We praise the honorable goals of the Consolidated Audit Trail (CAT) as a means to prevent future flash crashes[i] and in doing so allow the SEC and other market regulators to “rapidly reconstruct trading activity and quickly analyze both suspicious trading behavior and unusual market events”[ii]. We argue against the limitation of liability proposal and the revised funding model NOT BECAUSE we have any dislike for the CAT processor and its participants (i.e. FINRA, CAT LLC, and the Exchange Groups). Indeed, have mercy on them, because every constituent (including industry members) seems individually bound to achieve the following goals concurrently: (1) fulfill the SEC’s mandate to regulate/promote the safety and soundness of the market, (2) serve the public interest [address the civic concerns about Massive Government Surveillance][iii], (3) uphold and continue the pursuit of national cybersecurity and privacy protection best practices,[iv] and (4) comply with the Fourth Amendment of the U.S. Constitution[v], the Department of Justice’s latest edition of the Privacy Act of 1974[vi] and other applicable laws and new bills[vii] introduced recently.
The CAT’s technical design since 2012[viii] as a golden source (or a “gigantic data-vault”), while well intended, is out of date. It will take “forever” to come up with a “golden” unified “single source of truth”. By the time a common standard is adhered to, the value of the data will have become almost worthless within the context of market surveillance. Analysts need sensors, not an encyclopedia. A good decision, made now and pursued aggressively, is substantially superior to a perfect decision made too late. The CAT project is outsized and is a Money Pit, not only in terms of building and ongoing operating costs; it also introduces huge waste and is not environmentally friendly according to LEAN Six-Sigma[ix].
The outdated design of CAT, with all the non-essential data ‘at-rest’ and ‘in-motion’, makes it more vulnerable to security threats than modernized RTAP. Data vaults, data lakes, and ‘golden sources of data’ are indeed attractive targets for hackers on a treasure hunt. Hackers do not necessarily come from outside; compromised internal executives, staff, and contractors may pose even higher dangers because of potential cover-ups and their ability to profit off any stolen data.[i] The Central Intelligence Agency – Edward Snowden case[ii] is a prime example, i.e. NOT a hypothetical “black swan”[iii] cyber breach. Additionally, the Director of National Intelligence has warned about China and Russia being the biggest threats to the U.S. in the latest assessment report.[iv] An insecure and breached CAT can cause the destabilization of the U.S. capital market, which trades in trillions of dollars daily. CAT must up its game for security protection against infiltration and foreign adversaries or else it could become a threat to National Security.
The CAT NMS Plan failed to address the following causes of potential information leaks: Membership Inference Attacks, Reconstruction Attacks, Property Inference Attacks, and Model Extraction.[v] It lacks scenario planning to counter different implementations of attacks (Centralized/Distributed Learning). The trading and investment communities are concerned that User Defined Direct Query and bulk extraction increase the vulnerability of data being misused for impermissible purposes. We are not convinced that non-public data and PII will be safeguarded properly if measured against our suggested minimum requirements (please see Table 1 of our November 30, 2020 comments[vi]). Without embedding an appropriate analytical framework into the design of CAT, as we have pointed out since our comments in 2016,[vii] CAT may be a useless gigantic vault that does nothing other than cause disturbances to all industry members, wasting valuable time and energy in data submission and causing worry about security and compliance.
Why would large Exchange Groups that have robust surveillance systems and are linked to market data feeds at nanosecond precision need a “50± millisecond tolerance” CAT system? “If” one would play the devil’s advocate of using CAT data for non-regulatory purposes (i.e. function creep), CAT will not save Exchanges from subscribing to other peer Exchange feeds given the T+5 access for CAT, but what if these non-public data and PII offer valuable insights to help Exchanges target and attract order flow? Would countless buy and sell-side broker-dealers and market makers be cut out from the industry value chain[viii]?
CAT participants and industry members seem to address themselves to the parable of the blind men and an elephant[ix] and/or hustle to seek shelter – immunity[x] and/or defer until “accommodate the unending demands of the industry”[xi]. Frankly, the only parties that stand to gain from an ever-growing size of CAT may be the vendors. These cloud storage, security, infrastructure, and data processing vendors, along with other big law or compliance consulting firms, add layers of costs to the industry without adding much value to the monitoring and analytical aspects of CAT. How sad!
By Kelvin To, Founder and President of Data Boiler Technologies