CAT: Elephant in Room, Out of Everyone’s Pocket, Invading Everyone’s Privacy

By Kelvin To, Founder and President, Data Boiler Technologies

Five years ago, “CAT’s out of the bag” and Thesys was selected as the Consolidated Audit Trail (CAT) processor in Jan 2017. Two years ago, FINRA replaced Thesys in that role to continue the CAT project. Some called this processor replacement a “90 million train wreck”. Worse, the CAT operating committee asks everyone for funding of $132.5 million in CAT’s 2021 budgeted costs plus unknown amounts in the future. Further attempts to “allocate” risks (shift liabilities disproportionally) to industry members who are NOT users of CAT and have NO control over potential security breaches caused by CAT participants and external hackers, or over a CAT system failure, are UNFAIR. The cost to build and maintain CAT will be like the financial transaction tax: unwelcome by the industry.

With its outdated design, CAT is the “elephant in the room”: it poses a national security threat and is a money pit

We want to see CAT being a functional CAT (not an elephant) to serve its intended purposes, i.e. prevent future flash crashes and quickly analyze both suspicious trading behavior and unusual market events. Yet, CAT turned into a gigantic data vault. Non-essential data ‘at rest’ and ‘in motion’ makes it more vulnerable to security threats. In our January 2021 comment letter, we rebut the CAT operating committee, who cited the Charles River Associates’ Economic Analysis, on their estimates that “greater than $100 million damage or 95th percentile loss may misguide policy makers into falsely believing the risks may possibly be accepted when it should not”. The Director of National Intelligence has warned about infiltration and foreign (China and Russia) adversaries in the latest assessment report. An insecure and breached CAT can cause the destabilization of the U.S. capital market.

The CAT NMS Plan failed to address the following causes of potential information leak: Membership Inference Attacks, Reconstruction Attacks, Property Inference Attacks, and Model Extraction. It lacks scenario planning to counter different implementations of these attacks (Centralized/ Distributed Learning). The trading and investment communities are concerned that User Defined Direct Query and bulk extraction by CAT participants, including the SEC, increase the vulnerability of data being misused for impermissible purposes (i.e. function creep) and the realism of various adverse scenarios.

Rather than serving the public interest, CAT raises civic concerns about Massive Government Surveillance

This is America, not a communist country that controls and coerces its own citizens by using big data analytics, surveillance, and propaganda. According to a recent National Security Commission on Artificial Intelligence Report, “Personal and commercial vulnerabilities become national security weaknesses as adversaries map individuals, networks, and social fissures in society (financial situation, patterns of daily life, relationships, health, and even emotions); predict responses to different stimuli; and model how best to manipulate behavior or cause harm.” According to M.I.T. professor Gary Marx’s statements in this Stanford University study, “…most people in our society would object to this solution, not because they wish to commit any wrongdoings, but because it is invasive and prone to abuse … fails to take into consideration a number of important issues when collecting personally identifiable data or recordings … such practices create an archive of information that is vulnerable to abuse by trusted insiders … In addition, allowing surreptitious surveillance of one form, even limited in scope and for a particular contingency, encourages government to expand such surveillance programs in the future. It is our view that the danger of a ‘slippery slope’ scenario cannot be dismissed as paranoia …” CAT has an Outdated Design and is an Outsized Elephant. National security and privacy ordinance matters are Outside the Jurisdiction of the SEC and the SROs. The unbearable building and on-going operating costs of CAT Outweigh its Benefits.

Inconsistent with §11A of the Exchange Act, the 4th Amendment, the Privacy Act of 1974, and other applicable rules

CAT’s Limitation of Liability Provision, Revised Funding Model, and Enhanced Data Security proposals, if adopted, are inconsistent with §11A of the Exchange Act, the Fourth Amendment of the US Constitution, the Department of Justice’s latest edition of the Privacy Act of 1974 and other applicable laws and new bills. Neither the SEC nor the Self-Regulatory Organizations (SROs), the CAT Participants, have rights above the law. The constitutional right to be free of unwarranted search or seizure is recognized by the Supreme Court as protecting a general right to privacy. No one wants his/her data to be used by regulator(s) to develop policies that potentially may discriminate against him/her. Suspicion of crime or anticipation of market turmoil should begin with some basis or require a ‘search warrant’ before the permissible collection or surveillance of information that would otherwise be considered private. Unlike the census, collection of non-public information and PII by CAT for all trade activities without express consent by the investors is an intrusion of one’s privacy.

If the CAT participants argue that CAT fee setting, collection, and dispute resolution are common commercial practices that they should have full discretion over, then CAT would not be part of their arbitral and prosecutorial authority. Hence, the SROs should not enjoy immunity related to their private businesses, and the industry members shall then have choice (under antitrust laws), including the right to opt out of CAT given they are not users of the CAT system. If the CAT fee/ minimum is a “pay to play” bundled cost to participate in a market, then this is a “tax” and a barrier to entry, which is inconsistent with the competition, capital formation, and other goals of the Exchange Act.

Outside delegated authority, NOT immune, and disincentivizing the continued pursuit of best practices

The SROs’ immunity from private civil actions applies ONLY when they are acting within their delegated authority. In the case of willful misconduct, gross negligence, bad faith or criminal acts related to CAT by SROs’ executive(s), staff or contractor(s), SROs should NEVER be immune, because these acts are not part of their arbitral and prosecutorial authority. That FINRA replaced Thesys (a private company) as the CAT processor indeed signifies that FINRA and CAT LLC are in effect conducting private business. We argue such commercial conduct must be subject to the corresponding risks and civil claims in the case of liability, according to the Weissman and Sparta Surgical Corp. court cases against the National Association of Securities Dealers.

To be consistent with §11A of the Exchange Act, we advocate that the SEC pursue and demand better Suspicious Activity Reports (SARs) from Broker-Dealers (BDs) and/or mandate improvements of BDs’ trade controls and compliance requirements. We also recommend that the SEC adopt the “A-Z” clauses that we included in Table 1 of our Nov 2020 comment letter as part of the minimum requirements for the CAT NMS Plan’s principle-based rules, rather than the Enhanced Data Security proposal, which makes specific reference to the outdated Revision 4 of NIST SP 800-53.

Bifurcated Cost Allocation is Inequitable; avoid exacerbating inequalities in the market

If the CAT fee is related to supporting the SEC to “rapidly reconstruct market events/ trading activity” beyond using publicly available data, then the Commission may subscribe to the SROs’ proprietary feeds and, under an appropriate search warrant, summon further information such as OBO/ NOBO shareholder data directly from broker-dealers or indirectly from Broadridge. If the CAT fee is related to “facilitating risk-based examinations” and/or “improving abilities for evaluating tips, complaints and referrals of potential misconduct made to regulators, monitoring and evaluating changes to market structure”, then the SEC and SROs may go back to Congress for funding or pay for it using collected fines, penalties, and intragovernmental fees, but not “user fees”.

If the CAT fee is related to “better identification of potentially manipulative trading activity, increased efficiency of cross-market and principal order surveillance”, then private surveillance businesses affiliated with Exchange Groups stand to receive benefits from CAT; they should pay most if not all of such CAT costs. The SEC and other SROs shall have the choice to use peers’ surveillance systems, build their own, or buy from other private vendors. CAT has no reason to allocate an inequitable 75% of CAT cost to Industry Members. The plan is simply tolling everyone in the industry, which will ultimately be passed down to the end investors. We question why the CAT operating committee, a governing body composed of ONLY representatives of the SROs, would hold concentrated power over the Funding Authority as set out in the CAT NMS Plan Exhibit A Article XI §11.1. Rulemaking to seek sole benefit for the government agency or the affiliated SROs should be prohibited.

Whoever receives the most benefits and operates at the edge should pay more; NO private party among the elites

Why should the public (industry members would ultimately pass down the cost to end investors) pay for anything (recovering 75% or ~$145 million incurred in Period 1) that may be allowed to be capitalized on as the CAT LLC/ FINRA/ CAT Operating Committee’s “private asset”? If past development work by Thesys is considered a “public asset”, then why wasn’t there a full disclosure of all CAT’s budgeted building and operating costs for the public to review before the cost was incurred? If it is a “sunk cost”, why are industry members asked to bear the consequences of procurement decisions that they were not part of, when they are not and will not be ‘users’ of the CAT system information?

We argued against both the original “execution venue” concept and the proposed “message traffic” concept. If CAT is constituted as one of the “user fees” imposed by the SEC/ SRO, then 31 U.S.C. §9701 compliance has not been met. Perhaps a large portion of the CAT funding model could be driven mainly by fines and settlements. To preserve the equitable, non-biased, fair, and non-discriminatory principles and fend off public concerns about alleged favoritism to industry elites and CAT participants through fee caps, maximums, and adjustments, we suggested adding a new CAT funding principle 11.2(g). We proposed that costs and their allocation should be in proportion to the specific public benefits received, i.e. not the private benefits of CAT participants; and those that have higher implicit risk and vulnerability to potential conflicts of interest must be charged higher fees than others. These fees would cover what is not already funded by fines and settlements from abuse or other securities law violation cases.

Surveillance without kicking the can down the road – learn from the IRS

We have argued against the SEC proposals NOT BECAUSE we have any dislike of the CAT processor and participants. We also want to emphasize that we despise “kicking the can down the road”. For some time, we have been suggesting an innovative design that draws an analogy to the IRS’s successful ‘my free tax initiative’ (see Appendix 2 of our May 2021 comment letter). To resolve CAT’s challenges, it takes not just cooperation and collaboration, but development and deployment efforts. Our suggested solutions would analyze suspicious trading behavior and unusual market events directly and quickly, as well as yield substantial savings while enhancing security for all parties.

In turn, the essential data stored at CAT would be much more manageable, data control would be more robust, and insurers should be more willing to provide liability coverage for the CAT processor. It will allow the SEC and CAT Participants to focus scrutinized exams on high-risk candidates. We envisage a model to reduce unknown unknowns. Other benefits of our recommendations are: (a) dramatically reducing the CAT footprint of data storage and traffic by avoiding unnecessary redundant copies of data and minimizing ‘data in motion’; (b) confining access to CAT data to ‘targeted search’ of relevant data that fits the ‘defined purposes’; and (c) providing better intelligence for market monitoring by enabling and rewarding the crowd for identifying early warning signals of a potential flash crash or other trade irregularities. We hope our “win-win” solution will help everyone charge forward on CAT and receive bipartisan support.