
---------------------------------------------------------------------------
    What are the risks of not having a comprehensive regulatory 
system, such as the proposed CAT, to oversee these frequent and 
rapid securities trades?

A.2. The CAT NMS Plan includes a number of provisions designed 
to promote the accuracy of linked and sequenced order activity 
data. When the SEC approved the CAT NMS Plan filed by the SRO 
consortium, it discussed the benefits of these provisions and 
how they are designed to enhance the ability of regulators to 
oversee trading activity in the equities and options markets. 
In its role as the CAT Plan Processor for the SRO consortium, 
FINRA CAT is committed to providing a CAT solution that meets 
the requirements of the CAT NMS Plan and supports the CAT's 
intended regulatory uses.

Q.3. In 2012, the SEC approved a rule to establish the CAT. 
Nearly 10 years after the May 2010 Flash Crash, the CAT is 
still not in place to protect the U.S. economy and people 
across the country that would suffer from another major hit to 
the market. The continued lack of real-time trade reporting and 
monitoring of the securities market, however, remains a 
significant vulnerability in our regulatory system.
    Senator Brown's opening statement stated that, `` . . . the 
SEC called on [the Financial Industry Regulatory Authority 
(FINRA)] and the firms that run our Nation's stock and options 
exchanges to build the Consolidated Audit Trail, or CAT, one 
system with a beginning-to-end view of how trading happens, so 
we can prevent insider trading, market manipulation, and other 
misconduct that cheats the system.'' \4\
---------------------------------------------------------------------------
     \4\ Opening statement of Ranking Member Sherrod Brown to the U.S. 
Senate Committee on Banking, Housing, and Urban Affairs, October 22, 
2019, https://www.banking.senate.gov/imo/media/doc/Brown%20Statement%2010-22-192.pdf.
---------------------------------------------------------------------------
    Please explain how the CAT would prevent these harmful and 
illegal practices in U.S. securities trades.

A.3. When the SEC approved the CAT NMS Plan filed by the SRO 
consortium, it discussed the intended use of CAT data to 
enhance the ability of regulators to surveil the equities and 
options markets, including for market manipulation, insider 
trading and violations of trading rules, among other things. 
Enhanced surveillance with CAT data will, in part, be achieved 
by including more complete and aggregated information about the 
full life cycle of orders and customer-identifying information. 
The SEC noted its belief that enhanced surveillance may reduce 
violative behavior through potential enforcement actions and 
through deterrence if market participants believe violative 
activities are more likely to be detected. In its role as the 
CAT Plan Processor for the SRO consortium, FINRA CAT is 
committed to providing a CAT solution that meets the 
requirements of the CAT NMS Plan and supports the CAT's 
intended regulatory uses.

Q.4. Despite the many benefits of the CAT, as described in your 
written testimony and the testimonies of the other witnesses, 
the securities industry and their lobbying groups have 
repeatedly pushed to delay the implementation of the CAT by 
arguing that collecting large amounts of trading data is unsafe 
due to cybersecurity concerns. \5\ \6\
---------------------------------------------------------------------------
     \5\ The Hill, Opinion, ``The National Security Risk No One Is 
Talking About'', Christopher Iacovella, July 3, 2019, 
https://thehill.com/opinion/cybersecurity/451403-the-national-security-risk-no-one-is-talking-about.
     \6\ SIFMA, ``Beware of CAT'', Randy Snook, November 30, 2017, 
https://www.sifma.org/resources/news/beware-of-cat/.
---------------------------------------------------------------------------
    You state in your written testimony, ``Given the size and 
complexity of the financial markets, the CAT must collect, 
process, and store a vast amount of data to achieve this 
goal.'' \7\
---------------------------------------------------------------------------
     \7\ Written testimony of Shelley Bohlin to the U.S. Senate 
Committee on Banking, Housing, and Urban Affairs, October 22, 2019, 
https://www.banking.senate.gov/imo/media/doc/Bohlin%20Testimony%2010-22-192.pdf.
---------------------------------------------------------------------------
    Please explain in detail why the CAT must collect and 
maintain significant amounts of data on the entire life cycle 
of securities orders.

A.4. The SEC-approved CAT NMS Plan includes discussion of the 
surveillance and oversight benefits intended by Plan 
requirements to track the entire life cycle of orders from 
origination through routing, cancellation, modification, or 
execution. This necessarily requires that the CAT collect and 
maintain significant amounts of data. As the SEC noted in its 
order adopting Rule 613, in analyzing the events of May 6, 
2010, SEC staff were only able to create a comprehensive view 
of the order books by acquiring, processing, and aggregating 
four distinct data sets that each contained a subset of order 
book information from each of the four exchanges that could 
provide such information: Nasdaq ModelView, NYSE Openbook 
Ultra, NYSE ARCABook, and BATS Exchange (citing to the final 
joint report issued by the staffs of the CFTC and the SEC on 
September 30, 2010). The SEC further noted that this required 
the processing of an enormous volume of data. Since FINRA CAT 
assumed the role of the CAT Plan Processor and began work on a 
solution for the first scheduled phase of the CAT--the 
collection and processing of order and trade data from the 
equities and options exchanges and FINRA--it has used scalable 
technology to process, on average, over 100 billion market 
records a day.

Q.5. Please explain why the lack of this data would render the 
CAT insufficient to protect the markets from disruptions, such 
as the May 2010 Flash Crash.

A.5. If CAT does not contain order life cycles, the stated 
objectives of CAT will not be achieved--better market 
reconstruction, enhanced policymaking, and more robust 
surveillance, among other things. All of these objectives, 
which will be enhanced by the CAT, may contribute to better 
market features and rules that could further minimize the risk 
of another flash crash-type event, but the CAT itself will not 
halt or prevent market activity. The SEC-approved CAT NMS Plan 
includes a number of requirements to promote the complete, 
accurate and timely consolidation of audit trail information to 
serve these uses. In turn, the CAT is designed to better inform 
policy decisions and generally improve oversight of the 
securities markets. In its role as the CAT Plan Processor for 
the SRO consortium, FINRA CAT is committed to providing a CAT 
solution that meets the requirements of the CAT NMS Plan and 
supports the CAT's intended regulatory uses.

Q.6. A July 2019 op-ed from the head of the securities 
industry's lobbying organization argued that, ``The SEC has 
been hacked before, and it knows the CAT will put the 
[personally identifiable information (PII)] of millions of 
American investors at risk.'' \8\ The consortium in place to 
create and implement the CAT, however, recently published a 
presentation with details regarding ongoing cybersecurity 
protections. \9\
---------------------------------------------------------------------------
     \8\ The Hill, Opinion, ``The National Security Risk No One Is 
Talking About'', Christopher Iacovella, July 3, 2019, https://
thehill.com/opinion/cybersecurity/451403-the-national-security-risk-no-
one-is-talking-about.
     \9\ CAT NMS Plan, ``CAT Security Overview: Safeguarding Data 
Reported to CAT'', Accessed October 25, 2019, https://
www.catnmsplan.com/wp-content/uploads/2019/08/FINRA-CAT-Security-
Approach-Overview20190828.pdf.
---------------------------------------------------------------------------
    Please explain in detail how the CAT would protect 
sensitive personal data from data breaches or other 
cybervulnerabilities. Please also explain how the consortium 
creating and implementing the CAT would be held accountable for 
cybervulnerabilities.

A.6. The security of PII, and of all CAT data more broadly, is 
of the utmost priority to FINRA CAT. FINRA CAT has put in place 
a robust data security program to meet the CAT NMS Plan's 
requirements. This program is defined in an extensive System 
Security Plan built in accordance with the NIST SP800 series 
Special Publication with security controls specifically defined 
in accordance with NIST SP800-53. While not public for security 
reasons, this SSP is evaluated by an expert independent third-
party as an integral part of an annual Independent Verification 
and Validation (IV&V) assessment that verifies that security 
controls are well defined and effectively implemented. The SSP 
includes incident response and breach management controls. As 
the SRO consortium recently discussed in a presentation to the 
industry, the FINRA CAT security program includes significant 
layers of architectural-level security controls and program-
level security controls. Examples of architectural controls 
include secure private-line-only infrastructure for connecting 
to the CAT regulatory interfaces (designed without an Internet 
interface) and architectural separation between transaction 
data and PII. Examples of program controls include a full suite 
of information security policies, procedures and standards, an 
extensive cybersecurity program staffed by highly qualified 
cybersecurity personnel that is integrated into the full 
development and operations life cycle of FINRA CAT, and 
regularly scheduled independent third-party system penetration 
testing, code reviews, and security control validation. FINRA 
CAT also is cognizant that its cybersecurity framework must not 
be static; it must evolve as more effective cybersecurity 
techniques and practices emerge.
    FINRA CAT has notification processes in the event of 
unauthorized access to CAT Data, but those vary depending on 
the facts and circumstances of any breach/intrusion. If FINRA 
CAT becomes aware of actual (or potential) unauthorized access 
to CAT Data, we, working with the SRO consortium, will take all 
reasonable steps to investigate the incident, mitigate any 
technical vulnerabilities identified from unauthorized access 
to protect the integrity of the CAT system. We also will work 
with the SRO consortium to report unauthorized access to law 
enforcement, the SEC and other authorities and to notify 
customers as required or as the consortium deems appropriate. 
As an ``SCI Entity,'' FINRA CAT is subject directly to the 
SEC's jurisdiction, including Regulation Systems Compliance and 
Integrity (Reg SCI). FINRA CAT's status as an SCI Entity 
ensures direct accountability, including cyber incident 
reporting requirements to the SEC, as well as important issues 
like system security, integrity, capacity, and business 
continuity.

Q.7. Please explain how Federal regulators will be able to 
quickly and effectively detect and respond to malicious 
cyberactivity targeting the CAT. Please also explain how 
Federal regulators and the consortium would test and maintain 
the CAT's cybersecurity mechanisms.

A.7. The FINRA CAT System Security Plan includes controls for 
detecting and responding to malicious activity, including 
monitoring controls at multiple system layers (e.g., data 
storage, application front end) designed to detect access and 
usage anomalies. This includes the use of behavioral analytics 
designed to recognize normal and abnormal access patterns. All 
access to CAT Data is logged, in accordance with the Plan and 
subject to this monitoring. Should any such anomalies be 
detected, they will be handled in accordance with the published 
Information Security Incident Response Plan, which includes 
notification of appropriate regulatory bodies, including the 
SEC in accordance with Reg SCI.
    With respect to testing and maintaining the CAT's 
cybersecurity mechanisms, as required by the Plan, FINRA CAT 
subjects itself to the following regular independent third-
party assessments:

    Third-party security penetration testing and code 
        security assessments. These third-party assessments are 
        performed in addition to a robust suite of internal 
        security testing that is performed by highly qualified 
        security staff of the Plan Processor and embedded into 
        the system development life cycle.

    An independent validation and verification (IV&V) 
        of the controls defined in the System Security Plan 
        (SSP). The SSP encompasses the hundreds of security 
        controls defined by NIST SP800-53. The design and 
        effective implementation of these controls is 
        independently validated by the IV&V. This is the same 
        set of security controls and independent validation 
        process required for Federal Systems under the Federal 
        Information Security Management Act.

    Material security deficiencies identified by these 
        testing processes are presented to the consortium's 
        Operating Committee when it considers whether to grant 
        an Authorization To Operate (ATO) for each release. Any 
        security deficiencies identified by these testing 
        processes are presented to the consortium's Operating 
        Committee as part of the package of information it 
        considers in granting an Authorization To Operate (ATO) 
        for each release.
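The monitoring A.7 describes (every access to CAT Data logged, behavioral analytics distinguishing normal from abnormal access patterns, restricted access to the separate PII subsystem mentioned in A.6) can be illustrated with a small log-triage routine. The following is an added example written for this page; it is not FINRA CAT code and does not reflect the actual CAT log format or controls. The key=value log format, the user names, the PII_AUTHORIZED list, the business-hours window and the volume thresholds are all constructed assumptions.

```python
"""Access-log anomaly triage modelled on the controls described in A.7.
Constructed example for illustration; not FINRA CAT code."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timezone
from statistics import median
from typing import Dict, List

# Constructed sample lines in a hypothetical key=value format (not a real CAT log).
SAMPLE_LOG = """\
2019-10-22T09:15:02Z user=analyst01 subsystem=transaction rows=1200 action=query
2019-10-22T10:03:44Z user=analyst01 subsystem=transaction rows=950 action=query
2019-10-22T14:20:09Z user=analyst01 subsystem=transaction rows=1100 action=query
2019-10-22T11:30:00Z user=analyst02 subsystem=transaction rows=400 action=query
2019-10-22T11:45:31Z user=analyst02 subsystem=pii rows=3 action=query
2019-10-22T23:41:10Z user=analyst03 subsystem=pii rows=2 action=query
2019-10-23T02:12:00Z user=analyst01 subsystem=transaction rows=48000000 action=export
"""

# Hypothetical authorisation list: only these users may query the PII subsystem.
PII_AUTHORIZED = {"analyst02"}
BUSINESS_HOURS = (7, 20)   # UTC hours treated as normal for interactive access (assumed)
VOLUME_MULTIPLIER = 10     # rows must exceed 10x the user's own median to be flagged
VOLUME_FLOOR = 10_000      # and exceed this absolute floor, so tiny baselines do not alert


@dataclass(frozen=True)
class AccessEvent:
    ts: datetime
    user: str
    subsystem: str
    rows: int
    action: str


@dataclass(frozen=True)
class Finding:
    user: str
    rule: str
    detail: str


def parse_log(text: str) -> List[AccessEvent]:
    """Parse the constructed key=value format into events; blank lines are skipped."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts_str, *pairs = line.split()
        kv = dict(p.split("=", 1) for p in pairs)
        ts = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(AccessEvent(ts, kv["user"], kv["subsystem"], int(kv["rows"]), kv["action"]))
    return events


def per_user_baseline(events: List[AccessEvent]) -> Dict[str, float]:
    """Median rows returned per user; the median is not dragged up by one bulk export."""
    rows_by_user = defaultdict(list)
    for e in events:
        rows_by_user[e.user].append(e.rows)
    return {u: median(r) for u, r in rows_by_user.items()}


def detect_anomalies(events: List[AccessEvent]) -> List[Finding]:
    """Three rules: PII access outside the authorised set, off-hours access,
    and a result volume far above the user's own baseline (bulk-download pattern)."""
    baseline = per_user_baseline(events)
    findings = []
    for e in events:
        if e.subsystem == "pii" and e.user not in PII_AUTHORIZED:
            findings.append(Finding(e.user, "pii_access_unauthorized", e.ts.isoformat()))
        if not (BUSINESS_HOURS[0] <= e.ts.hour < BUSINESS_HOURS[1]):
            findings.append(Finding(e.user, "off_hours_access", e.ts.isoformat()))
        if e.rows > VOLUME_FLOOR and e.rows > VOLUME_MULTIPLIER * baseline[e.user]:
            findings.append(Finding(e.user, "volume_anomaly",
                                    f"{e.rows} rows vs median {baseline[e.user]:.0f}"))
    return findings


def findings_by_rule(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per rule, the shape an incident-response queue would be fed."""
    counts: Dict[str, int] = defaultdict(int)
    for f in findings:
        counts[f.rule] += 1
    return dict(counts)


if __name__ == "__main__":
    for f in detect_anomalies(parse_log(SAMPLE_LOG)):
        print(f"{f.rule:24} {f.user:10} {f.detail}")
```

On the constructed sample, the script raises four findings: one unauthorised PII query, two off-hours accesses, and one volume anomaly for the overnight export whose row count is orders of magnitude above that user's median. The per-user median baseline is a deliberately simple stand-in for the behavioral analytics A.7 mentions; a production system would learn baselines over a history window rather than from the same events it scores.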
                                ------                                


               RESPONSES TO WRITTEN QUESTIONS OF
            SENATOR CORTEZ MASTO FROM SHELLY BOHLIN

Q.1. Will the CAT help regulators, such as FINRA, SEC, FBI, and 
the Department of Justice, catch short selling, spoofing, fake 
trades, and wire fraud more quickly?

A.1. When the SEC approved the CAT NMS Plan filed by the SRO 
consortium, it discussed the intended use of CAT data to 
enhance the regulators' ability to surveil for market 
manipulation, such as spoofing and other violations of trading 
rules, which include rules concerning short sales. In its role 
as the CAT Plan Processor for the consortium of self-regulatory 
organizations responsible for managing the CAT (known as CAT 
Plan Participants or the SRO consortium), FINRA CAT is 
committed to providing a CAT solution that meets the 
requirements of the CAT NMS Plan and supports the CAT's 
intended regulatory uses.

Q.2. Could the CAT system help investigate who is making a 
billion-dollar profit in trades made right before the Trump 
administration makes a market-moving announcement?

A.2. One of the intended uses of the CAT discussed by the SEC 
and the SRO consortium is the enhanced ability to identify 
customers who originate orders. In its role as the CAT Plan 
Processor for the SRO consortium, FINRA CAT is committed to 
providing a CAT solution that meets the requirements of the CAT 
NMS Plan and supports the CAT's intended regulatory uses.

Q.3. Will the CAT be able to help exchanges and regulators know 
if brokers are being ``unduly influenced by fees and rebates'' 
rather than the best execution outcome for investors?

A.3. When the SEC approved the CAT NMS Plan, it noted its 
belief that the Plan would facilitate enforcement of best 
execution. In addition, when the SEC adopted its Transaction 
Fee Pilot to study the effects that exchange transaction fee-
and-rebate pricing models may have on order routing behavior, 
execution quality and market quality, it discussed the 
potential for CAT data to be used to support the study. In its 
role as the CAT Plan Processor for the SRO consortium, FINRA 
CAT is committed to providing a CAT solution that meets the 
requirements of the CAT NMS Plan and supports the CAT's 
intended regulatory uses.

Q.4. Will the CAT help exchanges and regulators know if brokers 
are routing the trading interests of mutual funds, pensions, 
and endowments in a way that results in information leakage?

A.4. When the SEC approved the CAT NMS Plan, it noted its 
belief that the Plan would facilitate enforcement of trading 
rules. For example, the SEC-approved CAT NMS Plan is intended 
to enhance regulators' ability to track the entire life cycle 
of orders from origination through routing, cancellation, 
modification, or execution. In its role as the CAT Plan 
Processor for the SRO consortium, FINRA CAT is committed to 
providing a CAT solution that meets the requirements of the CAT 
NMS Plan and supports the CAT's intended regulatory uses.

Q.5. Will the CAT help exchanges and regulators identify 
sophisticated market participants who use multiple brokers and 
market centers to engage in disruptive trading?

A.5. When the SEC approved the CAT NMS Plan filed by the SRO 
consortium, it discussed the intended use of CAT data to 
enhance the regulators' ability to surveil for market 
manipulation, including by conducting surveillance across 
market centers and identifying activity originating from 
multiple market participants. In its role as the CAT Plan 
Processor for the SRO consortium, FINRA CAT is committed to 
providing a CAT solution that meets the requirements of the CAT 
NMS Plan and supports the CAT's intended regulatory uses.

Q.6. We have had a lot of discussion about how difficult it is 
to identify the beneficial owners of firms. This secrecy can 
lead to criminal activities. For example, Mr. Navinder Singh 
Sarao (the individual who initiated the 2010 flash crash) was 
not registered as a broker in the U.S. He used four firms to 
place his trades.
    Would CAT be able to find him or just his brokers?

A.6. The SEC adopted Rule 613 in the wake of the 2010 flash 
crash to require the CAT to be created. The SEC explained at 
the time that the purpose of the CAT is to create a 
comprehensive consolidated audit trail that allows regulators 
to efficiently and accurately track all activity in listed and 
unlisted equity securities and listed options throughout the 
U.S. markets to facilitate comprehensive market 
reconstructions, more robust market surveillance, and better 
analytics to support policymaking.
    Any broker-dealer that is a member of a national securities 
exchange or FINRA and receives and/or handles orders in NMS 
Securities, which includes NMS stocks and Listed Options, and/
or unlisted OTC Equity Securities--regardless of whether they 
operate in a foreign country--must report to CAT and satisfy 
clock synchronization requirements. If a non-U.S. broker-dealer 
routes an order to a U.S. broker-dealer, the receiving U.S. 
broker-dealer is required to report the receipt of an order 
from a non-U.S. broker-dealer in the same way as it would 
report the receipt of an order from a Customer. Specifically, 
the receiving U.S. broker-dealer would report the receipt of 
this order as the original receipt of the order from the non-
U.S. broker-dealer, and the receiving U.S. broker-dealer also 
would report the Firm Designated ID for the non-U.S. broker-
dealer. The U.S. broker-dealer would not report the ultimate 
customer of the non-U.S. broker-dealer. However, CAT Plan 
Participants and other regulators like the SEC could request 
the identification of the ultimate customer at the non-U.S. 
broker-dealer from the U.S. broker-dealer, and if necessary may 
be able to request the information from foreign regulators.

Q.7. The system is only as good as the exchanges who report 
concerns and ownership. How will you ensure that exchanges 
fully comply with reporting?

A.7. FINRA CAT is required by the CAT NMS Plan to develop and 
implement a comprehensive compliance program to monitor CAT 
Reporters' adherence to SEC Rule 613. The CAT Plan Processor 
must produce and provide reports to the SROs and the SEC 
containing performance and comparison statistics, as needed, on 
each CAT Reporter's compliance thresholds so that the 
Participants or the SEC may take appropriate action if a 
Participant fails to comply with its CAT reporting obligations.

Q.8. What are your views on including futures data and over-
the-counter equities in CAT?

A.8. While futures data could aid regulators in cross-market 
surveillance, the current plans for the consolidated audit 
trail (CAT) do not include this information. As a practical 
matter, while FINRA CAT has the systems capability, knowledge, 
and expertise to build out a system that could incorporate 
futures data, any work towards that end would necessarily only 
follow the legal and policy decisions made by Federal 
regulators, including the CFTC and the SEC. The current CAT NMS 
Plan already requires the reporting of over-the-counter 
equities to CAT.

Q.9. What are your views on including initial public offering 
data, clearing data, and other data into the CAT database?

A.9. FINRA CAT has the knowledge and expertise to build a 
system that can gather other forms of data, but those are 
policy decisions that would need to be made by others, 
including the SEC and the SRO consortium. Currently, clearing 
and IPO data is not within the scope of SEC Rule 613 or the CAT 
NMS Plan. However, the SRO consortium filed a public written 
assessment with the SEC concerning an expansion of the CAT to 
include certain additional data, including information on 
primary market transactions. You can find more information 
about this issue at the following link: https://
www.catnmsplan.com/wp-content/uploads/2017/06/Expansion-Report-
Final-5.15.17.pdf.

Q.10. How are the CAT Advisory Committee and Operating Committee 
ensuring that CAT will remain technologically robust and 
modern?

A.10. Pursuant to the CAT NMS Plan, the CCO's annual 
assessment, which is provided to the SEC and the CAT NMS Plan 
Operating Committee, must include ``an evaluation of potential 
technology upgrades based on a review of technological 
advancements over the preceding year, drawing on technological 
expertise whether internal or external.'' For example, as cloud 
technology evolves and advances, CAT will adapt accordingly. In 
addition, the Plan Participants, with their own wealth of 
technological expertise, are actively involved with making sure 
that CAT remains technologically robust and modern. In 
addition, unless a matter is discussed in executive session, 
the Advisory Committee has an opportunity to comment on or ask 
questions about relevant topics during Operating Committee 
meetings, including the technology used to support the CAT.

Q.11. Assuming CAT is implemented in the next 3 years, what are 
the upgrades that will need to take place to ensure CAT does 
not fall behind the industry best practices?

A.11. FINRA CAT will continue to work with the industry and 
other stakeholders to not only maintain state-of-the-art 
technology and data security practices, but it will strive to 
lead the industry and anticipate technological needs and 
improvements. We will evolve as technology evolves. The 
complexity of CAT requires deep technological expertise, 
sophisticated and proactively evolving security, and close 
coordination with all stakeholders. As an ``SCI Entity,'' FINRA 
CAT is subject directly to the SEC's jurisdiction, including 
compliance with Regulation Systems Compliance and Integrity 
(Reg SCI). FINRA CAT's status as an SCI Entity ensures direct 
accountability to the SEC--for important issues like system 
security, integrity, capacity, and business continuity. We have 
built out a dedicated FINRA CAT operations staff led by me and 
a Chief Technology Officer. We also hired, with the approval of 
the SRO consortium, a Chief Information Security Officer (CISO) 
and a Chief Compliance Officer (CCO). These officers are 
responsible, respectively, for FINRA CAT's information 
technology security and governance and regulatory compliance 
programs.
                                ------                                


        RESPONSES TO WRITTEN QUESTIONS OF SENATOR SINEMA
                       FROM SHELLY BOHLIN

Q.1. Upon full implementation, the Consolidated Audit Trail 
(CAT) system will be an unprecedented database, collecting 58 
billion records and maintaining data on over 100 million 
institutional and retail accounts on a daily basis. The CAT, 
and all the unique customer data it holds, will also be 
accessible to thousands of users. Therefore, while the CAT has 
the potential to offer important oversight, it will also be a 
prime target for cyberhacks. Under current CAT requirements, 
what kind of personal information would be accessible to system 
users? Is this information already being collected by other 
audit trail systems?

A.1. Under the current CAT NMS Plan, industry members will be 
required to report certain customer identifying information, 
including account numbers and some personally identifying 
information, or PII. The consortium of self-regulatory 
organizations responsible for managing the CAT (known as CAT 
Plan Participants or the SRO consortium) has filed requests 
with the SEC to limit the Plan's PII collection requirements. 
Specifically, under the SRO consortium's requests, the CAT 
would not receive and store individuals' account numbers, 
social security numbers or dates of birth. FINRA CAT notes that 
any PII stored in the CAT is subject to heightened security 
controls, such as architectural separation in a separate PII 
subsystem with restricted user access. When the SEC approved 
the CAT NMS Plan, it discussed the extent to which customer-
identifying information is included in existing audit trail 
systems such as Electronic Blue Sheets.

Q.2. The Securities and Exchange Commission has been advised 
that the CAT system should not collect Social Security numbers, 
account numbers, and full dates of birth. Can regulators 
properly conduct market analysis, investigations, and 
enforcement if these pieces of information are not collected by 
the CAT?

A.2. FINRA CAT recognizes the ongoing policy discussions 
related to the necessity of specific elements of customer-
identifying information for the success of the CAT, which are 
ultimately matters the SRO consortium and the SEC must 
determine. FINRA CAT is committed to providing a CAT solution 
that supports the regulators' decision making on this issue.
                                ------                                


        RESPONSES TO WRITTEN QUESTIONS OF SENATOR SASSE
                       FROM JUDY MCDONALD

Q.1. Would the Commission consider setting up a test bed and 
proving to the Banking Committee Members that the ``SSN's would 
be secure''?

A.1. Provided the October 16, 2019, Request for Exemptive 
Relief is accepted, SSNs will not be stored in the CAT Customer 
and Account Information data repository. \1\ The only PII which 
will be stored will be ``phone book'' type data: name, address, 
year of birth, masked account number, account type, and the 
individual's role in the account. I encourage the Banking 
Committee to request to review the results of the third party 
security reviews including the (1) Independent Verification and 
Validation and (2) Penetration Testing results which should 
provide reasonable assurances about the security of all PII 
data.
---------------------------------------------------------------------------
     \1\ https://www.catnmsplan.com/wp-content/uploads/2019/10/CCID-
and-PII-Exemptive-Request-Oct-16-2019.pdf
---------------------------------------------------------------------------
                                ------                                


       RESPONSES TO WRITTEN QUESTIONS OF SENATOR KENNEDY
                       FROM JUDY MCDONALD

Q.1. I am concerned the CAT is a likely target for those who 
wish to manipulate U.S. markets--are you confident the CAT 
system and data included within will be adequately protected 
from these threats?

A.1. No, the AC shares your concerns with the vulnerability of 
CAT data. Although FINRA CAT has very good security in the 
FINRA CAT environment and has not only met the ``gold 
standard'' of NIST SP800-53 but has exceeded this standard by 
encrypting data at-rest and in-transit, establishing 
independent third party verification and validation, 
establishing independent penetration testing as well as 
monitoring every query and command with behavioral-based 
analysis for alerting. There is also considerable oversight of 
these security efforts.
    However, some significant concerns exist, specifically:
    1. The bulk downloading of CAT data by 23 different 
exchanges plus the SEC. Currently, each of the securities 
regulators has unfettered access to bulk download CAT data. 
Although the SROs have always had to satisfy security 
requirements, the AC has no insight into their security 
programs and does not know if they meet the same standards or 
practices as FINRA CAT, which is especially concerning in light 
of the increased value of the CAT data and the increased 
likelihood of compromise.
    2. There will be up to 3,000 CAT individual users 
(individual users) made up of (presumably) regulatory staff and 
academics, which once again multiplies the risk of compromise. 
\1\ These users may download CAT data to their respective PCs 
without limitation. While oversight is required, the AC has no 
insight into the criteria, quality, or frequency of that 
oversight; nor does the AC have an understanding of the 
protocols that would preclude any of the individual users from 
misappropriating the CAT data. Likewise, the AC has no insight 
into any protections of these entities from computer hacks or 
other cyber threats, and ergo has no basis for confidence in 
their security protocols. Additionally, the only review SROs 
undergo prior to enabling their employees' access to the CAT 
data is a security policy review by the FINRA CAT CISO. \2\ The 
AC is concerned that even if the security policy is well 
written, it does not provide assurance with respect to actual 
implementation.
---------------------------------------------------------------------------
     \1\ The CAT Plan does not limit access to regulatory staff, but 
rather limits access to ``regulatory purposes'', which is an undefined 
term. Accordingly, it is uncertain how each exchange may interpret the 
scope of this limitation and therefore what personnel may have access.
     \2\ The individual employees must sign a ``Safeguard of 
Information'' Affidavit; however, this is independent of any SRO 
requirement.
---------------------------------------------------------------------------
    3. Unlimited access of cross-market data. Historically, the 
exchanges have always had access to the data in their own 
markets and limited access to activities in other markets; 
however, CAT will supply easy and very broad access to all 
exchange and broker-dealer data at all times.
    4. The CAT Reporter Agreement. Broker-dealers must sign the 
CAT Reporter Agreement in order to access the CAT to report 
transactions. This agreement contains provisions including 
limiting the financial liability of CAT to $500 and maintaining 
regulatory immunity for data breaches.
    In light of these issues, two of the best ways to 
strengthen data security are to (1) control the use of the data 
as tightly as possible and (2) limit the number of people with 
access to the data. The AC has developed, and continues to 
refine, a number of security recommendations that have been 
shared with the SEC and SROs, including: establishing a secure 
data reviewing environment, limits on bulk downloading, and 
improvements to cross-market data access policies and 
procedures.
                                ------                                


        RESPONSES TO WRITTEN QUESTIONS OF SENATOR WARNER
                       FROM JUDY MCDONALD

Q.1. You've raised concerns with allowing the exchanges to hold 
CAT data. Given that our system currently gives SROs regulatory 
authority, would restricting the exchanges' access to CAT data 
limit the overall ability to identify bad conduct and 
reconstruct market events?

A.1. The AC is concerned about the SROs having access to cross-
market data that is beyond what they would need to meet their 
existing regulatory obligations. These obligations generally 
include monitoring their members' activities, but not for each 
of the 23 SROs to individually undertake cross-market 
surveillance, since that is already covered by FINRA. I believe 
the SROs can very effectively use CAT data to pursue issues and 
alerts that arise in the course of monitoring the activities of 
their members, including access to specific data of interest 
about a member's activities on other exchanges. Targeted access 
to cross-market data, instead of unrestricted access, will 
ensure a more secure and properly used CAT.
    The SEC has the expertise and experience to undertake 
wholesale market reconstruction. The AC is not recommending any 
restrictions on access by the SEC to any of the non-PII data in 
CAT, with the caveat that the number of staff accessing the 
system should be minimized to only those who are in fact 
working on market reconstructions, rule proposals, or specific 
exam/investigations matters, and that the nature of the queries 
should be narrowly scoped to the set of data needed to complete 
the task.

Q.2. What were the causes for implementation delays?

A.2. There are many reasons for the delay in CAT implementation 
from the aggressive initial timeline to those enumerated in the 
SRO's November 13, 2017, Request for Exemptive Relief. \1\
---------------------------------------------------------------------------
     \1\ https://www.sec.gov/comments/4-698/4698-2681993-161486.pdf
---------------------------------------------------------------------------

Q.3. Please describe the background of how Thesys was selected 
as the Plan Processor to build the CAT?

A.3. The selection of Thesys as the Plan Processor predates the 
formation of the AC, so I cannot comment on the background of 
how Thesys was selected as the Plan Processor.

Q.4. What other bidders were short-listed? Why was Thesys 
selected? Which exchanges voted for Thesys?

A.4. The bidding process predates the formation of the AC, so I 
cannot comment on how Thesys was selected.

Q.5. Would you agree that a major part of the delay in the CAT 
implementation occurred from the inability of Thesys to provide 
a viable system after working on it nearly 2 years?

A.5. Yes, there are many reasons for the delay in CAT 
implementation from the aggressive initial timeline to those 
enumerated in the SRO's November 13, 2017, Request for 
Exemptive Relief. \2\ Additional information can be provided by 
other witnesses.
---------------------------------------------------------------------------
     \2\ https://www.sec.gov/comments/4-698/4698-2681993-161486.pdf
---------------------------------------------------------------------------

Q.6. What did other participants propose to replace Thesys 
before they were finally fired earlier this year? Why did the 
exchanges keep them on the contract for as long as they did?
    Were the exchanges in agreement on whether Thesys should be 
retained?

A.6. I have no direct knowledge of these topics.

Q.7. Please describe how a subsidiary of FINRA was selected 
earlier this year to replace Thesys? Was there an open bidding 
process? Were there other bidders?

A.7. I have no direct knowledge of these topics.

Q.8. How was the SEC engaged with CAT NMS as it began 
experiencing significant delays?

A.8. I have no direct knowledge of these interactions.

Q.9. What are SEC current authorities in compelling the 
implementation of CAT?

A.9. I am unaware of any specific authorities.

Q.10. I understand that as a member of the Advisory Committee 
you don't have a vote or seat at the operating committee.
    Are there improvements that you would make to help the 
operating committee run more effectively?

A.10. The CAT NMS Plan underlines the flaws inherent with the 
governance model for NMS Plans. NMS Plans grant SROs sole 
authority as Operating Committee members to design, implement 
and allocate costs without providing industry members any 
representation on a decision-making body. This governance 
structure limits transparency and creates perceived conflicts 
of interest. The industry is limited to the AC which 
participates in general Operating Committee meetings but does 
not meet in executive sessions nor have a vote in any forum. 
Additionally, the AC does not participate in all working 
groups. The AC is not typically included in other meetings or 
prior to the formation of a subcommittee working group. 
Providing Broker-Dealers and Asset Management firms better 
access to contribute their expertise and experience with voting 
rights would lead to better outcomes.

Q.11. Do you think investors are adequately represented as part 
of the governance process?

A.11. No, I think investors are under-represented in the 
governance of this process.
    Under the approved CAT NMS Plan, the AC is comprised of 14 
members including one ``individual who maintains a securities 
account with a registered broker or dealer but who otherwise 
has no material business relationship with a broker or dealer 
or with a participant'' as well as three persons selected to 
``represent a registered investment company.'' These four AC 
members are particularly focused on the interests of the 
investing public.
    Members of the AC represent the industry from various 
perspectives; the AC is united on three common and deep 
concerns--that is, data security, preventing the misuse of 
information, and limiting costs which might be ultimately borne 
by the investing public. Protection of personally identifiable 
information (PII) and transactional data and minimizing costs 
are the primary goals of all members of the AC, not just those 
representing individual investors and investment companies.
    The AC itself is restricted in its power and ability to be 
effective. The AC provides as much input and feedback as the 
current structure and practice allow; however, the AC has no 
voting position on the Operating Committee, is excluded from 
Executive Sessions, and is frequently provided information in 
an untimely manner. Investors would be more fully represented 
if the AC were permitted greater involvement in the governance 
process.

Q.12. Can the SEC appoint or remove members of the operating 
committee? Does the CAT NMS Plan or Rule 613 prohibit the SEC 
from appointing or removing members of the operating committee?

A.12. No, CAT NMS Plan Section 4.2 provides for the composition 
of the operating committee which does not include provisions 
for appointment or removal of members by the SEC.

Q.13. Does Rule 613 prohibit the SEC from appointing 
independent members to the operating committee?

A.13. The CAT NMS Plan does not have any provision that 
provides for the SEC to appoint an independent member of the 
operating committee.

Q.14. What, in your view, can independent members provide to 
the operating committee? Are there benefits?

A.14. The Operating Committee is currently composed solely of 
SRO representatives which are dominated by three large exchange 
``families'' including ICE, Nasdaq, and CBOE. Each of these 
SROs has co-aligned regulatory obligations and financial 
interest in the operation and regulation conducted with CAT 
data. Absent from this committee is any insight from the 
thousands of broker-dealers, market makers, and asset managers 
whose proprietary data will be submitted to CAT, who will be 
subject to the reporting obligations of CAT, and who will in 
time significantly fund the CAT.
                                ------                                


               RESPONSES TO WRITTEN QUESTIONS OF
            SENATOR CORTEZ MASTO FROM JUDY MCDONALD

Q.1. Will the CAT help regulators, such as FINRA, SEC, FBI, and 
the Department of Justice, catch short selling, spoofing, fake 
trades, and wire fraud more quickly?

A.1. CAT data will be used by SEC and self-regulatory 
organizations (SROs) within the definition of Section 3(a)(26) 
of the Exchange Act. The CAT data is intended to be used for 
``surveillance and regulatory purposes,'' a broad term that has 
yet to be defined, and industry participants remain concerned 
that SROs can take an expansive view and use this data for 
quasi-commercial purposes. CAT data should enable regulatory 
personnel to better identify anomalous trading activities 
across multiple markets and accounts. Short selling, of course, 
is not illegal, but CAT should allow regulators to better 
identify manipulative strategies that involve short selling. It 
is unclear if CAT data would help in identifying wire fraud.

Q.2. Could the CAT system help investigate who is making a 
billion-dollar profit in trades made right before the Trump 
administration makes a market-moving announcement?

A.2. CAT data and analysis tools are intended to help 
regulators identify anomalous trading patterns which occur 
prior to an event and assist regulators more quickly to 
identify both the beneficial owners of those trades and persons 
with the authority to trade.

Q.3. Will the CAT be able to help exchanges and regulators know 
if brokers are being ``unduly influenced by fees and rebates'' 
rather than the best execution outcome for investors?

A.3. CAT data and analysis tools provided with CAT should, in 
addition to existing public disclosure of executing and routing 
practices reports which are already required under Rule 605 and 
606 of Regulation NMS, help regulators identify patterns of 
order routing.

Q.4. Will the CAT help exchanges and regulators know if brokers 
are routing the trading interests of mutual funds, pensions, 
and endowments in a way that results in information leakage?

A.4. CAT data and analysis tools are intended to help 
regulators identify order routing patterns which could be 
indicative of information leakage, when combined with other 
information such as financial news.

Q.5. Will the CAT help exchanges and regulators identify 
sophisticated market participants who use multiple brokers and 
market centers to engage in disruptive trading?

A.5. Market participants may use multiple brokers and trade 
across market centers for a number of legitimate reasons; 
however, one of the most significant characteristics that 
differentiates CAT from existing regulatory systems is that CAT 
will enable regulators to identify an individual or entity's 
trading patterns across multiple broker-dealers and market 
centers. All trading activity will be tracked to the individual 
or entity with a common CAT Customer ID(s).

Q.6. We have had a lot of discussion about how difficult it is 
to identify the beneficial owners of firms. This secrecy can 
lead to criminal activities. For example, Mr. Navinder Singh 
Sarao (the individual who initiated the 2010 flash crash) was 
not registered as a broker in the U.S. He used four firms to 
place his trades.
    Would CAT be able to find him or just his brokers?

A.6. The CAT Customer and Account Information combined with the 
CAT Customer ID allows for the identification of the accounts 
of U.S. citizens across broker-dealers and the beneficial 
owners of those accounts. However if the beneficial owner is 
not a U.S. citizen, the account can only be identified to the 
broker-dealer.

Q.7. The system is only as good as the exchanges who report 
concerns and ownership. How will you ensure that exchanges 
fully comply with reporting?

A.7. The SEC and SROs are responsible for ensuring compliance 
with CAT reporting. The Advisory Committee (AC) has no power to 
enforce exchange compliance with reporting and is limited to 
providing comments on policies and procedures which could help 
motivate compliance and detect lack of compliance.

Q.8. What are your views on including futures data and over-
the-counter equities in CAT?

A.8. OTC equities will be included in CAT data. Futures are (1) 
a different asset class, (2) traded with different participants 
and for different reasons than equities and options, and (3) 
regulated by the CFTC rather than the SEC. Including futures in 
CAT would require significant input from not only financial 
services firms with CAT obligations, but also end-users 
including energy producers, agricultural, and other commodities 
participants. While including futures data in CAT would provide 
a more robust picture of some cross-asset class trading such as 
the SPY (the S&P 500 Depository Receipt) vs. S&P 500 e-mini 
contract at the Chicago Mercantile Exchange, a significant 
study of the need for futures data in CAT as well as the 
expected outcome of including futures in CAT should commence 
prior to any further action.

Q.9. What are your views on including initial public offering 
data, clearing data, and other data into the CAT database?

A.9. IPO data would provide regulatory value; however, it would 
be a very expensive effort in light of the current business 
practices related to an IPO which are extremely manual, 
unstructured, and highly variable with each offering. Any 
reporting requirements are likely to change business practices. 
I suggest performing a thorough analysis prior to publishing a 
rule proposal and then taking an iterative approach, starting 
with the very basic reporting requirements and gradually 
increasing if additional information is needed and additional 
value is anticipated. Many of these ideas are more fully 
expressed in the October 28, 2019, Financial Information Forum 
comment letter. \1\
---------------------------------------------------------------------------
     \1\ https://fif.com/comment-letters
---------------------------------------------------------------------------
    Clearing data will have little regulatory value for CAT 
once allocation reporting into CAT is complete in April 2021 
for equities and December 2021 for options. CAT data will 
provide regulators with access to account information including 
the account owner of the order when it was placed, the 
beneficial owner of where the equities or options are held, 
fill reports, and final allocation instructions.

Q.10. How is CAT Advisory Committee and Operating Committee 
ensuring that CAT will remain technologically robust and 
modern?

A.10. The AC is very active and provides extensive technical 
feedback at the level of standards, procedures and practices 
and insight based on the experiences of the respective firms; 
however, the AC is limited in that it can only offer comments, 
opinions, and suggestions and thus far, has not been consulted 
on technology specifics such as architecture, tools, or 
specific technical approaches.

Q.11. Assuming CAT is implemented in the next 3 years, what are 
the upgrades that will need to take place to ensure CAT does 
not fall behind the industry best practices?

A.11. The AC anticipates working with CAT LLC and the SROs to 
ensure that CAT maintains industry best practices as it relates 
to (1) data security including adherence to industry standards, 
(2) experimentation and utilization of emerging technology, and 
(3) capacity and performance planning.
                                ------                                


        RESPONSES TO WRITTEN QUESTIONS OF SENATOR SINEMA
                       FROM JUDY MCDONALD

Q.1. Upon full implementation, the Consolidated Audit Trail 
(CAT) system will be an unprecedented database, collecting 58 
billion records and maintaining data on over 100 million 
institutional and retail accounts on a daily basis. The CAT, 
and all the unique customer data it holds, will also be 
accessible to thousands of users. Therefore, while the CAT has 
the potential to offer important oversight, it will also be a 
prime target for cyberhacks. Under current CAT requirements, 
what kind of personal information would be accessible to system 
users? Is this information already being collected by other 
audit trail systems?

A.1. Provided the October 16, 2019, Request for Exemptive 
Relief is accepted, SSNs will not be stored in the CAT Customer 
and Account Information data repository. \1\ The only PII which 
will be stored will be ``phone book'' type data: name, address, 
year of birth, masked account number, account type, and the 
individual's role in the account. Currently this information 
can only be obtained on an ad hoc basis through the use of the 
Electronic Blue Sheet System.
---------------------------------------------------------------------------
     \1\ https://www.catnmsplan.com/wp-content/uploads/2019/10/CCID-
and-PII-Exemptive-Request-Oct-16-2019.pdf
---------------------------------------------------------------------------
    In addition to PII, the CAT will also expose the valuable 
intellectual property of individual investors and trading firms 
by assembling in one place the details of all trading activity 
which were previously stored in disparate locations; this data 
could be exploited by a bad actor.

Q.2. The Securities and Exchange Commission has been advised 
that the CAT system should not collect Social Security numbers, 
account numbers, and full dates of birth. Can regulators 
properly conduct market analysis, investigations, and 
enforcement if these pieces of information are not collected by 
the CAT?

A.2. Yes, through the use of the CAT Customer Identifier and 
the Customer and Account Information data repository, the 
regulators should be able to conduct market analysis, 
investigations, and enforcement. This is the primary goal of 
the approach which underlies the Exemptive relief request. This 
approach has been broadly supported in an informal nature by 
industry members and regulators and was a result of many months 
of collaboration amongst regulators and industry members.
                                ------                                


        RESPONSES TO WRITTEN QUESTIONS OF CHAIRMAN CRAPO
                     FROM MICHAEL J. SIMON

Q.1. Early estimates were that the creation of a ``real-time'' CAT 
would cost $4 billion to launch and have ongoing maintenance 
costs of $2.1 billion. What are the current cost estimates for 
initial launch costs and what are the cost estimates for 
ongoing maintenance for the ``next-day'' CAT approach?

A.1. The Consolidated Audit Trail, LLC (CAT LLC) \1\ operates 
pursuant to a budget that the Operating Committee approves on a 
quarterly basis. Based on the most recent CAT LLC budget, the 
current annualized cost for building and operating the CAT is 
approximately $60 million for calendar year 2019. The budget 
does not distinguish between build and operating costs. While 
the 2020 CAT LLC budget is under development, current estimates 
are that the annualized costs will be between $60 and $75 
million.
---------------------------------------------------------------------------
     \1\ Note, CAT NMS, LLC is the predecessor to CAT LLC.
---------------------------------------------------------------------------
    Under current budgetary projections, the FINRA CAT build 
costs will peak next year, and then decrease over the next few 
years as FINRA CAT finishes the build. On the other hand, the 
FINRA CAT costs to operate the CAT will increase substantially 
in the coming years, particularly beginning in 2021 as we 
approach full CAT functionality. We also expect legal and 
consulting costs to decrease as the CAT moves from development 
to operation. The bottom line is that the total cost to operate 
the CAT is uncertain, but unlikely to increase above $75 
million annually in the near future.
    There are a number of assumptions and qualifications to 
these projections. First, these are the costs solely borne by 
CAT LLC regarding the build and operation of the CAT. Thus, 
these costs do not include the costs to the Participants and 
the industry members to prepare for, and comply with, CAT 
requirements. Second, a number of FINRA CAT costs are variable. 
Those include the costs of cloud hosting and the customer/
account database. Thus, any estimates of such costs at this 
time are somewhat speculative. Finally, FINRA CAT costs could 
change based on changes to the current design and operation of 
the CAT system, effectuated through the change request process. 
Any such change request could add additional costs both to the 
development of the CAT and the ongoing costs of operating the 
CAT.

Q.2. As the CAT is currently designed, more than 20 SROs and 
the SEC would be allowed to download bulk data from CAT into 
their systems. In such an arrangement, there is a grave 
increase in the likelihood that sensitive information stored in 
CAT will be compromised.
    Can you explain why the transmission and downloading of 
bulk data is currently allowed under the plan? Would a 
limitation on downloading of bulk data affect the regulatory 
function of the CAT?

A.2. SEC Rule 613 requires that the Participants address data 
extraction in the CAT NMS Plan. \2\ Pursuant to this 
requirement, the CAT NMS Plan filed with and approved by the 
Commission describes the methods by which Participants may 
extract data from the CAT system, including via user-defined 
direct queries and bulk extracts. \3\ Importantly, the CAT NMS 
Plan permits the bulk extract of transaction data only; 
Customer Account Information, Customer Identifying Information 
and other personally identifiable information (PII) (as defined 
in the Plan) may not be subject to bulk extraction. In 
addition, Rule 613 and the CAT NMS Plan both require that 
Participants develop and implement surveillance systems, or 
enhance their existing surveillance systems, to make use of CAT 
Data. \4\ As discussed in the Commission's order approving the 
CAT NMS Plan, the Participants ``believe that permitting 
regulators to download/order transaction data from the Central 
Repository for regulatory use (i.e., ``bulk data extracts'') is 
important for their regulatory purposes, and that eliminating 
or limiting bulk data extracts of transaction data from the CAT 
may significantly and adversely impact the Participants' 
ability to effectively conduct surveillance of their markets 
using CAT Data.'' \5\
---------------------------------------------------------------------------
     \2\ See Regulation NMS, 17 CFR 242.613(a)(1)(i), (iii) (2019).
     \3\ See National Market System Plan Governing the Consolidated 
Audit Trail, Section 6.10(c)(i)(B) available at https://
www.catnmsplan.com/wp-content/uploads/2019/09/CAT-2.0-Consolidated-
Audit-Trail-LLC%20Plan-Executed-(175745081)-(1).pdf [hereinafter the 
``CAT NMS Plan'']. See also id. at Appendix D, Section 8.2.2 (``The 
Central Repository must provide for direct queries, bulk extraction, 
and download of data for all regulatory users. Both the user-defined 
direct queries and bulk extracts will be used by regulators to deliver 
large sets of data that can then be used in internal surveillance or 
market analysis applications.'').
     \4\ See Regulation NMS, 17 CFR 242.613(f) (2019); and CAT NMS 
Plan, supra note 3 at Appendix D, Section 6.10(a).
     \5\ See Joint Industry Plan; Order approving the National Market 
System Plan Governing the Consolidated Audit Trail, Exchange Act 
Release No. 79318 (Nov. 15, 2016), 81 FR 84696, 84757 (Nov. 23, 2016) 
[hereinafter, ``Plan Adopting Release''].
---------------------------------------------------------------------------
    The Participants are focused on the security of CAT Data, 
including with respect to bulk extracts. Access to CAT Data, 
via bulk extract or otherwise, will be subject to the CAT 
security protocols. For instance, only authorized regulatory 
users with appropriate permissions will be able to access and 
extract CAT Data, and all CAT Data returned shall be encrypted. 
\6\ Additionally, the CAT system requires multifactor 
authentication for regulatory use of the query tools, 
mitigating insider risk at the regulators, as well as for 
access to the Industry Member reporter portal. \7\
---------------------------------------------------------------------------
     \6\ CAT NMS Plan, supra note 3 at Section 6.10(c)(ii).
     \7\ See id. at Appendix D, Section 4.1.4.
---------------------------------------------------------------------------
    Access and the ability to extract PII are subject to 
additional safeguards. All PII collected by the CAT must be 
stored separately from transaction data and will not be 
eligible for bulk extract. \8\ Regulatory users must have 
special entitlements (beyond entitlements to transactional CAT 
Data) to access PII data. \9\
---------------------------------------------------------------------------
     \8\ See id. at Appendix D, Section 4.1.6.
     \9\ See id.
---------------------------------------------------------------------------
    Additionally, to balance security considerations and 
potential risks related to the bulk extraction of CAT Data, CAT 
LLC authorized FINRA CAT to develop and implement a secure 
analytics workspace (SAW), which the Participants and the SEC 
may use to analyze CAT Data and run their surveillance 
protocols. Development of the SAW is underway, and 
implementation is expected in the fall of 2020. Until SAW is 
operational, the Participants' use of CAT Data must necessarily 
take place outside of the SAW. Temporary and persistent copies 
of CAT Data may exist in an Amazon Web Services (AWS) 
environment protected by security controls, policies, and 
practices consistent with the CAT system itself. Small subsets 
of CAT Data may be extracted in support of regulatory and 
surveillance activities.
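    The access model described in this answer (transaction data and 
PII kept in separate stores, bulk extract available for transaction 
data only, multifactor authentication before the query tools, and an 
entitlement beyond transaction access before any PII lookup) can be 
sketched as a small least-privilege policy. The following is an added 
illustration in Python, not code from CAT LLC, FINRA CAT or the CAT 
NMS Plan; the entitlement names (txn:query, txn:bulk, pii:lookup), the 
CCID values, the sample records, the audit log and the three users 
are all constructed for the example, and the encryption of returned 
data that the Plan requires is not modelled here.

```python
"""Illustrative least-privilege model of the CAT Data access rules
described in the answer above.  Added example only: not code from CAT
LLC, FINRA CAT or the CAT NMS Plan.  Entitlement names, CCID values and
all records below are constructed for the illustration."""
from dataclasses import dataclass


class AccessDenied(Exception):
    """Raised for any access the policy does not permit."""


@dataclass(frozen=True)
class User:
    name: str
    mfa_verified: bool          # query tools require multifactor auth
    entitlements: frozenset     # assumed names: txn:query, txn:bulk, pii:lookup


# Two separate stores.  Transaction records refer to a customer only by
# an opaque CAT Customer ID (CCID); no name, SSN or account number is
# present here, so a bulk extract of this store carries no PII.
TRANSACTIONS = [
    {"order_id": "O1", "ccid": "CCID-7f3a", "symbol": "XYZ", "side": "B", "qty": 100},
    {"order_id": "O2", "ccid": "CCID-7f3a", "symbol": "XYZ", "side": "S", "qty": 100},
    {"order_id": "O3", "ccid": "CCID-c0de", "symbol": "ABC", "side": "B", "qty": 500},
]
# "Phone book" data keyed by CCID: name, address, year of birth and a
# masked account number.  No SSN and no full account number are kept.
PII = {
    "CCID-7f3a": {"name": "A. Trader", "addr": "1 Main St", "yob": 1970, "acct": "****1234"},
    "CCID-c0de": {"name": "B. Fund LP", "addr": "2 Wall St", "yob": None, "acct": "****9876"},
}

AUDIT_LOG = []   # (user, check, decision) for every decision, allowed or denied


def _require(user, entitlement):
    """Allow only if the user passed MFA and holds the named entitlement."""
    allowed = user.mfa_verified and entitlement in user.entitlements
    AUDIT_LOG.append((user.name, entitlement, "allow" if allowed else "deny"))
    if not allowed:
        raise AccessDenied(f"{user.name}: {entitlement} denied")


def query_transactions(user, ccid):
    """User-defined direct query: all transactions for one CCID."""
    _require(user, "txn:query")
    return [t for t in TRANSACTIONS if t["ccid"] == ccid]


def bulk_extract(user, store):
    """Bulk extract is available for the transaction store only.  The PII
    store is never eligible, whatever entitlements the caller holds."""
    if store != "transactions":
        AUDIT_LOG.append((user.name, f"bulk:{store}", "deny"))
        raise AccessDenied(f"bulk extract of {store!r} is not permitted")
    _require(user, "txn:bulk")
    return [dict(t) for t in TRANSACTIONS]


def lookup_pii(user, ccid):
    """PII needs an entitlement beyond transaction access and is served one
    CCID at a time from the separate store."""
    _require(user, "txn:query")
    _require(user, "pii:lookup")
    return dict(PII[ccid])


def trace_customer(user, ccid):
    """Join a trading pattern to an identity.  Only the identity step needs
    the extra entitlement, so a surveillance user without it still sees the
    whole cross-market pattern keyed by CCID, with identity withheld."""
    txns = query_transactions(user, ccid)
    try:
        identity = lookup_pii(user, ccid)
    except AccessDenied:
        identity = None
    return {"ccid": ccid, "transactions": txns, "identity": identity}


def denied(fn, *args):
    """True if the call is refused by the policy; used in the demo below."""
    try:
        fn(*args)
    except AccessDenied:
        return True
    return False


# Constructed users: a surveillance analyst with bulk rights but no PII
# rights, an investigator with PII rights, and a session that skipped MFA.
ANALYST = User("surveillance-analyst", True, frozenset({"txn:query", "txn:bulk"}))
INVESTIGATOR = User("enforcement-investigator", True, frozenset({"txn:query", "pii:lookup"}))
NO_MFA = User("stale-session", False, frozenset({"txn:query", "txn:bulk", "pii:lookup"}))

if __name__ == "__main__":
    print(trace_customer(ANALYST, "CCID-7f3a"))        # identity: None
    print(trace_customer(INVESTIGATOR, "CCID-7f3a"))   # identity: A. Trader
    print("bulk PII denied:", denied(bulk_extract, INVESTIGATOR, "pii"))
    print("no-MFA query denied:", denied(query_transactions, NO_MFA, "CCID-7f3a"))
    for entry in AUDIT_LOG:
        print(entry)
```

    The point of the split is visible in trace_customer: an analyst 
holding only transaction entitlements can still reconstruct a full 
cross-market pattern by CCID, while the step that turns a CCID into a 
name is a separate, separately entitled, one-record-at-a-time lookup 
that no bulk path can reach. Every decision, including denials, lands 
in the audit log, which is what an incident responder would want when 
reconstructing who touched what.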
                                ------                                


        RESPONSES TO WRITTEN QUESTIONS OF SENATOR BROWN
                     FROM MICHAEL J. SIMON

Q.1. Please describe the FINRA CAT breach/intrusion 
notification process, including the entities and organizations 
that would be notified and the timetable for notification. 
Please also describe any process for notification to investors, 
or the public generally.

A.1. As required by the Plan, the CAT has a sophisticated 
information security program, which includes an incident 
response plan consistent with National Institute of Standards 
and Technology guidance. The actions taken in the event of 
unauthorized access to CAT Data will depend on the 
circumstances. If FINRA CAT becomes aware of actual (or 
potential) unauthorized access to CAT Data, FINRA CAT will work 
with the Participants and will take all reasonable steps to 
investigate the incident and mitigate any identified technical 
vulnerabilities to protect the integrity of the CAT system. CAT 
LLC will report unauthorized access to law enforcement, the 
SEC, and other authorities as required or appropriate. This 
process may result in the use of, among other things, forensic 
services, breach notification services, and/or identity/fraud 
monitoring.

Q.2. Please provide the available cost estimates for (i) 
building the CAT system and (ii) annual operation of the CAT 
system, specifying current cost and costs once it is fully 
operational.

A.2. As noted in the answer to Chairman Crapo, CAT LLC operates 
pursuant to a budget that the Operating Committee approves on a 
quarterly basis. Based on the 2019 CAT LLC budget and actuals 
to date, the current annualized cost for building and operating 
the CAT is approximately $60 million. The budget does not 
distinguish between build and operating costs. While the 2020 
CAT LLC budget is under development, current estimates are that 
the annualized costs will be between $60 and $75 million.
    Under current budgetary projections, the FINRA CAT build 
costs will peak next year, and then decrease over the next few 
years as FINRA CAT finishes the build. On the other hand, the 
FINRA CAT costs to operate the CAT will increase substantially 
in the coming years, particularly beginning in 2021. We also 
expect legal and consulting costs to decrease as the CAT moves 
from development to operation. The bottom line is that the 
total cost to operate the CAT is uncertain, but unlikely to 
increase above $75 million annually in the near future.
    There are a number of assumptions and qualifications to 
these projections. First, these are the costs solely borne by 
CAT LLC regarding the build and operation of the CAT. Thus, 
these costs do not include the costs to the Participants and 
the industry members to prepare for, and comply with, CAT 
requirements. Second, a number of FINRA CAT costs are variable. 
These include the costs of cloud hosting and the customer/
account database. Thus, any estimates of such costs at this 
time are somewhat speculative. Finally, FINRA CAT costs could 
change based on changes to the CAT system, effectuated through 
the change request process. Any such change request could add 
additional costs both to the development of the CAT and the 
ongoing costs of operating the CAT.

Q.3. Please identify the private and Government organizations 
and entities that would be necessary to involve in the 
development and management of a CAT system that includes U.S. 
futures data and activity.

A.3. A more complete assessment would be necessary to 
definitively respond to this question, particularly the type 
and number of the products underlying the futures contracts. 
For futures based on single securities, or narrow-based 
security indices (e.g., nine or fewer securities), the 
Securities and Exchange Commission and the Commodity Futures 
Trading Commission (CFTC) share jurisdiction. But for futures 
contracts based on broad-based security indices or commodities, 
the CFTC is the oversight authority. Based on the nature of the 
instrument, the Participants believe that if the CAT NMS Plan 
were amended so that the CAT system included U.S. futures data 
and activity, the following private and Government 
organizations and entities, in addition to the SEC and current 
Plan Participants, likely would need to be involved: (i) the 
CFTC, (ii) the National Futures Association, (iii) relevant 
designated contract markets, (iv) relevant futures commission 
merchants, (v) relevant broker-dealers, (vi) relevant 
derivatives clearing organizations, (vii) the Futures Industry 
Association, and (viii) relevant introducing brokers.
                                ------                                


        RESPONSES TO WRITTEN QUESTIONS OF SENATOR SASSE
                     FROM MICHAEL J. SIMON

Q.1. In your testimony, you discuss the PII Working Group and 
how their initial recommendation was an approach that would 
have avoided the need to have any PII in the CAT.
    Can you tell me why the Commission staff denied this 
initial approach?
    How were the options presented by the working group 
evaluated?

A.1. The PII Working Group worked closely with SIFMA and the 
CISOs of each Participant to develop an approach that would 
have eliminated the need to maintain any PII in the CAT system. 
Commission staff was invited to all discussions on this topic. 
The approach would have involved the creation of a new request 
and response system that would allow regulators to request PII 
from Industry Member CAT Reporters rather than having such data 
included in the CAT. Commission staff requested that the PII 
Working Group develop another approach. The Participants are 
not in a position to know why the Commission staff preferred 
the development of an alternative to the initial recommendation 
of the PII Working Group.
                                ------                                


        RESPONSES TO WRITTEN QUESTIONS OF SENATOR WARNER
                     FROM MICHAEL J. SIMON

Q.1. One of the concerns we've heard time and time again 
regarding the CAT is that it presents a privacy and 
cybersecurity risk. I know that the SEC has been working 
diligently on the PII issue and that the Exchanges have 
proposed ``CAT Customer IDs'' as an alternative approach to 
Social Security numbers.
    Would you agree that the data security question can be a 
very solvable issue as long as all parties work constructively 
and in good faith?

A.1. The security of CAT Data is and will remain a top priority 
of the Participants. While all systems are subject to ongoing 
security risks, the Participants have taken, and will continue 
to take, all appropriate precautions to safeguard all data 
within the CAT system. The Participants believe that data 
security and associated risks can be managed effectively with 
the assistance and good faith effort of all parties.

Q.2. My goal is to have an effective CAT up and running as soon 
as possible. Given the long history of delays and challenges 
with its implementation, I wonder if there should be some 
reforms to the operating committee so that it runs more 
efficiently.
    What were the causes for implementation delays?

A.2. The CAT is an extremely complex project. Rule 613 required 
the Participants to select a Plan Processor, contract with that 
entity and build, test and implement Participant reporting to 
the CAT within a year.
    Recognizing the challenges of the timetable, the 
Participants proposed, and the SEC approved, a supplemental 
national market system plan to provide for the selection of a 
Plan Processor while the SEC considered adoption of the overall 
CAT NMS Plan. Pursuant to the Selection Plan, \1\ the 
Participants were able to choose a Plan Processor (Thesys 
Technologies LLC) within approximately 2 months of SEC approval 
of the CAT NMS Plan, and complete the Plan Processor Agreement 
within another few months. \2\
---------------------------------------------------------------------------
     \1\ See Plan Governing the Process of Selecting a Plan Processor 
and Developing a Plan for the Consolidated Audit Trail, which was 
incorporated as Article V of the CAT NMS Plan approved by the 
Commission on November 15, 2016.
     \2\ Thesys Technologies LLC was selected by CAT NMS LLC to be the 
Plan Processor for the CAT. Thesys Technologies established its 
subsidiary, Thesys CAT (TCAT) to serve as the Plan Processor.
---------------------------------------------------------------------------
    Notwithstanding the relatively prompt selection of a Plan 
Processor, TCAT ultimately proved unable to build the system 
required under the CAT NMS Plan and the Plan Processor 
Agreement between the parties. The Participants worked in good 
faith with TCAT to begin operation of the CAT one year later 
than required under the CAT NMS Plan and Rule 613. However, 
TCAT proved unable to deliver a compliant system even with the 
additional year for development.
    After TCAT failed to deliver a contract-compliant system in 
the timeframes required and demanded significant payments in 
excess of the contract requirements, among other things, the 
Participants decided to terminate the Plan Processor Agreement 
for default and change Plan Processors, selecting and 
contracting with FINRA CAT. While this initially added time to 
the development of the CAT, the Participants believe that 
changing processors when they did actually will result in a 
fully functional CAT in a shorter time frame than if they had 
continued the project with TCAT as processor.

Q.3. Please describe the background for how Thesys was selected 
as the Plan Processor to build the CAT?

A.3. As noted in response to Question 2, the Participants 
selected Thesys Technologies LLC, which ultimately formed TCAT, 
as the Plan Processor pursuant to the provisions of the CAT NMS 
Plan and the supplemental Selection Plan discussed above. 
Technical and legal/regulatory experts from the Participants, 
working with outside consultants and legal advisors, developed 
detailed requirements for the operation of the CAT. The 
Participants then issued a request for proposal (RFP) for the 
Plan Processor. Ten entities submitted responses to the RFP. 
The Participants provided each applicant with the opportunity 
to make an oral presentation to the Participants group. From 
those 10 applicants the Participants selected three finalists 
and sought additional information from each finalist. The 
Participants ultimately selected TCAT as the Plan Processor.

Q.4. What other bidders were short-listed? Why was Thesys 
selected? Which exchanges voted for Thesys?

A.4. The other two finalists for Plan Processor were FINRA and 
Sungard/Fidelity National Information Services Inc. (Sungard/
FIS). Sungard/FIS withdrew from consideration before the final 
Participant vote for Plan Processor. The Participants then 
conducted a vote between FINRA and Thesys, and each Participant 
voted pursuant to their own selection criteria. The vote was 
via closed ballot and the only result announced was that Thesys 
won the vote; there was no announcement as to how each 
Participant voted.

Q.5. Would you agree that a major part of the delay in the CAT 
implementation occurred from the inability of Thesys to provide 
a viable system after working on it nearly 2 years?

A.5. Yes. Please see the response to Question 2, above.

Q.6. What did other participants propose to replace Thesys 
before they were finally fired earlier this year? Why did the 
exchanges keep them on the contract for as long as they did? 
Were the exchanges in agreement on whether Thesys should be 
retained?

A.6. When it became clear to the Participants that TCAT would 
be unable on its own to build the CAT system that the CAT NMS 
Plan requires, the Participants first considered providing 
supplemental support to TCAT, either from the Participants 
themselves or from a third party. However, it soon became clear 
that even with support, TCAT would not be able to build a 
compliant CAT system in a timely and cost-efficient manner. In 
light of TCAT's failure to deliver a contract-compliant system 
in the timeframes required (and other defaults), the 
Participants decided to terminate the Plan Processor Agreement 
for default and replace TCAT. The Participants' decision to 
terminate TCAT for default was unanimous.
    The Participants kept TCAT on contract as long as they did 
because they understood that changing processors necessarily 
would add time to the project. Thus, the Participants worked in 
good faith with TCAT as long as they could to try to remedy the 
defects in the deliverables and to address concerns with future 
deliverables. It was only after receiving, testing, and 
attempting to remedy the defects in TCAT's system, as well as 
other defaults by TCAT including its extracontractual payment 
demands, that the Participants concluded that TCAT could not 
meet the requirements of its Plan Processor Agreement and was, 
in any event, unwilling to do so on the agreed-upon terms and 
conditions. Upon reaching that conclusion the Participants 
promptly terminated the TCAT Plan Processor agreement for 
default.

Q.7. Please describe how a subsidiary of FINRA was selected 
earlier this year to replace Thesys? Was there an open bidding 
process? Were there other bidders?

A.7. The Participants followed the requirements in the CAT NMS 
Plan in selecting a successor Plan Processor. Specifically, 
under Section 6.1(t) of the CAT NMS Plan, CAT NMS, LLC formed a 
Selection Committee and established a process to evaluate and 
review bids. That process, which took into account the 
applicable time constraints, was to contact FINRA and FIS, the 
two other finalists in the initial process, to gauge their 
interest in bidding on the CAT project. Both entities submitted 
proposals. FINRA proposed specifics as to how they would build 
a system compliant with the CAT NMS Plan, together with a cost 
proposal. FIS proposed an interim step in which CAT NMS, LLC 
would hire them as consultants to review the system to 
determine how best they could provide services moving forward. 
Based on these proposals, the Selection Committee recommended 
FINRA to the Operating Committee, which voted to approve FINRA 
as the Plan Processor. Note, FINRA recused itself and did not 
take part in the selection decision.

Q.8. How was the SEC engaged with CAT NMS as it began 
experiencing significant delays?

A.8. The SEC and its staff have been engaged with CAT LLC \3\ 
and the Participants throughout the entire life of the project. 
When the problems with TCAT became apparent, Chairman Clayton 
convened a meeting of the presidents or CEOs of the 
Participants on April 9, 2018, to express his concerns with the 
delays in the project. Brett Redfearn, Director of the Division 
of Trading and Markets also communicated the importance of 
getting the project back on track.
---------------------------------------------------------------------------
     \3\ Note, CAT NMS, LLC is the predecessor to CAT LLC.
---------------------------------------------------------------------------
    In response to the requests of Chairman Clayton and the 
staff, the Participants submitted a comprehensive Master Plan 
to the staff that included all material steps to implement all 
phases of the project. The Participants also created a 
Leadership Team of four Participant representatives to help 
streamline decision making on day-to-day issues that did not 
raise policymaking concerns.
    More fundamentally, the SEC has been actively monitoring 
all CAT activities. The SEC staff participates in Operating 
Committee, Compliance Committee and most working group calls, 
including the Security Working Group. In January of this year 
Chairman Clayton hired Manisha Kimmel as Senior Policy Advisor 
for Regulatory Reporting to coordinate the SEC's oversight of 
the creation and implementation of the CAT. Ms. Kimmel 
previously was the Chair of the CAT Advisory Committee and, 
among other things, holds weekly calls with the CAT Leadership 
Team. The staff of the Division of Trading and Markets works 
closely with Ms. Kimmel in overseeing CAT matters.

Q.9. What are the SEC's current authorities in compelling the 
implementation of CAT?

A.9. The SEC compels the implementation of the CAT through Rule 
613, and the CAT NMS Plan adopted under that rule, and via its 
oversight role over the Participants. The SEC has not amended 
Rule 613 since its adoption. With respect to the CAT NMS Plan, 
the SEC recently has proposed amendments to the CAT NMS Plan 
regarding transparency and cost recovery.

Q.10. What is the SEC's typical engagement with the operating 
committee?

A.10. As provided under Section 4.4 of the CAT NMS Plan, the 
SEC staff may attend, and does attend, all Operating Committee 
meetings, including both regular and executive sessions. In 
addition, as noted above, the SEC staff also participate in 
Compliance Committee and most working group calls. While most 
interaction between the SEC and the Participants is informal, 
the SEC conducts all formal communications with the Operating 
Committee through letters and other communications.

Q.11. Has the SEC attended any of the operating committee 
meetings?
    Does the SEC have access to the meeting transcripts?

A.11. As noted above, the SEC staff attends Operating Committee 
meetings. The Operating Committee does not record or otherwise 
transcribe its meetings. However, the Operating Committee does 
draft minutes of its meetings, and the SEC staff receives those 
minutes.

Q.12. Does the CAT NMS Plan or Rule 613 prohibit the SEC from 
appointing or removing members of the operating committee?

A.12. There is no provision in either Rule 613 or the CAT NMS 
Plan giving the SEC the authority either to appoint or remove 
members of the Operating Committee. Rule 613 broadly addresses 
some operational and administrative requirements related to the 
CAT, such as requiring the CAT NMS Plan to include provisions 
related to the fair representation of Participants, the 
administration of the CAT NMS Plan and an Advisory Committee. 
However, Rule 613 does not otherwise dictate the specific 
manner in which the Participants would govern CAT LLC. In 
implementing Rule 613, the Participants provided in the CAT NMS 
Plan for the governance of CAT LLC through an Operating 
Committee. The CAT NMS Plan specifies that each Participant 
appoints one voting member, plus an alternate, to the Operating 
Committee. The SEC approved those provisions in approving the 
CAT NMS Plan.

Q.13. Does Rule 613 prohibit the SEC from appointing other 
independent members to the operating committee?

A.13. As noted in the answer to the previous question, Rule 613 
does not grant the SEC the ability to appoint members of the 
Operating Committee. The CAT NMS Plan controls the composition 
of the Operating Committee and it does not include any 
provision regarding the appointment of independent members to the 
committee.

Q.14. What, in your view, can independent members provide to 
the operating committee? Are there benefits?

A.14. Rule 613 specifically requires that the Participants 
establish an Advisory Committee ``to advise the plan sponsors on the 
implementation, operation, and administration of the central 
repository.'' The Participants implemented that provision in 
the CAT NMS Plan by providing for an Advisory Committee 
consisting of 14 representatives from the industry, academia 
and the public. Under Rule 613, Advisory Committee members 
``have the right to attend any meetings of the plan sponsors 
[other than in executive session], to receive information 
concerning the operation of the central repository, and to 
provide their views to the plan sponsors.'' The CAT NMS Plan 
and Commission guidance acknowledge the need for appropriate 
limitations on the role of the Advisory Committee. In excluding 
Advisory Committee members from executive session meetings, for 
example, the Commission explained that ``meet[ing] in 
[E]xecutive [S]ession without members of the Advisory Committee 
appropriately balances the need to provide a mechanism for 
industry input into the operation of the central repository, 
against the regulatory imperative that the operations and 
decisions regarding the consolidated audit trail be made by 
[Participant]s who have a statutory obligation to regulate the 
securities markets, rather than by members of the 
[Participant]s, who have no corresponding statutory obligation 
to oversee the securities markets.'' \4\
---------------------------------------------------------------------------
     \4\ Plan Adopting Release, supra note 5 at 84732-3.
---------------------------------------------------------------------------
    Thus, the Participants, which, as self-regulatory 
organizations, have the regulatory obligation to develop and 
implement the CAT, have voting membership on the Operating 
Committee. The independent members of the Advisory Committee 
have a vehicle to provide their views to the Operating 
Committee in a structured manner. The Participants believe that 
this establishes the appropriate balance in the governance and 
oversight of the CAT.

Q.15. As we look forward, assuming CAT is implemented in the 
next 3 years, what are the upgrades that will need to take 
place to ensure CAT does not fall behind the industry best 
practices?

A.15. As required by Rule 613 and the CAT NMS Plan, the CAT 
system is designed to be flexible, scalable, and 
technologically robust and modern. Rule 613(a)(1)(v) requires 
that the CAT be flexible and scalable, including the capacity 
``to efficiently incorporate, in a cost-effective manner, 
improvements in technology, additional capacity, additional 
order data, information about additional securities or 
transactions, changes in regulatory requirements, and other 
developments.'' The CAT NMS Plan also requires that the CAT be 
flexible and scalable, and that it ``employ[s] optimal 
technology for supporting (1) scalability to increase capacity 
to handle a significant increase in the volume of data 
reported, (2) adaptability to support future technology 
developments and new requirements, and (3) maintenance and 
upgrades to ensure that technology is kept current, supported, 
and operational.'' \5\ The CAT system has been designed with 
these requirements in mind.
---------------------------------------------------------------------------
     \5\ CAT NMS Plan, supra note 3 at Appendix C-Section 5(a). The CAT 
NMS Plan further requires: ``Participants will provide metrics and 
forecasted growth to facilitate Central Repository capacity planning. 
The Plan Processor will maintain records of usage statistics to 
identify trends and processing peaks. The Central Repository's capacity 
levels will be determined by the Operating Committee and used to 
monitor resources, including CPU power, memory, storage, and network 
capacity.'' Id. As a baseline, the CAT must have capacity requirements 
``based on twice (2X) the historical peaks for the most recent 6 years, 
and the Plan Processor must be prepared to handle peaks in volume that 
could exceed this baseline for short periods.'' Id. at Appendix D, 
Section 1.1. Note that Appendix D includes additional information on 
the technical architecture of the CAT.
---------------------------------------------------------------------------
    The Operating Committee has the responsibility to ensure 
that CAT remains technologically robust and modern. In doing 
so, the Operating Committee works closely with the Advisory 
Committee, FINRA CAT, the technology staffs of the 
Participants, industry organizations (such as Securities 
Industry and Financial Markets Association (SIFMA) and 
Financial Information Forum (FIF)) and the SEC. To oversee 
these efforts, the Operating Committee has established a 
Technology Working Group that works closely with FINRA CAT to 
oversee the technological development and operation of the CAT. 
Furthermore, the CAT NMS Plan requires the Plan Processor to 
engage an Independent Auditor to conduct an annual audit of the 
Plan Processor's policies, procedures and control structures. 
Through these vehicles, the various groups can make 
recommendations to the Operating Committee to help ensure that 
CAT remains technologically robust and modern.
    Finally, the CCO's annual written assessment must consider, 
among other things, ``an evaluation of potential technology 
upgrades based on a review of technological advancements over 
the preceding year, drawing on technological expertise whether 
internal or external.'' \6\ Based on his review, the CCO may 
recommend potential technology upgrades to the Operating 
Committee. Thus, in addition to being designed in a manner that 
is intended to be flexible, scalable, and technically robust, 
the technology used in the CAT is separately assessed at least 
annually.
---------------------------------------------------------------------------
     \6\ Id. at Section 6.6(b)(ii)(B)(1).
---------------------------------------------------------------------------
                                ------                                


               RESPONSES TO WRITTEN QUESTIONS OF
           SENATOR CORTEZ MASTO FROM MICHAEL J. SIMON

Q.1. Will the CAT help regulators, such as FINRA, SEC, FBI, and 
the Department of Justice, catch short selling, spoofing, fake 
trades, and wire fraud more quickly?

A.1. The CAT system is designed to make data available to the 
SEC and Participants to perform surveillance or analyses, or 
for other purposes as part of their regulatory or oversight 
responsibilities. The CAT system will facilitate the ability of 
regulators to surveil for suspicious activity. The data that 
will be available in the CAT system may assist the SEC and 
Participants in more quickly identifying manipulative activity, 
including manipulative short selling, spoofing, and fake 
trades, for example. Although the FBI and Department of Justice 
will not have access to the CAT system or the data within it, 
the FBI and Department of Justice may benefit from such 
information to the extent either body is engaged in a joint 
investigation with a regulator with such access, e.g., a joint 
investigation with the SEC.

Q.2. Could the CAT system help investigate who is making a 
billion-dollar profit in trades made right before the Trump 
administration makes a market-moving announcement?

A.2. As noted in response to Question 1, the CAT system is 
designed to make data available to the SEC and Participants to 
perform surveillance or analyses, or for other purposes as part 
of their regulatory or oversight responsibilities. The data 
that will be available in the CAT system may assist the SEC and 
Participants in more quickly identifying various forms of 
potentially suspicious trading activity.

Q.3. Will the CAT be able to help exchanges and regulators know 
if brokers are being ``unduly influenced by fees and rebates'' 
rather than the best execution outcome for investors?

A.3. Both SEC Rule 613 and the CAT NMS Plan expressly require 
that the Participants and their employees use CAT Data only for 
surveillance and regulatory purposes. \1\ In particular, 
Appendix D of the CAT NMS Plan states: ``The Plan Processor 
must provide Participants' regulatory staff and the SEC with 
access to all CAT Data for regulatory purposes only. 
Participants' regulatory staff and the SEC will access CAT Data 
to perform functions, including economic analyses, market 
structure analyses, market surveillance, investigations, and 
examinations.'' \2\ In light of this permitted use of CAT Data, 
the Participants believe that CAT Data can be used to conduct 
economic and market structure analyses that may assist 
regulators in studying many issues including, for example, fees 
and rebates.
---------------------------------------------------------------------------
     \1\ Regulation NMS, 17 CFR 242.613(e)(4)(i)(A) (2019); CAT NMS 
Plan, supra note 3 at Section 6.5(g), Appendix C-Section 4(b), and 
Appendix D-Section 8.1.
     \2\ CAT NMS Plan, supra note 3 at Appendix D-Section 8.1.
---------------------------------------------------------------------------

Q.4. Will the CAT help exchanges and regulators know if brokers 
are routing the trading interests of mutual funds, pensions, 
and endowments in a way that results in information leakage?

A.4. As designed, the CAT system will include detailed 
information with respect to the handling of orders. For 
example, CAT Reporters will be required to provide information 
with respect to the routing of orders within an individual 
reporting firm as well as between reporting firms. In addition, 
CAT Reporters will be required to record the identification of 
information barriers for certain order events, including when 
an order is received or originated, transmitted to a department 
within a firm, and when it is modified. Thus, while the ability 
to identify information leakage will vary based on the facts 
and circumstances in any instance, CAT will provide regulators 
with the complete life cycle of an order, which will help in 
examinations or investigations related to the appropriate 
handling of orders.

Q.5. Will the CAT help exchanges and regulators identify 
sophisticated market participants who use multiple brokers and 
market centers to engage in disruptive trading?

A.5. As discussed in the response to Question 3 above, the 
Participants must use CAT Data only for regulatory purposes, 
including economic analyses, market structure analyses, market 
surveillance, investigations, and examinations. In practice, 
the CAT will allow Participants and the SEC to investigate, 
among other things, potentially suspicious trading activity 
that may be dispersed across broker-dealers and market centers.

Q.6. We have had a lot of discussion about how difficult it is 
to identify the beneficial owners of firms. This secrecy can 
lead to criminal activities. For example, Mr. Navinder Singh 
Sarao (the individual who initiated the 2010 flash crash) was 
not registered as a broker in the U.S. He used four firms to 
place his trades.
    Would CAT be able to find him or just his brokers?

A.6. While the CAT system is designed to have information on 
U.S. broker-dealers and their customers, it will not have 
information on foreign customers in all instances. For example, 
a U.S. broker-dealer receiving an order is required to report 
the receipt of the order and the Firm Designated ID (i.e., 
trading account information) of the customer. Where a U.S. 
broker-dealer receives an order from a foreign broker-dealer, 
the U.S. broker-dealer reporting information to the CAT system 
is required to report the foreign broker-dealer involved in the 
trade rather than the ultimate customer of such foreign broker-
dealer (whose identity may not be known to the U.S. broker-
dealer).

Q.7. The system is only as good as the exchanges who report 
concerns and ownership. How will you ensure that exchanges 
fully comply with reporting?

A.7. Under Rule 613 and the CAT NMS Plan, the national 
securities and options exchanges have a regulatory obligation 
to report data to the CAT system and the SEC will be able to 
examine the exchanges' compliance with Rule 613 and the CAT NMS 
Plan. The SEC also is able to enforce compliance with Rule 
613's and the CAT NMS Plan's reporting obligations. In addition 
to being subject to the SEC's examination and enforcement 
authority, the Plan Processor must provide the Operating 
Committee with reporting metrics related to Participant 
performance. These metrics will assist the Operating Committee 
in identifying and addressing potential Participant reporting 
issues. Note, the SEC also will receive these metrics.

Q.8. What are your views on including futures data and over-
the-counter equities in CAT?

A.8. The reporting requirements of the CAT NMS Plan apply to 
all ``Eligible Securities,'' which includes all NMS Securities 
and all OTC Equity Securities. \3\ The CAT NMS Plan currently 
does not apply to futures or other products that are not NMS 
Securities or OTC Equity Securities. \4\
---------------------------------------------------------------------------
     \3\ See id. at Section 1.1.
     \4\ On May 15, 2017, the Participants filed with the Commission a 
report discussing the potential expansion of the CAT to include primary 
market transactions in securities that are not NMS Securities or OTC 
Equity Securities, and debt securities. See Discussion of the Potential 
Expansion of the Consolidated Audit Trail pursuant to Section 6.11 of 
the CAT NMS Plan (May 15, 2017), available at https://catnmsplan.com/
wp-content/uploads/2017/06/Expansion-Report-Final-5.15.17.pdf. At the 
time, the Participants declined to expand the scope of the CAT and 
explained:
      As a result of their analysis, the Participants believe that it 
would be premature to expand the CAT to include such transactions at 
this time. The Participants believe that further consideration of 
whether to include such transactions should be based on data derived 
from Participants' and Industry Members' actual experience with CAT 
reporting, as well as a consideration of the costs required to build 
systems to enable CAT reporting.
---------------------------------------------------------------------------
    The Participants believe that they must gain experience 
with CAT reporting and CAT Data before determining to 
potentially expand the scope of the CAT. Note that any 
expansion of the CAT would be subject to public notice and 
comment, and Commission approval. Separately, each year the 
Chief Compliance Officer of CAT LLC (CCO) is required to 
complete a written assessment of the Plan Processor's 
performance, which typically includes, among other things, a 
consideration of whether the CCO believes that the CAT should 
be expanded to include additional data elements or products. 
\5\
---------------------------------------------------------------------------
     \5\ See CAT NMS Plan, supra note 3 at Section 6.6(b).
---------------------------------------------------------------------------

Q.9. What are your views on including initial public offering 
data, clearing data, and other data into the CAT database?

A.9. As discussed in the response to Question 8 (including 
footnote 4), the Participants believe that they must gain 
experience with CAT reporting and CAT Data before determining 
to potentially expand the scope of the CAT. Note that any 
expansion of the CAT would be subject to public notice and 
comment, and Commission approval.

Q.10. How are the CAT Advisory Committee and Operating Committee 
ensuring that CAT will remain technologically robust and 
modern?

A.10. As required by Rule 613 and the CAT NMS Plan, the CAT 
system is designed to be flexible, scalable, and 
technologically robust and modern. Rule 613(a)(1)(v) requires 
that the CAT be flexible and scalable, including the capacity 
``to efficiently incorporate, in a cost-effective manner, 
improvements in technology, additional capacity, additional 
order data, information about additional securities or 
transactions, changes in regulatory requirements, and other 
developments.'' The CAT NMS Plan also requires that the CAT be 
flexible and scalable, and that it ``employ[s] optimal 
technology for supporting (1) scalability to increase capacity 
to handle a significant increase in the volume of data 
reported, (2) adaptability to support future technology 
developments and new requirements and (3) maintenance and 
upgrades to ensure that technology is kept current, supported 
and operational.'' \6\ The CAT system has been designed with 
these requirements in mind.
---------------------------------------------------------------------------
     \6\ Id. at Appendix C-Section 5(a). The CAT NMS Plan further 
requires: ``Participants will provide metrics and forecasted growth to 
facilitate Central Repository capacity planning. The Plan Processor 
will maintain records of usage statistics to identify trends and 
processing peaks. The Central Repository's capacity levels will be 
determined by the Operating Committee and used to monitor resources, 
including CPU power, memory, storage, and network capacity.'' Id. As a 
baseline, the CAT must have capacity requirements ``based on twice (2X) 
the historical peaks for the most recent 6 years, and the Plan 
Processor must be prepared to handle peaks in volume that could exceed 
this baseline for short periods.'' Id. at Appendix D, Section 1.1. Note 
that Appendix D includes additional information on the technical 
architecture of the CAT.
---------------------------------------------------------------------------
    The Operating Committee has the responsibility to ensure 
that CAT remains technologically robust and modern. In doing 
so, the Operating Committee works closely with the Advisory 
Committee, FINRA CAT, the technology staffs of the 
Participants, industry organizations (such as Securities 
Industry and Financial Markets Association (SIFMA) and 
Financial Information Forum (FIF)) and the SEC. To oversee 
these efforts, the Operating Committee has established a 
Technology Working Group that works closely with FINRA CAT to 
oversee the technological development and operation of the CAT. 
Furthermore, the CAT NMS Plan requires the Plan Processor to 
engage an Independent Auditor to conduct an annual audit of the 
Plan Processor's policies, procedures and control structures. 
Through these vehicles, the various groups can make 
recommendations to the Operating Committee to help ensure that 
CAT remains technologically robust and modern.
    Finally, the CCO's annual written assessment, discussed in 
the response to Question 8, must consider, among other things, 
``an evaluation of potential technology upgrades based on a 
review of technological advancements over the preceding year, 
drawing on technological expertise whether internal or 
external.'' \7\ Based on his review, the CCO may recommend 
potential technology upgrades to the Operating Committee. Thus, 
in addition to being designed in a manner that is intended to 
be flexible, scalable, and technically robust, the technology 
used in the CAT is separately assessed at least annually.
---------------------------------------------------------------------------
     \7\ Id. at Section 6.6(b)(ii)(B)(1).
---------------------------------------------------------------------------

Q.11. Assuming CAT is implemented in the next 3 years, what are 
the upgrades that will need to take place to ensure CAT does 
not fall behind the industry best practices?

A.11. Please see the response to Question 10 above, which 
discusses measures designed to ensure that the CAT remains 
flexible, scalable, and technically robust and modern going 
forward.
                                ------                                


        RESPONSES TO WRITTEN QUESTIONS OF SENATOR SINEMA
                     FROM MICHAEL J. SIMON

Q.1. Upon full implementation, the Consolidated Audit Trail 
(CAT) system will be an unprecedented database, collecting 58 
billion records and maintaining data on over 100 million 
institutional and retail accounts on a daily basis. The CAT, 
and all the unique customer data it holds, will also be 
accessible to thousands of users. Therefore, while the CAT has 
the potential to offer important oversight, it will also be a 
prime target for cyberhacks. Under current CAT requirements, 
what kind of personal information would be accessible to system 
users? Is this information already being collected by other 
audit trail systems?

A.1. Under Rule 613, and in addition to certain transaction 
data, Participants and broker-dealers must record and 
electronically report Customer Identifying Information and 
Customer Account Information to the CAT system. \1\ Currently, 
the Commission-approved CAT NMS Plan defines Customer 
Identifying Information as ``information of sufficient detail 
to identify a Customer, including, but not limited to, (a) with 
respect to individuals: name, address, date of birth, 
individual tax payer identification number (ITIN)/social 
security number (SSN), individual's role in the account (e.g., 
primary holder, joint holder, guardian, trustee, person with 
the power of attorney).'' \2\ Rule 613(j)(4) and the CAT NMS 
Plan generally define Customer Account Information as ``account 
number, account type, customer type, date account opened, and 
large trader identifier (if applicable).'' \3\ Pursuant to the 
CAT NMS Plan, Customer Identifying Information and Customer 
Account Information are segregated from other general 
transaction data. \4\ Additionally, the SEC and the 
Participants cannot bulk extract such information and 
regulatory users must have special entitlements to access such 
data. \5\ As mentioned during testimony, the Participants have 
requested exemptive relief from the Commission from relevant 
aspects of the CAT NMS Plan to eliminate the requirement that 
CAT LLC collect and retain SSNs, dates of birth, and account 
numbers.
---------------------------------------------------------------------------
     \1\ Regulation NMS, 17 CFR 242.613(c)(7)(i)(A) (2019).
     \2\ CAT NMS Plan, supra note 3 at Section 1.1.
     \3\ Regulation NMS, 17 CFR 242.613(j)(5) (2019); CAT NMS Plan, 
supra note 3 at Section 1.1.
     \4\ CAT NMS Plan, supra note 3 at Appendix D-Section 4.1.6.
     \5\ Id.
---------------------------------------------------------------------------
    Currently, broker-dealers are required to provide this type 
of information, except for date of birth, to the SEC or a 
Participant in response to an electronic blue sheet (EBS) 
request from the requesting regulator.

Q.2. The Securities and Exchange Commission has been advised 
that the CAT system should not collect Social Security numbers, 
account numbers, and full dates of birth. Can regulators 
properly conduct market analysis, investigations, and 
enforcement if these pieces of information are not collected by 
the CAT?

A.2. Yes. The Participants believe that the proposed 
alternative to collecting SSNs, account numbers, and full dates 
of birth will enhance the security of the CAT system while 
preserving the regulatory benefits of the CAT. Under the 
proposed alternative, regulators would continue to have the 
capability to create a reliable and accurate CAT Customer ID 
(CCID) that is unique for each customer, and to use the unique 
CCID to track orders from any customer throughout the order's 
life cycle, regardless of what brokerage account was used to 
enter the order. This approach would eliminate the risk of 
having a comprehensive aggregated source for all individual 
customer SSNs without having an adverse impact on the effective 
use of the CAT by regulators, including the ability of 
regulators to identify customers and their related trading 
activity.
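The two answers above describe a data-protection architecture rather than a mechanism: a CAT Customer ID (CCID) that is unique per customer and stable across brokerage accounts, customer identifying information kept apart from order data, access to it gated by a special entitlement, and no bulk extraction. The following is an added illustration of that architecture, written for this page; it is not code from CAT LLC, FINRA CAT, or the Plan. Everything about how the CCID is produced is an assumption made here for the example: a keyed one-way function (HMAC-SHA256) applied to the SSN/ITIN by the reporting firm before submission, with the transformation key held outside the central repository, so the repository can link orders by CCID without ever holding the SSN. The sample customer, firms, and orders are constructed.

```python
"""Constructed model of the CCID / segregated-PII design: an added example,
not CAT LLC's or FINRA CAT's code. The derivation scheme (HMAC over the tax
id with a key held outside the repository) is an assumption for illustration.
"""
import hashlib
import hmac
from dataclasses import dataclass, field

# Constructed transformation key shared by reporting firms (assumption:
# managed outside the central repository, which never sees raw tax ids).
TRANSFORM_KEY = b"constructed-demo-transform-key"

# Fields the repository must never store under the proposed alternative.
FORBIDDEN_FIELDS = {"ssn", "itin", "date_of_birth", "account_number"}


def derive_ccid(tax_id: str, key: bytes = TRANSFORM_KEY) -> str:
    """Keyed one-way derivation of a CCID from an SSN/ITIN (assumed scheme).

    The same tax id yields the same CCID at every reporting firm, so one
    customer's orders can be linked across accounts, while the value cannot
    be turned back into the tax id without the key.
    """
    normalized = tax_id.replace("-", "").strip()
    return hmac.new(key, normalized.encode("ascii"), hashlib.sha256).hexdigest()


@dataclass
class RegulatoryUser:
    name: str
    entitlements: set = field(default_factory=set)


class CentralRepository:
    """Order data keyed by CCID; the limited identifying data retained (name,
    account role) lives in a segregated store reachable one record at a time
    by an entitled user and never by bulk export."""

    def __init__(self):
        self.orders = []
        self._customer_store = {}   # segregated customer identifying info
        self.audit_log = []

    def ingest(self, reporter: str, record: dict) -> None:
        # Reject any submission that carries data the repository may not hold.
        leaked = FORBIDDEN_FIELDS & set(record)
        if leaked:
            raise ValueError(f"{reporter} submitted forbidden fields: {sorted(leaked)}")
        self.orders.append({"reporter": reporter, **record})

    def register_customer(self, ccid: str, name: str, role: str) -> None:
        self._customer_store[ccid] = {"name": name, "role": role}

    def order_lifecycle(self, ccid: str) -> list:
        """All order events for one customer, whichever firm reported them."""
        return [o for o in self.orders if o["ccid"] == ccid]

    def lookup_customer(self, user: RegulatoryUser, ccid: str) -> dict:
        if "customer_identifying_info" not in user.entitlements:
            self.audit_log.append(("denied", user.name, ccid))
            raise PermissionError(f"{user.name} lacks the CII entitlement")
        self.audit_log.append(("granted", user.name, ccid))
        return dict(self._customer_store[ccid])

    def export_customers(self, user: RegulatoryUser):
        # No bulk-extraction path exists, whatever the caller's entitlements.
        self.audit_log.append(("bulk_export_refused", user.name, None))
        raise PermissionError("bulk extraction of customer data is not permitted")


def demo() -> dict:
    """Constructed scenario: one customer trading through two firms."""
    repo = CentralRepository()
    tax_id = "123-45-6789"        # constructed placeholder, not a real SSN
    ccid = derive_ccid(tax_id)
    repo.register_customer(ccid, name="A. Sample", role="primary holder")

    # Each firm derives the CCID locally and submits only the CCID plus its
    # own Firm Designated ID; the tax id never leaves the firm.
    repo.ingest("BD-Alpha", {"ccid": derive_ccid(tax_id), "firm_designated_id": "alpha-0001",
                             "event": "order_received", "symbol": "XYZ", "qty": 100})
    repo.ingest("BD-Beta", {"ccid": derive_ccid(tax_id), "firm_designated_id": "beta-7",
                            "event": "order_received", "symbol": "XYZ", "qty": 250})

    analyst = RegulatoryUser("analyst")
    investigator = RegulatoryUser("investigator", {"customer_identifying_info"})
    try:
        repo.lookup_customer(analyst, ccid)
        analyst_denied = False
    except PermissionError:
        analyst_denied = True
    identified = repo.lookup_customer(investigator, ccid)
    return {"ccid": ccid, "lifecycle": repo.order_lifecycle(ccid),
            "analyst_denied": analyst_denied, "identified": identified, "repo": repo}


if __name__ == "__main__":
    result = demo()
    print(len(result["lifecycle"]), "events linked under CCID", result["ccid"][:12], "...")
```

The point the model makes concrete is the one in the answer: linkage across accounts needs only a stable, unique identifier, so the aggregated SSN store can be dropped without losing the ability to follow a customer's orders, and the identifying data that remains is reachable only through an audited, entitlement-checked, single-record path.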
              Additional Material Supplied for the Record
[GRAPHICS NOT AVAILABLE IN TIFF FORMAT]
