CAT Outdated Design Since 2012
Context of the Problem

We praise the honorable goals of the Consolidated Audit Trail (CAT) as a means to prevent future flash crashes and, in doing so, to allow the SEC and other market regulators to “rapidly reconstruct trading activity and quickly analyze both suspicious trading behavior and unusual market events”. We argue against the limitation of liability proposal and the revised funding model NOT BECAUSE we have any dislike for the CAT processor and its participants (i.e. FINRA, CAT LLC, and the Exchange Groups). Indeed, have mercy on them, because every constituent (including industry members) seems individually bound to achieve the following goals concurrently: (a) fulfill the SEC’s mandate to regulate and promote the safety and soundness of the market; (b) serve the public interest by addressing civic concerns about massive government surveillance; (c) uphold and continue to pursue national cybersecurity and privacy protection best practices [see Endnote at bottom]; and (d) comply with the Fourth Amendment of the US Constitution, the Privacy Act of 1974 (as set out in the Department of Justice’s latest edition of its overview), and other applicable laws and recently introduced bills.

The CAT’s technical design since 2012 as a golden source (or a “gigantic data-vault”), while well intended, is out of date. It will take “forever” to come up with a “golden” unified “single source of truth”. By the time a common standard is adhered to, the value of the data will have subsided to almost worthless within the context of market surveillance. Analysts need sensors, not an encyclopedia. A good decision, made now and pursued aggressively, is substantially superior to a perfect decision made too late. The CAT project is outsized and is a money pit, not only in terms of building and ongoing operating costs: it also introduces huge wastage and, measured by Six Sigma principles, is environmentally unfriendly.

In particular, frequent transmittal of data in and out of CAT and within it, i.e. unnecessary data-in-motion traffic, is wastage and is more susceptible to defects. When data is ‘at rest’ rather than ‘in use’, it serves no value other than generating a storage bill. Data is redundantly stored at industry members’ systems and at the CAT system, and is then regurgitated in bulk to CAT participants’ systems, all causing significant wastage. A real-time analytic platform (RTAP) and modern techniques could be applied closest to the original source of the data to avoid the multiplicity of storage and data-protection costs. Moreover, during a ‘market crash’ the velocity of data provides higher value than its veracity. “T+5 days” regulatory access means unproductive idle time: the window for timely action in curbing potential abuse, protecting investors, and/or regulating an abnormal market event is missed. Until these wastages are addressed, it is unfair and premature to ask for funding of this CAT.

The outdated design of CAT, with all its non-essential data ‘at rest’ and ‘in motion’, makes it more vulnerable to security threats than a modernized RTAP. A data vault, data lake, or ‘golden source of data’ is an attractive target for hackers on a treasure hunt. Hackers do not necessarily come from outside; compromised internal executives, staff, and contractors may pose even higher dangers because of the potential for cover-ups and the ability to profit from any stolen data [11]. The Edward Snowden case [12], an insider with contractor access to intelligence-community systems, is a prime example, i.e. NOT a hypothetical “black swan” cyber breach. Additionally, the Director of National Intelligence has warned in the latest threat assessment that China and Russia are the biggest threats to the U.S. An insecure and breached CAT could destabilize the U.S. capital market, which trades trillions of dollars daily. CAT must up its game in protecting against infiltration and foreign adversaries, or else it could itself become a threat to national security.

The CAT NMS Plan failed to address the following causes of potential information leakage: membership inference attacks, reconstruction attacks, property inference attacks, and model extraction. It lacks scenario planning to counter these attacks against different deployment models (centralized or distributed learning). The trading and investment communities are concerned that User Defined Direct Query and bulk extraction increase the vulnerability of data being misused for impermissible purposes. We are not convinced that non-public data and PII will be safeguarded properly when measured against our suggested minimum requirements (please see Table 1 of our November 30, 2020 comments). Without embedding an appropriate analytical framework into the design of CAT, as we have pointed out since our comments in 2016, CAT may be a useless gigantic vault that does nothing other than disturb all industry members, wasting valuable time and energy on data submission and causing worry about security and compliance.
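As an added illustration (not part of the original comment letter) of why user-defined direct query over a sensitive dataset is a reconstruction risk even when the interface returns only aggregates: the following Python script implements a classic differencing attack against a SUM endpoint and shows that the usual small-cohort suppression control does not stop it. The order records, account identifiers, and firm names are constructed for this example and are not real CAT data.

```python
"""Added example, not from the original article: a differencing (reconstruction)
attack against an aggregate-only query interface. All records, firm names and
account identifiers below are constructed for illustration."""
from dataclasses import dataclass
from typing import Callable, Iterable, Optional


@dataclass(frozen=True)
class Order:
    account_id: str   # hypothetical per-customer identifier standing in for PII
    firm: str
    symbol: str
    side: str
    qty: int


# Constructed sample data (not real CAT records).
ORDERS = [
    Order("A001", "FirmX", "ACME", "BUY", 500),
    Order("A002", "FirmX", "ACME", "SELL", 200),
    Order("A003", "FirmY", "ACME", "BUY", 1000),
    Order("A004", "FirmY", "ZZZ", "BUY", 300),
    Order("A005", "FirmX", "ZZZ", "SELL", 700),
]

Predicate = Callable[[Order], bool]


def sum_qty(orders: Iterable[Order], where: Predicate) -> int:
    """An 'aggregate only' endpoint: SUM(qty) over a user-defined filter.
    No individual rows are ever returned to the caller."""
    return sum(o.qty for o in orders if where(o))


def sum_qty_suppressed(orders: Iterable[Order], where: Predicate,
                       k: int = 3) -> Optional[int]:
    """The same endpoint with the usual 'small cohort' control: refuse to
    answer when fewer than k records match the filter."""
    matched = [o for o in orders if where(o)]
    if len(matched) < k:
        return None
    return sum(o.qty for o in matched)


def differencing_attack(query, orders: Iterable[Order], target_id: str,
                        base: Predicate) -> Optional[int]:
    """Recover one account's qty from two aggregate answers whose filters
    differ by exactly that account. Returns None if either query is refused."""
    with_target = query(orders, base)
    without_target = query(
        orders, lambda o: base(o) and o.account_id != target_id)
    if with_target is None or without_target is None:
        return None
    return with_target - without_target


def is_acme(o: Order) -> bool:
    return o.symbol == "ACME"          # 3 matching rows


def everything(o: Order) -> bool:
    return True                        # all 5 rows


def demo() -> dict:
    """Run the attack three ways against account A003 (true qty: 1000)."""
    return {
        # Plain endpoint: a narrow cohort leaks A003's 1000 shares outright.
        "plain_narrow": differencing_attack(sum_qty, ORDERS, "A003", is_acme),
        # k=3 suppression refuses the 2-row complement query...
        "suppressed_narrow": differencing_attack(
            sum_qty_suppressed, ORDERS, "A003", is_acme),
        # ...but the attacker simply widens the base cohort and gets the same
        # answer: both queries now match >= k rows and differ by one record.
        "suppressed_wide": differencing_attack(
            sum_qty_suppressed, ORDERS, "A003", everything),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The takeaway for a query interface over non-public data is that row-count thresholds alone do not prevent reconstruction; the standard remedies are to remove arbitrary user-defined predicates, to add calibrated noise (differential privacy) with a per-user query budget, or to audit query pairs that differ by a single record.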

Why would large Exchange Groups with robust surveillance systems, linked to market data feeds at nanosecond precision, need a “50± millisecond tolerance” CAT system? If one were to play devil’s advocate about using CAT data for non-regulatory purposes (i.e. function creep): given T+5 access, CAT will not save Exchanges from subscribing to peer Exchange feeds, but what if these non-public data and PII offer valuable insights that help Exchanges target and attract order flow? Would countless buy-side and sell-side broker-dealers and market makers be cut out of the industry value chain?

CAT participants and industry members seem to be living the parable of the blind men and an elephant, and/or hustle to seek shelter in the form of immunity or deferral until CAT can “accommodate the unending demands of the industry”. Frankly, the only parties that stand to gain from an ever-growing CAT may be the vendors. These cloud storage, security, infrastructure, and data processing vendors, along with big law and compliance consulting firms, add layers of cost to the industry without adding much value to the monitoring and analytical aspects of CAT. How sad!

ENDNOTE: The CISP references revision 4 of NIST SP 800-53, which has been superseded by revision 5 since September 2020. NIST’s recommended best practices, alongside other cybersecurity and privacy protection standards and guidelines such as ISO/IEC 27001 and 27032, Gramm-Leach-Bliley Act §6801, and FINRA’s cybersecurity rules and guidance, will also continue to be updated and extended. We have multiple concerns if the CISP references a particular NIST publication, including: (i) the potential for complying with the bare minimum requirements rather than pursuing best practices; (ii) new emerging cyber and A.I. threats whose mitigations have yet to be incorporated into a newer standard, i.e. the gap while awaiting adoption of new policy; and (iii) lack of synchronization with international rules, such as the EU’s General Data Protection Regulation (GDPR).

At Data Boiler, we see big and continuously boil down the essential improvements that fit your purpose. Between my patented inventions and the wealth of experience of my partner, Peter Martyn, we are about finding rare but high-impact value in controversial matters, straight talk about control flaws, leading innovation and change, and creating viable paths toward sustainable development and economic growth.

#MarketStructure #ConsolidatedAuditTrail #FlashCrash #Surveillance #SuspiciousActivities #BigData #SEC #FINRA #CapitalMarkets #Trading #RegulatoryAffairs
