[Federal Register Volume 91, Number 75 (Monday, April 20, 2026)]
[Proposed Rules]
[Pages 20945-20968]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2026-07651]
=======================================================================
-----------------------------------------------------------------------
SECURITIES AND EXCHANGE COMMISSION
17 CFR Parts 240 and 242
[Release No. 34-105251; File No. S7-2026-12]
RIN 3235-AN54
Concept Release on Consolidated Audit Trail and Other Audit
Trails and Data Sources
AGENCY: Securities and Exchange Commission.
ACTION: Concept release; request for comments.
-----------------------------------------------------------------------
SUMMARY: The Securities and Exchange Commission (the ``Commission'') is
publishing this concept release to solicit comments in support of a
comprehensive review of the Consolidated Audit Trail and other audit
trails and related data sources currently used in the regulation of
U.S.
[[Page 20946]]
securities markets, including comments regarding the funding mechanisms
for these audit trails and/or related data sources. There have been
several developments since the Commission last evaluated the scope and
sufficiency of these audit trails and related data sources. These
developments have prompted the Commission to consider whether changes
should be made to the rules and regulations governing existing audit
trails and related data sources to better respond to and reflect
current market conditions; demonstrated regulatory needs; civil
liberty, privacy, and confidentiality concerns; cost-efficient
technology solutions; and cybersecurity considerations.
DATES: Comments should be received on or before June 22, 2026.
ADDRESSES: Comments may be submitted by any of the following methods:
Electronic Comments
Use the Commission's internet comment form (https://www.sec.gov/rules/submitcomments.htm); or
Send an email to [email protected]. Please include
File Number S7-2026-12 on the subject line.
Paper Comments
Send paper comments to Secretary, Securities and Exchange
Commission, 100 F Street NE, Washington, DC 20549-1090.
All submissions should refer to File Number S7-2026-12. This file
number should be included on the subject line if email is used. To help
the Commission process and review your comments more efficiently,
please use only one method of submission. The Commission will post all
comments on the Commission's website (https://www.sec.gov/rules-regulations/rulemaking-activity). All comments received will be posted
without change. Do not include personally identifiable information in
submissions; you should submit only information that you wish to make
available publicly. The Commission may redact in part or withhold
entirely from publication submitted material that is obscene or subject
to copyright protection.
Studies, memoranda, or other substantive items may be added by the
Commission or staff to the comment file during this rulemaking. A
notification of the inclusion in the comment file of any such materials
will be made available on the Commission's website. To ensure direct
electronic receipt of such notifications, sign up through the ``Stay
Connected'' option at www.sec.gov to receive notifications by email.
FOR FURTHER INFORMATION CONTACT: David Hsu, Assistant Director, and
Erika Berg, Special Counsel, at (202) 551-5500, Office of Market
Supervision, Division of Trading and Markets, Securities and Exchange
Commission, 100 F Street NE, Washington, DC 20549.
SUPPLEMENTARY INFORMATION:
Table of Contents
I. Introduction
II. Current Audit Trails and Data Sources Utilized by Regulators
A. The CAT
B. EBS System
C. Other Audit Trails and Related Data Sources
III. Request for Comment
A. Regulatory Purpose of the CAT
B. Structure and Governance of the CAT
CAT NMS Plan
Operating Committee
Advisory Committee
C. CAT Funding and Cost Management
Cost Management
Funding Model and Allocation of Fees
Reserve Funds
Section 31 Fees and Alternative Methods of Funding the CAT
D. CAT Design and Scope
Scope
General Functionality
Lifecycle Linkage and Processing Timelines
Data Storage and Retention
CCID Generation
E. Previous Changes to CAT Requirements
Verbal Activity on Exchange Floors
Not Immediately Actionable Electronic Requests for Quotes
Port-Level Settings
Representative Order Linkage
F. Potential Changes to Other Data Sources and Related Rules
Retirement of Partially Duplicative Systems
Modification and/or Replacement of the EBS System
LTID
G. Civil Liberties and Privacy Considerations
H. Cybersecurity
The CAT
EBS
R&R System
LOPR
Other Audit Trails and/or Related Data Sources
I. Transparency and Process of Comprehensive Review
IV. General Request for Comment
V. Other Matters
VI. Conclusion
I. Introduction
The Securities and Exchange Act of 1934 (the ``Exchange Act''), as
amended,\1\ tasks the Commission with overseeing the U.S. securities
markets, including supervising certain market participants such as
broker-dealers, clearing agencies, and national securities
exchanges.\2\ The Exchange Act further provides that specified
entities, including national securities exchanges and registered
securities associations, fall within the definition of a self-
regulatory organization (``SRO'').\3\ As an SRO, each national
securities exchange and national securities association must comply,
and enforce the compliance by its members and associated persons, with
the Exchange Act, the Commission's rules and regulations thereunder,
and the SRO's own rules.\4\
---------------------------------------------------------------------------
\1\ 15 U.S.C. 78a et seq.
\2\ See, e.g., 15 U.S.C. 78b, 78f, 78i, 78j, 78k, 78k-1, 78o,
78o-3, and 78s.
\3\ 15 U.S.C. 78c(a)(26). The national securities exchange and
registered securities association SROs, also referred to herein as
``the Participants,'' include 24X National Exchange, BOX Exchange
LLC, Cboe BYX Exchange, Inc., Cboe BZX Exchange, Inc., Cboe C2
Exchange, Inc., Cboe EDGA Exchange, Inc., Cboe EDGX Exchange, Inc.,
Cboe Exchange, Inc. (``Cboe''), Financial Industry Regulatory
Authority, Inc. (``FINRA''), Investors Exchange LLC, Long-Term Stock
Exchange, Inc., MEMX LLC, Miami International Securities Exchange
LLC, MIAX Emerald, LLC, MIAX PEARL, LLC, MIAX Sapphire, LLC, Nasdaq
GEMX, LLC, Nasdaq ISE, LLC, Nasdaq MRX, LLC, Nasdaq PHLX LLC, The
Nasdaq Stock Market LLC (``Nasdaq''), Nasdaq Texas, LLC, New York
Stock Exchange LLC (``NYSE''), NYSE American LLC, NYSE Arca, Inc.,
NYSE National, Inc., and NYSE Texas, Inc.
\4\ 15 U.S.C. 78f(b)(1); 15 U.S.C. 78o-3(b)(2); 15 U.S.C.
78s(g)(1). FINRA currently is the only national securities
association. As a national securities association, FINRA is also
responsible for enforcing compliance by its members and associated
persons with the rules of the Municipal Securities Rulemaking Board
(``MSRB'').
---------------------------------------------------------------------------
Effective market oversight by the Commission and SROs relies on,
among other things, access by regulatory users at the Commission and
the SROs to accurate and timely market data. Because the vast majority
of securities transactions in modern markets occur electronically, at
high speeds and volumes and across trading venues, cross-market audit
trails and related data sources have come to play an important role in
the oversight of securities markets. Such audit trails and related data
sources aid regulators in conducting robust cross-market surveillances,
investigations, enforcement activities, and engaging in cross-market
reconstructions and analyses, as appropriate.
For several decades, broker-dealers furnished information to the
Commission and the SROs through questionnaires known as ``blue sheets''
due to the color on which the forms were printed. In the late 1980s, as
the volume of trading and securities transactions dramatically
increased, the Commission and the SROs worked together to develop and
implement a request-and-response system with a universal electronic
format, commonly known as the ``electronic blue sheet'' or
[[Page 20947]]
``EBS'' system, to replace the paper-based process.\5\ The Commission
and the SROs also obtained data through other methods--including manual
requests to market participants, daily reports produced by clearing
agencies that provide aggregated information to the SROs and the
Commission, market-specific matching engines and/or order book feeds,
market-specific audit trails, trade reporting facilities, proprietary
data feeds made available by SROs and/or off-exchange trading venues,
and publicly-available consolidated data feeds provided by securities
information processors.\6\
---------------------------------------------------------------------------
\5\ See Securities Exchange Act Release No. 44494 (June 29,
2001), 66 FR 35836 (July 9, 2001) (``EBS Adopting Release'').
\6\ See 15 U.S.C. 78c(a)(22)(A) (``The term `securities
information processor' means any person engaged in the business of
(i) collecting, processing, or preparing for distribution or
publication, or assisting, participating in, or coordinating the
distribution or publication of, information with respect to
transactions in or quotations for any security (other than an
exempted security) or (ii) distributing or publishing (whether by
means of a ticker tape, a communications network, a terminal display
device, or otherwise) on a current and continuing basis, information
with respect to such transactions or quotations.'').
---------------------------------------------------------------------------
Regulators also obtained data through audit trails. For example, in
1996, the National Association of Securities Dealers (n/k/a FINRA) was
required, pursuant to a settled order, to design and implement an audit
trail to provide an accurate, time-sequenced record of orders and
transactions on Nasdaq-listed equities, which came to be known as the
Order Audit Trail System (``OATS'').\7\ OATS was later expanded to
include over-the-counter equity securities \8\ and all NMS stocks.\9\
FINRA also created an internal process by which it augmented the data
it collected via OATS with order and trade execution data collected
from other SROs with which it had regulatory services agreements.\10\
Similarly, in 2000, a group of options exchanges was required, pursuant
to a settled order, to design and implement an audit trail to provide
an accurate, time-sequenced record of orders, quotations, and
transactions on those options exchanges.\11\ That audit trail became
known as the Consolidated Options Audit Trail System (``COATS'') and
was later expanded to incorporate reporting for activity on additional
options exchanges.\12\
---------------------------------------------------------------------------
\7\ In the Matter of National Association of Securities Dealers,
Inc., Administrative Proceeding File No. 3-9056, Securities Exchange
Act Release No. 37358 (Aug. 8, 1996), available at https://www.sec.gov/files/litigation/admin/3437538.txt.
\8\ See Securities Exchange Act Release No. 67457 (July 18,
2012), 77 FR 45722, 45728 (Aug. 1, 2012) (``Rule 613 Adopting
Release''); see also Securities Exchange Act Release No. 62174 (May
26, 2010), 75 FR 32556, 32558-59 (June 8, 2010) (``Rule 613
Proposing Release'').
\9\ To avoid duplicative reporting requirements after OATS
expansion to all NMS stocks, NYSE-affiliated exchanges replaced
their market-specific audit trail requirements for members that were
also members of either FINRA or Nasdaq--and therefore already
reporting to OATS--with rules that allowed these members to satisfy
their reporting obligations by meeting the new OATS reporting
requirements in 2011. See, e.g., Rule 613 Adopting Release, supra
note 8, at 45728; 17 CFR 242.600(65) (defining ``NMS stock'' as
``any NMS security other than an option'').
\10\ See, e.g., Rule 613 Adopting Release, supra note 8, at
45729.
\11\ See In the Matter of Certain Activities of Options
Exchanges, Administrative Proceeding File No. 3-10282, Securities
Exchange Act Release No. 43268 (Sept. 11, 2000), available at
https://www.sec.gov/enforcement-litigation/administrative-proceedings/34-43268.
\12\ See Staff Paper on Cross-Market Regulatory Coordination,
available at https://www.sec.gov/about/divisions-offices/division-trading-markets/staff-paper-cross-market-regulatory-coordination.
---------------------------------------------------------------------------
Although these audit trails and related data sources were useful,
they did not produce a comprehensive cross-market audit trail. Even
with augmented OATS data, assembling a consolidated audit trail from
the various data sources described above was a cumbersome, complex, and
time-consuming process that was prone to error.\13\
---------------------------------------------------------------------------
\13\ See, e.g., Rule 613 Adopting Release, supra note 8, at
45728 (``Although these developments with respect to the scope of
FINRA's OATS rules reduce the number of audit trails with disparate
requirements, they still do not result in a comprehensive audit
trail that provides regulators with accurate, complete, accessible,
and timely data on the overall markets for which regulators have
oversight responsibilities.''); see also, e.g., Securities Exchange
Act Release No. 77724 (Apr. 27, 2016), 81 FR 30614, 30670 (May 17,
2016) (``Regardless of whether order lifecycle reports are reflected
in the same or different data sources, the process of linking
lifecycle events is complex and can create inaccuracies. Merging
different data sources often involves translating the data sources
into the same format, which can be a complex process that is prone
to error. Linking records within or across data sources also
requires the sources to share `key fields' that facilitate linkage,
along with a successful linking algorithm. Regulators may be unable
to link some data source combinations accurately because the data
sources do not have key fields in common or the key fields are not
sufficiently granular. . . . The inability to link all records
affects the accuracy of the resulting data and can force an
inefficient manual linkage process that would delay the completion
of the data collection and analysis portion of the examination,
investigation, or reconstruction.'' (citations omitted)).
---------------------------------------------------------------------------
To improve the accuracy, completeness, accessibility, and
timeliness of the data available to regulators, in 2012, the Commission
adopted Rule 613 to require the SROs to jointly develop and submit to
the Commission a national market system plan to create, implement, and
maintain a consolidated audit trail (the ``CAT'').\14\ In proposing and
adopting Rule 613, the Commission stated that the increasingly high-
speed, electronic, and widely dispersed markets had given rise to a
need for efficient access to a more robust and comprehensive, cross-
market audit trail, explaining that existing audit trails and/or data
sources were otherwise limited in their scope and effectiveness.\15\
The national market system plan submitted by the SROs--the CAT NMS
Plan--was approved by the Commission in 2016.\16\ On July 15, 2024, the
SROs represented to the Commission that the CAT had been fully
implemented.\17\
---------------------------------------------------------------------------
\14\ See Rule 613 Adopting Release, supra note 8; 17 CFR
242.613.
\15\ See, e.g., Rule 613 Adopting Release, supra note 8, at
25722-23.
\16\ See Securities Exchange Act Release No. 79318 (Nov. 15,
2016), 81 FR 84696 (Nov. 23, 2016) (``CAT NMS Plan Approval
Order''). The CAT NMS Plan is Exhibit A to the CAT NMS Plan Approval
Order. See CAT NMS Plan Approval Order, at 84943-85034.
\17\ See CAT Q2 & Q3 2024 Quarterly Progress Report (July 29,
2024), available at https://catnmsplan.com/sites/default/files/2024-07/CAT_Q2-and-Q3-2024-QPR.pdf. On April 20, 2020, the Commission
granted conditional exemptive relief to allow for the implementation
of phased Industry Member reporting to the CAT across five phases.
See Securities Exchange Act Release No. 88702, 85 FR 23075 (Apr. 24,
2020) (``Phased Reporting Exemptive Relief Order'').
---------------------------------------------------------------------------
There have been a number of developments in the nearly ten years
since the Commission approved the CAT NMS Plan. Chief amongst these
developments is the implementation and operation of the CAT itself in
accordance with the CAT NMS Plan and its amendments. Once it was able
to determine that its members were effectively reporting to the CAT and
that the CAT's accuracy and reliability met certain standards, FINRA
retired OATS, effective as of September 1, 2021.\18\ Other data
sources, such as the EBS system, remain operational. The Commission has
also provided exemptive relief and approved amendments to the CAT NMS
Plan to enable the SROs to remove personally-identifiable information
(``PII'') from the CAT, meaning that regulators have continued to rely
on alternative data sources (including the EBS system) for fulfilling
their regulatory obligations compared to what was contemplated by the
Commission when it approved the CAT NMS Plan in 2016.\19\
---------------------------------------------------------------------------
\18\ See, e.g., FINRA Regulatory Notice 21-21, ``FINRA
Eliminates the Order Audit Trail System (OATS) Rules'' (June 17,
2021), available at https://www.finra.org/rules-guidance/notices/21-21. The CAT is currently the only audit trail and/or data source
that provides cross-market order-level information to regulators.
\19\ See, e.g., Securities Exchange Act Release No. 88393 (Mar.
17, 2020), 85 FR 16152 (Mar. 20, 2020) (the ``2020 PII Exemptive
Relief Order'') (providing conditional exemptive relief from CAT NMS
Plan requirements obligating the SROs to collect social security
numbers (``SSNs'') and/or individual tax payer identification
numbers (``ITINs''), dates of birth, and account numbers associated
with natural persons); Securities Exchange Act Release No. 102386
(Feb. 10, 2025), 90 FR 9642, 9643 (Feb. 14, 2025) (the ``2025 PII
Exemptive Relief Order'') (providing conditional exemptive relief
from CAT NMS Plan requirements obligating the SROs to collect names,
addresses, and years of birth for U.S. natural persons); Securities
Exchange Act Release No. 104586 (Jan. 13, 2026), 91 FR 2164 (Jan.
16, 2026) (the ``CAIS Order'') (codifying the 2020 PII Exemptive
Relief Order and the 2025 PII Exemptive Relief Order and, among
other things, enabling the SROs to eliminate: (1) historical
customer and account-level data, including, among other things,
names, addresses, and years of birth, (2) names, addresses, and
years of birth (where applicable) for foreign natural persons, for
legal entities, and for authorized traders, and (3) employer
identification numbers).
---------------------------------------------------------------------------
[[Page 20948]]
Importantly, the annual costs of maintaining and operating the CAT
have grown well beyond the Commission's 2016 estimate of approximately
$55.8 million,\20\ increasing to over $248 million per year in the 2025
budget initially approved by the SROs.\21\ Markets have experienced
much higher volumes and more trading activity than the Commission
anticipated in 2016, which has contributed to increased costs
associated with storage, data processing, and message traffic.\22\
Recently, trading venues have also pushed to extend trading hours,\23\
which could further increase trading volumes.\24\ Although steps have
been taken by the Commission and the SROs to manage and contain
costs,\25\ the 2026 budget approved by the SROs of approximately $156
million \26\ remains significantly in excess of the operational costs
estimated by the Commission when it approved the CAT NMS Plan in
2016.\27\
---------------------------------------------------------------------------
\20\ See, e.g., CAT NMS Plan Approval Order, supra note 16, at
84918-20.
\21\ See https://catnmsplan.com/sites/default/files/2024-11/11.20.24-CAT-LLC-2025-Financial_and_Operating-Budget.pdf.
\22\ For example, the CAT NMS Plan approved in 2016 anticipates
that the CAT will process and load more than 58 billion records a
day, or approximately 14.6 trillion records a year. (58,000,000,000
x 252 trading days = 14,616,000,000,000). See CAT NMS Plan, supra
note 16, at Appendix D, Section 1.3 n.262. However, current CAT data
volumes are and have been significantly higher than this initial
estimate. See e.g., Securities Exchange Act No. 103960 (Sept. 12,
2025), 90 FR 44910 (Sept. 17, 2025) (``2025 Funding Model
Amendment'') (stating that CAT data volumes have grown 41% over a
three-year period--109 trillion events in 2022, 116 trillion events
in 2023, and 154 trillion events in 2024); Cboe, ``Growth of U.S.
Equities Volumes and Rise of Retail'' (Nov. 14, 2024), available at:
https://www.cboe.com/insights/posts/growth-of-u-s-equities-volumes-and-rise-of-retail (stating that U.S. equities average daily volume
has grown steadily since 2018, and that the average daily volume is
at a new norm of over 10 billion shares post-COVID-19 pandemic).
There have also been dramatic increases in quoting activity on
Listed Options. See 17 CFR 242.600(b)(52) of Regulation NMS
(defining ``Listed Option'' as ``any option traded on a registered
national securities exchange or automated facility of a national
securities association''); see also CAT NMS Plan, supra note 16, at
Section 1.1. (defining a ``Listed Option'' as having ``the meaning
set forth in Rule 600(b)(35) of Regulation NMS,'' which provision
has been redesignated as Rule 600(b)(52) without any changes to its
terms). According to SEC staff calculations, the median daily
Options Price Reporting Authority (``OPRA'') quote count in January
2017 was approximately 8.8 billion, whereas the median daily OPRA
quote count by March 2025 was approximately 243.8 billion--an
increase of approximately 2,670 percent.
\23\ See, e.g., Securities Exchange Act Release No. 101777 (Nov.
27, 2024), 89 FR 97092, 97104-06 (Dec. 6, 2024) (order approving 24X
National Exchange's Form 1 application, but stating that a proposed
rule change must be filed with the Commission pursuant to Section
19(b) of the Exchange Act and approved before 24X National Exchange
can provide the 24X Market Session); Securities Exchange Act Release
No. 102400 (Feb. 11, 2025), 90 FR 9794 (Feb. 18, 2025) (order
approving proposal by NYSE Arca, Inc. to lengthen the hours of its
extended trading sessions, but stating that a proposed rule change
must be filed with the Commission pursuant to Section 19(b) of the
Exchange Act and approved before such changes can be made); DTCC,
``DTCC's NSCC to Increase Clearing Hours to Support Extended
Trading'' (Mar. 18, 2025), available at https://www.dtcc.com/news/2025/march/18/dtccs-nscc-to-increase-clearing-hours-to-support-extended-trading (stating that NSCC will increase clearing hours to
support overnight trading activity from alternative trading systems
and exchanges, with implementation targeted for Q2 2026).
\24\ See, e.g., Letter from Stephen John Berger, Managing
Director, Global Head of Government & Regulatory Policy, Citadel
Securities LLC (``Citadel''), to Vanessa A. Countryman, Secretary,
Commission (Oct. 17, 2025), at 5, available at https://www.sec.gov/comments/4-698/4698-669947-2018874.pdf (``Citadel Letter I'').
\25\ See Part III.D infra for further discussion of these steps.
\26\ See https://catnmsplan.com/sites/default/files/2025-12/12.08.25-CAT-LLC-2026-Financial_and_Operating_Budget.pdf.
\27\ See Securities Exchange Act Release No. 105003 (Mar. 16,
2026), 91 FR 13410 (Mar. 19, 2026) (the ``2026 Funding Model
Order''), at Part IV. A.1, for a full discussion of realized costs
to build and operate the CAT.
---------------------------------------------------------------------------
In addition, the Commission has received suggestions from the SROs
and other market participants about potential considerations for, and
improvements to, audit trails and/or related data sources,\28\
including petitions for rulemaking related to the operation and funding
of the CAT.\29\
---------------------------------------------------------------------------
\28\ See, e.g., Letter from Joanna Mallers, Secretary, FIA
Principal Traders Group (``PTG''), to Hon. Paul S. Atkins, Chairman,
Commission (June 26, 2025), available at https://www.sec.gov/comments/4-853/4853-618547-1815754.pdf (``PTG Letter I''); Letter
from James Toes, President and CEO, Security Traders Association, to
Hon. Paul S. Atkins, Chairman, Commission (June 25, 2025), available
at https://www.sec.gov/comments/4-853/4853-616887-1809874.pdf (``STA
Letter''); Letter from Joseph Corcoran, Managing Director and
Associate General Counsel, and Gerald O'Hara, Vice President and
Assistant General Counsel, Securities Industry and Financial Markets
Association (``SIFMA''), to Hon. Paul S. Atkins, Chairman,
Commission (June 6, 2025), available at https://www.sec.gov/comments/4-698/4698-610487-1785814.pdf (``SIFMA Letter I''); Letter
from Howard Meyerson, Managing Director, Financial Information Forum
(``FIF''), to Commission (July 14, 2025), available at https://www.sec.gov/comments/4-698/4698-625367-1847814.pdf (``FIF Letter
I''); Letter from Jaime Klima, General Counsel, New York Stock
Exchange, to Hon. Paul S. Atkins, Chairman, Commissioner (Apr. 24,
2025), available at https://www.sec.gov/comments/4-698/4698-598195-1737842.pdf. See also, e.g., Securities Exchange Act Release No.
104504 (Dec. 23, 2025), 90 FR 61506, 61553-36 (Dec. 31, 2025)
(identifying, without formally proposing, two potential cost-savings
measures for the Commission's consideration). Although some
suggestions were beyond the scope of the Commission's consideration
in other contexts, nothing precludes the Commission from evaluating
such suggestions in the context of this review.
\29\ See, e.g., Letter from Stephen John Berger, Managing
Director, Global Head of Government & Regulatory Policy, Citadel, to
Vanessa A. Countryman, Secretary, Commission (Jan. 15, 2026),
available at https://www.sec.gov/files/rules/petitions/2026/petn4-878.pdf (``Citadel Petition''); Letter from J. Matthew DeLesDernier,
Deputy Secretary, Commission, to Stephen John Berger, Global Head of
Government and Regulatory Policy, Citadel (Feb. 18, 2026), available
at https://www.sec.gov/files/rules/petitions/2026/4-878_rulemaking-petition-letter.pdf (``Response to Citadel Petition''). See also,
e.g., Letter from Tyler Gellasch, President and CEO, Healthy Markets
Association, to Hon. Gary Gensler, Chair, Commission (Sept. 19,
2024), available at https://www.sec.gov/files/rules/petitions/2024/petn4-843.pdf (``Healthy Markets Petition''); Letter from John A.
Zecca, Executive Vice President, Global Chief Legal, Risk &
Regulatory Officer, Nasdaq, and J. Patrick Sexton, Executive Vice
President, General Counsel & Corporate Secretary, Cboe, to Hon. Paul
S. Atkins, Chairman, Commission (Apr. 24, 2025), available at
https://www.sec.gov/comments/4-698/4698-598775-1738922.pdf. There
have also been legal challenges to the CAT, including to the
Commission's authority to require the SROs to implement and operate
the CAT. See, e.g., Amended Class-Action Compliant for Declaratory,
Injunctive, and Mandamus Relief, Davidson et al. v. Atkins, No.
6:24-cv-00197 (W.D. Tex. Jan. 13, 2025). On February 4, 2026, the
Court granted the Commission's motion to continue to hold the case
in abeyance until July 15, 2026. Text Order, Davidson et al. v.
Atkins, No. 6:24-cv-00197 (W.D. Tex. Feb. 4, 2026). In addition,
market participants have challenged the CAT's funding model. See Am.
Sec. Ass'n et al. v. SEC, No. 26-10936 (11th Cir. Mar. 24, 2026);
see also Am. Sec. Ass'n v. SEC, 147 F.4th 1264 (11th Cir. 2025)
(11th Cir. 2025) (vacating an order that implemented a modified
funding model for the CAT and remanding the matter to the Commission
for further proceedings consistent with its opinion).
---------------------------------------------------------------------------
To further consider these market developments, as well as
suggestions received from and concerns raised by the SROs and other
market participants, the Commission has determined to conduct a
comprehensive review of the CAT and other audit trails and related data
sources currently used by securities regulators, including regulatory
users at the SROs. This review will allow the Commission to examine the
effectiveness, regulatory use, and costs of these data sources and to
obtain crucial feedback regarding whether changes should be made to
their structure, scope, functionality, and security, including changes
that would strike a different balance between privacy considerations
and regulatory need.
This concept release begins with a brief overview of the audit
trails and data sources used by the Commission
[[Page 20949]]
and the SROs to meet market oversight responsibilities. The release
then solicits comments on whether changes should be made to the rules
and regulations governing existing audit trails and related data
sources to better respond to and reflect current market conditions,
demonstrated regulatory needs, civil liberty and privacy concerns,
cost-efficient technology solutions, and cybersecurity considerations.
II. Current Audit Trails and Data Sources Utilized by Regulators
Pursuant to Section 17 of the Exchange Act,\30\ the Commission can
request books and records to monitor and oversee trading in the
securities markets under its jurisdiction. Each SRO has its own
recordkeeping rules and similarly can request books and records from
its members.\31\ The Commission and the SROs have used these powers to
create audit trails and/or data sources and/or to obtain data for
market oversight purposes as follows.
---------------------------------------------------------------------------
\30\ 15 U.S.C. 78q(a)(1) (requiring every national securities
exchange, member thereof, broker or dealer who transacts a business
in securities through the medium of any such member, registered
securities association, and registered broker or dealer, among other
parties, to make and keep for prescribed periods such records,
furnish such copies thereof, and make and disseminate such reports
as the Commission, by rule, prescribes as necessary or appropriate
in the public interest, for the protection of investors, or
otherwise in furtherance of the purposes of this chapter). Specific
books and records requirements, including storage and retention
requirements, are set forth for the SROs and broker-dealers in rules
promulgated by the Commission. See, e.g., 17 CFR 240.17a-1; 17 CFR
240.17a-3; 17 CFR 240.17a-4; 17 CFR 240.17a-6; 17 CFR 240.17a-7.
\31\ See, e.g., Nasdaq Options 6E, Section 1; Cboe Rule 7.1;
NYSE Rule 440. Under Section 19(b) of the Exchange Act, SROs
generally must file proposed rule changes with the Commission for
notice, public comment, and Commission review, prior to
implementation. See 15 U.S.C. 78s; 17 CFR 240.19b-4.
---------------------------------------------------------------------------
A. The CAT
The CAT is intended to furnish both the Commission and the SROs
with timely access to a comprehensive, uniform, accurate, and linked
set of trading data that allows them to efficiently retrieve relevant
information about the full lifecycle of all orders in NMS and OTC
Equity Securities \32\ across the markets and trading centers that
comprise the national market system.\33\ The CAT collects data from
both SROs and Industry Members \34\ about the original receipt or
origination of an order, the routing of an order and the receipt of an
order that has been routed, executions, modifications, and
cancellations.\35\ The Plan Processor,\36\ FINRA CAT, LLC (``FINRA
CAT''), uses this data to ``link and create the order lifecycle'' using
a ``daisy chain approach,'' in which ``a series of unique order
identifiers, assigned to all order events handled by CAT Reporters[,]
are linked together by the Central Repository[\37\] and assigned a
single CAT-generated CAT-Order-ID that is associated with each
individual order event and used to create the complete lifecycle of an
order.'' \38\ In addition to this linked data, the CAT is required to
provide regulators with SIP Data.\39\
---------------------------------------------------------------------------
\32\ An ``NMS Security'' means ``any security or class of
securities for which transaction reports are collected, processed,
and made available pursuant to an effective transaction reporting
plan, or an effective national market system plan for reporting
transactions in Listed Options.'' An ``OTC Equity Security'' means
``any equity security, other than an NMS Security, subject to prompt
last sale reporting rules of a registered national securities
association and reported to one of such association's equity trade
reporting facilities.'' See CAT NMS Plan, supra note 16, at Section
1.1.
\33\ See, e.g., Rule 613 Adopting Release, supra note 8, at
45723, 45726.
\34\ See also CAT NMS Plan, supra note 16, at Section 1.1
(defining ``Industry Member'' as ``a member of a national securities
exchange or a member of a national securities association'').
\35\ Rule 613 and the CAT NMS Plan identify the information that
must be reported by the SROs and the information that the SROs must
obligate their members to report through compliance rules. See,
e.g., 17 CFR 242.613(c)(7); CAT NMS Plan, supra note 16, at Sections
6.3-6.4. Further guidance about how to report to the CAT is provided
by detailed technical specifications available on the CAT NMS Plan
website. See https://catnmsplan.com/specifications/participants;
https://catnmsplan.com/specifications/im.
\36\ ``Plan Processor'' means ``the Initial Plan Processor or
any other Person selected by the Operating Committee pursuant to SEC
Rule 613 and Sections 4.3(b)(i) and 6.1, and with regard to the
Initial Plan Processor, the Selection Plan, to perform the CAT
processing functions required by SEC Rule 613 and set forth in this
Agreement.'' See CAT NMS Plan, supra note 16, at Section 1.1; see
also id. (defining ``Operating Committee'' as ``the governing body
of the Company designated as such and described in Article IV'').
\37\ ``Central Repository'' means ``the repository responsible
for the receipt, consolidation, and retention of all information
reported to the CAT pursuant to SEC Rule 613 and this Agreement.''
Id. at Section 1.1.
\38\ Id. at Appendix D, Section 3. The ``CAT-Order-ID'' is ``a
unique order identifier or series of unique order identifiers that
allows the central repository to efficiently and accurately link all
reportable events for an order, and all orders that result from the
aggregation or disaggregation of such order.'' See also 17 CFR
242.613(j)(1).
\39\ ``SIP Data'' means: ``(A) information, including the size
and quote condition, on quotes including the National Best Bid and
National Best offer for each NMS Security; (B) Last Sale Reports and
transaction reports reported pursuant to an effective transaction
reporting plan filed with the SEC pursuant to, and meeting the
requirements of, SEC Rules 601 and 608; (C) trading halts, Limit Up/
Limit Down price bands, and Limit Up/Limit Down indicators; and (D)
summary data or reports described in the specifications for each of
the SIPs and disseminated by the respective SIP.'' Id. at Section
6.5(a)(ii); see also 17 CFR 242.613(e)(7). Although the CAT was
originally required to link SIP Data with other transactional data
reported to the CAT, the Commission has granted exemptive relief
from that requirement. See, e.g., 2025 Cost Savings Exemptive Relief
Order, supra note 25, at 47856-57.
---------------------------------------------------------------------------
Although the CAT is no longer required to collect customer and
account-level information pursuant to an amendment to the CAT NMS Plan
approved by the Commission on January 13, 2026,\40\ the CAT's
architecture of identifiers and lifecycle linkage enables regulators
with a specific regulatory purpose to analyze a particular customer's
trading activity for Eligible Securities \41\ across markets, brokers,
and/or accounts through generation of a CAT Customer ID (``CCID'').\42\
This transactional data may only be associated with customer and
account-level information if such information is obtained separately
from Industry Members through a manual request.\43\
---------------------------------------------------------------------------
\40\ See CAIS Order, supra note 19.
\41\ ``Eligible Security'' includes ``(a) all NMS Securities and
(b) all OTC Equity Securities.'' See CAT NMS Plan, supra note 16, at
Section 1.1.
\42\ See 2020 PII Exemptive Relief Order, supra note 19, for
further explanation of how CCIDs are generated.
\43\ See Part III.F, Modification and/or Replacement of the EBS
System infra for further discussion of this process.
---------------------------------------------------------------------------
B. EBS System
Requests for data outside of the CAT system are predominantly made
through the EBS system. In 2001, the Commission adopted Rule 17a-25
under the Exchange Act to codify and enhance the EBS system.\44\ Rule
17a-25 requires firms to report to the Commission standard data
elements for proprietary securities transactions such as security
symbol, date executed, amount traded, type of transaction, transaction
price, account number, execution venue, and identification information
for the parties on either side of the transaction.\45\ For customer
securities transactions, Rule 17a-25 further requires firms to include
the customer name, address, branch office number, registered
representative number, type of order, date account opened, taxpayer
identification number, employer name, and the role of the intermediary
(agent or principal) if any.\46\ This kind of customer information is
no longer required to be collected or stored by the CAT and is
therefore only accessible through the EBS system or manual
requests.\47\
---------------------------------------------------------------------------
\44\ See EBS Adopting Release, supra note 5, at 35837; 17 CFR
240.17a-25.
\45\ 17 CFR 240.17a-25(a)(1).
\46\ Id. at (a)(2). Rule 17a-25 also requires certain prime
brokerage identifiers, average price account identifiers, and
identifiers used by depository institutions to be reported upon
request. Id. at (b).
\47\ See CAIS Order, supra note 19.
---------------------------------------------------------------------------
The EBS system is also used to process requests made by the
Commission for account-level
[[Page 20950]]
information and transactional data pursuant to Rule 13h-1,\48\ which
sets forth broker-dealer record-keeping, reporting, and monitoring
requirements for large traders.\49\ This rule is designed to enable the
Commission to promptly and efficiently identify significant market
participants and to collect data on their trading activity so that
Commission staff can reconstruct market events and conduct
investigations.\50\ Under Rule 13h-1, large traders are required to
identify themselves to the Commission and to make certain disclosures
on Form 13H.\51\ Upon receipt of Form 13H, the Commission issues a
unique identification number to the large trader (``LTID''), which the
large trader is then required to provide to those broker-dealers
through which it trades.\52\ Rule 13h-1 enables the Commission to
request account-level information and transactional data from broker-
dealers for large traders (as well as Unidentified Large Traders \53\)
via the EBS system and using the EBS reporting template.
---------------------------------------------------------------------------
\48\ See 17 CFR 240.13h-1.
\49\ Id. at (a)(1) (defining ``large trader'' as ``any person
that: (i) [d]irectly or indirectly, including through other persons
controlled by such person, exercises investment discretion over one
or more accounts and effects transactions for the purchase or sale
of any NMS security for or on behalf of such accounts, by or through
one or more registered broker-dealers, in an aggregate amount equal
to or greater than the identifying activity level; or (ii)
[v]oluntarily registers as a large trader by filing electronically
with the Commission Form 13H''); id. at (a)(7) (defining
``identifying activity level'' as ``aggregate transactions in NMS
securities that are equal to or greater than: (i) [d]uring a
calendar day, either two million shares or shares with a fair market
value of $20 million; or (ii) [d]uring a calendar month, either
twenty million shares or shares with a fair market value of $200
million'').
\50\ See, e.g., Rule 613 Adopting Release, supra note 8, at
45733.
\51\ 17 CFR 240.13h-1(b).
\52\ Id. at (b)(2).
\53\ Id. at (a)(9) (``Unidentified Large Trader'' means ``each
person who has not complied with the identification requirements''
of Rule 13h-1(b)(1) and (b)(2) ``that a registered broker-dealer
knows or has a reason to know is a large trader'').
---------------------------------------------------------------------------
Information retrievable through the EBS system is limited to
executed trades and does not contain information on orders or quotes,
and thus does not contain information on routes, modifications, and
cancellations.\54\ Such information is available through the CAT and is
used to investigate various forms of potential market manipulation like
layering and spoofing.
---------------------------------------------------------------------------
\54\ See also notes 182-191 and associated text infra for
additional discussion of the data accessible through the EBS system.
---------------------------------------------------------------------------
C. Other Audit Trails and Related Data Sources
Regulators may make manual requests for books and records
information--for example, by sending emails to broker-dealers
requesting the relevant data.\55\ In addition, the Commission and the
SROs also rely on other data sources to fulfill their regulatory
obligations.
---------------------------------------------------------------------------
\55\ See notes 30-31 and associated text supra.
---------------------------------------------------------------------------
One such data source is the National Securities Clearing
Corporation's (``NSCC'') equity cleared report,\56\ which is generated
on a daily basis by the SROs and provided to the NSCC in a database
accessible by the Commission. It shows the number of trades and daily
volume of all equity securities transacted, sorted by clearing member
and searchable by security name and CUSIP number.\57\ The Options
Clearing Corporation (``OCC'') \58\ provides several other reports to
regulators, including: (1) the OCC Trades report, which provides
similar data as the NSCC's equity cleared report for options
securities; (2) the OCC End-of-Day Positions File, which provides the
current aggregate position for customer, firm, and market-maker
clearing ranges; and (3) the Large Options Position Report (``LOPR''),
which provides start-of-day and end-of-day positions per option
security on a customer and account-level basis, along with several
other reports. OCC generates these reports on a daily basis and
provides them to the SROs; the Commission then accesses OCC reports
through the FINRA regulatory portal.\59\
---------------------------------------------------------------------------
\56\ NSCC is a subsidiary of the Depository Trust and Clearing
Corporation and provides centralized clearing information and
settlement services to broker-dealers for trades involving equities,
corporate and municipal debt, American depository receipts, exchange
traded funds, and unit investment trusts.
\57\ A CUSIP number is a unique alphanumeric identifier assigned
to a security.
\58\ OCC provides clearing and settlement services for equity
derivatives, options, futures, and securities lending transactions.
\59\ The high-level, end-of-day, and often netted nature of
these NSCC and OCC reports, and the limited information they
provide, means that they typically serve only as a starting point
for certain types of investigations--a tool that regulators use to
narrow down the parties to contact for additional information on
certain transactions.
---------------------------------------------------------------------------
Regulators may also obtain data from privately- and publicly-
available market data feeds. Specifically, SROs may leverage data feeds
from their own, market-specific matching engines and/or order book
feeds, data from their own audit trails \60\ or other trade reporting
or display facilities,\61\ data from proprietary feeds made available
by other SROs and/or off-exchange execution venues, and/or publicly-
available consolidated data feeds provided by various securities
information processors that provide top-of-the-book information like
quotes, National Best Bid and Offer (``NBBO''), and trade- or last
sale-data.\62\ The Commission maintains a tool called the Market
Information Data Analytics System (``MIDAS'') that similarly collects
and processes equity data from the consolidated data feeds as well as
from separate proprietary feeds.\63\ Even when combined in a tool like
MIDAS, though, these data feeds do not provide a comprehensive, cross-
market audit trail that would enable regulators to track an order
through its entire lifecycle, from order origination through routing
and on to execution, modification, or cancellation, because each of the
above-described audit trails and/or related data sources has its own
limitations.
---------------------------------------------------------------------------
\60\ In addition to market-specific audit trails, the SROs have
maintained COATS. OATS, however, was retired as of September 1,
2021. See note 18 and associated text supra.
\61\ FINRA maintains trade reporting facilities that provide a
mechanism for the reporting of transactions in listed equity
securities effected otherwise than on a national securities
exchange, as well as an over-the-counter reporting facility and an
alternative display facility (collectively, ``FINRA Facilities'').
See, e.g., FINRA Rules 6200, 6300, 6600, 7100, 7200, and 7300.
\62\ These consolidated data feeds include: (1) the Consolidated
Tape System (``CTS'') and the Consolidated Quote System (``CQS'')
(Tape A and Tape B); the UTP Quotation Data Feed (``UQDF'') and the
UTP Trade Data Feed (``UTDF'') (Tape C); and OPRA.
\63\ See https://www.sec.gov/securities-topics/market-structure-analytics/midas-market-information-data-analytics-system.
---------------------------------------------------------------------------
III. Request for Comment
The Commission encourages comment from all interested parties,
including, but not limited to, SROs, broker-dealers, retail and
institutional investors and those who represent their interests,
academics, economists, technology experts and service providers, trade
associations, and civil liberties groups. While the release poses a
number of general and specific questions, the Commission also welcomes
comments on any other aspects of the audit trails and related data
sources currently in use (or comments on any potential audit trails and
related data sources that should be created), particularly on any
costs, burdens, or benefits that may result from the possible
regulatory responses identified in this release or otherwise proposed
by commenters.
A. Regulatory Purpose of the CAT
1. What are the regulatory use cases that must be enabled for the
Commission and the SROs to fulfill their statutory obligations? Is the
CAT necessary to enable those use cases? For example, is the CAT
necessary to inform any regulatory decision-making and/or policy-
making? Are other audit trails and/or related data sources sufficient
to
[[Page 20951]]
enable necessary regulatory use cases? Why or why not?
2. Are there features of the CAT that could be eliminated because
they are unnecessary or because they could be replaced by other
currently-existing audit trails and/or related data sources in an
efficient and/or cost-effective manner? If so, please identify such
features, explain why they could be eliminated, and, if relevant,
identify the alternative data sources that could replace such features.
3. Should the Commission eliminate the CAT in favor of developing a
different audit trail and/or data source to enable necessary regulatory
use cases? Why or why not? How should a new audit trail and/or data
source differ from the CAT? What improvements could be gained by
developing a new audit trail and/or data source that could not be
achieved through incremental improvement to the CAT?
B. Structure and Governance of the CAT
Historically, the structure and governance of audit trails and/or
related data sources has varied. OATS and COATS, for example, were
owned, implemented, and operated by the SROs. Commission staff could
obtain access to the data supplied by these systems through ad hoc
requests. With respect to the EBS system, the Commission promulgated a
rule to require broker-dealers to electronically submit specified data
to the Commission upon request, in a format set by the SROs,\64\ but
did not otherwise specify how systems that collect EBS data from
broker-dealers should be structured. Currently, Commission staff access
EBS data through a system owned, implemented, and operated by FINRA,
which licenses use of the system to the Commission. Rule 613 of
Regulation NMS,\65\ on the other hand, is more specific about the
structure of the CAT. It requires the SROs to act jointly to develop a
national market system plan to implement the CAT to collect specified
data from the SROs and their members \66\ and to provide access to such
data to each SRO and the Commission ``for the purpose of performing . .
. regulatory and oversight responsibilities pursuant to the federal
securities laws, rules, and regulations.'' \67\ The rule further
requires that each SRO be a sponsor of the CAT NMS Plan \68\ and that
the CAT NMS Plan ``include a governance structure to ensure fair
representation of the plan sponsors, and administration of the central
repository, including the selection of the plan processor.'' \69\
---------------------------------------------------------------------------
\64\ See, e.g., 17 CFR 240.17a-25. As discussed above, the SROs
have similar rules that enable them to obtain data from their
members. See, e.g., note 31 supra.
\65\ See 17 CFR 242.613.
\66\ Id. at (a)(1), (c).
\67\ Id. at (e)(1).
\68\ Id. at (a)(4).
\69\ Id. at (b)(1).
---------------------------------------------------------------------------
CAT NMS Plan
Under the CAT NMS Plan developed by the SROs and approved by the
Commission, the CAT collects data that can be accessed by authorized
regulatory users from the SROs and the Commission in a system that is
jointly owned by the SROs,\70\ but implemented and operated by the Plan
Processor. FINRA CAT--a subsidiary of FINRA--is the current Plan
Processor and, as such, acts as a vendor to the SROs.
---------------------------------------------------------------------------
\70\ The CAT NMS Plan functions as the limited liability company
agreement of Consolidated Audit Trail, LLC, the jointly owned
limited liability company formed under Delaware state law through
which the SROs conduct the activities of the CAT (``CAT LLC'' or the
``Company''). Each SRO is a member of the Company and jointly owns
the Company on an equal basis. See CAT NMS Plan, supra note 16.
---------------------------------------------------------------------------
4. What are the advantages and disadvantages of structuring the CAT
as a national market system plan (an ``NMS plan'')? Should the CAT
continue to be structured as an NMS plan? Does the fact that both the
SROs and the Commission rely on the CAT to fulfill their regulatory
functions counsel for or against structuring the CAT as an NMS Plan?
5. If the CAT should not continue to be structured as an NMS plan,
how should the Commission and/or the SROs direct and oversee the
operation of the CAT? \71\ What specific benefits, actions, and costs
would be associated with transitioning to an alternative structure?
Would transitioning to an alternative structure for the CAT provide
offsetting benefits to the costs of transitioning? For example, would
replacing the CAT NMS Plan with an SEC rule requiring the reporting of
certain information to the Commission and/or the SROs strengthen the
Commission's ability to control the scope and associated costs of the
CAT?
---------------------------------------------------------------------------
\71\ See, e.g., Healthy Markets Petition, supra note 29, at 2
n.2 (suggesting that the Commission ``end the CAT NMS Plan'' and
instead ``contract with a third party, including FINRA CAT, LLC, to
continue to develop, maintain, and operate the CAT''); Letter from
Katie Kolchin, CFA, Managing Director, Head of Equity & Options
Market Structure, and Joseph Corcoran, Managing Director & Associate
General Counsel, SIFMA, to Vanessa A. Countryman, Secretary,
Commission (Mar. 12, 2026), at 7-8, available at https://www.sec.gov/comments/4-698/4698-722187-2261374.pdf (``SIFMA Letter
II'') (``SIFMA continues to believe that the CAT structure as an NMS
plan is a very inefficient way to manage the equity and listed
options audit trail that CAT represents. . . . We continue to
believe that the audit trail the CAT represents can be run more
efficiently by the Commission.'').
---------------------------------------------------------------------------
Operating Committee
The CAT is governed by the Operating Committee, which is composed
of one voting member for each SRO.\72\ The CAT NMS Plan, however, does
not specify or provide any constraints on who each SRO may choose as
its voting member. The Operating Committee generally meets on a bi-
weekly basis; except as otherwise provided in the CAT NMS Plan, the
Operating Committee makes all decisions and authorizes all actions
taken by the Company.\73\ Because the CAT NMS Plan allocates votes on
the Operating Committee by SRO, affiliated SRO groups may exert a level
of control over the operations of the CAT that is not required to be
correlated with their market share or their share of operating
expenses.\74\
---------------------------------------------------------------------------
\72\ See CAT NMS Plan, supra note 16, at Section 4.1; see also
id. at Section 4.2(a) (stating that one voting member may have the
right to vote on behalf of multiple affiliated SROs and that an
alternate voting member representing each SRO shall have a right to
vote in the absence of that SRO's voting member).
\73\ Id.
\74\ For instance, FINRA ``has repeatedly questioned the voting
structure that governs the CAT NMS Plan,'' which it states allows
``large voting blocks for affiliated exchanges to impose costs on
other SROs.'' According to FINRA, ``four blocks of affiliated
exchanges together represent 21 out of 27 votes, resulting in voting
dynamics that are susceptible to outcomes that favor some
Participants at the expense of the broader securities industry.''
See Letter from Steffen N. Johnson, Wilson Sonsini Goodrich & Rosati
P.C., to Vanessa Countryman, Secretary, Commission (Oct. 17, 2025),
at 16, available at https://www.sec.gov/comments/4-698/4698-670027-2019234.pdf.
---------------------------------------------------------------------------
6. Should the Commission amend the CAT NMS Plan to implement a
different voting structure? If so, what should this voting structure be
and why? What are the advantages and disadvantages, for example, of
allocating one vote to each affiliated SRO group and each non-
affiliated SRO,\75\ as opposed to the current structure of allocating
one vote to each SRO regardless of affiliation? \76\
[[Page 20952]]
If votes should be allocated to each affiliated SRO group and each non-
affiliated SRO, are there any circumstances in which an affiliated SRO
group or non-affiliated SRO should be given extra votes? \77\ If so,
please explain what these circumstances are and why they should affect
the voting structure of the CAT NMS Plan.
---------------------------------------------------------------------------
\75\ The national market system plan regarding the consolidated
equity market data (the ``CT Plan'') takes a similar approach,
stating that the CT Plan operating committee ``shall include one
Voting Representative designed by each SRO Group and each Non-
Affiliated SRO to vote on behalf of such SRO Group or such Non-
Affiliated SRO'' and that ``[e]ach Voting Representative shall be
authorized to cast one vote on behalf of the SRO Group or Non-
Affiliated SRO that he or she represents . . . .'' See Securities
Exchange Act Release No. 101672 (Nov. 20, 2024), 89 FR 94924 (Nov.
29, 2024), at Sections 4.2(a) and 4.3(a).
\76\ See, e.g., Letter from Stephen John Berger, Managing
Director, Global Head of Government & Regulatory Policy, Citadel, to
Vanessa A. Countryman, Secretary, Commission (July 14, 2023), at 3,
available at https://www.sec.gov/comments/4-698/4698-224499-470142.pdf (``Citadel Letter II'') (recommending that the Commission
``[a]llocate voting rights similar to the NMS Plan for consolidated
equity market data'').
\77\ See, e.g., CT Plan, supra note 74, at Section 4.3(a)
(``[E]ach Voting Representative representing an SRO Group or Non-
Affiliated SRO whose combined market center(s) have consolidated
equity market share of more than fifteen (15) percent during four of
the six calendar months preceding an Operating Committee vote shall
be authorized to cast two votes.'').
---------------------------------------------------------------------------
7. Action of the Operating Committee is authorized either by a
Majority Vote \78\ or a Supermajority Vote \79\ of these voting
members, as specified by the CAT NMS Plan.\80\ Should the Commission
amend the CAT NMS Plan to require a different vote threshold--for
example, a Majority Vote, Supermajority Vote, or a unanimous vote--for
any specific action? \81\ If so, what should that vote threshold be,
for which actions, and why?
---------------------------------------------------------------------------
\78\ ``Majority Vote'' is defined as ``the affirmative vote of
at least a majority of all of the members of the Operating Committee
or any Subcommittee, as applicable, authorized to cast a vote with
respect to a matter presented for a vote (whether or not such a
member is present at any meeting at which a vote is taken) by the
Operating Committee or any Subcommittee, as applicable (excluding,
for the avoidance of doubt, any member of the Operating Committee or
any Subcommittee, as applicable, that is recused or subject to a
vote to recuse from such matter pursuant to Section 4.3(d)).'' See
CAT NMS Plan, supra note 16, at Section 1.1.
\79\ ``Supermajority Vote'' is defined as ``the affirmative vote
of at least two-thirds of all of the members of the Operating
Committee or any Subcommittee, as applicable, authorized to cast a
vote with respect to a matter presented for a vote (whether or not
such a member is present at any meeting at which a vote is taken) by
the Operating Committee or any Subcommittee, as applicable
(excluding, for the avoidance of doubt, any member of the Operating
Committee or any Subcommittee, as applicable, that is recused or
subject to a vote to recuse from such matter pursuant to Section
4.3(d)); provided that if two-thirds of all of such members
authorized to cast a vote is not a whole number then that number
shall be rounded up to the nearest whole number.'' Id.
\80\ Id. at Section 4.3.
\81\ See, e.g., Citadel Letter II, supra note 75, at 3 (``All
actions relating to funding should require authorization by a
Supermajority vote.'').
---------------------------------------------------------------------------
8. Are there measures that could increase transparency and
accountability around CAT NMS Plan voting while protecting sensitive
information? For example, should more information be made public about
the Operating Committee's deliberations? Are there any privacy or
security concerns regarding disclosure of such information?
Advisory Committee
Rule 613 requires that the CAT NMS Plan ``include an Advisory
Committee,'' whose purpose ``shall be to advise the plan sponsors on
the implementation, operation, and administration of the central
repository.'' \82\ The rule states that ``[m]embers of the Advisory
Committee shall have the right to attend any meetings of the plan
sponsors, to receive information concerning the operation of the
central repository, and to provide their views to the plan sponsors;
provided, however, that the plan sponsors may meet without the Advisory
Committee members in executive session if, by affirmative vote of a
majority of the plan sponsors, the plan sponsors determine that such an
executive session is required.'' \83\ Members of the Advisory Committee
do not have the right to vote,\84\ which market participants have
stated limits their ability to influence CAT operations.\85\ However,
in addressing the questions below, commenters are requested to take
notice of a decision of the United States Court of Appeals for the
District of Columbia Circuit,\86\ which held that Section 11A of the
Exchange Act \87\ does not allow non-SRO representatives to serve as
voting representatives on the operating committee of an NMS plan.
---------------------------------------------------------------------------
\82\ See 17 CFR 242.613(b)(7).
\83\ Id. at (b)(7)(ii).
\84\ Id. at Section 4.13(d).
\85\ See, e.g., PTG Letter I, supra note 28, at 2 (``[M]arket
participants have no meaningful representation on the Operating
Committee charged with designing and operating the CAT and, thus,
have been excluded from key decisions regarding design, scope, and
budget.''); Citadel Letter II, supra note 75, at 6. (``Industry
Members lack even a single representative on the CAT Operating
Committee and, therefore, cannot vote on the design, implementation,
or funding of CAT. While there is a separate Advisory Committee that
contains industry representation, its recommendations are non-
binding and thus can be (and have been) completely ignored by the
CAT Operating Committee.'').
\86\ See Nasdaq Stock Mkt. LLC v. SEC, 38 F.4th 1126 (D.C. Cir.
2022).
\87\ 15 U.S.C. 78k-1.
---------------------------------------------------------------------------
9. What powers, responsibilities, or rights should be given to the
CAT Advisory Committee? How would such powers, responsibilities, or
rights affect the SROs' ability to govern the CAT? Would such powers,
responsibilities, or rights raise concerns about conflicts of interest,
given that the members of the CAT Advisory Committee are parties
regulated by the SROs?
10. Should the membership of the CAT Advisory Committee be reserved
for representatives of certain interests or individuals with specific
experience? Should the membership of the CAT Advisory Committee be
expanded to include any other market participants not currently
represented, such as operators of alternative trading systems
(``ATSs''), technology experts, or those with technical and operational
expertise related to the management of trading, trade processing, and/
or trade data management systems? If so, in what way should
representation be apportioned?
11. While the CAT Advisory Committee is entitled to ``receive the
same information concerning the operation of the Central Repository as
the Operating Committee,'' the Operating Committee ``may withhold
information it reasonably determines requires confidential treatment.''
\88\ What non-public information should the CAT Advisory Committee have
access to and how should confidentiality of this information be
maintained? What is the correct balance between providing the public
with transparency into the recommendations of the CAT Advisory
Committee (and the Operating Committee's responses to these
recommendations) and maintaining the confidentiality of potentially
sensitive information about CAT operations?
---------------------------------------------------------------------------
\88\ Id. at Section 4.13(e).
---------------------------------------------------------------------------
12. Should additional information about the operation of the CAT,
including security measures taken by the SROs to protect CAT Data,\89\
be provided to Industry Members beyond those representatives that sit
on the Advisory Committee? If so, what information should be provided?
How would disclosure of such information affect the security of the
CAT?
---------------------------------------------------------------------------
\89\ ``CAT Data'' means ``data derived from Participant Data,
Industry Member Data, SIP Data, and such other data as the Operating
Committee may designate as ``CAT Data'' from time to time.'' See CAT
NMS Plan, supra note 16, at Section 1.1.
---------------------------------------------------------------------------
13. Should the Commission form a separate advisory committee to
provide advice and recommendations to it on topics related to the CAT?
If so, what are appropriate topics for the advisory committee to
consider? For example, should the advisory committee counsel the
Commission on matters relating to the CAT's scope, functionality,
design, security, cost management, and/or civil liberties and privacy
protections? Who should participate as members of this advisory
committee? Should it include market participants and others with
technical and operational expertise related to the management of
trading, trade processing, and/or trade data management systems? Should
it include civil liberty and privacy advocates? Should it include
representatives of other relevant constituencies? What non-public
information should such an advisory committee have access to and
[[Page 20953]]
how should the confidentiality of this information be maintained?
C. CAT Funding and Cost Management
The CAT is funded by both SROs and Industry Members, in accordance
with the funding model recently approved by the Commission (the ``2026
Funding Model Order'').\90\ There have been legal challenges to the CAT
and its funding model,\91\ but the Commission has taken the position
that it has the requisite authority under Section 17 and Section 11A of
the Exchange Act to direct the creation of the CAT.\92\ It also
maintains that the CAT funding model approved by the 2026 Funding Model
Order is a reasonable approach that satisfies the relevant standards
set forth in federal statutes, rules, and regulations.
---------------------------------------------------------------------------
\90\ See 2026 Funding Model Order, supra note 27.
\91\ See, e.g., note 29 supra.
\92\ 15 U.S.C. 78k-1; 15 U.S.C. 78q.
---------------------------------------------------------------------------
The funding model approved by the 2026 Funding Model Order is based
on executed equivalent share volumes of transactions in Eligible
Securities. Fees would be paid evenly by the SROs, executing brokers
representing buyers, and executing brokers representing sellers.\93\
Pursuant to this funding model, no Participant may file with the
Commission a proposed rule change under Section 19(b) of the Exchange
Act \94\ and Rule 19b-4 \95\ thereunder that would establish a new fee
for directly passing through to its members the CAT fee charged to such
Participant.\96\ This funding model also includes a sunset provision,
stating that the Plan Processor and the Participants will not be
permitted to bill or otherwise request CAT fees from Industry Members
after March 31, 2028.\97\ In approving this sunset provision, the
Commission explained that it would be premature to adopt a permanent
funding model while engaged in a comprehensive review of the CAT and
that ensuring the continued existence and funding of the CAT during
this interim period would avoid potential destabilization.\98\
---------------------------------------------------------------------------
\93\ See id.
\94\ 15 U.S.C. 78s(b).
\95\ 17 CFR 240.19b-4.
\96\ See, e.g., 2026 Funding Model Order, supra note 27, at
13412-13.
\97\ Id. at 13412-14.
\98\ Id. at 13412.
---------------------------------------------------------------------------
Cost Management
14. Is there sufficient transparency with respect to CAT costs and
expenses? If not, what additional information should be made public?
What is the correct balance between providing public transparency into
CAT costs and expenses and protecting potentially sensitive information
about CAT operations?
15. The Commission has recently approved amendments to the CAT NMS
Plan that would implement a spending cap.\99\ Are there any additional
cost management controls that should be required for the CAT? If so,
please describe such controls and explain why they would be
appropriate.\100\ Does the answer depend on how the CAT is structured
and/or funded? For example, are there any aspects of CAT operations
that could be performed more cost-effectively by SRO staff instead of
by the Plan Processor or other third-party service providers? If so,
please identify those tasks, explain why it would be more cost
effective for such tasks to be performed by SRO staff, and describe
reasonable costs for those tasks.
---------------------------------------------------------------------------
\99\ See Securities Exchange Act Release No. 105107 (Mar. 27,
2026), 91 FR 16284, 16307 (Apr. 1, 2026) (``2026 Cost Savings
Order'').
\100\ See, e.g., Citadel Letter II, supra note 75, at 3 (setting
forth proposed independent cost review mechanisms).
---------------------------------------------------------------------------
Funding Model and Allocation of Fees
16. Should the Commission set fees for the SROs and Industry
Members? Would a different funding model help the Commission to weigh
more carefully the costs and benefits associated with the CAT? What
features should a new funding model have? Does the answer depend on
whether or not the CAT should continue to be structured as an NMS plan?
17. The 2026 Funding Model Order approves a CAT funding model which
provides that no SRO will file with the Commission a proposed rule
change pursuant to Section 19(b) of the Exchange Act \101\ and Rule
19b-4 \102\ thereunder that would establish a new fee for directly
passing through to its members the CAT fee charged to each SRO.\103\
Should a new funding model explicitly allow the SROs to directly pass
through the fees allocated to the SROs that are related to the build or
operation of the CAT to their members, subject to Commission review of
Rule 19b-4 fee filings?\104\ Why or why not?
---------------------------------------------------------------------------
\101\ See 15 U.S.C. 78s(b).
\102\ See 17 CFR 240.19b-4.
\103\ See, e.g., 2026 Funding Model Order, supra note 27, at
13412-13.
\104\ As discussed in the 2026 Funding Model Order, the Exchange
Act already expressly contemplates the ability of the SROs to recoup
the costs of fulfilling their statutory obligations by indirectly
passing costs associated with regulatory activities through to their
members. This process is cabined by the Rule 19b-4 fee filing
process and the necessity for a SRO to establish that an increase in
any existing fee is, among other things, reasonable, equitable, and
not unfairly discriminatory. See, e.g., id. at 13422; 17 CFR
240.19b-4.
---------------------------------------------------------------------------
18. How should fees be allocated to and among SROs and/or Industry
Members? Is there a specific percentage of cost that the SROs should
bear? Does the answer depend on whether the SRO is a non-profit or for-
profit entity? Does the answer depend on whether the SRO is a national
securities exchange for equities or options? If so, please explain how
these factors and any other such factors should be taken into account.
Is there a specific percentage of cost that Industry Members should
bear? Does the answer depend on whether the Industry Member is
facilitating or engaging in trading with respect to equities or
options? Does the answer depend on the business model of the Industry
Member--for example, whether the Industry Member is acting as a market
maker? If so, please explain how these and any other such factors
should be taken into account. Should ATSs be treated like execution
venues or Industry Members for purposes of establishing CAT fees? Why?
19. Should fees be based on the burden that each party places on
the CAT system? If so, what is the appropriate way to calculate the
burden that each party places on the CAT system? Market share? Message
traffic? Regulatory use? Are there other appropriate measures of
burden? If so, please identify such measures and explain why they would
provide an appropriate metric to calculate the burden that each party
places on the CAT. For example, should CAT Reporters be charged for
late reporting, given the costs associated with re-processing late-
received data? If fees should not be based on the burden that each
party places on the CAT system, what are other guiding principles that
should be used to create an appropriate funding model for the CAT?
Should fees continue to be based on executed equivalent share volumes
of transactions in Eligible Securities, for example? Would executed
notional value be a better measure? Why? Please identify any
appropriate guiding principles and explain why those principles should
inform the structure of a CAT funding model.
Reserve Funds
On September 6, 2023, the Commission approved a proposal that
amended the method by which CAT fees would be calculated and
implemented a funding model to allocate costs between SROs and Industry
Members (the ``2023 Funding Model Order'').\105\ On July 25, 2025,
however, the United States Court of Appeals for the Eleventh Circuit
issued
[[Page 20954]]
an opinion vacating the 2023 Funding Model Order and remanding the
matter to the Commission for further proceedings consistent with its
opinion.\106\ After the 2023 Funding Model Order was vacated, the SROs
determined to use liquidity reserve funds previously collected pursuant
to that Order to fund the continued operations of the CAT.\107\
---------------------------------------------------------------------------
\105\ See Securities Exchange Act Release No. 98290 (Sept. 6,
2023), 88 FR 62628 (Sept. 12, 2023).
\106\ See Opinion, ASA v. Commission, No. 23-113396 (11th Cir.
July 25, 2025).
\107\ See https://catnmsplan.com/sites/default/files/2025-12/12.08.25-CAT-LLC-2026-Financial_and_Operating_Budget.pdf.
---------------------------------------------------------------------------
On January 15, 2026, Citadel submitted a rule-making petition to
the Commission raising concerns about and requesting amendments to the
CAT NMS Plan to address CAT LLC's accumulation and use of these reserve
funds.\108\ On February 18, 2026, the Commission responded to the
petition, stating that it raised important questions as to whether
additional limits on the accumulation and use of any operational
reserve may be appropriate and that the Commission would specifically
consider those issues in its ongoing review of the CAT.\109\ But the
Commission stated that it would not engage in an immediate rulemaking
focused on the use of the current reserve.\110\ The Commission
subsequently stated, in the 2026 Funding Model Order, that it does not
agree that the SROs were prohibited from using the reserve funds to
fund the continued operations of the CAT either by the Eleventh
Circuit's decision vacating the 2023 Funding Model Order or by the
terms of the CAT NMS Plan.\111\ While the reserve provisions approved
in the 2026 Funding Model Order are reasonable and satisfy the relevant
standards set forth in federal statutes, rules, and regulations, to the
extent that the Commission should establish a new funding model for the
CAT, the Commission seeks additional feedback regarding the
accumulation and use of reserve funds.
---------------------------------------------------------------------------
\108\ See Citadel Petition, supra note 29.
\109\ See Response to Citadel Petition, supra note 29.
\110\ Id.
\111\ See 2026 Funding Model Order, supra note 27, at 13444.
---------------------------------------------------------------------------
20. Should the SROs be allowed to collect a reserve to fund CAT
operations? For what purposes should the SROs be able to use CAT
reserves?
21. What are appropriate controls to place around the amount of
reserve funds that the SROs may collect? Should the Commission require
that the SROs seek and obtain Commission approval before using the CAT
reserves?
22. Under what circumstances should CAT reserves be returned to
Industry Members and SROs? Explain what processes should be used to
return funds to Industry Members and SROs.
Section 31 Fees and Alternative Methods of Funding the CAT
Several market participants have suggested that the Commission
should include the CAT in its budget, because the CAT ``is a regulatory
system used by the SEC.'' \112\ These market participants believe that
the CAT ``should be subject to the checks and balances of the
Congressional appropriations process used to fund the SEC's budget,''
which would ``serve to better align incentives to control CAT costs and
address longstanding concerns about ineffective CAT governance.'' \113\
---------------------------------------------------------------------------
\112\ See SIFMA Letter I, supra note 28, at 6. See also, e.g.,
Letter from Joanna Mallers, Secretary, PTG, to Vanessa A.
Countryman, Secretary, Commission (Nov. 24, 2025), at 3, available
at https://www.sec.gov/comments/4-698/4698-678568-2084374.pdf (``PTG
Letter II''); Citadel Letter I, supra note 24, at 3; Healthy Market
Petition, supra note 29, at 2-3.
\113\ See SIFMA Letter I, supra note 28, at 6. See also, e.g.,
PTG Letter II, supra note 111, at 3 (``Re-architecting CAT's budget
in this way would be significant improvement from the status quo,
addressing many of the governance failures and conflicts of interest
that persist under the current structure.''); Citadel Letter I,
supra note 24, at 13 (stating that the Commission ``must include the
CAT in its appropriated budget'' to provide ``meaningful checks and
balances as part of the governance process--the Commission will be
incentivized to carefully oversee the size of the CAT budget and
carefully weigh the costs and benefits of required functionality,
while Congress will have a clear role in order to protect against
waste and regulatory overreach''); Healthy Markets Petition, supra
note 29, at 2 (``[E]nsure that the funding for this essential
governmental tool would be subject to Congressional
appropriations[.]'').
---------------------------------------------------------------------------
The Commission is interested in exploring further the advantages or
disadvantages of the Commission using appropriated funds to cover costs
with respect to the CAT. Section 31(a) of the Exchange Act states that
the Commission shall ``collect transaction fees and assessments that
are designed to recover the costs to the Government of the annual
appropriation to the Commission by Congress.'' \114\ These Section 31
fees are imposed on SROs,\115\ and Section 31 does not address the
manner or extent to which covered SROs may seek to recover the costs of
their Section 31 obligations from their members or to which members of
the SROs may seek to pass on these costs to their customers. ``In
practice,'' the Commission has previously observed, ``the covered SROs
obtain the funds for these fees and assessments by assessing charges on
their members, and the members in turn pass these charges to their
customers.'' \116\
---------------------------------------------------------------------------
\114\ See 15 U.S.C. 78ee(a) (``The Commission shall, in
accordance with this section, collect transaction fees and
assessments that are designed to recover the costs to the Government
of the annual appropriation to the Commission by Congress.'').
\115\ 17 CFR 240.31.
\116\ See Securities Exchange Act Release No. 49928 (June 28,
2004), 69 FR 41060, 41072 (July 7, 2004) (further stating that
``Section 31 places no obligation on members of covered SROs or
their customers, and it is misleading to suggest that a customer or
an SRO member incurs an obligation to the Commission under Section
31'').
---------------------------------------------------------------------------
23. What are the advantages and disadvantages, relative to the
funding model approved by the 2026 Funding Model Order, of the
Commission being appropriated additional funds to cover costs with
respect to the CAT?
24. Should the Commission own and operate the CAT itself? If the
Commission were to own the CAT, what changes would the Commission need
to make to the CAT's structure, governance, and operations? Please
discuss ownership structures the Commission should consider for the
CAT. If the Commission were to own the CAT, how would the roles,
rights, and responsibilities of the Operating Committee and/or the
Advisory Committee need to evolve? Are there any alternative methods by
which the Commission and/or the SROs could direct and oversee the
operation of the CAT if the Commission were to request additional
appropriated funds to cover costs with respect to the CAT? Please
identify such alternative methods and explain, in detail, how the CAT
would be owned, operated, and funded pursuant to such alternative
methods. For example, could an SRO assume sole ownership of the CAT and
contract with regulators to provide regulatory services and/or access
to the CAT?
25. If the Commission were appropriated funds to cover costs with
respect to the CAT, what constraints could be used to protect against
cost overruns and budget inflation?
26. If the Commission owned and operated the CAT, how would that
affect the contractual relationship between FINRA CAT and the SROs?
27. If the Commission owned and operated the CAT, would that affect
the SROs' ability to access the system? Would it be appropriate for the
SROs, most of which are for-profit entities with their own regulatory
obligations, to have cost-free access to a system that is owned and
operated by the Commission and funded in full through appropriated
funds? Should the Commission instead license use of the CAT to the SROs
if the CAT is owned and operated by the Commission? Would such a
structure raise any conflicts of interest concerns,
[[Page 20955]]
given that the SROs are parties that the Commission regulates?
D. CAT Design and Scope
Both the Commission and the SROs have taken steps to manage and
contain CAT costs. For instance, on December 12, 2024, the Commission
approved an amendment to the CAT NMS Plan proposed by the SROs that was
designed to cut costs by relaxing certain CAT functionality and storage
requirements (the ``2024 Cost Savings Order'').\117\ Specifically, the
2024 CAT Cost Savings Order approved: (1) provisions that changed
processing, query, and storage requirements for Options Market Maker
quotes in Listed Options (``OMM Quotes''); \118\ (2) provisions that
permitted the Plan Processor to move raw unprocessed data and interim
operational copies of CAT Data older than 15 days to more cost-
effective storage tiers; and (3) provisions that codified and expanded
exemptive relief previously provided by the Commission related to
certain recordkeeping and data retention requirements for industry
testing data.\119\
---------------------------------------------------------------------------
\117\ See Securities Exchange Act Release No. 101901 (Dec. 12,
2024), 89 FR 103033 (Dec. 18, 2024).
\118\ An ``Options Market Maker'' is a ``broker-dealer
registered with an exchange for the purpose of making markets in
options contracts on the exchange.'' See CAT NMS Plan, supra note
16, at Section 1.1. Each Participant has also promulgated rules for
its members that generally govern what constitutes a ``market maker
quote'' and/or ``market maker quotation'' for that Participant. See,
e.g., The Nasdaq Stock Market LLC Rules, Options 2, Section 5,
``Market Maker Quotations''; Cboe Exchange, Inc. Rule 5.52, ``Market
Maker Quotes''; NYSE Arca, Inc. Rule 6.37AP-O, ``Market Maker
Quotations.'' See also note 22 supra.
\119\ 2024 CAT Cost Savings Amendment, supra note 116.
---------------------------------------------------------------------------
Additional cost savings measures were enabled by certain
conditional exemptive relief issued by the Commission sua sponte on
September 30, 2025 (the ``2025 Cost Savings Exemptive Relief
Order'').\120\ The 2025 Cost Savings Exemptive Relief Order was
designed to further reduce CAT costs by enabling the SROs to relax
requirements related to: (1) deadlines for the creation of lifecycle
linkages; (2) re-processing of late records; (3) the online targeted
query tool (``OTQT''); and (4) data storage and retention.\121\
---------------------------------------------------------------------------
\120\ See Securities Exchange Act Release No. 104144 (Sept. 30,
2025), FR 90 47853, 47854-55 (Oct. 2, 2025).
\121\ Id.
---------------------------------------------------------------------------
These steps have reduced CAT costs significantly. The CAT budget
initially approved by the SROs for 2025 exceeded $248 million.\122\
This budget was reduced to approximately $228 million in May 2025 \123\
and then again to approximately $188 million in November 2025 \124\ due
to the implementation of cost savings measures approved by the
Commission and other optimizations made by the SROs and the Plan
Processor. The CAT budget approved for 2026 is approximately $156
million \125\--a decrease of approximately $92 million from the budget
originally approved for 2025.
---------------------------------------------------------------------------
\122\ See https://catnmsplan.com/sites/default/files/2024-11/11.20.24-CAT-LLC-2025-Financial_and_Operating-Budget.pdf.
\123\ See https://catnmsplan.com/sites/default/files/2025-05/05.19.25-CAT-LLC-2025-Financial_and_Operating-Budget.pdf.
\124\ See https://catnmsplan.com/sites/default/files/2025-11/11.07.25-CAT-LLC-2025-Finacial_and_Operating-Budget.pdf.
\125\ See https://catnmsplan.com/sites/default/files/2025-12/12.08.25-CAT-LLC-2026-Financial_and_Operating_Budget.pdf.
---------------------------------------------------------------------------
Furthermore, in early 2026, the Commission approved certain
proposed amendments to the CAT NMS Plan submitted by the SROs to codify
and expand exemptive relief previously granted by the Commission,
including amendments that would implement a spending cap
provision.\126\ These cost savings measures have not been fully
implemented yet, but the SROs have estimated that such measures will
generate additional savings on top of the reduced costs already enabled
by the 2024 Cost Savings Order and the 2025 Cost Savings Exemptive
Relief Order.\127\ The recent cost savings achieved are important first
steps to creating a more efficient and cost-effective CAT, but the
costs of operating the CAT remain significantly higher than originally
estimated by the Commission. The Commission therefore seeks feedback
regarding additional changes that could be made to the design and scope
of the CAT to make it more efficient and cost-effective.
---------------------------------------------------------------------------
\126\ See 2026 Cost Savings Order, supra note 98; see also CAIS
Order, supra note 19.
\127\ See Securities Exchange Act Release No. 104504 (Dec. 23,
2025), 90 FR 61506, 61506-08 (Dec. 31, 2025) (``2025 Cost Savings
Amendment''); see also, e.g., CAIS Order, supra note 19, at 2186-88.
---------------------------------------------------------------------------
Scope
28. From which market participants should the CAT collect
information? Should information be provided by parties who originate,
route, and/or send orders, as well as parties that receive and/or
execute orders? Please explain whether the CAT should maintain two-
sided reporting requirements, whether the application of two-sided
reporting requirements should depend on the underlying product and/or
asset class, and from which parties the CAT should require reporting if
two-sided reporting is eliminated.\128\ What are the costs and benefits
associated with one-sided reporting versus two-sided reporting? Is
there a material difference in accuracy between one-sided reporting and
two-sided reporting? Are there regulatory use cases enabled by two-
sided reporting that would not be possible with one-sided reporting?
---------------------------------------------------------------------------
\128\ See, e.g., PTG Letter I, supra note 28, at 3 (urging the
Commission to ``[e]liminate duplicative reporting of orders and
cancellations sent to exchanges''); Citadel Letter I, supra note 24,
at 13 (``Reduce, simplify, and streamline the data fields required
to be reported, rely on TRF or exchange-reported data when possible,
and eliminate unnecessary records.'').
---------------------------------------------------------------------------
29. What quote, order origination, routing, request, modification,
cancellation, reject, trade, and/or allocation events should be
captured by the CAT? What features or data elements of a quote, order
origination, routing, request, modification, cancellation, reject,
trade, and/or allocation event should be captured by the CAT? What
level of detail should be reported for each kind of event? Are certain
kinds of events costly, burdensome, or otherwise difficult to collect?
What are material terms for quote, order origination, routing, request,
modification, cancellation, reject, trade, and/or allocation events?
30. Should the Commission optimize and/or simplify CAT reporting
requirements? \129\ Please specifically identify any proposed
optimizations, describe the costs and benefits associated with such
optimizations (including any potential impact on data accuracy and/or
regulatory use), explain whether such optimizations would require
changes to existing trading workflows and/or reporting processes, and
explain how such optimizations should be developed and/or implemented.
What are the current costs for Industry Members to report to the CAT?
What are the current costs for SROs to report to the CAT?
---------------------------------------------------------------------------
\129\ See, e.g., PTG Letter I, supra note 28, at 3 (``Optimize
overall reporting requirements.''); SIFMA Letter I, supra note 28,
at 6 (``Optimize CAT Reporting.'').
---------------------------------------------------------------------------
31. Should any changes be made to the CAT Reporting Technical
Specifications for Industry Members? \130\
[[Page 20956]]
Should any changes be made to the CAT Industry Member Reporting
Scenarios? \131\ Should any changes be made to the CAT Reporting
Technical Specifications for Plan Participants? \132\ If so, please
specifically identify changes to the technical specifications and/or
reporting scenarios that should be made, describe the costs and
benefits associated with those changes (including any potential impact
on data accuracy and/or regulatory use), explain how those changes
could affect existing reporting processes and/or trading workflows, and
explain how those changes should be developed and/or implemented. If
the recommended changes involve eliminating transaction, error, and/or
data fields or elements, please explain whether such fields and/or
elements can be obtained from an alternative source, identify that
alternative source, and describe any costs or burdens associated with
obtaining such fields and/or elements from that alternative source.
---------------------------------------------------------------------------
\130\ See note 35 supra; see also, e.g., See SIFMA Letter I,
supra note 28, at 6 (``CAT transaction technical specifications and
resulting database are unnecessarily large and complex. They could
be scaled back to include only essential transactions, errors, and
data elements.''); PTG Letter I, supra note 28, at 3 (``The CAT
database (and associated technical specifications) can be optimized
and should only include essential transaction, error, and data
elements to reduce compute and storage costs.''); Citadel Letter I,
supra note 24, at 13 (``Reduce, simplify, and streamline the data
fields required to be reported, rely on TRF or exchange-reported
data when possible, and eliminate unnecessary records.'').
\131\ See Industry Member Reporting Scenarios, available at
https://catnmsplan.com/specifications/imreportingscenarios.
\132\ See note 35 supra.
---------------------------------------------------------------------------
General Functionality
32. Would structural and/or architectural changes to the CAT
enhance its efficiency and/or reduce costs? What information would be
helpful to help commenters analyze measures that could enhance
efficiency and/or reduce costs?
33. How frequently should market participants be required to report
data to the CAT? Does the answer depend on the product and/or asset
class? What are the costs and benefits associated with altering the
CAT's current reporting requirements? What are the potential regulatory
impacts of collecting data on a less-than-daily basis? Would reporting
data less often reduce costs?
34. FINRA CAT currently accepts data from CAT Reporters in a range
of formats, meaning that FINRA CAT must expend computing power to
normalize the data for regulatory use. In the experience of Commission
staff, this can create downstream issues for processing and
interpreting data, which makes regulatory use less efficient. Should a
common and/or unified industry data standard with a common data
taxonomy be used for submission of data to the CAT and/or pre-
submission data quality validations? For example, should the CAT
leverage the Financial Information eXchange (``FIX'') protocol or
another industry data standard? If so, how?
35. Are there transaction, error, or data fields and/or elements
that are currently reported to the CAT that are not captured by the FIX
protocol or other industry data standards? If so, please identify these
fields and/or elements and explain how such fields and/or elements
would be captured if the FIX protocol or another industry data standard
was used for CAT reporting. Should the FIX protocol or another industry
data standard only be leveraged with respect to some events? If so,
which events? Should the FIX protocol or another industry data standard
only be leveraged with respect to some underlying products and/or asset
classes? If so, which products and/or asset classes? What are the costs
and benefits associated with leveraging the FIX protocol or another
industry data standard for CAT reporting? \133\ Would the CAT Reporter
Portal need to be altered in any way to enable a different reporting
regime? What changes would be required to FINRA CAT's processes to
accommodate a different reporting regime? What changes to the existing
trading workflows and/or reporting processes of CAT Reporters would be
required to accommodate a different reporting regime? Would leveraging
the FIX protocol or another industry data standard reduce or increase
the costs to operate the Central Repository? By how much? How would
such an approach affect data accuracy and/or regulatory use?
---------------------------------------------------------------------------
\133\ See, e.g., Letter from Joseph Corcoran, Managing Director,
Associate General Counsel, SIFMA, Ellen Greene, Managing Director,
Equities & Options Market Structure, SIFMA, and Howard Meyerson,
Managing Director, FIF, to Commission (July 31, 2023), at 17,
available at https://www.sec.gov/comments/4-698/4698-238359-498762.pdf (``SIFMA and FIF Letter'') (indicating that the use of
``common FIX standards as the data format, and deriving industry
members' CAT reports from their FIX engines, rather than their
downstream ``ticket'' systems'' may have better enabled two-sided
reporting).
---------------------------------------------------------------------------
36. Should the CAT be required to comply with a specified error
rate? If so, what is an appropriate error rate and how should that
error rate be calculated? Do the answers depend on the kind of data
collected and/or from whom the data is collected?
37. What kind of validations, linkages, corrections, or other
processing should be performed on data reported to the CAT? Should data
be validated, linked, and/or processed centrally by the Plan Processor
for the CAT or should that task be left to individual regulatory users?
Does the answer depend on the completeness of the data contained in the
CAT? Should data that is received after the deadline for corrections be
validated, linked, and/or processed in the same manner as data that is
timely received? If not, what manner of validation, linkage, and/or
processing should be performed, and what are the costs and benefits
associated with that choice?
Lifecycle Linkage and Processing Timelines
The CAT NMS Plan requires the Plan Processor to ``link and create
the order lifecycle'' using a ``daisy chain approach,'' in which ``a
series of unique order identifiers, assigned to all order events
handled by CAT Reporters[,] are linked together by the Central
Repository and assigned a single CAT-generated CAT-Order-ID that is
associated with each individual order event and used to create the
complete lifecycle of an order.'' \134\ The CAT NMS Plan further sets
forth a linkage and processing timeline. Data for each CAT Trading Day
\135\ is required to be reported to the CAT by T+1 (transaction date +
one day) at 8 a.m. Eastern Time (``ET'').\136\ The Plan Processor must
perform initial validations and provide error feedback to CAT Reporters
by T+1 at 12 p.m. ET.\137\ Prior to 8:00 a.m. ET on T+2 (transaction
date + two days), raw unprocessed data must be made available to
regulators.\138\ CAT Reporters must resubmit corrected data to the CAT
by 8 a.m. ET on T+3 (transaction date + three days).\139\ Corrected and
linked data is then required to be made available to regulators by 8
a.m. ET on T+6 (transaction day + six days).\140\
---------------------------------------------------------------------------
\134\ See CAT NMS Plan, supra note 16, at Appendix D, Section 3;
see also id. at Section 1.1 (defining ``CAT Reporter'' as ``each
national securities exchange, national securities association and
Industry Member that is required to record and report information to
the Central Repository pursuant to SEC Rule 613(c)'').
\135\ According to the CAT NMS Plan, ``Trading Day'' shall
``have such meaning as is determined by the operating Committee. For
the avoidance of doubt, the Operating Committee may establish
different Trading Days for NMS Stocks . . . , Listed Options, OTC
Equity Securities, and any other securities that are included as
Eligible Securities from time to time.'' See id. at Section 1.1.
Currently, the Trading Day for Industry Members runs from 4:15 p.m.
ET on one trade to 4:15 p.m. on the next trade date, and the Trading
Day for Participants runs from midnight on one trade date to
midnight on the next trade date. See https://catnmsplan.com/specifications/participants; https://catnmsplan.com/specifications/im.
\136\ See CAT NMS Plan, supra note 16, at Appendix D, Section
6.1.
\137\ Id. at Appendix D, Section 6.1.
\138\ Id. at Appendix D, Section 6.2; see also 2026 Cost Savings
Order, supra note 98, at 16300-01.
\139\ See CAT NMS Plan, supra note 16, at Appendix D, Section
6.1.
\140\ Id.; see also 2026 Cost Savings Order, supra note 98, at
16300-01.
---------------------------------------------------------------------------
38. How quickly should regulators be able to access raw, unlinked
data? How
[[Page 20957]]
quickly should regulators be able to access data that has been
validated, processed, and linked, but not corrected? How quickly should
regulators be able to access validated, processed, linked, and
corrected data? How much time should market participants have to
correct data that has been reported to the CAT? What are the costs and
benefits of altering these requirements?
39. In the 2025 Cost Savings Amendment, the SROs sought public
comment on, but did not formally propose, changes that would reduce the
amount of linkage processing performed by the Plan Processor. Under
this approach, error feedback would only be provided twice to Industry
Members--once on T+2 at 8:00 a.m. ET for linkage errors discovered for
on-time submissions and again on T+3 at 8:00 a.m. ET for later-
discovered errors.\141\ The SROs stated that ``Industry Members would
be permitted to submit corrections outside of this 24-hour window and
would receive reconciliation credit. However, these submissions would
be marked late and would not receive any feedback indicating whether
the correction was successful.'' \142\ In seeking public comment, the
SROs stated that ``members of the CAT Advisory Committee and other
Industry Member groups had previously raised issues with the shortened
amount of time that would be available to Industry Members to review
and provide corrected data under the reduced linkage timeline,'' which
they were concerned may increase regulatory compliance risks and costs
for Industry Members and reduce the accuracy of CAT Data.\143\ These
concerns were duly reflected in a comment letter that the Commission
subsequently received in connection with the 2025 Cost Savings
Amendment.\144\ However, the Commission is interested in gathering
feedback from market participants as to whether there may be other ways
to alter the CAT's existing processing and/or linkage timelines that
would both preserve core regulatory functionality and achieve cost
savings. Should the Commission extend or otherwise alter the processing
and/or linkage timelines set forth in the CAT NMS Plan? If so, how? Are
there other ways to reduce or optimize the amount of linkage processing
performed by the Plan Processor?\145\
---------------------------------------------------------------------------
\141\ See 2025 Cost Savings Amendment, supra note 126, at 61535-
36.
\142\ Id. at 61535 n.139.
\143\ Id. at 61535.
\144\ See, e.g., Letter from Howard Meyerson, Managing Director,
FIF, to Commission (Feb. 10, 2026), at 4, available at https://www.sec.gov/comments/4-698/4698-702007-2205454.pdf (``FIF Letter
III'').
\145\ See, e.g., PTG Letter I, supra note 28, at 3 (``The CAT
linkage processes are overly complex and costly. We recommend
optimizing the linkage process and extending associated timelines to
reduce costs and increase efficiency.''); SIFMA Letter I, supra note
28, at 6 (``We recommend a set of detailed changes that would
optimize linkage processing based on regulatory utility and need,
resulting in significantly decreased processing times and costs.'');
Citadel Letter I, supra note 24, at 14 (``Optimize the linkage
process, including by eliminating the production of all interim
linkage data by FINRA CAT.'').
---------------------------------------------------------------------------
40. SIFMA has requested that the SROs work with Industry Members
with the ``goal of reducing `late to the lifecycle' linkage errors . .
. while still allowing for firms to confirm successful repairs within a
reasonable window.'' \146\ Are there changes that could be made to the
CAT Reporting Technical Specifications and/or the CAT NMS Plan to
reduce ``late to the lifecycle'' linkage errors? Alternatively, or in
addition, should the CAT NMS Plan and/or other compliance rules,
regulations, standards, and/or guidance regarding error thresholds,
error corrections, and/or reconciliation credits be amended to relax
requirements relating to correction and/or accuracy of late-submitted
historical data? Would such amendments require increased reliance on
other audit trails and/or data sources for corrected historical data?
If so, what are the costs associated with that increased reliance?
---------------------------------------------------------------------------
\146\ See SIFMA Letter I, supra note 28, at 5 n.18.
---------------------------------------------------------------------------
Data Storage and Retention
41. How should the Plan Processor store historical data? How
quickly should data be moved to medium- and long-term storage? For how
long should data be stored? Does the answer depend on how and/or what
kind of data is stored?
42. The 2026 Cost Savings Order approved amendments to the CAT NMS
Plan that would reduce data storage and retention requirements.
Specifically, the amendments permit the SROs to: (1) delete all CAT
Data older than three years; (2) delete OMM Quotes older than six
months; (3) delete Interim Operational Data \147\ older than 15 days;
and (4) delete Options SIP Data \148\ older than six months.\149\ Are
there further optimizations that should be made to the CAT NMS Plan
data storage and retention requirements to reduce costs? If so, please
identify those optimizations, explain why such optimizations are
appropriate, describe the costs and/or benefits associated with such
optimizations (including any impact on data accuracy and/or regulatory
use), and, if such optimizations involve eliminating requirements to
collect and/or store certain kinds of data, explain whether such
optimizations would require increased reliance on other audit trails
and/or data sources for those kinds of data and describe any costs
associated with that increased reliance.
---------------------------------------------------------------------------
\147\ ``Interim Operational Data'' means ``all processed,
validated and unlinked data made available to regulators by T+2 at
8:00 a.m. ET and all iterations of processed data made available to
regulators between T+2 and T+6, but excludes the final version of
corrected data that is made available at T+6 at 8:00 a.m. ET'' as
well as processed data relating to OMM Quotes that is made available
to regulators by T+2 at 8:00 a.m. ET. See CAT NMS Plan, supra note
16, at Appendix D, Section 6.4.
\148\ ``Options SIP Data'' means ``quote and NBBO data included
in the SIP Data from the OPRA Plan or any successor SIP for Listed
Options.'' See id.
\149\ See 2026 Cost Savings Order, supra note 98, at 16288-92.
---------------------------------------------------------------------------
CCID Generation
Currently, a CCID is generated for each customer using a two-phase
transformation process that was developed by the SROs in consultation
with Commission staff and security experts from SIFMA members to avoid
the collection by and storage in CAT of social security numbers
(``SSNs'') and/or individual tax payer identification numbers
(``ITINs'') that was originally required by the CAT NMS Plan.\150\ In
the first phase, a CAT Reporter transforms an SSN and/or ITIN into an
interim value known as a Transformed Identifier or ``TID.'' The TID,
and not the SSN and/or ITIN, is reported to and stored in an isolated,
secure database called the CCID Subsystem, separate from any other
information reported to the CAT.\151\ In the second phase, the CCID
Subsystem again transforms the TID to create a unique CCID for each
customer.\152\
---------------------------------------------------------------------------
\150\ See, e.g., Letter from Michael Simon, CAT NMS Plan
Operating Committee Chair, to Vanessa Countryman, Secretary,
Commission (Jan. 29, 2020), available at https://catnmsplan.com/sites/default/files/2020-02/Amended-Exemptive-Request-CCID-and-Modified-PII-Approaches%28Final%29.pdf.
\151\ See, e.g., 2020 PII Exemptive Relief Order, supra note 19,
at 16152; see also Letter from Brandon Becker, CAT NMS Plan
Operating Committee Chair, to Vanessa Countryman, Secretary,
Commission (July 25, 2025), at 8 n.30, available at https://www.sec.gov/comments/4-698/4698-632107-1870294.pdf.
\152\ See, e.g., 2020 PII Exemptive Relief Order, supra note 19,
at 16152-53. The Commission has recognized that ``there is a risk
that the CAT may not reliably generate unique CCIDs for foreign
Customers, as a unique foreign Customer may have multiple government
issued IDs used across multiple broker-dealers to generate . . .
multiple CCIDs.'' See CAIS Order, supra note 19, at 2174. The
``potential existence of multiple CCIDs for one customer may make it
more difficult for regulators to identify the full extent of such
persons' trading activity. . . .'' Id. at 2174-75.
---------------------------------------------------------------------------
In the 2025 Cost Savings Amendment, the SROs sought public comment
on,
[[Page 20958]]
but did not formally propose, changes that would fully eliminate
requirements related to the generation of CCIDs.\153\ In seeking public
comment, the SROs stated that ``members of the Advisory Committee and
members of other Industry Member groups had previously raised concerns
regarding this alternative, including the potential for increased
Electronic Blue Sheet and other inquiries from the Participants and the
SEC that may occur without the ability to track Customer activity
across market, brokers, accounts using the CCID, and the increased
costs related to such requests.'' \154\ These concerns were duly
reflected in a comment letter that the Commission subsequently received
in connection with the 2025 Cost Savings Amendment.\155\ However, the
Commission is interested in gathering feedback from market participants
as to whether there may be ways to enhance or improve the current
process of generating CCIDs and/or alternative methods of generating
unique customer identifiers that could be used to track a particular
customer's trading activity across markets, brokers, and/or accounts
that would be more cost-effective.
---------------------------------------------------------------------------
\153\ See 2025 Cost Savings Amendment, supra note 126, at 61534-
35.
\154\ Id. at 61534.
\155\ See, e.g., FIF Letter III, supra note 143, at 2-3. See
also, e.g., Letter from Jaime Klima, General Counsel, NYSE, to
Vanessa Countryman, Secretary, Commission (July 22, 2025), available
at https://www.sec.gov/comments/4-698/4698-598195-1737842.pdf (``At
this time, CCIDs are needed for the NYSE Exchanges to comply
effectively with their SRO obligations, and we presume the same
holds true for other exchange and association SROs. Transitioning to
a CAT without CCIDs would bring further increased costs to both the
SROs and the industry to allow for changes to the CAT system and to
meet new reporting requirements.'').
---------------------------------------------------------------------------
43. Are there enhancements or improvements that could be made to
the current process of generating CCIDs? Please identify such
enhancements or improvements with specificity, describe the costs and
benefits associated with the implementation of such enhancements or
improvements, and describe any privacy, confidentiality, and security
measures or controls that should be implemented in connection with
enhancements and improvements.
44. Are there any alternative methods of generating unique customer
identifiers that could be used to analyze a particular customer's
trading activity across markets, brokers, and/or accounts, when
regulatory users have a specific regulatory purpose? Please identify
such alternative methods, describe the costs and benefits associated
with the implementation of such alternative methods, explain what
information would need to be gathered from market participants to
enable the generation of the alternative unique customer identifier,
and describe any privacy, confidentiality, and security measures or
controls that should be implemented to protect that information and the
alternative unique customer identifiers generated.
45. Are there different considerations the Commission should take
into account with respect to the generation of unique customer
identifiers for non-US persons and/or legal entities?
E. Previous Changes to CAT Requirements
The Commission has previously acted to change certain requirements
of the CAT NMS Plan, both by approving proposed amendments to the CAT
NMS Plan and by issuing orders providing exemptive relief to the SROs.
The Commission seeks comment as to whether and how such previous
amendments and/or exemptive relief orders should be expanded and/or
codified in the CAT NMS Plan.\156\
---------------------------------------------------------------------------
\156\ Some market participants have already generally urged the
Commission to ``codify its orders granting temporary exemptive
relief for certain CAT requirements that are unreasonable and
burdensome,'' but such comments were received before the most recent
exemptive relief was granted by the Commission. See PTG Letter I,
supra note 28, at 4; see also, e.g., SIFMA Letter I, supra note 28,
at 5 (``The SEC should review all of its orders granting temporary
exemptive relief from CAT reporting requirements with a view to
making them permanent (e.g., representative order, verbal
quotes).'').
---------------------------------------------------------------------------
Verbal Activity on Exchange Floors
On June 16, 2025, the Commission approved amendments to the CAT NMS
Plan that provided that ``floor broker verbal announcements of firm
orders on an exchange that are otherwise reported as systematized
orders'' and ``market maker verbal announcements of firm quotes on an
exchange trading floor''--collectively referred to herein as ``verbal
activity on exchange floors''--were not reportable to the CAT under
Section 6.3(d) and Section 6.4(d) of the CAT NMS Plan until July 31,
2030.\157\ Although the SROs had proposed to permanently exclude verbal
activity on exchange floors from CAT reporting requirements, the
Commission modified the amendments after determining that the SROs had
not met their burden to ``establish that providing a permanent
exception to reporting obligations for verbal activity on exchange
floors is necessary or appropriate.'' \158\
---------------------------------------------------------------------------
\157\ See Securities Exchange Act Release No. 103275 (June 16,
2025), 90 FR 26337 (June 20, 2025) (the ``Verbal Quotes Order''). In
issuing the Verbal Quotes Order, the Commission recognized that CAT
LLC disputes that verbal activity on exchange floors is required to
be reported under Section 6.3(d) of the CAT NMS Plan. The Commission
stated that it did not intend the Verbal Quotes Order to ``establish
any new Plan requirements or to resolve any dispute over whether
[verbal activity on exchange floors] is required under the Plan.''
Rather, the Commission stated its understanding that the Verbal
Quotes Order excluded verbal activity on exchange floors until July
31, 2030, to the extent that such data is reportable under Section
6.3(d) of the CAT NMS Plan. See id. at 26341 n.63.
\158\ See id. at 26342.
---------------------------------------------------------------------------
The Commission explained, in the Verbal Quotes Order, that the cost
estimates provided by commenters in connection with the amendments
proposed by the SROs had been based not only on verbal activity on
exchange floors, but also on upstairs verbal and manual activity.\159\
The Commission stated that costs for upstairs verbal and manual
activity were distinct, because ``much of the relevant information that
would be reported to CAT'' for verbal activity on exchange floors ``is
already systematized, floor brokers and floor market makers have
handheld and other electronic devices to facilitate the open outcry
process, and floor verbal activity is governed by exchange rules.''
\160\ The Commission also stated its view that the SROs and Industry
Members ``could establish methods for capturing verbal order and quote
information communicated on exchange floors that are more cost-
effective and efficient than the proposal that each floor participant
be required to hire a full-time employee solely for CAT reporting.''
\161\
---------------------------------------------------------------------------
\159\ Id.
\160\ Id.
\161\ Id. at 26342-43.
---------------------------------------------------------------------------
46. Should the Commission permanently exclude information about
verbal activity on exchange floors from CAT reporting requirements?
Should the Commission extend the deadline set forth in the CAT NMS Plan
for reporting such activity past July 31, 2030?
47. What are the benefits and/or regulatory value provided by
collecting information about verbal activity on exchange floors? What
is the additive value of collecting information about verbal activity
on exchange floors when certain order information is already required
to be systematized pursuant to SRO rules? Would it be duplicative to
require market participants to report information about verbal activity
on exchange floors to the CAT?
48. What are the costs associated with reporting information about
verbal activity on exchange floors to the CAT? Please provide specific
data. Should the Commission conduct an industry survey to obtain this
information?
49. Other than requiring each floor participant to hire a full-time
employee solely for CAT reporting, are there alternative data sources
and/or
[[Page 20959]]
alternative methods of surveilling verbal activity on exchange floors,
including, if applicable, any artificial intelligence or algorithmic
technology solutions? \162\ Are those data sources and/or methods more
cost-effective or efficient than requiring that such data be reported
to the CAT? Is it possible to develop and implement such methods before
July 31, 2030? If not, please explain how long it would take to develop
and implement such methods. Would these methods necessarily collect
information beyond reportable verbal activity on exchange floors and,
if so, what measures could be introduced to prevent the storage,
reporting, and/or use of such information?
---------------------------------------------------------------------------
\162\ In the Verbal Quotes Order, the Commission observed that
the ``scenarios, examples, and discussion of the challenges of
natural language processing'' provided by commenters had all related
to upstairs verbal and manual activity. Id. at 26342.
---------------------------------------------------------------------------
Not Immediately Actionable Electronic Requests for Quotes
On January 23, 2026, the Commission provided exemptive relief from
certain reporting requirements in Section 6.4(d) of the CAT NMS Plan
relating to the reporting of bids and/or offers made in response to a
request for quote (``RFQ'') or other form of solicitation response
provided in standard electronic format (e.g., FIX) that is not
``immediately actionable'' (i.e., further action is required by the
responder providing the quote to execute or cause a trade to be
executed) (the ``NIA Electronic RFQ Exemptive Relief Order'').\163\
This relief was granted without conditions and without an expiration
date.\164\ In granting such relief, the Commission stated that ``the
regulatory value of this information does not justify the difficulty
and costs associated with collecting and reporting such information.''
\165\
---------------------------------------------------------------------------
\163\ See Securities Exchange Act Release No. 104662 (Jan. 23,
2026), 91 FR 3572 (Jan. 27, 2026).
\164\ Id.
\165\ Id. at 3573.
---------------------------------------------------------------------------
In addition, the Commission stated that ``regulators will still
have insight into the RFQ process, because any follow-up order activity
subsequent to the transmission of NIA Electronic RFQ Responses that
results in an execution[ ] will be reported to the CAT.'' \166\ The
Commission stated that the NIA Electronic RFQ Responses that are
subject to this exemptive relief are: (1) ``those that satisfy the
definition of an `order' as defined in Rule 613(j)(8) and the CAT NMS
Plan''; (2) those that ``do not include RFQ responses that were
required to be reported commencing in Phase 2c and Phase 2d'' of CAT
implementation; \167\ and (3) those that ``do not include activity that
is subject to section 6.3(g) of the CAT NMS Plan.'' \168\
---------------------------------------------------------------------------
\166\ Id. at 3573-74.
\167\ Pursuant to the Phased Reporting Exemptive Relief Order,
any bid or offer in response to a request for quote or other form of
solicitation response provided in standard electronic format (e.g.,
FIX) that required no further action by the responder providing the
quote to execute or cause a trade to be executed was reportable in
Phase 2c for equities and in Phase 2d for options. Phased Reporting
Exemptive Relief Order, supra note 17, at 23079. The exemption did
not specifically address NIA Electronic RFQ Responses.
\168\ See NIA Electronic RFQ Exemptive Relief Order, supra note
162, at 3574.
---------------------------------------------------------------------------
50. Do market participants agree that the regulatory value of NIA
Electronic RFQ Responses does not justify the difficulty and costs
associated with collecting and reporting such information? Are there
any alternative data sources for such information, or, if not, is it
sufficient that regulators will still have insight into the RFQ process
through any follow-up order activity? Are there any technology
solutions in use and/or in development that would make it easier for
Industry Members to capture and report NIA Electronic RFQ Responses?
51. Should the Commission codify the NIA Electronic RFQ Exemptive
Relief Order? If so, should any changes be made to its scope?
Port-Level Settings
Port-level settings are used by Industry Members and the SROs as
one method of communicating various Material Terms of the Order,
including, in some cases, special handling instructions.\169\ When
port-level settings are used to communicate Material Terms of the
Order, Rule 613 and the CAT NMS Plan require those port-level settings
to be reported for that order by both senders and receivers.\170\
---------------------------------------------------------------------------
\169\ ``Material Terms of the Order'' includes ``the NMS
Security or OTC Equity Security symbol; security type; price (if
applicable); size (displayed and non-displayed); side (buy/sell);
order type; if a sell order, whether the order is long, short, short
exempt; open/close indicator (except on transactions in equities);
time in force (if applicable); if the order is for a Listed Option,
option type (put/call), option symbol or root symbol, underlying
symbol, strike price, expiration date, and open/close (except on
market maker quotations); and any special handling instructions.''
See CAT NMS Plan, supra note 16, at Section 1.1.
\170\ See 17 CFR 242.613(c)(7); CAT NMS Plan, supra note 16, at
Sections 6.3(d)(i)(F), 6.3(d)(ii)(G), 6.3(d)(iii)(F), 6.3(d)(iv)(E),
and 6.4(d)(i).
---------------------------------------------------------------------------
On November 2, 2023, the Commission issued an order that granted
conditional exemptive relief from several requirements of the CAT NMS
Plan (the ``November 2023 Order''),\171\ including, among other things,
the requirements as applied to port-level settings that are set forth
in Rule 613(c)(7) and the CAT NMS Plan for six specific handling
instructions (the ``Exempted Port-Level Settings'').\172\ The November
2023 Order stated that the SROs would ``not be required to obligate
Industry Members to report these six special handling instructions when
an Industry Member routes an order to a national securities exchange
over an exchange port that is configured for one of these special
handling instructions,'' \173\ on the condition that the SROs report
the Exempted Port-Level Settings in the order receipt record,
regardless of whether such Exempted Port-Level Settings are
``triggered'' or ``applied.'' \174\
---------------------------------------------------------------------------
\171\ See Securities Exchange Act Release No. 98848 (Nov. 2,
2023), 88 FR 77128, 77131-32 (Nov. 8, 2023).
\172\ These settings included: (1) ATT--Attributable; (2) DNI--
Do Not Increase; (3) DNR--Do Not Reduce; (4) DNRT--Do Not Route; (5)
RLO--Retail Liquidity Order; and (6) STP--Self Trade Prevention. Id.
\173\ Id. at 77131.
\174\ Id. at 77132. In addition, the exemptive relief was
subject to a condition that the SROs maintain and communicate to
Industry Members via a CAT Alert a mapping of each exchange-specific
port-level setting related to the Exempted Port-Level Settings,
substantially in the form of the draft mapping that the SROs had
previously provided to the Commission. Id.
---------------------------------------------------------------------------
The conditional exemptive relief granted by the November 2023 Order
was limited to the Exempted Port-Level Settings and did not extend
exemptive relief to port-level settings on ATSs or broker-dealer port-
level settings--or to any other special handling instructions that may
be set at the port-level at a national securities exchange and that may
constitute Material Terms of the Order.\175\ Accordingly, to supplement
the November 2023 Order, the Commission granted additional exemptive
relief on January 23, 2026 from the requirements as applied to port-
level settings that are set forth in Rule 613 and the CAT NMS Plan (the
``Port-Level Settings Exemptive Relief Order'').\176\ Pursuant to the
Port-Level Settings Exemptive Relief Order, the SROs are no longer
required to obligate Industry Members to report port-level settings
that are used to communicate Material Terms when an Industry Member
routes an order through a port that is configured to apply port-level
settings, regardless of whether the port is an exchange or a port
maintained by an ATS or a broker-dealer.\177\ The
[[Page 20960]]
Commission stated, however, that such relief did not ``alter the
obligation of the recipient of the order that utilizes a port-level
setting to communicate a Material Term of the Order to report the port-
level setting as part of the same order receipt record.'' \178\
---------------------------------------------------------------------------
\175\ Id. at 77131.
\176\ See Securities Exchange Act Release No. 104664 (Jan. 23,
2026), 91 FR 3557 (Jan. 27, 2026).
\177\ Id. at 3559.
\178\ Id. In issuing the Port-level Settings Exemptive Relief
Order, the Commission stated that ``the regulatory benefits'' of
two-sided reporting of port-level settings that communicate Material
Terms of the Order ``are not sufficient to justify the
implementation costs and technical difficulty of accurate reporting
of port-level settings by both the sender and receiver of an
Order.'' Id. The Commission observed that port-level settings are
not generally part of standard order messages (e.g., FIX messages)
sent by firms, that firms do not have the relevant data in their
books and records, and that implementing reporting of port-level
settings would likely require a costly industry-wide effort. Id.
---------------------------------------------------------------------------
52. Does the regulatory value of two-sided reporting for port-level
settings that communicate Material Terms of the Order justify the
difficulty and costs associated with collecting and reporting such
information? What are the costs and benefits of collecting such
information on a two-sided basis? Is it sufficient that regulators will
still have insight into port-level settings that communicate Material
Terms of the Order from order receipt records? Why or why not?
53. Are there any technology solutions in use and/or in development
that would make it easier for Industry Members and/or SROs to capture
and report port-level settings? If so, please identify such technology
solutions, describe the costs associated with implementation of such
solutions, and explain when they would be expected to become available
to market participants.
54. Should the Commission align the conditions attached to the
exemptive relief granted in the November 2023 Order with the conditions
attached to the exemptive relief granted in the Port-Level Settings
Exemptive Relief Order? If so, please explain which features of each
order should be retained, why those features are appropriate, and what
costs and benefits would be associated with retaining those features
and discarding others. For example, should all port-level settings that
communicate Material Terms of the Order be reported by recipients of an
order, regardless of whether such port-level settings are ``triggered''
or ``applied''?
55. Should the Commission amend the CAT NMS Plan to make permanent
and codify all or part of the November 2023 Order and/or the Port-Level
Settings Exemptive Relief Order? If so, please explain which features
of each order should be codified, why those features are appropriate,
and what costs and benefits would be associated with retaining those
features and discarding others.
56. The Commission understands that some SROs and Industry Members
may disagree with the Commission's position that port-level settings
are required to be reported to the CAT NMS Plan.\179\ Should the CAT
NMS Plan be amended to eliminate the requirement that SROs and Industry
Members report Material Terms of the Order that are set at the port-
level? What are the costs and benefits associated with reporting such
information? Can regulators sufficiently and accurately understand
trading activity if certain (and potentially unknown) Material Terms of
the Order have been excluded from the data set? Are there any
alternative data sources that would provide regulators with insight
into Material Terms of the Order that are set at the port level?
---------------------------------------------------------------------------
\179\ See, e.g., November 2023 Order, supra note 170, at 77131
n.26; PTG Letter I, supra note 28, at 3 (``The Commission should
confirm that port-level settings are not required CAT records.'');
SIFMA Letter I, supra note 28, at 5 (``The SEC should issue
immediate permanent exemptive relief related to the reporting of so-
called ``Port Settings,'' which, despite the SEC staff's historical
insistence, the industry does not believe is required to be reported
under the CAT NMS Plan.'').
---------------------------------------------------------------------------
Representative Order Linkage
On January 23, 2026, the Commission granted temporary conditional
exemptive relief until January 1, 2028 from certain reporting
requirements set forth in Appendix D, Section 3 of the CAT NMS Plan
regarding lifecycle linkages between customer orders and representative
orders for scenarios in which Industry Members do not have a systematic
or direct link between their order management systems and execution
management systems (the ``Representative Order Exemptive Relief
Order'').\180\ In granting such relief, the Commission acknowledged
that some market participants believed there were ``unresolved issued
related to reporting these orders, including, but not limited to, the
absence of a method to report linkage for some specific types of
representative orders.'' \181\ The Commission therefore determined that
``additional time is needed to identify and evaluate appropriate long-
term solutions for certain trading scenarios.'' \182\
---------------------------------------------------------------------------
\180\ See Securities Exchange Act Release No. 104663 (Jan. 23,
2026), 91 FR 3601 (Jan. 27, 2026). The Commission clarified that
such relief was not limited to any specific type of CAT-reportable
security. Id. at 3602 n.23.
\181\ Id. at 3602. See also SIFMA and FIF Letter, supra note
132, at 20-23.
\182\ See Representative Order Exemptive Relief Order, supra
note 179, at 3602.
---------------------------------------------------------------------------
57. Should the Commission extend the exemptive relief already
granted and, if so, for how much longer should exemptive relief be
provided? Should the Commission instead amend the CAT NMS Plan to make
permanent and codify the Representative Order Exemptive Relief Order?
58. If the Commission should either codify or extend the
Representative Order Exemptive Relief Order, should any changes be made
to its scope? For example, are there specific trading workflows and/or
linkage scenarios involving representative orders, beyond those
workflows and/or scenarios in which Industry Members do not have a
systematic or direct link between their order management systems and
execution management systems, that should be exempted or excluded from
the reporting and linkage requirements of the CAT NMS Plan?
F. Potential Changes to Other Data Sources and Related Rules
The Commission stated in the CAT NMS Plan Approval Order that
duplicative reporting through systems like EBS would ``impose
significant burdens and costs on broker-dealers, that certain SEC rules
require the reporting of some information that will also be collected
through CAT, and that certain SEC rules may need to be modified or
eliminated in light of CAT'' when it approved the CAT NMS Plan in
2016.\183\ However, consideration of retiring EBS, as a practical
matter, was not timely until the CAT's Customer and Account Information
System (the ``CAIS'') was fully implemented to provide an alternative
source for the customer and account-level data that regulators can
otherwise request through the EBS system. The Commission, the SROs, and
market participants also required time to develop familiarity with the
full scope of the CAT's functionality, including the CAIS, before EBS
could be retired. Because the SROs did not represent to the Commission
that the CAIS was fully implemented until July 15, 2024,\184\ the
Commission, the SROs, and market participants were not previously able
to review whether the data provided by the CAT meets minimum standards
of accuracy and reliability.\185\
---------------------------------------------------------------------------
\183\ See CAT NMS Plan Approval Order, supra note 16, at 84777.
\184\ See, e.g., note 17 supra.
\185\ The Commission directed staff to develop a proposal for
Commission consideration, within six months of the effective date of
the CAT NMS Plan Approval Order, to amend Rule 17a-25 and Rule 13h-1
to eliminate the components of EBS that are redundant of CAT, among
other things, at such time as CAT Data meets minimum standards of
accuracy and reliability. See CAT NMS Plan Approval Order, supra
note 16, at 84777. The SROs' Plan to Eliminate Existing Rules and
Systems, set forth in Appendix C of the CAT NMS Plan, stated that,
to the extent the Commission modified or eliminated Commission rules
that require information that is duplicative of information
available through the Central Repository, such as Rule 17a-25 and
Rule 13h-1, each SRO would analyze its own rules and systems to
determine whether any modifications are necessary. See CAT NMS Plan,
supra note 16, at Appendix C, Section 9. This Plan further provided
that each SRO should complete its analysis within three months and
that the SROs would coordinate with the Commission regarding
modification of the CAT NMS Plan to include information sufficient
to eliminate or modify Commission rules or systems that the
Commission deemed appropriate. Id.
---------------------------------------------------------------------------
[[Page 20961]]
The EBS system provides regulators at the Commission and the SROs
with access to certain data that is not captured by the CAT. Retiring
EBS requires consideration of how transactional and customer and
account-level information accessible through EBS, but not collected by
or stored in the CAT, could be obtained by regulators. With respect to
transactional information, the EBS system provides access to
transactional information for Eligible Securities that is either not
reported to CAT in the first place \186\ or that is older than the data
stored in the CAT.\187\ This data is otherwise accessible only through
manual requests for books and records. While there is some
transactional information in the CAT that overlaps with transactional
information that can also be requested through the EBS system, the way
that EBS data and CAT Data are used by regulators differs. This is, in
large part, the case because the EBS system provides access not only to
transactional information, but also to customer and account-level
information that is no longer required to be reported to the CAT. The
EBS system also provides access to customer and account-level
information about transactions in fixed income securities that are
otherwise reported to FINRA's Trade Reporting and Compliance Engine
(``TRACE'') \188\ or the MSRB's Real-Time Transaction Reporting
System.\189\
---------------------------------------------------------------------------
\186\ As one example, Rule 13h-1(d) sets forth record-keeping
and reporting requirements with respect to certain information
regarding primary offerings. See 17 CFR 240.13h-1(a)(6)(ii). Such
information is not currently reported to the CAT.
\187\ See 2025 Cost Savings Exemptive Relief Order, supra note
119, at 47857-58 (permitting the SROs to delete all CAT Data older
than five years and other changes to data retention requirements);
see also, e.g., 17 CFR 240.17a-4 (requiring broker-dealers to
preserve certain records that could be requested via EBS for six
years).
\188\ TRACE facilitates the mandatory reporting of over-the-
counter transactions in eligible fixed income securities. See FINRA
Rule 6700.
\189\ Municipal securities dealers submit data about all
transactions to the MSRB. Transaction information collected by the
MSRB is made public on its website and is available on a
subscription basis. See MSRB Rule G-14; see also https://www.msrb.org/Trade-Data.
---------------------------------------------------------------------------
Additionally, pursuant to recent Commission action, the CAT is no
longer required to collect certain customer and account-level
information, including, among other things, SSNs/ITINS, names,
addresses, dates and years of birth, and LTIDs.\190\ The loss of the
above-described data from the CAT means that regulators will need to
rely on other methods of obtaining customer and account-level
information from broker dealers--namely, the EBS system and/or manual
requests for books and records data. As this information is still
necessary to conduct market oversight, examinations, and enforcement,
continued and/or increased regulatory reliance on the EBS system and/or
manual requests for books-and-records data could, in turn, impose
certain reporting costs on broker-dealers beyond those anticipated by
the Commission when it evaluated and approved the CAT NMS Plan in
2016,\191\ although the Commission did consider such costs in approving
the CAIS Order, the 2026 Cost Savings Order, and other related
exemptive relief, as well as measures that could potentially mitigate
such costs, like the development of a more efficient request-and-
response system.\192\
---------------------------------------------------------------------------
\190\ See note 19 supra; see also 2026 Cost Savings Order, supra
note 98, at 16301-07. The SROs are still in the process of
implementing the changes to the CAT made possible by the CAIS Order
and the 2026 Cost Savings Order.
\191\ See, e.g., CAT NMS Plan Notice, supra note 13, at 30728
(estimating that a period of duplicative reporting would last for up
to 2.5 years); CAT NMS Plan Approval Order, supra note 16, at 84865-
66 (estimating that a period of duplicative reporting would last
less than 2.5 years). The Commission did not anticipate that CAT
implementation would take 8 years. Nor did the Commission anticipate
that the CAT would not contain customer and account-level
information. However, while costs associated with reporting this
information through the EBS system may increase due to the
implementation of the CAIS Order, costs associated with maintaining
and operating the CAIS will decrease. See, e.g., CAIS Order, supra
note 19, at 2186-88.
\192\ See, e.g., CAIS Order, supra note 19, at 2169, 2179-93;
2026 Cost Savings Order, supra note 98, at 16308; 2025 PII Exemptive
Relief Order, supra note 19, at 9645.
---------------------------------------------------------------------------
Retirement of Partially Duplicative Systems
59. Are there audit trails and/or related data sources that contain
partially duplicative information to the CAT, such that overlapping
requirements should be eliminated, modified, or replaced? If so, please
explain why or under what circumstances those requirements should be
eliminated, modified, or replaced and identify any potential costs and
benefits associated with such elimination, modification, or
replacement.\193\
---------------------------------------------------------------------------
\193\ See, e.g., PTG Letter I, supra note 28, at 3 (suggesting
that the Commission ``[e]liminate overlapping requirements such as .
. . reporting regulatory information to the FINRA Trade Reporting
Facilities'').
---------------------------------------------------------------------------
Modification and/or Replacement of the EBS System
CCIDs, once generated, are associated with transactional data
through the use of FDIDs \194\--persistent identifiers that are
reported by each individual broker-dealer for its transactional
records.\195\ Regulators can thus use CCIDs to identify all of the
FDIDs associated with a particular customer and then make manual
requests to broker-dealers for information associated with a particular
set of FDIDs to obtain customer and account-level data.\196\
---------------------------------------------------------------------------
\194\ ``FDID'' or ``Firm Designated ID'' means ``(1) a unique
and persistent identifier for each trading account designated by
Industry Members for purposes of providing data to the Central
Repository provided, however, such identifier may not be the account
number for such trading account if the trading account is not a
proprietary account; (2) a unique and persistent relationship
identifier when an Industry Member does not have an account number
available to its order handling and/or execution system at the time
of order receipt, provided, however, such identifier must be masked;
or (3) a unique and persistent entity identifier when an employee of
an Industry Member is exercising discretion over multiple client
accounts and creates an aggregated order for which a trading account
number of the Industry Member is not available at the time of order
origination, where each such identifier is unique among all
identifiers from any given Industry Member.'' See CAT NMS Plan,
supra note 16, at Section 1.1. Unlike CCIDs, FDIDs are not designed
or intended to be consistent values across broker-dealers.
\195\ See 2025 PII Exemptive Relief Order, supra note 19, at
9643.
\196\ Broker-dealers do not have access to CCIDs; moreover, the
EBS system does not require broker-dealers to report FDIDs. See,
e.g., FINRA Rule 8211 (``Automated Submission of Trading Data
Requested by FINRA''); FINRA Regulatory Notice 20-19, FINRA and ISG
Announce the Update of Blue Sheet Data Elements and Repositioning of
Exchange Code Field (June 23, 2020), available at https://www.finra.org/rules-guidance/notices/20-19.
---------------------------------------------------------------------------
Some market participants have explicitly recognized that the
``removal of PII from CAIS raises the question of how regulators can
link transactional data to the associated customer information going
forward . . . because EBS does not contain FDIDs or CCIDs. . . .''
\197\ FIF proposed that EBS therefore be ``replaced by a process and
system that is specifically focused on enabling regulators to link
FDIDs and CCIDs to customer information.'' \198\ The Commission agrees
that a request-and-response system (an ``R&R System'') ``could decrease
regulators' reliance on
[[Page 20962]]
EBS, which could facilitate the eventual elimination of EBS and could
reduce the cost and burdens to Industry Members and increase
efficiencies.'' \199\
---------------------------------------------------------------------------
\197\ See FIF Letter I, supra note 28, at 2. According to FIF,
its participants include broker-dealers, exchanges, back office
service bureaus, and market data, regulatory reporting and other
technology vendors in the securities industry. Id. at 1 n.1.
\198\ Id. at 2, 4. See also, e.g., PTG Letter II, supra note
111, at 3 (``The Commission should also retire duplicative and
costly legacy reporting systems, including the electronic blue
sheets system (`EBS').''); Citadel Letter I, supra note 24, at 14
(``Retire the Electronic Blue Sheets system.'').
\199\ See CAIS Order, supra note 19, at 2169.
---------------------------------------------------------------------------
Market participants have suggested different methods of
implementing an R&R System. FIF, for example, suggested that ``the
Commission and the SROs, in consultation with Industry Members, should
implement a request and response system operated by FINRA that the
Commission and the SROs would use to request from Industry Members
customer data associated to specified FDIDs. FINRA would direct the
Industry Member responses to the requesting party, and the responses
would be stored by the requesting party. This system should use the
data format of the CAIS system (prior to the removal of PII).'' \200\
SIFMA, on the other hand, suggested that an R&R System could be part of
the CAT System \201\ and facilitated by the Plan Processor.
Specifically, SIFMA proposed that ``a regulatory user that wanted to
know the identity of a customer to a trade'' could ``submit a FDID and
trade date(s) request through the CAT Processor into a secure file
transfer protocol (FTP) that would in turn direct the PII request to an
Industry Member acting as a CAT Reporter. . . . The Industry Member
would then direct the encrypted data through the FTP back into the CAT
control environment for the requesting regulatory user to analyze and
use the data.'' \202\
---------------------------------------------------------------------------
\200\ Id. at 3. See also, e.g., FINRA Blog, supra note 220
(``[O]ver the years there have been concerns about the efficiency
and design of Blue Sheets, and consideration could be given to
creating a new request and response utility operated in conjunction
with CAT to facilitate and streamline the information collection
process for both regulators and the impacted broker-dealers.'').
\201\ ``CAT System'' means ``all data processing equipment,
communications facilities, and other facilities, including
equipment, utilized by the Company or any third parties acting on
the Company's behalf in connection with operation of the CAT and any
related information or relevant systems pursuant to this
Agreement.'' See CAT NMS Plan, supra note 16, at Section 1.1.
\202\ See Letter from Joseph Corcoran, Managing Director &
Associate General Counsel, and Gerald O'Hara, Vice President and
Assistant General Counsel, to Vanessa Countryman, Secretary,
Commission (May 30, 2025), at 3 n.11, available at https://www.sec.gov/comments/4-698/4698-608327-1776534.pdf (``SIFMA Letter
III''); see also, e.g., SIFMA Letter II, supra note 70, at 5
(suggesting that an R&R System ``rely on the systems and processes
used by Industry Members to previously report PII to the CAIS
database in CAT'').
---------------------------------------------------------------------------
Previously, the Commission has urged the SROs to ``work with
industry members to establish such a request-response system by taking
advantage of the systems industry members have already established to
format and submit customer information consistent with CAT
specifications,'' \203\ and the Commission understands that such
efforts are currently underway.\204\
---------------------------------------------------------------------------
\203\ See CAIS Order, supra note 19, at n.83.
\204\ See, e.g., Letter from Robert Walley, CAT NMS Plan
Operating Committee Chair, to Vanessa Countryman, Secretary,
Commission (Mar. 10, 2026), at 8, available at https://www.sec.gov/comments/4-698/4698-721247-2258814.pdf (``FINRA is currently
considering how such a request-response system might be developed
and has stated during recent meetings with industry that their input
would be welcomed.'').
---------------------------------------------------------------------------
60. Will CAT data be sufficiently accurate and reliable to prove an
adequate substitute data source for transactional data otherwise
obtainable through the EBS system? What criteria should the Commission
use to evaluate this question?
61. Should an R&R System be implemented? If so, what functionality
should an R&R System have? Does the answer depend on which regulators
have access to the system? Does the answer depend on how the system is
funded? Does the answer depend on the extent to which an R&R System is
intended to replace the EBS system? Does the answer depend on whether
an R&R System should be part of the CAT System or separate from it?
62. Should the Commission direct the creation of an R&R System? If
it should be separate from the CAT System, should the creation and
implementation of an R&R System be structured as a national market
system plan and, if so, how should it be funded and governed?
63. If an R&R System should not be structured as a national market
system plan or included as part of the CAT System, is there another
method by which the Commission should direct the creation of such a
system? Should the Commission, for example, promulgate a data
collection rule that leaves the SROs with discretion as to how to
structure and fund an R&R System? If so, please explain what
requirements should be included in such a rule and why those
requirements are appropriate. Does the answer depend on the parties
that would own and/or operate the system? Does the answer depend on the
parties that would use the system? Does the answer depend on which
parties would fund the system?
64. If an R&R System should be implemented separate from the CAT
System, who should own and/or operate the system? What kind of staff
and/or expertise is needed to own, operate, or maintain such a system?
What kinds of technological capabilities are needed to own, operate, or
maintain such a system? Should the Commission license use of a
Commission-owned R&R System to the SROs? If so, how should the
Commission determine the rates at which an R&R System is licensed out
to the SROs? How would such a licensing arrangement work? Would the
SROs seek to recoup any of those licensing costs from their members?
Would this approach raise any conflicts of interest concerns, given
that the SROs are parties that the Commission regulates?
65. If an R&R System should be implemented separate from the CAT
System, should the Commission and/or one or more SROs contract with a
third-party service provider to create and develop an R&R System? If
so, how should decisions on an R&R System's functionality, funding, and
other items be made?
66. What are the advantages and disadvantages if the Commission
were appropriated funds to cover costs with respect to an R&R System?
Does the answer depend on which parties would have access to the
system?
67. If an R&R System should be implemented separate from the CAT
System, should the SROs and/or their members fund part or all of the
costs associated with an R&R System? Should the Commission establish a
funding model that allocates fees amongst the SROs and their members?
Does the answer depend on how the R&R System is structured and/or
governed? If the Commission should establish a funding model that
allocates fees amongst the SROs and their members, what features should
that model have? How should fees be allocated to and amongst SROs and/
or their members?
68. Is it feasible to link CAT Data with customer and account
information obtained from an R&R System in the manner that market
participants have suggested--i.e., using the CAT to identify relevant
CCIDs and related FDIDs, populating an R&R System's request form with
those FDIDs, sending that request through an R&R System to the
appropriate broker-dealers, and then associating any customer and
account-level information received from those broker-dealers with CAT
transactional data? Would it be beneficial to automate the process for
receiving and responding to regulatory requests for customer and
account information? For instance, is it possible to automate regulator
queries to an R&R System and in what fashion? Is it possible for
broker-dealers to automate their responses to an R&R System? What
technology build would be required at the broker-dealer level? What
technology build would be required for regulators at the Commission
and/or the SROs? What issues does an automated response process create
or solve?
[[Page 20963]]
69. What data should be accessible through an R&R System? Should an
R&R System only cover the securities currently required to be reported
to the CAT \205\ or should it also cover other types of securities
currently accessible through EBS (e.g., fixed income)? Are there
customer and account fields from the existing EBS template that should
be accessible through an R&R System? Are there any fields from the
existing CAIS template (or from a previous CAIS template) that should
be accessible through an R&R System? Should SSNs, ITINs, and/or legal
entity identifiers be accessible through an R&R System? Should names,
addresses, dates of birth, and employer names be accessible through an
R&R System? Should information about authorized traders be accessible
through an R&R System? Should FDIDs be accessible through an R&R
System? Should the large trader identification numbers assigned by the
Commission pursuant to Rule 13h-1 \206\ be accessible through an R&R
System? Do the answers depend on the security measures put in place for
an R&R System? Are there any data elements that are not currently
included in an existing audit trail and/or data source that should be
accessible through an R&R System? What data elements would be required
to properly enable customer and account information accessible through
an R&R System to be linked to transactional CAT Data?
---------------------------------------------------------------------------
\205\ See note 32 supra.
\206\ See 17 CFR 240.13h-1.
---------------------------------------------------------------------------
70. How should data be requested and provided through an R&R
System? Does the answer depend on whether an R&R System is part of the
CAT System?
71. How should regulators at the Commission and the SROs be able to
submit requests for data through an R&R System? For example, should an
R&R System provide regulators with a web interface or an application
programming interface? What are the advantages and disadvantages
associated with either approach? What kinds of queries should
regulators be able to submit through an R&R System?
72. How should requests for data be communicated to responding
broker-dealers? How should broker-dealers be able to respond to
requests received through an R&R System? For example, should an R&R
System provide broker-dealers with a web interface or an application
programming interface? What are the advantages and disadvantages
associated with either approach? Should broker-dealers receive email
alerts or other reminders regarding the existence of requests made via
an R&R System? What format should data accessible through an R&R System
be provided in? Is there a specific template that should be used by
broker-dealers? How long should broker-dealers be given to respond to a
request received through an R&R System? \207\
---------------------------------------------------------------------------
\207\ With respect to EBS requests, firms submit requested
information to the Commission and/or FINRA within 10 business days
of the request. See, infra, note 231 and accompanying text.
---------------------------------------------------------------------------
73. What are the costs and benefits associated with implementing an
R&R System? Please provide specific estimates of any cost savings or
burdens that would flow from the implementation of an R&R System,
explain whether those estimates are premised on full or partial
retirement of the EBS system, and the extent to which the EBS system
would have to be retired and/or modified to align with those estimates.
To what extent would broker-dealers have to re-program their systems to
report through an R&R System? How long would it take broker-dealers to
re-program their systems? To what extent would regulators have to
adjust their regulatory programs to use an R&R System instead of the
EBS system? Are there use cases made possible by the EBS system that
would not be possible through linking CAT Data with customer data
retrieved from an R&R System? Please identify these use cases and
explain why they would not be possible utilizing the R&R system
approach suggested by market participants. What costs are associated
with the development of new workflows to properly link CAT Data with
customer data that may be reported to an R&R System? How long would it
take regulators to make any necessary adjustments?
LTID
Rule 13h-1 currently sets forth certain record-keeping and
reporting requirements for large traders. When it approved the CAT NMS
Plan in 2016, the Commission stated that it believed the CAT would
provide ``the additional transaction data captured in connection with
Rule 13h-1 concerning large traders,'' which data can otherwise be
requested by regulators via the EBS system.\208\ The transaction
reporting aspects of Rule 13h-1 are not independent of EBS, as they
were implemented through the addition of new fields in the EBS
reporting template to capture the LTID number and the time of
execution. Relatedly, Rule 13h-1 involves periodic monitoring of
customer activity by broker-dealers to alert customers when trading in
their accounts may indicate large trader status.
---------------------------------------------------------------------------
\208\ See 17 CFR 240.13h-1.
---------------------------------------------------------------------------
74. Should the Commission amend Rule 13h-1 to eliminate and/or
modify any of its transaction reporting and/or record-keeping
requirements or the customer monitoring safe harbor? If so, please
specifically identify the reporting, record-keeping, and/or monitoring
requirements that should be eliminated and/or modified, explain why it
is appropriate to eliminate and/or modify those requirements, explain
whether the data provided by those requirements is otherwise contained
in or ascertainable from the CAT, and describe any costs and/or
benefits associated with the recommended amendments.\209\
---------------------------------------------------------------------------
\209\ See FIF Letter II, supra note 143, at 6 (recommending that
the Commission ``engage in a cost-benefit analysis as to whether to
retain, modify or retire large trader reporting in light of CAT and
CAIS data now being available,'' including a consideration of ``any
current reliance on EBS and whether and how the replacement of EBS
would impact the Commission's current use of large trader reporting
data'').
---------------------------------------------------------------------------
75. Will CAT data be sufficiently accurate and reliable to prove an
adequate substitute data source for Rule 13h-1 transaction data
otherwise obtainable via EBS? What criteria should the Commission use
to evaluate this question?
76. In the CAT NMS Plan Approval Order, the Commission stated that
``Form 13H collects information to identify a large trader, its
securities affiliates, and its operations, and does not collect audit
trail data on effected transactions.'' \210\ The Commission therefore
stated that the ``self-identification and other Form 13H filing
requirements of Rule 13h-1'' would not be ``duplicated by or redundant
of CAT.'' \211\ Nevertheless, to achieve cost savings in connection
with Form 13H, should the identifying activity levels of Rule 13h-1 be
increased to classify fewer persons as large traders? For example,
should the current thresholds be increased from 2 million shares or $20
million per day to 10 million shares or $100 million per day; and from
20 million shares or $200 million per month to 100 million shares or $1
billion per month? If so, please explain by how much the current
thresholds should be increased, explain how those higher thresholds
would be more appropriate given recent market developments, and explain
whether those higher thresholds would continue to appropriately
identify persons whose trading activity in NMS securities merits
classification as a large trader. Should
[[Page 20964]]
additional exceptions be considered from large trader status, such as
one-time or infrequent transactions? Are there other elements of Form
13H that could be eliminated and/or modified to achieve cost savings?
If so, please specifically identify the elements that should be
eliminated and/or modified, explain why it is appropriate to eliminate
and/or modify those elements, explain whether the data provided by
those elements is otherwise contained in the CAT or available via an
alternative data source, and describe any costs and/or benefits
associated with the recommended modifications to Form 13H. Is the
information provided by the CAT or the alternative data source
sufficiently accurate and reliable to prove an adequate substitute data
source for the information provided on Form 13H? What criteria should
the Commission use to evaluate this question?
---------------------------------------------------------------------------
\210\ See CAT NMS Plan Approval Order, supra note 16, at 84778.
\211\ Id.
---------------------------------------------------------------------------
77. Rule 13h-1 sets forth record-keeping and reporting requirements
not only for large traders, but also for ``Unidentified Large
Traders''--i.e. a person who has not complied with the identification
requirements for large traders, but who ``a registered broker-dealer
knows or has reason to know is a large trader.'' \212\ Rule 13h-1
further specifies that a ``registered broker-dealer shall be deemed not
to know or have reason to know that a person is a large trader if it
does not have actual knowledge that a person is a large trader and it
establishes policies and procedures reasonably designed to: (1)
[i]dentify persons who have not complied with the identification
requirements [for large traders] but whose transactions effected
through an account or a group of accounts carried by such broker-dealer
or through which such broker-dealer executes transactions, as
applicable (and considering account name, tax identification number, or
other identifying information available on the books and records of
such broker-dealer) equal or exceed the identifying activity level; (2)
[t]reat any persons identified in [item 1] as an Unidentified Large
Trader for purposes of this section; and (3) [i]nform any person
identified in [item 1] of its potential obligation under this
section.'' \213\ For the purposes of Rule 13h-1, ``a registered broker-
dealer need take into account only transactions in NMS securities
effected by or through such broker-dealer.'' \214\ One commenter has
stated that the ``approach for monitoring large trader reporting
adopted by the Commission is ineffective because a broker-dealer would
not know about a customer's trading activity at other broker-dealers.''
\215\ This commenter believed that the Commission, using information
already reported to the CAT, could ``readily determine if any CCID has
exceeded the applicable trading thresholds for large trader reporting
and an LTID has not been reported for the FDIDs to which the CCID is
associated.'' \216\ The commenter stated that the availability of such
data through the CAT ``obviates the need for broker-dealers to create
identifiers for unidentified large traders and to report them to CAT.''
\217\ Should the Commission eliminate record-keeping, reporting, and/or
monitoring requirements from Rule 13h-1 for Unidentified Large Traders?
What costs do broker-dealers incur to monitor for and comply with Rule
13h-1 requirements for Unidentified Large Traders? Please provide
specific data. Could the Commission surveil for Unidentified Large
Traders by determining whether any CCID has exceeded the applicable
trading thresholds for large trader reporting and whether an LTID has
been reported for the FDIDs to which that CCID is associated now that
LTIDs have been removed from the CAT by the amendments approved in the
2026 Cost Savings Order? \218\ Is there an alternative method of
finding Unidentified Large Traders using CAT Data?
---------------------------------------------------------------------------
\212\ See 17 240.13h-1(a)(9); see also id. at (d)-(e) for the
record-keeping and reporting requirements of Rule 13h-1.
\213\ Id. at (f).
\214\ Id. at (a)(9).
\215\ See FIF Letter II, supra note 143, at 3.
\216\ Id. at 5.
\217\ Id.
\218\ See, e.g., 2026 Cost Savings Order, supra note 98, at
16302; see also, e.g., FIF Letter II, supra note 143, at 4-5.
---------------------------------------------------------------------------
G. Civil Liberties and Privacy Considerations
Market participants have questioned whether the scope of the CAT's
collection of market data raises privacy and civil liberties
concerns.\219\ For example, one commenter asserts that the CAT's
previous collection of PII violates Americans' Fourth Amendment right
to privacy.\220\ The Commission is committed to ensuring that the CAT
and other audit trails and related data sources used by regulators
comply with all relevant constitutional and statutory limits and takes
seriously concerns related to the appropriateness of government
surveillance.
---------------------------------------------------------------------------
\219\ See, e.g., Letter from Christopher A. Iacovella, President
& Chief Executive Officer, American Securities Association, to
Vanessa Countryman, Secretary, Commission (Oct. 31, 2025), at 2,
available at https://www.sec.gov/comments/4-698/4698-672447-2037474.pdf.
\220\ Id. at 2; see also note 29 supra. The CAIS Order removed
requirements that the CAT collect PII from the CAT NMS Plan. See
note 19 supra,
---------------------------------------------------------------------------
78. Does the CAT's collection and/or transmission of transactional
information without associated customer and account-level information
raise confidentiality, privacy, and/or civil liberties concerns? If so,
what are they, and how should those concerns be addressed?
79. Does enabling the transmission of customer and account-level
information to regulators through the EBS System or an R&R System raise
confidentiality, privacy, and/or civil liberties concerns? If so, what
are those concerns, and how should they be addressed? Does the answer
depend on the type of interface that enables the transmission of this
data--for instance, whether a request for specific information from a
regulator is required before such data is requested, transmitted, and/
or collected? Does the answer depend on the scope of the data
requested, transmitted, and/or collected? Does the answer depend on the
purpose for which the data is requested, transmitted, and/or collected?
Does the answer depend on the extent of automation involved in
requesting, transmitting and/or collecting the data?
80. To the extent that imposing additional limits on the collection
and/or transmission of market data to address potential
confidentiality, privacy, and/or civil liberties concerns creates
trade-offs with costs, efficiency, and data security, such as any
additional burdens that would be imposed if data was provided by
broker-dealers upon request rather than through the CAT or another
audit trail or data source, how should the Commission weigh those
trade-offs?
81. What other confidentiality, privacy, and/or civil liberties
considerations should be taken into account?
H. Cybersecurity
The CAT NMS Plan sets forth robust requirements designed to protect
the data reported to and retained in the Central Repository.\221\ In
light of the
[[Page 20965]]
constantly shifting cybersecurity and threat management landscape, the
Commission seeks comment on the security requirements governing the
CAT.
---------------------------------------------------------------------------
\221\ See, e.g., Securities Exchange Act Release No. 89632 (Aug.
21, 2020), 85 FR 65990, 65991 (Oct. 16, 2020) (``CAT Data reported
to and retained in the Central Repository is thus subject to what
the Commission believes are stringent security policies, procedures,
standards, and controls.''); see also Robert Cook, President and
CEO, FINRA, ``CAT Should Be Modified to Cease Collecting Personal
Information on Retail Investors'' (Jan. 17, 2025), available at
https://www.finra.org/media-center/blog/cat-should-be-modified-to-cease-collecting-personal-information-on-retail-investors (``FINRA
Blog'') (``CAT has extensive controls in place to address data
security concerns that are continually being evaluated and
enhanced.'').
---------------------------------------------------------------------------
The CAT
82. Are there enhancements that should be made to the security
requirements set forth in the CAT NMS Plan? Are there technological
changes that could be made to the Central Repository to enhance its
protection? If so, please identify these enhancements, explain how such
enhancements would improve the security of the CAT and/or CAT Data, and
identify the costs associated with implementing such enhancements.
83. Are there enhancements that could be made to the measures that
protect the CCID Subsystem and/or to the process for generating CCIDs
\222\ that would further strengthen the protection of the information
used by the Plan Processor to generate CCIDs? If so, please identify
these enhancements, explain how such enhancements would improve the
privacy, confidentiality, and security of the CAT and/or CAT Data, and
identify the costs associated with implementing such enhancements.
---------------------------------------------------------------------------
\222\ See, e.g., FIF Letter I, supra note 28, at 9-10 (raising
potential security and privacy concerns regarding the retention of
certain information used to generate CCIDs); see also CAIS Order,
supra note 19, at 2167-69 (approving proposed amendments that codify
the current approach to generating CCIDs, but stating that the
Commission is engaged in a comprehensive review of the CAT and
expected to engage with the CCID creation process as part of that
review).
---------------------------------------------------------------------------
84. The CAT NMS Plan already sets forth a non-exclusive list of
industry standards for information security with which the CAT is
required to comply, including standards promulgated by the U.S.
National Institute of Standards and Technology (``NIST'') regarding
security and privacy controls for information systems and organizations
\223\ and providing a cybersecurity framework.\224\ Are there
additional security, privacy, or confidentiality controls that should
be implemented to secure the CAT? Are there additional industry
standards for information security with which the CAT should be
required to comply--for example, NIST standards for zero trust
architecture? \225\ What are the benefits and costs associated with the
implementation of or compliance with such additional security, privacy,
or confidentiality controls and/or industry standards for information
security?
---------------------------------------------------------------------------
\223\ U.S. NIST, Special Publication 800-53, Rev. 5, Security
and Privacy Controls for Information Systems and Organizations
(Sept. 2020), available at https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r5.pdf (``NIST SP 800-53'').
\224\ U.S. NIST, The NIST Cybersecurity Framework (CSF) 2.0
(Feb. 26, 2024), available at https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.29.pdf.
\225\ U.S. NIST, Special Publication 800-207, Zero Trust
Architecture (Aug. 2020), available at https://nvlpubs.nist.gov/nistpubs/specialpublications/NIST.SP.800-207.pdf. According to NIST,
``[z]ero trust security models assume that an attacker is present in
the environment and that an enterprise-owned environment is no
different--or no more trustworthy--than any nonenterprise-owned
environment. In this new paradigm, an enterprise must assume no
implicit trust and continually analyze and evaluate the risks to its
assets and business functions and then enact provisions to mitigate
these risks. In zero trust, these protections usually involve
minimizing access to resources (such as data and compute resources
and applications/services) to only those subjects and assets
identified as needing access as well as continually authenticating
and authorizing the identity and security posture of each access
request.''). Id. at 1.
---------------------------------------------------------------------------
85. The CAT NMS Plan already requires the Chief Information
Security Officer \226\ to ``review the information security policies
and procedures of the Participants that are related to the CAT to
ensure that such policies and procedures are comparable to the
information security policies and procedures applicable to the Central
Repository.'' \227\ Instead of ``comparable'' policies and procedures,
should uniform security policies and/or procedures be imposed on all
parties that may access and/or use the CAT? Does some measure of
variance in security policies and/or procedures provide more protection
to the underlying data? What are the costs and/or benefits associated
with providing flexibility with respect to the application of specified
security requirements? Should the CAT NMS Plan impose any additional
requirements to control how CAT Data is retained, stored, and/or
tracked once it is downloaded from the CAT? For how long should data be
stored? Does the answer depend on how and/or what kind of data is
stored? Does the answer depend on the potential use of artificial
intelligence to analyze CAT Data? Should the SROs be required to
implement zero trust architecture for CAT Data? Does the answer depend
on how this approach would impact regulatory use? Does the answer
depend on the costs associated with this approach?
---------------------------------------------------------------------------
\226\ ``Chief Information Security Officer'' means ``the
individual then serving (even on a temporary basis) as the Chief
Information Security Officer pursuant to Section 4.6, Section
6.1(b), and Section 6.2(b).'' See CAT NMS Plan, supra note 16, at
Section 1.1.
\227\ Id. at Section 6.2(b)(vii) (``If the Chief Information
Security Officer, in consultation with the Chief Compliance Officer,
finds that any such policies and procedures are not comparable to
the policies and procedures applicable to the CAT System, and the
issue is not promptly addressed by the applicable Participant, the
Chief Information Security Officer, in consultation with the Chief
Compliance Officer, will be required to notify the Operating
Committee of such deficiencies.'').
---------------------------------------------------------------------------
86. The CAT NMS Plan currently sets forth robust access control
requirements for the CAT and for CAT Data. It requires both the SROs
and the Plan Processor to implement various safeguards to secure access
and use of the CAT, including: (1) role-based access controls; (2)
authentication of individual users; (3) multi-factor authentication and
password controls; (4) implementation of information barriers to
prevent unauthorized staff from accessing CAT Data; (5) data encryption
and use of secure connectivity methods; (6) security-driven monitoring
and logging; (7) escalation procedures for non-compliance and/or
security events; and (8) remote access controls.\228\
---------------------------------------------------------------------------
\228\ See, e.g., id. at Section 6.5(c)(i), Section 6.5(f), and
Appendix D, Sections 4.1, 8.1, 8.2.2
---------------------------------------------------------------------------
a. Should additional access control measures be implemented for the
CAT? What kinds of controls should be put in place to manage and review
access entitlements and regulatory use? Please identify any additional
access control measures that should be implemented, explain how such
measures would enhance the security of the CAT and/or CAT Data, and
identify any costs associated with implementing such measures.
b. Should the existing logging requirements of the CAT NMS Plan be
enhanced? For example, are there artificial intelligence or algorithmic
technology solutions that could assist either the Plan Processor and/or
regulators to detect misuse of CAT Data? If so, please identify such
technology solutions, explain how they would help the Plan Processor
and/or regulators to detect misuse of CAT Data, and describe any costs
or challenges associated with their implementation.
c. What types of audit procedures should be put in place to assess
whether CAT Data has been used appropriately by regulatory users?
d. What types of access control measures are necessary to prevent a
bad actor at the Commission or the SROs from using the CAT to target an
individual(s) for monitoring based on personal, competitive, or
political animus?
87. Rule 613 and the CAT NMS Plan prohibit the use of CAT Data for
commercial purposes, as well as the use of CAT Data by parties that are
not regulators and in non-regulatory contexts--for example, by private
[[Page 20966]]
litigants.\229\ Should the Commission further reinforce or enhance
these restrictions on how CAT Data can be used?
---------------------------------------------------------------------------
\229\ See, e.g., 17 CFR 242.613(e)(4)(i)(A) (requiring the CAT
NMS Plan to include policies and procedures that require the SROs
and the Plan Processor to ``agree not to use such data for any
purpose other than surveillance and regulatory purposes, provided
that nothing in this paragraph (e)(4)(i)(A) shall be construed to
prevent a plan sponsor from using the data that it reports to the
central repository for regulatory, surveillance, commercial, or
other purposes as otherwise permitted by applicable law, rule, or
regulation''). See also, e.g., CAT NMS Plan, supra note 16, Section
6.5(c)(i) (``[T]he Plan Processor shall provide Participants and the
SEC access to the Central Repository (including all systems operated
by the Central Repository), and access to and use of CAT Data stored
in the Central Repository, solely for the purpose of performing
their respective regulatory and oversight responsibilities pursuant
to the federal securities laws, rules and regulations or any
contractual obligations.''); id. at Section 6.5(f) (``[T]he Plan
Processor shall . . . require all individuals who have access to the
Central Repository . . . to agree . . . not to use CAT Data stored
in the Central Repository for purposes other than surveillance and
regulation in accordance with such individual's employment duties;
provided that a Participant will be permitted to use the Raw Data it
reports to the Central Repository for regulatory, surveillance,
commercial or other purposes as permitted by applicable law, rules,
or regulation . . . .''); id. at Appendix D, Section 8.1 (``The Plan
Processor must provide Participants' regulatory staff and the SEC
with access to all CAT Data for regulatory purposes only.
Participants' regulatory staff and the SEC will access CAT Data to
perform functions, including economic analyses, market structure
analyses, market surveillance, investigations, and examinations.'').
---------------------------------------------------------------------------
88. In addition to the existing requirement that CAT Data only be
used for regulatory purposes,\230\ what security measures or controls
would further strengthen protections that prevent regulatory users at
the Commission and/or the SROs from using the CAT for inappropriate or
illegal purposes, such as targeting an individual for monitoring based
on personal, competitive, or political animus? For example, should the
Commission further restrict the way that regulatory users can use the
CAT to support regulatory activities? If so, how? What standards should
be satisfied before a regulatory user can access and/or use CAT Data?
Does the answer depend on whether the regulatory user is Commission
staff or SRO staff? Does the growing use of artificial intelligence
affect this analysis? If so, how?
---------------------------------------------------------------------------
\230\ See, e.g., id.
---------------------------------------------------------------------------
89. Should information about the policies, procedures, and/or
controls that govern the regulatory use of the CAT be made public? For
example, should the Commission and/or the SROs publish information
regarding the internal controls and/or safeguards that govern access to
or use of CAT Data, information about how the Commission, the SROs and/
or FINRA CAT monitor the storage and/or usage of CAT Data, information
about the number of regulatory users at the Commission and/or the SROs
and/or the regulatory purposes for which they are using CAT Data? Would
disclosure of such information pose security or confidentiality
concerns?
90. Under what circumstances, if any, should the Commission make
CAT Data available to interested market participants in the rulemaking
context? What conditions and/or controls should apply? At what level of
data aggregation should the data be made available? What are the costs
and benefits associated with releasing such data? Does the answer
depend on the type of data relied upon? Does the answer depend on the
costs of making such data available?
EBS
The Commission and/or FINRA typically make EBS requests via a
regulatory portal maintained by FINRA. Firms then submit requested
information to the Commission and/or FINRA via one of the file sharing
options provided by FINRA \231\ within 10 business days of the
request.\232\ NYSE maintains its own separate system that provides it
with similar functionality. Some market participants have expressed
concern about the security of PII made available through the EBS
system. One commenter stated, for example, that the ``response to a
single EBS request could contain tens or hundreds of thousands of
plaintext SSNs,'' that ``the transmission of SSNs and account numbers
in plaintext risks the unauthorized disclosure of personal data,'' and
that they ``are not aware of any EBS controls to require the encrypted
storage of SSNs and other PII.'' \233\ This commenter also stated that
``the EBS system provides for the reporting of SSNs and other PII in
association to specific transactions,'' unlike the CAT.\234\
---------------------------------------------------------------------------
\231\ Firms may transmit the requested information to the
Securities Industry Automation Corporation (``SIAC''), which will
then route the information to the Commission or to an SRO as
applicable; alternatively, firms may transmit the requested
information using Request Manager, an information exchange
application made available via a regulatory portal maintained by
FINRA, or FINRA fileX, a secure file sharing solution maintained by
FINRA. See, e.g., https://www.finra.org/filing-reporting/electronic-blue-sheets-ebs#overview.
\232\ See EBS Adopting Release, supra note 5, at 35836 (``Firms
are requested to submit, within ten business days, information
concerning transactions by all proprietary and customer accounts
that bought or sold a security during a specified review period.'');
FINRA Regulatory Notice 05-58, ``Intermarket Surveillance Group
Requires Validation of Electronic Blue Sheets Submissions'' (Sept.
7, 2025), available at https://www.finra.org/rules-guidance/notices/05-58 (``In general, blue sheet submissions are to be received by a
requesting organization within ten (10) business days following the
date of the request for such information.'').
\233\ See FIF Letter I, supra note 24, at 4; see also SIFMA
Letter III, supra note 201, at 4 (stating that SIFMA members believe
EBS ``has long-standing security concerns, such as unmasked SSNs and
other PII, that have not been addressed'').
\234\ See FIF Letter I, supra note 24, at 4
---------------------------------------------------------------------------
91. Should information about the policies, procedures, and/or
controls that govern the regulatory use of the EBS system be made
public? For example, should the Commission and/or the SROs publish
information regarding the internal controls and/or safeguards that
govern access to or use of the EBS system, information about how the
Commission and/or the SROs monitor the storage and/or usage of data
accessed through the EBS system, information about the number of
regulatory users at the Commission and/or the SROs and/or the
regulatory purposes for which they are using data accessed through the
EBS system? Would disclosure of such information pose security,
privacy, or confidentiality concerns?
92. What confidentiality, privacy, and security measures or
controls would further strengthen protections that prevent regulatory
users at the Commission and/or the SROs from using the EBS system for
inappropriate or illegal purposes, such as targeting an individual for
monitoring based on personal, competitive, or political animus? For
example, should the Commission further restrict the way that regulatory
users can use the EBS system to support regulatory activities? If so,
how? What standards should be satisfied before a regulatory user can
access and/or use data using the EBS system? Does the answer depend on
whether the regulatory user is Commission staff or SRO staff? Does the
answer depend on whether the regulatory user is accessing transactional
data or customer and account-level information?
93. What security, privacy, and confidentiality controls protect
data transmitted and/or stored through the EBS system? What encryption
protections secure EBS data that is transmitted and/or stored? Are
there additional security measures that should be implemented to
protect data transmitted and/or stored by FINRA's and/or NYSE's EBS
systems? For example, are there more secure methods of transmitting
and/or storing data than those currently employed by regulators to
request and receive EBS data? If so, please identify any such methods,
[[Page 20967]]
explain why they would be more appropriate, and describe any costs
associated with implementing and/or maintaining such methods of
transmission, including any costs associated with burdens on regulatory
use.
94. Should the Commission require the creation and/or
implementation of specific data retention policies that would shorten
the amount of time that EBS data may be retained and/or control the way
that such data may be stored by the SROs? What are the costs and
benefits associated with such an approach? How would shortened data
retention policies interact with federal rules and regulations
governing record retention? Would shortening data retention policies
potentially lead to duplicative requests? Are there policies and
procedures regarding the storage and/or retention of data that could
potentially decrease the number of duplicative requests made via the
EBS system?
R&R System
95. If an R&R System is implemented, what security standards or
controls should govern it? For instance, should an R&R System be
required to comply with any particular industry standards or controls
for information security, like standards promulgated by NIST regarding
security and privacy controls for information systems and
organizations, providing a cybersecurity framework, or implementing
zero trust architecture? \235\ Does the answer depend on the parties
that have access to the system? Does the answer depend on the
functionality provided by the system--for example, the extent to which
requests and responses are automated?
---------------------------------------------------------------------------
\235\ See notes 222-224 supra.
---------------------------------------------------------------------------
96. FIF has suggested that FINRA could ``provide a secure method''
for broker-dealers to respond to requests made by regulators through an
R&R System.\236\ What would constitute a secure method for broker-
dealers to respond to requests? What would constitute a secure method
for regulators to make requests? Please specifically identify secure
methods that could be used to request and provide data, explain why
those methods are appropriate, and identify any costs or benefits
associated with those methods.
---------------------------------------------------------------------------
\236\ See FIF Letter I, supra note 24, at 7.
---------------------------------------------------------------------------
97. Should requests and/or responses made via an R&R System be
encrypted? Does the answer depend on the data that is required to be
reported via an R&R System? If data should be encrypted, please
identify appropriate encryption protocols and explain why they should
be applied to data provided through an R&R System. What are the costs
and benefits that would be associated with such a measure? To what
extent would broker-dealers have to re-program their systems to encrypt
this data? To what extent would regulators have to adjust their
regulatory programs if the information sent through an R&R System was
encrypted?
98. What access and use controls or measures should be implemented
for an R&R System? \237\ Do the answers depend on how particular
security measures or controls would impact regulatory use? Do the
answers depend on the costs associated with particular security
measures or controls? Do the answers depend on the type of data or the
volume of data being accessed or used? For example, should customer and
account information be protected with different security measures or
controls than those applied to transactional data? Should security
policies and/or procedures be uniform across all SROs that access and/
or use an R&R System? Does some measure of variance in security
policies and/or procedures provide more protection to the underlying
data?
---------------------------------------------------------------------------
\237\ See, e.g., FIF Letter I, supra note 24, at 8 (suggesting
that an R&R System should implement policies that address . . .
[c]ategories of personnel that can access the data in the system and
for what purpose[, a]ccess controls[, s]urveillance and audit'').
---------------------------------------------------------------------------
99. What security measures or controls would prevent regulatory
users at the Commission and/or the SROs from using an R&R System for
inappropriate or illegal purposes, such as targeting an individual for
monitoring based on personal, competitive, or political animus? For
example, should the Commission restrict the way that regulatory users
can use an R&R System to support regulatory activities? If so, how?
What policies, procedures, or controls should govern the regulatory use
of an R&R System and should information about those policies,
procedures, or controls be made public? What standards should be
satisfied before a regulatory user can access and/or use data using an
R&R System? Does the answer depend on whether the regulatory user is
Commission staff or SRO staff?
100. How long should the SROs be able to retain data obtained from
an R&R System? \238\ Does the answer depend on the type or volume of
data obtained? Does the answer depend on how the data is downloaded,
accessed, analyzed, tracked, logged, and/or stored? Does the answer
depend on data privacy or confidentiality considerations? For example,
should customer and account information be stored separately from and
for different periods of time than transactional data? Does the answer
depend on the particular regulatory use case for the data? Does the
answer depend on federal rules and regulations governing record
retention and statute of limitations periods applicable to enforcement
actions? Should data retention policies and/or procedures be uniform
across all SROs that may access and/or use an R&R System? Does some
measure of variance in security policies and/or procedures provide more
protection to the underlying data? Could shorter data retention periods
and/or more restrictive use policies increase the likelihood of
duplicative and/or repetitive requests being made to broker-dealers?
---------------------------------------------------------------------------
\238\ See, e.g., id. (suggesting that data requested through an
R&R System should be deleted ``upon the termination of the
applicable investigation'' and that there should be ``oversight
processes to monitor for compliance'').
---------------------------------------------------------------------------
101. What breach management procedures should be required for an
R&R System? Which parties, if any, should the owners and/or operators
of an R&R System be required to notify in the event of a breach? What
kinds of events should constitute a breach?
LOPR
FINRA Rule 2360 requires FINRA member firms to report large options
positions to the LOPR, which FINRA uses to surveil for potentially
manipulative behavior, including attempts to corner the market in the
underlying equity, leverage an option position to affect the price, or
move the underlying equity to change the value of a large option
position.\239\
---------------------------------------------------------------------------
\239\ See Securities Exchange Act Release No. 98738 (Oct. 13,
2023), 88 FR 75100, 75108 n.78 (Nov. 1, 2023).
---------------------------------------------------------------------------
102. FIF has expressed concern about the ``plaintext reporting of
SSNs and other PII'' in OCC's LOPR data, urging the Commission to
direct the removal of PII from this data set.\240\ What are the costs
and benefits associated with such an approach? Would removal of
customer and account level data from LOPR make its regulatory use less
efficient? For example, would regulators have to obtain the required
information through an alternative (and potentially manual) method that
could involve requesting information from a larger number of broker-
dealers? Would this raise costs for broker-dealers? If so, please
identify and quantify the burdens associated with this alternative
approach. Are there alternative methods for enhancing the security of
LOPR
[[Page 20968]]
data? If so, please identify any such measures and explain why it would
be appropriate to implement such measures.
---------------------------------------------------------------------------
\240\ See, e.g., FIF Letter I, supra note 24, at 8.
---------------------------------------------------------------------------
Other Audit Trails and/or Related Data Sources
103. If not eliminated, modified, and/or replaced, do any other
audit trails and/or related data sources raise cybersecurity, privacy,
and/or civil liberties concerns? If so, how should the Commission
address these concerns?
I. Transparency and Process of Comprehensive Review
The Commission seeks input from commenters as to whether, in
addition to seeking comment through this release, there are other
meaningful ways for it to gather information and/or for market
participants to provide feedback regarding the CAT and other existing
audit trails and/or related data sources.
104. Are there any other methods of gathering information from
market participants regarding any potential changes that should be made
to the functionality of existing audit trails and/or related data
sources? For example, should the Commission issue industry surveys to
broker-dealers and SROs? If so, please describe what the content of
these surveys should be and to which parties such surveys should be
distributed. Should the Commission hold a roundtable conference and/or
establish a working group? Please identify any measures the Commission
should take to gather information and explain why such measures are
appropriate.
105. Several market participants have suggested that the Commission
should ``require the CAT Operating Committee to engage an independent
technology firm to review the operations and technological design of
CAT to identify further opportunities to optimize CAT and reduce
costs.'' \241\ Should the Commission require an independent audit of
the CAT's technological design? If so, please describe what the scope
of such an audit should be,\242\ explain why that scope would be
appropriate, and describe any criteria that should be used to select
the party conducting the independent audit. Does the answer depend on
the costs of such an independent audit? Does an independent audit pose
any security risks? Should an independent audit be conducted for any
other existing audit trail and/or data source? Should the results of
the independent audit be made public? Would making such information
public compromise the security of the CAT?
---------------------------------------------------------------------------
\241\ See PTG Letter I, supra note 28, at 4. See also SIFMA
Letter I, supra note 28, at 6 (``[T]he SEC should require the SROs
to engage an independent external technology firm at their expense
(subject to appropriate security measures to protect CAT data and
processes), with input from industry-member experts, to complete a
holistic review of the current operations of CAT--including its
regulatory uses by the SEC and SROs--to identify ways to further
optimize and improve CAT and reduce its costs.''); Citadel Letter I,
supra note 24, at 13 (``Engage a third-party technology firm to
perform an independent review of the technological design of CAT to
identify opportunities to optimize and reduce costs.'').
\242\ The CAT NMS Plan already requires the Plan Processor to
create and implement an annual audit plan that includes a review of
all Plan Processor policies, procedures, control structures, and
tools that monitor and address data security. See, e.g., CAT NMS
Plan, supra note 16, at Section 6.2(a)(v)(C) (``The Chief Compliance
Officer shall . . . in collaboration with the Chief Information
Security Officer, and consistent with Appendix D, Data Security, and
any other applicable requirements related to data security and
Reference Data, identify and assist the Company in retaining an
appropriately qualified independent auditor (based on specialized
technical expertise, which may be the Independent Auditor or subject
to the approval of the Operating [Committee] by Supermajority Vote,
another appropriately qualified independent auditor), and in
collaboration with such independent auditor, create and implement an
annual audit plan (subject to the approval of the Operating
Committee), which shall at a minimum include a review of all Plan
Processor policies, procedures and control structures, and real time
tools that monitor and address data security issues for the Plan
Processor and the Central Repository.''); see id. at Section 1.1
(defining ``Chief Compliance Officer'' as ``the individual then
serving (even on a temporary basis) as the Chief Compliance Officer
pursuant to Section 4.6, Section 6.1(b), and Section 6.2(a)''). See
also, e.g., id. at Appendix D, Section 4.1.3 (``The Plan Processor
must include penetration testing and an application security code
audit by a reputable (and named) third party prior to launch as well
as periodically as defined in the SLA(s).''); id. at Appendix D,
Section 5.3 (``The Plan Processor must conduct third party risk
assessments at regular intervals to verify the security controls
implemented are in accordance with NIST SP 800-53.'').
---------------------------------------------------------------------------
IV. General Request for Comment
We request and encourage any interested person to submit comments
on any aspect of this concept release, other matters that might have an
impact on the topics discussed in this concept release, and any
suggestions for additional changes or improvements to existing audit
trails and related data sources. Please be as specific as possible in
your discussion and analysis of any additional issues. We particularly
welcome comments on any costs, burdens, or benefits that may result
from possible regulatory responses related to the items identified in
this release or otherwise proposed by commenters.
V. Other Matters
This concept release and request for comment is a significant
regulatory action under section 3(f)(1) of Executive Order 12866, as
amended, and has been reviewed by the Office of Management and Budget.
VI. Conclusion
The Commission is interested in the public's views regarding the
matters discussed in this concept release. The existing audit trails
and/or data sources discussed above serve a critical role in protecting
our markets, but it is important to assess whether these audit trails
and data sources respond to and reflect current market conditions,
demonstrated regulatory needs, civil liberty, privacy, and
confidentiality concerns, cost-efficient technology solutions, and
cybersecurity considerations. The Commission therefore encourages all
interested parties to submit comments on the topics being considered in
this concept release. If possible, please reference the specific
question numbers or sections of this release when submitting comments.
By the Commission.
Dated: April 16, 2026.
Sherry R. Haywood,
Assistant Secretary.
[FR Doc. 2026-07651 Filed 4-17-26; 8:45 am]
BILLING CODE P