90 FR 52 pgs. 12845-12856 - Joint Industry Plan; Notice of Filing of Amendment to the National Market System Plan Governing the Consolidated Audit Trail Regarding the Proposed Customer and Account Information System Amendment
Type: NOTICEVolume: 90Number: 52Pages: 12845 - 12856
Pages: 12845, 12846, 12847, 12848, 12849, 12850, 12851, 12852, 12853, 12854, 12855, 12856Docket number: [Release No. 34-102665; File No. 4-698]
FR document: [FR Doc. 2025-04516 Filed 3-18-25; 8:45 am]
Agency: Securities and Exchange Commission
Official PDF Version: PDF Version
[top]
SECURITIES AND EXCHANGE COMMISSION
[Release No. 34-102665; File No. 4-698]
Joint Industry Plan; Notice of Filing of Amendment to the National Market System Plan Governing the Consolidated Audit Trail Regarding the Proposed Customer and Account Information System Amendment
March 13, 2025.
I. Introduction
On March 7, 2025, the Consolidated Audit Trail, LLC ("CAT LLC"), on behalf of the following parties to the National Market System Plan Governing the Consolidated Audit Trail (the "CAT NMS Plan" or "Plan"):? 1 BOX Exchange LLC; Cboe BYX Exchange, Inc., Cboe BZX Exchange, Inc., Cboe C2 Exchange, Inc., Cboe EDGA Exchange, Inc., Cboe EDGX Exchange, Inc., Cboe Exchange, Inc., Financial Industry Regulatory Authority, Inc., Investors Exchange LLC, Long-Term Stock Exchange, Inc., MEMX, LLC, Miami International Securities Exchange LLC, MIAX Emerald, LLC, MIAX PEARL, LLC, MIAX Sapphire, LLC, Nasdaq BX, Inc., Nasdaq GEMX, LLC, Nasdaq ISE, LLC, Nasdaq MRX, LLC, Nasdaq PHLX LLC, The NASDAQ Stock Market LLC, New York Stock Exchange LLC, NYSE American LLC, NYSE Arca, Inc., NYSE Chicago, Inc., and NYSE National, Inc. (collectively, the "Participants," "self-regulatory organizations," or "SROs") filed with the Securities and Exchange Commission ("SEC" or "Commission") pursuant to Section 11A(a)(3) of the Securities Exchange Act of 1934 ("Exchange Act"), 2 and Rule 608 thereunder, 3 a proposed amendment to the CAT NMS Plan to reduce the amount of Customer? 4 information in the CAT Customer and Account Information System (the "CAIS Amendment"). 5 Exhibit A sets forth the cumulative changes proposed to be made to the CAT NMS Plan. The Commission is publishing this notice to solicit comments from interested persons on the proposed CAIS Amendment.
Footnotes:
1 ?In July 2012, the Commission adopted Rule 613 of Regulation NMS, which required the Participants to jointly develop and submit to the Commission a national market system plan to create, implement, and maintain a consolidated audit trail (the "CAT"). See Securities Exchange Act Release No. 67457 (July 18, 2012), 77 FR 45722 (Aug. 1, 2012 ("Rule 613 Adopting Release"); 17 CFR 242.613. On November 15, 2016, the Commission approved the CAT NMS Plan. See Securities Exchange Act Release No. 78318 (Nov. 15, 2016), 81 FR 84696 (Nov. 23, 2016) ("CAT NMS Plan Approval Order"). The CAT NMS Plan is Exhibit A to the CAT NMS Plan Approval Order. See CAT NMS Plan Approval Order, at 84943-85034.
2 ?15 U.S.C 78k-1(a)(3).
3 ?17 CFR 242.608.
4 ?A "Customer" means "the account holder(s) of the account at a registered broker-dealer originating the order; and any person from whom the broker-dealer is authorized to accept trading instructions for such account, if different from the account holder(s). See CAT NMS Plan, supra note 1 at Section 1.1.
5 ? See Letter from Brandon Becker, CAT NMS Plan Operating Committee Chair, to Vanessa Countryman, Secretary, Commission, dated March 7, 2025 ("Transmittal Letter").
II. Description of the Plan
Set forth in this Section II is the description of the proposed CAIS Amendment, along with information required by Rule 608(a) under the Exchange Act, 6 as prepared and submitted by the Participants to the Commission. 7
Footnotes:
6 ? See 17 CFR 242.608(a).
7 ? See Transmittal Letter, supra note 5. Unless otherwise defined herein, capitalized terms used herein are defined as set forth in the CAT NMS Plan.
[top] On February 10, 2025, the SEC published an order (the "CAIS Exemption Order") granting sua sponte exemptive relief from certain requirements of the CAT NMS Plan related to the reporting of names, addresses and years of birth for natural persons reported with transformed social security numbers ("SSNs")/individual tax payer identification numbers ("ITINs") to the Customer and
Footnotes:
8 ? See Securities Exchange Act Release No. 102386 (Feb. 10, 2025), 90 FR 9642 (Feb. 14, 2025), https://www.sec.gov/files/rules/sro/nms/2025/34-102386.pdf.
CAT LLC believes that there are additional steps that would reduce the amount of Customer information in the CAT and achieve significant annual savings in CAT operating costs. Therefore, CAT LLC respectfully submits this CAIS Amendment to codify and build on the CAIS Exemption Order in the following ways:
• First, while the CAIS Exemption Order applies to the reporting of the exempted Customer information going forward, this CAIS Amendment would require the deletion of previously reported Customer information already in the CAT.
• Second, while the CAIS Exemption Order is permissive, allowing Industry Members to choose whether to continue reporting the exempted Customer information to the CAT (and therefore requiring the CAT to continue to be prepared to accept that information), this CAIS Amendment would prohibit the continued reporting of the exempted Customer information to the CAT.
• Third, while the CAIS Exemption Order applies to some natural persons, this CAIS Amendment would cover all natural persons (including, for example, foreign natural persons that are not reported with transformed SSNs or ITINs) and all legal entity Customers.
• Fourth, while the CAIS Exemption Order would not result in cost savings, the CAIS Amendment would allow CAT LLC to achieve an estimated $12 million in annual cost savings. 9
Footnotes:
9 ?All cost savings projections provided in this CAIS Amendment are the Plan Processor's best estimates based on costs actually incurred in 2024 ("2024 Actuals") and are subject to change based on ongoing improvements to AWS that may reduce current AWS costs.
CAT LLC respectfully urges the Commission to approve this CAIS Amendment expeditiously in order to build on the CAIS Exemption Order to further address the considerations cited by the SEC in the CAIS Exemption Order? 10 while also facilitating significant annual cost savings.
Footnotes:
10 ?CAIS Exemption Order at 9643-44 (noting that the CAIS Exemption Order would ensure "the protection of individual investors' PII" in light of "the increasing sophistication of cybercriminals and bad actors").
Specifically, CAT LLC proposes to amend the CAT NMS Plan to (i) formally incorporate and codify the existing CCID Exemption Order to the CAT NMS Plan, 11 which was published by the SEC on March 17, 2020, and has since prohibited Industry Members from reporting SSNs/ITINs, dates of birth, and account numbers to the CAT, and (ii) newly eliminate requirements that Industry Members report Customer names, Customer addresses, account names, account addresses, years of birth, and authorized trader names (collectively, "Name, Address, and YOB") to the CAT ((i) and (ii), together, the "Proposed Changes"). 12 The Proposed Changes would apply to all Customers-including all natural person Customers and all legal entity Customers-at both the Customer and account level.
Footnotes:
11 ? See Securities Exchange Act Release No. 88393 (Mar. 17, 2020), 85 FR 16152 (Mar. 20, 2020), https://www.govinfo.gov/content/pkg/FR-2020-03-20/pdf/2020-05935.pdf ("CCID Exemption Order").
12 ?The Plan Processor would make conforming changes to the CAT Reporting Customer & Account Technical Specifications for Industry Members to eliminate any fields related to the Proposed Changes.
As discussed in more detail herein, the CAIS Amendment should be approved because:
• The Proposed Changes would allow CAT LLC to achieve significant cost savings of approximately $12 million per year as compared to 2024 Actuals, which would materially advance CAT LLC's ongoing efforts to reduce CAT operating costs. 13
Footnotes:
13 ?Last year, CAT LLC proposed, and the Commission approved, separate cost savings amendments that are expected to result in approximately $21 million in new annual cost savings in the first year with limited impact on the regulatory function of the CAT, which cost savings were estimated based on then-estimated 2024 costs. See Order Approving Amendments to the National Market System Plan Governing the Consolidated Audit Trail Designed to Implement Cost Savings Measures, Securities Exchange Act Release No. 101901 (Dec. 12, 2024), 89 FR 103033 (Dec. 18, 2024).
• In addition to cost savings, the Proposed Changes would build on the CCID Exemption Order and the CAIS Exemption Order by affirmatively eliminating Name, Address, and YOB from the CAT while preserving regulators' ability to conduct cross-market, cross-broker, and cross-account surveillance of an individual Customer through a unique Customer-ID, which was one of the primary regulatory purposes of SEC Rule 613. 14 As was the case prior to CAT, regulatory users could contact Industry Members directly to obtain any sensitive Customer information, including Names, Addresses, and YOBs.
Footnotes:
14 ? See, e.g. Securities Exchange Act Release No. 67457 (July 18, 2012), 77 FR 45722, 45757 (Aug. 1, 2012) ("CAT Adopting Release") ("The Commission . . . believes that unique customer identifiers are vital to the effectiveness of the consolidated audit trail. The inclusion of unique customer identifiers should greatly facilitate the identification of the orders and actions attributable to particular customers and thus substantially enhance the efficiency and effectiveness of the regulatory oversight provided by the SROs and the Commission. Without the inclusion of unique customer identifiers, many of the benefits of a consolidated audit trail . . . would not be achievable."); CCID Exemption Order at 16156 n.78 ("[I]n the Commission's view, without the Customer-ID, the value and usefulness of the CAT would be significantly diminished.").
• Because the Proposed Changes would allow CAT LLC to achieve significant cost savings and would eliminate Name, Address, and YOB from the CAT while preserving the core regulatory objectives of SEC Rule 613, the benefits of the Proposed Changes significantly outweigh their costs, and CAT LLC strongly urges the Commission to approve the CAIS Amendment.
The proposed changes to the CAT NMS Plan to implement the CAIS Amendment are set forth in Exhibit A to this filing.
Requirements Pursuant to Rule 608(a)
A. Description of the Proposed Amendments to the CAT NMS Plan
1. Permanently Exclude Customer Names, Addresses, and YOBs From CAT Reporting
a. CAT Reporting Requirements
Under the CAT NMS Plan, the Participants must require Industry Members to report Customer Identifying Information and Customer Account Information to the CAT for each of their Customers. 15 Customer Identifying Information is defined in Section 1.1 of the CAT NMS Plan to mean:
Footnotes:
15 ? See Sections 6.4(d)(ii)(C) and 6.4(d)(iv) of the CAT NMS Plan.
information of sufficient detail to identify a Customer, including, but not limited to, (a) with respect to individuals: name, address, date of birth, individual tax payer identification number ("ITIN")/social security number ("SSN"), individual's role in the account ( e.g., primary holder, joint holder, guardian, trustee, person with the power of attorney); and (b) with respect to legal entities: name, address, Employer Identification Number ("EIN")/Legal Entity Identifier ("LEI") or other comparable common entity identifier, if applicable; provided, however, that an Industry Member that has an LEI for a Customer must submit the Customer's LEI in addition to other information of sufficient detail to identify a Customer. 16
Footnotes:
16 ?Section 1.1 of the CAT NMS Plan.
[top]
Customer Account Information is defined in Section 1.1 of the CAT NMS Plan to include, but not be limited to:
account type, customer type, date account opened, and large trader identifier (if applicable); except, however, that (a) in those circumstances in which an Industry Member has established a trading relationship with an institution but has not established an account with that institution, the Industry Member will (i) provide the Account Effective Date in lieu of the "date account opened"; (ii) provide the relationship identifier in lieu of the "account number"; and (iii) identify the "account type" as a "relationship"; (b) in those circumstances in which the relevant account was established prior to the implementation date of the CAT NMS Plan applicable to the relevant CAT Reporter (as set forth in Rule 613(a)(3)(v) and (vi)), and no "date account opened" is available for the account, the Industry Member will provide the Account Effective Date in the following circumstances: (i) where an Industry Member changes back office providers or clearing firms and the date account opened is changed to the date the account was opened on the new back office/clearing firm system; (ii) where an Industry Member acquires another Industry Member and the date account opened is changed to the date the account was opened on the post-merger back office/clearing firm system; (iii) where there are multiple dates associated with an account in an Industry Member's system, and the parameters of each date are determined by the individual Industry Member; and (iv) where the relevant account is an Industry Member proprietary account. 17
Footnotes:
17 ?Section 1.1 of the CAT NMS Plan.
Accordingly, as originally approved by the Commission, the CAT NMS Plan requires the CAT to capture and store certain Customer Identifying Information and Customer Account Information in the Central Repository, including social security numbers, dates of birth, and account numbers. 18 In 2018, the Participants submitted a request for exemptive relief from certain reporting provisions of the CAT NMS Plan (the "CCID Exemption Request"). 19 The CCID Exemption Request was the product of close coordination between the Participants, Industry Members, and the Commission to develop alternatives to reporting Customer information while maintaining sufficient information to preserve CAT's intended regulatory uses. The Commission granted the CCID Exemption Request on March 17, 2020, 20 which is described in more detail below.
Footnotes:
18 ?Section 9.1 of Appendix D of the CAT NMS Plan.
19 ? See Letter from Michael Simon, CAT NMS Plan Operating Committee Chair, to Vanessa Countryman, Secretary, Commission (Jan. 29, 2020), https://www.catnmsplan.com/sites/default/files/2020-02/Amended-Exemptive-Request-CCID-and-Modified-PII-Approaches%28Final%29.pdf.
20 ? See supra note 11.
b. CCID Exemption Order
On March 17, 2020, the Commission granted exemptive relief related to the reporting of SSNs/ITINs, dates of birth, and account numbers to the CAT. The CCID Exemption Order allows the Plan Processor to generate a unique identifier for a Customer, called a CAT Customer-ID ("CCID"), using a two-phase transformation process that avoids the requirement to have SSNs/ITINs reported to the CAT as originally contemplated by SEC Rule 613 and the CAT NMS Plan. In addition, instead of reporting dates of birth and account numbers, Industry Members are required to report years of birth and FDIDs. 21
Footnotes:
21 ?The term "Firm Designated ID" is defined in the CAT NMS Plan as: "(1) a unique and persistent identifier for each trading account designated by Industry Members for purposes of providing data to the Central Repository provided, however, such identifier may not be the account number for such trading account if the trading account is not a proprietary account; (2) a unique and persistent relationship identifier when an Industry Member does not have an account number available to its order handling and/or execution system at the time of order receipt, provided, however, such identifier must be masked; or (3) a unique and persistent entity identifier when an employee of an Industry Member is exercising discretion over multiple client accounts and creates an aggregated order for which a trading account number of the Industry Member is not available at the time of order origination, where each such identifier is unique among all identifiers from any given Industry Member." Section 1.1 of the CAT NMS Plan.
The CAIS Amendment would incorporate the CCID Exemption Order into the CAT NMS Plan and would go further by eliminating Name, Address, and YOB from the CAT while preserving one of the primary objectives of the CAT, i.e., the ability for regulators to conduct cross-market surveillance of a specific Customer. As the Commission explained in the CCID Exemption Order:
[t]he ability to efficiently and accurately identify individual Customers will allow regulators to establish those that might be responsible for illegal conduct, or to identify those that might be the victim of fraudulent activity. Indeed, one of the hallmarks of the CAT is the ability to provide customer attribution of order and trade activity even if such trading activity spans multiple broker-dealers. Pursuant to the Plan, the identification of Customers is achieved by the creation and use of the Customer-ID, a code that uniquely and consistently identifies every Customer. The Commission continues to believe, as it did when it approved the Plan, that the ability to link the full life cycle of every order as that order travels across broker-dealers and market centers to a specific Customer through the use of a Customer-ID will greatly facilitate the regulatory and surveillance efforts of regulators. For the Commission in particular, this ability to identify a Customer through the use of a CCID will also facilitate the Commission's efforts in the areas of market reconstruction, market analysis and rule-making support. Indeed, in the Commission's view, without the Customer-ID, the value and usefulness of the CAT would be significantly diminished. 22
Footnotes:
22 ?CCID Exemption Order at 16156 n.78.
c. CAIS Exemption Order
On February 10, 2025, the Commission published the CAIS Exemption Order sua sponte, granting exemptive relief related to the reporting of names, addresses, and years of birth for natural persons reported with transformed SSNs or ITINs to CAIS. Additional steps would further CAT LLC's efforts to reduce CAT operating costs and the SEC's considerations in granting the CAIS Exemption Order.
First, CAT LLC and the Participants understand that the CAIS Exemption Order is permissive at the discretion of Industry Members (meaning that Industry Members may choose to take advantage of the exemptive relief or choose to continue reporting names, addresses, and years of birth for natural persons reported with transformed SSNs or ITINs to CAIS) and only applies to natural persons reported with transformed SSNs or ITINs, and not to natural persons reported without transformed SSNs/ITINs, including foreign nationals, or to legal entities. As a result, the Plan Processor must maintain all software that is required to continue to accept such Customer information for those Industry Members who choose to continue reporting it, as well as to support regulatory queries of Name, Address, and YOB data for non-exempted persons. Consequently, the CAIS Exemption Order will not result in any cost savings. This CAIS Amendment proposes to fully eliminate the requirement to report Names, Addresses, and YOBs for all natural person and legal entity Customers to CAIS. Doing so would permanently eliminate Name, Address, and YOB from CAT reporting while also allowing the Plan Processor to eliminate the software that is required to support regulatory queries of Name, Address, and YOB, which would result in significant annual cost savings.
[top] Second, in granting its CAIS Exemption Order, the SEC cited security considerations, concluding that the benefits of reporting names, addresses, and years of birth for natural persons reported with transformed SSNs or ITINs no longer justify the potential risks. 23 However, the CAIS Exemption Order only applies to the reporting of such Customer information after of the date of the order, and only to the extent
Footnotes:
23 ? See CAIS Exemption Order at 9643-44.
d. Proposed Revisions to the CAT NMS Plan
To incorporate the Proposed Changes, CAT LLC proposes certain revisions to the CAT NMS Plan, including Appendix D of the CAT NMS Plan, which are described below. 24
Footnotes:
24 ?Because the Commission has acknowledged that Appendix C was not intended to be continually updated once the CAT NMS Plan was approved, CAT LLC is not proposing to update Appendix C to reflect the proposed amendments. See Exchange Act Rel. No. 89632 (Aug. 21, 2020), 85 FR 65990 (Oct. 16, 2020).
i. Revisions to the CAT NMS Plan
CAT LLC proposes adding certain new defined terms to Section 1.1 of the CAT NMS Plan. Specifically, CAT LLC would add new defined terms for "CAIS," "CCID Subsystem," and "Transformed Identifier" or "TID," which would read as follows:
"?` CAIS ' means the customer and account information system of the CAT.
`CCID Subsystem ' means the isolated subsystem of CAIS that exists solely to transform input TID values into CCID values.
` Transformed Identifier ' or ` TID ' means the transformed version of the individual tax payer identification number (`ITIN') or social security number (`SSN') submitted by Industry Members in place of an ITIN or SSN."
CAT LLC would also add the phrase "or `CAT Customer-ID' or `CCID'?" to the current definition of "Customer-ID." The revised definition would read as follows:
"?` Customer-ID ' or ` CAT Customer-ID ' or ` CCID ' has the same meaning provided in SEC Rule 613(j)(5)."
In addition to these new defined terms, CAT LLC also proposes revising certain defined terms in the Plan to incorporate existing reporting requirements that are currently outlined in the CCID Exemption Order and to remove references to Name, Address, and YOB. First, CAT LLC proposes to eliminate from the definition of "Customer Account Information" prior references to "account number" and to insert the parenthetical phrase, "(excluding, for the avoidance of doubt, account number)," to clarify that account numbers are not reportable to the CAT pursuant to the CCID Exemption Order. 25 As an additional clarification, CAT LLC proposes to add the sentence, "For the avoidance of doubt, Industry Members are required to provide a Firm Designated ID in accordance with this Agreement" to the end of the definition. Additionally, CAT LLC proposes to change the defined term from "Customer Account Information" to "Account Attributes" to more accurately describe the information that can be attributed to a Customer's account under this definition. Relatedly, CAT LLC proposes to eliminate the term "Customer Account Information" and to replace that term with "Account Attributes" throughout the CAT NMS Plan. 26 As revised, the proposed definition of "Account Attributes" would read as follows:
Footnotes:
25 ?Under the FDID definition, see supra note 21, Industry Members may elect to use an actual account number for any proprietary account of the firm when reporting an FDID.
26 ?With respect to FAM-related defined terms, CAT LLC proposes to add a footnote in the definition of "Full Availability and Regulatory Utilization of Transactional Database Functionality" stating that "[e]ffective [DATE], `Customer Account Information' as used in the Financial Accountability Milestones (Initial Industry Member Core Equity Reporting; Full Implementation of Core Equity Reporting; Full Availability and Regulatory Utilization of Transactional Database Functionality; and Full Implementation of CAT NMS Plan Requirements) is no longer a defined term and has been superseded by the new defined term `Account Attributes'." This language is intended to address any confusion caused by the use of "Customer Account Information" in the Plan after that defined term is changed to "Account Attributes" in Section 1.1.
"?` Account Attributes ' shall include, but not be limited to, account type, customer type, date account opened, and large trader identifier (if applicable) (excluding, for the avoidance of doubt, account number); except, however, that (a) in those circumstances in which an Industry Member has established a trading relationship with an institution but has not established an account with that institution, the Industry Member will (i) provide the Account Effective Date in lieu of the `date account opened'; and (ii) identify the `account type' as a `relationship'; (b) in those circumstances in which the relevant account was established prior to the implementation date of the CAT NMS Plan applicable to the relevant CAT Reporter (as set forth in Rule 613(a)(3)(v) and (vi)), and no `date account opened' is available for the account, the Industry Member will provide the Account Effective Date in the following circumstances: (i) where an Industry Member changes back office providers or clearing firms and the date account opened is changed to the date the account was opened on the new back office/clearing firm system; (ii) where an Industry Member acquires another Industry Member and the date account opened is changed to the date the account was opened on the post-merger back office/clearing firm system; (iii) where there are multiple dates associated with an account in an Industry Member's system, and the parameters of each date are determined by the individual Industry Member; and (iv) where the relevant account is an Industry Member proprietary account. For the avoidance of doubt, Industry Members are required to provide a Firm Designated ID in accordance with this Agreement.
Second, CAT LLC proposes revising the definition of "Customer Identifying Information" to reflect reporting practices described in the CCID Exemption Order and to remove references to Name, Address, and YOB from the definition. Additionally, CAT LLC proposes to change the defined term from "Customer Identifying Information" to "Customer Attributes" to more accurately describe the information that could be attributable to a Customer in light of the proposal to remove Name, Address, and YOB from the definition. Relatedly, CAT LLC proposes to eliminate the term "Customer Identifying Information" and to replace that term with "Customer Attributes" throughout the CAT NMS Plan. 27 As revised, the proposed definition of "Customer Attributes" would read as follows:
Footnotes:
27 ?With respect to FAM-related defined terms, CAT LLC proposes to add a footnote in the definition of "Full Availability and Regulatory Utilization of Transactional Database Functionality" stating that "[e]ffective [DATE], `Customer Identifying Information' as used in the Financial Accountability Milestones (Initial Industry Member Core Equity Reporting; Full Implementation of Core Equity Reporting; Full Availability and Regulatory Utilization of Transactional Database Functionality; and Full Implementation of CAT NMS Plan Requirements) is no longer a defined term and has been superseded by the new defined term `Customer Attributes'." This language is intended to address any confusion caused by the use of "Customer Identifying Information" in the Plan after that defined term is changed to "Customer Attributes" in Section 1.1.
[top] "?` Customer Attributes ' means information attributed to a Customer, including, but not limited to, (a) with respect to individuals: TID and the individual's role in the account ( e.g., primary holder, joint holder, guardian, trustee, person with the power of attorney); and (b) with respect to legal entities: Employer Identification Number (`EIN')/Legal Entity Identifier (`LEI') or other comparable common entity identifier, if applicable; provided, however, that an Industry Member
Finally, CAT LLC proposes adding a new defined term "Customer and Account Attributes" to replace the defined term "PII" throughout the CAT NMS Plan. This new defined term would refer, collectively, to all of the attributes in the definitions of "Customer Attributes" and "Account Attributes" described above. This term is a useful and efficient way to refer to all of the data attributes associated with a Customer (whether a natural person or a legal entity) that must be reported to the CAT. Furthermore, CAT LLC believes that it is appropriate to delete the defined term "PII" from the CAT NMS Plan and to replace it with the defined term "Customer and Account Attributes" because that term would more accurately describe the data attributes related to Customers and Customer accounts that must be reported to the CAT now that Customer name, Customer address, account name, account address, authorized trader names list, account number, day of birth, month of birth, year of birth, and ITIN/SSN would be eliminated from the CAT under this CAIS Amendment. Therefore, CAT LLC proposes to delete the definition of "PII" from the Plan and to replace it with the defined term "Customer and Account Attributes" throughout the CAT NMS Plan. Specifically, the term "Customer and Account Attributes" would replace the term "PII" in Sections 6.2(b)(v)(F) and 6.10(c)(ii), and Appendix D, Sections 4.1; 4.1.2; 4.1.4; 6.2; 8.1.1; 8.1.3; 8.2; and 8.2.2. 28 The new term "Customer and Account Attributes" would be defined as follows:
Footnotes:
28 ?Additionally, the term "Customer and Customer Account Information," which is used in Sections 9 and 10 of Appendix D, would be updated to "Customer and Account Attributes" in each instance for consistency and to clarify the scope of information contemplated by those Sections.
"?` Customer and Account Attributes ' shall mean the data elements in Account Attributes and Customer Attributes."
ii. Revisions to Appendix D
CAT LLC also proposes revising certain provisions of Appendix D of the CAT NMS Plan to incorporate the CCID Exemption Order and to remove references to Name, Address, and YOB.
First, CAT LLC proposes revising Section 9.1 of Appendix D to make clear that, at a minimum, the CAT must capture Transformed Identifiers with respect to individuals and Legal Entity Identifiers with respect to legal entities. Additionally, CAT LLC proposes certain conforming changes to Section 9.1 of Appendix D relating to (a) Plan Processor data validation processes; and (b) the Plan Processor's procedures for assigning a unique CCID to each Customer. These conforming changes are intended to reflect reporting practices and the scope of reportable data contemplated by the CCID Exemption Order and the other Proposed Changes described in this amendment ( i.e., eliminating Name, Address, and YOB from CAIS). Finally, references in Section 9.1 to "Customer and Customer Account Information" have been changed to "Customer and Account Attributes" consistent with the new defined term described above. As revised, Section 9.1 of Appendix D would read as follows:
"9.1 Customer and Account Attributes Storage
The CAT must capture and store Customer and Account Attributes in a secure database physically separated from the transactional database. The Plan Processor will maintain certain information attributed to each Customer across all CAT Reporters, and associated accounts from each CAT Reporter. At a minimum, the CAT must capture Transformed Identifiers.
For legal entities, the CAT must capture Legal Entity Identifiers (LEIs) (if available).
The Plan Processor must maintain valid Customer and Account Attributes for each trading day and provide a method for Participants' regulatory staff and the SEC to easily obtain historical changes to that information.
The Plan Processor will use the Transformed Identifier submitted by all broker-dealer CAT Reporters to the isolated CCID Subsystem to assign a unique Customer-ID for each Customer. The Customer-ID must be consistent across all broker-dealers that have an account associated with that Customer. This unique CAT-Customer-ID will not be returned to CAT Reporters and will only be used internally by the CAT.
Broker-Dealers will initially submit full account lists for all active accounts to the Plan Processor and subsequently submit updates and changes on a daily basis. In addition, the Plan Processor must have a process to periodically receive full account lists to ensure the completeness and accuracy of the account database. The Central Repository must support account structures that have multiple account owners and associated Customer information (joint accounts, managed accounts, etc.), and must be able to link accounts that move from one CAT Reporter to another ( e.g., due to mergers and acquisitions, divestitures, etc.)."
Second, CAT LLC proposes revising Section 9.2 of Appendix D to make clear that the Central Repository will not accept data attributes related to an account owner's name, mailing address, or tax identifier. Additionally, the proposed revisions would indicate that the Central Repository must accept Transformed Identifiers with respect to Customers that are individuals and EINs with respect to Customers that are legal entities. As revised, Section 9.2 of Appendix D would read as follows:
"9.2 Required Data Attributes for Customer Information Data Submitted by Industry Members
At a minimum, the following Customer information data attributes must be accepted by the Central Repository:
• Transformed Identifier (with respect to individuals) or EIN (with respect to legal entities);
• Market Identifiers (Larger Trader ID, LEI);
• Type of Account;
• Firm Identifier Number;
? The number that the CAT Reporter will supply on all orders generated for the Account;
• Prime Broker ID;
• Bank Depository ID; and
• Clearing Broker."
Third, CAT LLC proposes revising Section 9.3 of Appendix D to incorporate the existing process by which the Plan Processor determines a unique CAT-Customer-ID for each Customer under the CCID Exemption Order. As revised, Section 9.3 of Appendix D would read as follows:
"9.3 Customer-ID Tracking
The Plan Processor will assign a CAT-Customer-ID for each unique Customer. The Plan Processor will generate and assign a unique CAT-Customer-ID for each Transformed Identifier submitted by broker-dealer CAT Reporters to the isolated CCID Subsystem. Once a CAT-Customer-ID is assigned, it will be added to each linked (or unlinked) order record for that Customer.
Participants and the SEC must be able to use the unique CAT-Customer-ID to track orders from any Customer or group of Customers, regardless of what brokerage account was used to enter the order."
[top] Fourth, CAT LLC proposes revising Section 9.4 of Appendix D to eliminate the requirement that the Plan Processor design and implement procedures and mechanisms to handle minor and material inconsistencies in Customer information. Minor data discrepancies refer specifically to variations in road name abbreviations for Customer addresses. Because this amendment would eliminate Name, Address, and YOB, the Plan requirement that the Central Repository be able to accommodate minor data discrepancies related to Customer addresses is no longer relevant. More broadly the inconsistency checks that are currently performed by the Plan Processor to handle both minor and material inconsistencies provide minimal value and impose unnecessary costs on Participants and Industry Members. As
"9.4 Error Resolution for Customer Data
The Central Repository must have an audit trail showing the resolution of all errors. The audit trail must, at a minimum, include the:
• CAT Reporter submitting the data;
• Initial submission date and time;
• Data in question or the ID of the record in question;
• Reason identified as the source of the issue;
• Date and time the issue was transmitted to the CAT Reporter, included each time the issue was re-transmitted, if more than once;
• Corrected submission date and time, including each corrected submission if more than one, or the record ID(s) of the corrected data or a flag indicating that the issue was resolved and corrected data was not required; and
• Corrected data, the record ID, or a link to the corrected data."
Finally, CAT LLC proposes adding a new Section 9.5 to Appendix D, which would require CAT LLC to direct the Plan Processor to delete from CAIS all existing Customer data and information contemplated by the Proposed Changes and clarify that such Customer data and information do not constitute records that CAT LLC must retain under Exchange Act Rule 17a-1. Furthermore, to the extent that either CAT LLC or the Plan Processor becomes aware through self-reporting or otherwise that an Industry Member has improperly reported any such Customer data or information, this CAIS Amendment would permit its deletion. The new Section 9.5 of Appendix D would be entitled "Deletion from CAIS of Certain Reported Customer Data" and would read as follows:
"9.5 Deletion From CAIS of Certain Reported Customer Data
Notwithstanding any other provision of the CAT NMS Plan, this Appendix D, or the Exchange Act, CAT LLC shall direct the Plan Processor to develop and implement a mechanism to delete from CAIS, or otherwise make inaccessible to regulatory users, the following data attributes: Customer name, Customer address, account name, account address, authorized trader names list, account number, day of birth, month of birth, year of birth, and ITIN/SSN. For the avoidance of doubt, such data attributes do not constitute records that must be retained under Exchange Act Rule 17a-1. CAT LLC or the Plan Processor shall be permitted to delete any such information that has been improperly reported by an Industry Member to the extent that either becomes aware of such improper reporting through self-reporting or otherwise."
To the extent that the Commission deems it necessary to grant exemptive relief from the recordkeeping and data retention requirements of Rule 17a-1 under the Exchange Act in order to effectuate the Proposed Changes, the Participants request such exemptive relief with respect to the deletion of such reported data described above on a retroactive and prospective basis.
2. Justifications for the CAIS Amendment
a. The CAIS Amendment Would Result in an Estimated $12 Million in Cost Savings Each Year
The CAT's operating budget for 2025 includes approximately $35.5 million in CAIS-related costs, which includes: (1) $20.7 million in operating fees payable to the Plan Processor to operate and maintain CAIS;? 29 (2) a $2.8 million CAIS-related annual license fee payable to the Plan Processor; and (3) approximately $12 million in CAIS-related cloud hosting services fees.
Footnotes:
29 ?This CAIS operating fee is separate and in addition to a $30.8 million operating fee payable to the Plan Processor to operate and maintain the transaction database for the CAT.
In total, the CAIS Amendment would allow CAT LLC to achieve approximately $10 million to $12 million in cost savings each year as compared to 2024 Actuals. First, the Plan Processor has proposed reducing its CAIS operating fees by approximately $5 million per year if the Proposed Changes are adopted. 30 As a result, CAIS operating fees payable to the Plan Processor would be reduced from approximately $20.7 million to $15.7 million annually. The $2.8 million annual license fee payable to the Plan Processor would be unaffected by this CAIS Amendment. Second, the Plan Processor estimates approximately $5 million to $7 million in savings per year related to cloud hosting services fees. 31 Accordingly, the CAIS-related cloud hosting services fees, based on 2024 Actuals, would be reduced from approximately $12 million to approximately $5 million to $7 million. These cost savings estimates are based on certain assumptions and the current scope of the CAT, and may vary based on, among other things, the details of the requirements in any final amendment approved by the Commission.
Footnotes:
30 ?The CAIS annual operating fee payable to the Plan Processor for 2025, which includes fees to pay for software that is required to support regulatory queries of CAIS data, is approximately $20.7 million per year. By eliminating the software that is required to support regulatory queries of Name, Address, and YOB data, the CAIS annual operating fee would be reduced to approximately $15.7 million per year, which is a difference of approximately $5 million per year.
31 ?CAT LLC currently budgets $12 million per year for CAIS cloud hosting services fees. Under the CAIS Amendment, CAIS cloud hosting services fees would total between approximately $5 million and $7 million per year, which represents a savings of between $5 million and $7 million per year.
To implement the CAIS Amendment, the Plan Processor has proposed a one-time change request implementation fee of approximately $4.5 million to $5.5 million. 32 One-time implementation costs will generally consist of Plan Processor labor costs associated with coding and software development, as well as any related cloud fees associated with the development, testing, and load testing of the Proposed Changes. Even accounting for this one-time implementation cost, the CAIS Amendment would allow CAT LLC to achieve approximately $5.5 million in cost savings in the first year followed by approximately $10 million to $12 million in cost savings each year thereafter, based on 2024 Actuals.
Footnotes:
32 ?The Plan Processor estimates that it would take approximately 9 to 12 months to fully implement the Proposed Changes.
[top] CAT operating costs are estimated to approach $250 million in 2025 as data volumes continue to reach record highs. 33 CAT LLC and the Plan Processor have put significant effort into reducing CAT costs that are within their control given the strict reporting requirements in the CAT NMS Plan, but additional cost savings measures-like those contemplated in this CAIS Amendment-require Commission action to permit their implementation. While the Commission recently approved a cost savings proposal from CAT LLC, it is critical to continue thinking carefully about ways to further reduce CAT costs while preserving the CAT's intended regulatory uses. The CAIS Amendment would do just that. The potential cost savings associated with the amendment are significant and would materially advance CAT LLC's ongoing cost savings efforts? 34 without impacting the ability of regulators to perform cross-market surveillance or to otherwise use the CAT for its intended regulatory purposes. Therefore, CAT LLC urges the Commission to approve the CAIS Amendment to allow for
Footnotes:
33 ?On March 4, 2025, data volumes exceeded 1 trillion reportable events for the first time.
34 ?For example, CAT LLC filed a cost savings amendment, which the Commission recently approved on December 12, 2024, that will permit approximately $21 million in annual cost savings, which cost savings were estimated based on then-estimated 2024 costs. See Letter from Brandon Becker, CAT NMS Plan Operating Committee Chair, to Vanessa Countryman, Secretary, Commission (Mar. 27, 2024); Letter from Brandon Becker, CAT NMS Plan Operating Committee Chair, to Vanessa Countryman, Secretary, Commission (Sept. 20, 2024); Order Approving Amendments to the National Market System Plan Governing the Consolidated Audit Trail Designed to Implement Cost Savings Measures, Securities Exchange Act Release No. 101901 (Dec. 12, 2024), 89 FR 103033 (Dec. 18, 2024).
b. The CAIS Amendment Also Would Build on the CCID Exemption Order and the CAIS Exemption Order to Further Address the SEC's Stated Security Considerations
In addition to allowing CAT LLC to achieve significant annual cost savings, the CAIS Amendment reflects a continuation of prior efforts to reduce Customer information in the CAT. Specifically, the CAIS Amendment would build on the CCID Exemption Order, which currently prohibits Industry Members from reporting SSNs/ITINs, dates of birth, and account numbers to the CAT. This CAIS Amendment would remove additional data attributes from the CAT, i.e., Name, Address, and YOB, while preserving the regulatory goals of SEC Rule 613 because the Plan Processor would continue to create a unique CCID allowing regulators to conduct cross-market, cross-broker, and cross-account surveillance.
Furthermore, the CAIS Amendment would further address the security-related considerations cited by the SEC in the CAIS Exemption Order with respect to all Customers. As discussed in more detail above, the CAIS Exemption Order grants relief from the requirement to report names, addresses, and years of birth for natural persons reported with transformed SSNs or ITINs to CAIS, but it does not address the deletion of existing data currently stored in CAIS. Therefore, the CAIS Exemption Order only addresses new natural persons reported with transformed SSNs or ITINs added to CAIS after the date of the order. It does not address the SEC's cited security considerations with respect to (1) existing natural persons reported with transformed SSNs or ITINs with data already stored in CAIS; (2) natural persons who are not reported with transformed SSNs or ITINs, including foreign nationals; or (3) legal entity Customers. This proposed CAIS Amendment addresses the SEC's security considerations with respect to all Customers-including all natural person and all legal entity Customers, both new and existing-by fully eliminating the requirement to report Names, Addresses, and YOBs to CAIS for all Customers and by requiring CAT LLC to direct the Plan Processor to delete all such information that is currently stored in the CAT.
c. The Proposed Changes Would Preserve the Core Regulatory Purposes of CAIS
Under this CAIS Amendment, Industry Members would continue reporting basic Customer and account information ( e.g., TID, account type) to CAIS, but the information reported would no longer include Name, Address, and YOB. Industry Members would also continue reporting Transformed Identifiers to the CCID Subsystem in the same manner as they do today pursuant to the CCID Exemption Order.
Similarly, the Plan Processor would continue creating a CCID for each unique Transformed Identifier in the same way that it does today. As such, a daily mapping of CCID to FDID would continue to be provided to the transactional database by the CAT System to provide CCID enrichment of transaction data. Additionally, the CAIS query tool would continue to be provided to allow the subset of regulatory users that have been authorized to access the CAIS database to search basic Customer and account information, minus Name, Address, and YOB. As was the case before CAT, regulatory users would need to contact Industry Members directly to obtain any more sensitive Customer information, including Name, Address, and YOB.
In short, the proposed CAIS Amendment would not impact how the Plan Processor provides CCID enrichment of transaction data. It would simply remove certain unnecessary Customer information ( i.e., Name, Address, and YOB) from the CAT in order to achieve significant cost savings while building on the existing CCID Exemption Order and the CAIS Exemption Order. Because the Plan Processor would continue to provide CCID enrichment of transaction data, the proposed CAIS Amendment would not impact the ability of regulators to track a Customer's trading activity across accounts, broker-dealers, and markets. By preserving regulators' ability to perform such cross-market, cross-broker, and cross-account surveillance, the CAIS Amendment would achieve significant cost savings and reduce unnecessary Customer information in the CAT without impacting a key aspect of CAT's intended regulatory uses.
d. The Benefits of the Proposed Changes Significantly Outweigh Their Costs
The benefits of the CAIS Amendment significantly outweigh its costs. As described above, the CAIS Amendment would further address the SEC's security considerations noted in the CAIS Exemption Order by reducing the amount of Customer information in the CAT. In addition, the CAIS Amendment would allow CAT LLC to achieve an estimated $12 million in cost savings each year as compared to 2024 Actuals, which would materially advance CAT LLC's ongoing efforts to reduce CAT operating costs. It would also build on CAT LLC's prior efforts to reduce Customer information in the CAT and the CAIS Exemption Order by eliminating the Plan requirement to report Name, Address, and YOB to CAIS for all Customers. At the same time, other than one-time implementation costs of approximately $4.5 million to $5.5 million (which would be fully offset by savings in the first year), the costs associated with the CAIS Amendment are minimal. If adopted, the CAIS Amendment would not change the Plan Processor's practices related to creating a unique CCID for each Customer and performing CCID enrichment of transaction data. While regulatory users would no longer be able to use the CAIS query tool to search for Name, Address, and YOB information, they would still be able to track Customer trading activity across accounts, broker-dealers, and markets without access to that information by using a CCID because the Plan Processor would continue performing CCID enrichment of transaction data in the same way that it does today. Furthermore, if it becomes necessary for a regulatory user to obtain Name, Address, and YOB data, that information could still be obtained directly from Industry Members. In this way, the CAIS Amendment would not affect how regulators use the CAT, and any added cost associated with obtaining Name, Address, and YOB information from Industry Members is significantly outweighed by the estimated $12 million in cost savings that the proposed CAIS Amendment would allow CAT LLC to recognize each year as compared to 2024 Actuals.
For all of these reasons, CAT LLC strongly urges the Commission to approve the CAIS Amendment.
B. Governing or Constituent Documents
Not applicable.
C. Implementation of Amendment
[top] The Participants propose to implement the proposal upon approval of the proposed amendment to the CAT NMS Plan by directing the Plan Processor to make the technological changes to CAIS reporting required to effectuate the Proposed Changes and by amending their individual CAT
D. Development and Implementation Phases
Subject to SEC approval of this CAIS Amendment, the Participants and the Plan Processor, in consultation with Industry Members, will determine and communicate an implementation schedule to effectuate the Proposed Changes.
E. Analysis of Impact on Competition
CAT LLC does not believe that the CAIS Amendment would result in any burden on competition that is not necessary or appropriate in furtherance of the purposes of the Exchange Act. Indeed, CAT LLC believes that the CAIS Amendment will have a positive impact on competition, efficiency and capital formation. The CAIS Amendment will provide significant savings in CAT costs and will eliminate Name, Address, and YOB from the CAT while imposing minimal impact on the regulatory use of CAT Data. Such substantial cost savings would inure to the benefit of all participants in the markets for NMS Securities and OTC Equity Securities, including Participants, Industry Members, and most importantly, the investors.
In addition to providing significant cost savings, the CAIS Amendment would incorporate the existing CCID Exemption Order and build on the CAIS Exemption Order, both of which the Commission found to be appropriate in the public interest and consistent with the protection of investors. 35 Because this CAIS Amendment would build on the CCID Exemption Order and the CAIS Exemption Order to further reduce the amount of Customer-and-account-related information in the CAT by eliminating Name, Address, and YOB without impacting the intended regulatory goals of SEC Rule 613, CAT LLC believes that the CAIS Amendment is appropriate in the public interest and consistent with the protection of investors. In this way, the CAIS Amendment would enhance the markets for NMS Securities and OTC Equity Securities for all market participants.
Footnotes:
35 ? See CCID Exemption Order at 16156; CAIS Exemption Order at 9646.
Furthermore, the CAIS Amendment would provide significant cost savings and build on the CCID Exemption Order and the CAIS Exemption Order without creating any disparate impact among Industry Members with Customers. This is because the CAIS Amendment would require all Industry Members to report the same narrower scope of Customer-and-account-related information to the CAT. Therefore, the CAIS Amendment would have the same effect on all Industry Members with Customers.
For all of these reasons, CAT LLC does not believe that the CAIS Amendment would result in any burden on competition that is not necessary or appropriate in furtherance of the purposes of the Exchange Act.
F. Written Understanding or Agreements Relating to Interpretation of, or Participation in Plan
Not applicable.
G. Approval by Plan Sponsors in Accordance With Plan
Section 12.3 of the CAT NMS Plan states that, subject to certain exceptions, the CAT NMS Plan may be amended from time to time only by a written amendment, authorized by the affirmative vote of not less than two-thirds of all of the Participants, that has been approved by the SEC pursuant to Rule 608 of Regulation NMS under the Exchange Act or has otherwise become effective under Rule 608 of Regulation NMS under the Exchange Act. In addition, the proposed amendment was discussed during Operating Committee meetings. The Participants, by a vote of the Operating Committee taken on March 4, 2025, have authorized the filing of this proposed amendment with the SEC in accordance with the CAT NMS Plan.
H. Description of Operation of Facility Contemplated by the Proposed Amendment
Not applicable.
I. Terms and Conditions of Access
Not applicable.
J. Method of Determination and Imposition, and Amount of, Fees and Charges
Not applicable.
K. Method and Frequency of Processor Evaluation
Not applicable.
L. Dispute Resolution
Not applicable.
III. Solicitation of Comments
The Commission seeks comment on the amendment. Interested persons are invited to submit written data, views and arguments concerning the foregoing, including whether the amendment is consistent with the Exchange Act. Comments may be submitted by any of the following methods:
Electronic Comments
• Use the Commission's internet comment form ( http://www.sec.gov/rules/sro.shtml ); or
• Send an email to rule-comments@sec.gov. Please include File Number 4-698 on the subject line.
Paper Comments
• Send paper comments in triplicate to Secretary, Securities and Exchange Commission, 100 F Street NE, Washington, DC 20549-1090.
All submissions should refer to File Number 4-698. This file number should be included on the subject line if email is used. To help the Commission process and review your comments more efficiently, please use only one method. The Commission will post all comments on the Commission's internet website ( http://www.sec.gov/rules/sro.shtml ). Copies of the submission, all subsequent amendments, all written statements with respect to the proposed plan amendment that are filed with the Commission, and all written communications relating to the amendment between the Commission and any person, other than those that may be withheld from the public in accordance with the provisions of 5 U.S.C. 552, will be available for website viewing and printing in the Commission's Public Reference Room, 100 F Street NE, Washington, DC 20549, on official business days between the hours of 10:00 a.m. and 3:00 p.m. Copies of the filing also will be available for inspection and copying at the Participants' offices. All comments received will be posted without change. Persons submitting comments are cautioned that we do not redact or edit personal identifying information from comment submissions. You should submit only information that you wish to make available publicly. All submissions should refer to File Number 4-698 and should be submitted on or before April 9, 2025.
Footnotes:
36 ?17 CFR 200.30-3(a)(85).
For the Commission, by the Division of Trading and Markets, pursuant to delegated authority. 36
Sherry R. Haywood,
Assistant Secretary.
[top]
Exhibit A
Proposed Revisions to the CAT NMS Plan
Additions italicized; deletions [bracketed]
Article I
Definitions
Section 1.1. Definitions.
"[Customer ]Account Attributes [Information]" shall include, but not be limited to, [account number, ]account type, customer type, date account opened, and large trader identifier (if applicable) (excluding, for the avoidance of doubt, account number); except, however, that (a) in those circumstances in which an Industry Member has established a trading relationship with an institution but has not established an account with that institution, the Industry Member will (i) provide the Account Effective Date in lieu of the "date account opened"; [(ii) provide the relationship identifier in lieu of the "account number"; ]and (ii[i]) identify the "account type" as a "relationship"; (b) in those circumstances in which the relevant account was established prior to the implementation date of the CAT NMS Plan applicable to the relevant CAT Reporter (as set forth in Rule 613(a)(3)(v) and (vi)), and no "date account opened" is available for the account, the Industry Member will provide the Account Effective Date in the following circumstances: (i) where an Industry Member changes back office providers or clearing firms and the date account opened is changed to the date the account was opened on the new back office/clearing firm system; (ii) where an Industry Member acquires another Industry Member and the date account opened is changed to the date the account was opened on the post-merger back office/clearing firm system; (iii) where there are multiple dates associated with an account in an Industry Member's system, and the parameters of each date are determined by the individual Industry Member; and (iv) where the relevant account is an Industry Member proprietary account. For the avoidance of doubt, Industry Members are required to provide a Firm Designated ID in accordance with this Agreement.
"CAIS" means the customer and account information system of the CAT.
"CCID Subsystem" means the isolated subsystem of CAIS that exists solely to transform input TID values into CCID values.
"Customer and Account Attributes" shall mean the data elements in Account Attributes and Customer Attributes.
"Customer Attributes [Identifying Information]" means information [of sufficient detail to identify ] attributed to a Customer, including, but not limited to, (a) with respect to individuals: [name, address, date of birth, individual tax payer identification number ("ITIN")/social security number ("SSN"),] TID and the individual's role in the account ( e.g., primary holder, joint holder, guardian, trustee, person with the power of attorney); and (b) with respect to legal entities: [name, address, ]Employer Identification Number ("EIN")/Legal Entity Identifier ("LEI") or other comparable common entity identifier, if applicable; provided, however, that an Industry Member that has an LEI for a Customer must submit the Customer's LEI[ in addition to other information of sufficient detail to identify a Customer].
"Customer-ID" or "CAT Customer-ID" or "CCID" has the same meaning provided in SEC Rule 613(j)(5).
" Full Availability and Regulatory Utilization of Transactional Database Functionality " means the point at which: (a) reporting to the Order Audit Trail System ("OATS") is no longer required for new orders; (b) Industry Member reporting for equities transactions and simple electronic options transactions, excluding Customer Account Information,* Customer-ID, and Customer Identifying Information,* with sufficient intra-firm linkage, inter-firm linkage, national securities exchange linkage, trade reporting facilities linkage, and representative order linkages (including any equities allocation information provided in an Allocation Report) to permit the Participants and the Commission to analyze the full lifecycle of an order across the national market system, from order origination through order execution or order cancellation, is developed, tested, and implemented at a 5% Error Rate or less; (c) Industry Member reporting for manual options transactions and complex options transactions, excluding Customer Account Information, Customer-ID, and Customer Identifying Information, with all required linkages to permit the Participants and the Commission to analyze the full lifecycle of an order across the national market system, from order origination through order execution or order cancellation, including any options allocation information provided in an Allocation Report, is developed, tested, and fully implemented; (d) the query tool functionality required by Section 6.10(c)(i)(A) and Appendix D, Sections 8.1.1-8.1.3, Section 8.2.1, and Section 8.5 incorporates the data described in conditions (b)-(c) and is available to the Participants and to the Commission; and (e) the requirements of Section 6.10(a) are met. This Financial Accountability Milestone shall be considered complete as of the date identified in a Quarterly Progress Report meeting the requirements of Section 6.6(c).
Footnotes:
*? Effective [DATE], "Customer Account Information" as used in the Financial Accountability Milestones (Initial Industry Member Core Equity Reporting; Full Implementation of Core Equity Reporting; Full Availability and Regulatory Utilization of Transactional Database Functionality; and Full Implementation of CAT NMS Plan Requirements) is no longer a defined term and has been superseded by the new defined term "Account Attributes".
*? Effective [DATE], "Customer Identifying Information" as used in the Financial Accountability Milestones (Initial Industry Member Core Equity Reporting; Full Implementation of Core Equity Reporting; Full Availability and Regulatory Utilization of Transactional Database Functionality; and Full Implementation of CAT NMS Plan Requirements) is no longer a defined term and has been superseded by the new defined term "Customer Attributes".
["PII" means personally identifiable information, including a social security number or tax identifier number or similar information; Customer Identifying Information and Customer Account Information.]
" Transformed Identifier" or "TID" means the transformed version of the individual tax payer identification number ("ITIN") or social security number ("SSN") submitted by Industry Members in place of an ITIN or SSN.
Article VI
Functions and Activities of CAT System
Section 6.2. Chief Compliance Officer and Chief Information Security Officer
(a) Chief Compliance Officer.
(v) The Chief Compliance Officer shall:
[top] (C) in collaboration with the Chief Information Security Officer, and consistent with Appendix D, Data
(b) Chief Information Security Officer.
(v) Consistent with Appendices C and D, the Chief Information Security Officer shall be responsible for creating and enforcing appropriate policies, procedures, and control structures to monitor and address data security issues for the Plan Processor and the Central Repository including:
(F) [PII] Customer and Account Attributes data requirements, including the standards set forth in Appendix D, [PII] Customer and Account Attributes Data Requirements;
Section 6.4. Data Reporting and Recording by Industry Members
(d) Required Industry Member Data.
(ii) Subject to Section 6.4(c) and Section 6.4(d)(iii) with respect to Options Market Makers, and consistent with Appendix D, Reporting and Linkage Requirements, and the Technical Specifications, each Participant shall, through its Compliance Rule, require its Industry Members to record and report to the Central Repository the following, as applicable (" Received Industry Member Data " and collectively with the information referred to in Section 6.4(d)(i) " Industry Member Data "):
(C) for original receipt or origination of an order, the Firm Designated ID for the relevant Customer, and in accordance with Section 6.4(d)(iv), Customer and Account Attributes [Information and Customer Identifying Information] for the relevant Customer; and
Section 6.10. Surveillance
(c) Use of CAT Data by Regulators.
(ii) Extraction of CAT Data shall be consistent with all permission rights granted by the Plan Processor. All CAT Data returned shall be encrypted, and [PII] Customer and Account Attributes data shall be masked unless users have permission to view the CAT Data that has been requested.
Appendix D
CAT NMS Plan Processor Requirements
4. Data Security
4.1 Overview
The Plan Processor must provide to the Operating Committee a comprehensive security plan that covers all components of the CAT System, including physical assets and personnel, and the training of all persons who have access to the Central Repository consistent with Article VI, Section 6.1(m). The security plan must be updated annually. The security plan must include an overview of the Plan Processor's network security controls, processes and procedures pertaining to the CAT Systems. Details of the security plan must document how the Plan Processor will protect, monitor and patch the environment; assess it for vulnerabilities as part of a managed process, as well as the process for response to security incidents and reporting of such incidents. The security plan must address physical security controls for corporate, data center, and leased facilities where Central Repository data is transmitted or stored. The Plan Processor must have documented "hardening baselines" for systems that will store, process, or transmit CAT Data or [PII] Customer and Account Attributes data.
4.1.2 Data Encryption
Storage of unencrypted [PII] Customer and Account Attributes data is not permissible. [PII] Customer and Account Attributes encryption methodology must include a secure documented key management strategy such as the use of HSM(s). The Plan Processor must describe how [PII] Customer and Account Attributes encryption is performed and the key management strategy ( e.g., AES-256, 3DES).
4.1.4 Data Access
The Plan Processor must provide an overview of how access to [PII] Customer and Account Attributes and other CAT Data by Plan Processor employees and administrators is restricted. This overview must include items such as, but not limited to, how the Plan Processor will manage access to the systems, internal segmentation, multi-factor authentication, separation of duties, entitlement management, background checks, etc.
Any login to the system that is able to access [PII] Customer and Account Attributes data must follow [non-PII ]password rules for data that does not constitute Customer and Account Attributes and must be further secured via multi-factor authentication (" MFA" ). The implementation of MFA must be documented by the Plan Processor. MFA authentication capability for all logins is required to be implemented by the Plan Processor.
4.1.6 [PII] Customer and Account Attributes Data Requirements
[PII] Customer and Account Attributes data must not be included in the result set(s) from online or direct query tools, reports or bulk data extraction. Instead, results will display existing [non-PII] unique identifiers ( e.g., Customer-ID or Firm Designated ID) that do not constitute Customer and Account Attributes. The [PII] Customer and Account Attributes corresponding to these identifiers can be gathered using the [PII] Customer and Account Attributes workflow described in Appendix D, Data Security, [PII] Customer and Account Attributes Data Requirements. By default, users entitled to query CAT Data are not authorized for [PII] access to Customer and Account Attributes. The process by which someone becomes entitled for [PII] access to Customer and Account Attributes, and how they then go about accessing [PII] Customer and Account Attributes data, must be documented by the Plan Processor. The chief regulatory officer, or other such designated officer or employee at each Participant must, at least annually, review and certify that people with [PII] access to Customer and Account Attributes have the appropriate level of access for their role.
Using the RBAC model described above, access to [PII] Customer and Account Attributes data shall be configured at the [PII attribute] Customer and Account Attribute level, following the "least privileged" practice of limiting access as much as possible.
[top] [PII] Customer and Account Attributes data must be stored separately from other CAT Data. It cannot be stored with the transactional CAT Data, and it must not be accessible from public internet connectivity. A full audit trail of [PII] access to Customer and Account Attributes (who accessed what data, and when) must be maintained. The Chief Compliance Officer and the Chief Information Security Officer shall have access to daily [PII] Customer and Account Attributes reports that list all users who are entitled for [PII] access to Customer and Account Attributes, as well as the audit trail of all [PII] access to Customer and Account
6.2 Data Availability Requirements
Figure B: Customer and Account Attributes [Information (Including PII)]
[Federal Register graphic "EN19MR25.021" is not available. Please view the graphic in the PDF version of this document.]
CAT [PII] Customer and Account Attributes data must be processed within established timeframes to ensure data can be made available to Participants' regulatory staff and the SEC in a timely manner. Industry Members submitting new or modified Customer information must provide it to the Central Repository no later than 8:00 a.m. Eastern Time on T+1. The Central Repository must validate the data and generate error reports no later than 5:00 p.m. Eastern Time on T+1. The Central Repository must process the resubmitted data no later than 5:00 p.m. Eastern Time on T+4. Corrected data must be resubmitted no later than 5:00 p.m. Eastern Time on T+3. The Central Repository must process the resubmitted data no later than 5:00 p.m. Eastern Time on T+4. Corrected data must be available to regulators no later than 8:00 a.m. Eastern Time on T+5.
Customer information that includes [PII] Customer and Account Attributes data must be available to regulators immediately upon receipt of initial data and corrected data, pursuant to security policies for retrieving [PII] Customer and Account Attributes.
8. Functionality of the CAT System
8.1 Regulator Access
8.1.1 Online Targeted Query Tool
The tool must provide a record count of the result set, the date and time the query request is submitted, and the date and time the result set is provided to the users. In addition, the tool must indicate in the search results whether the retrieved data was linked or unlinked ( e.g., using a flag). In addition, the online targeted query tool must not display any [PII] Customer and Account Attributes data. Instead, it will display existing [non-PII] unique identifiers ( e.g., Customer-ID or Firm Designated ID) that do not constitute Customer and Account Attributes. The [PII] Customer and Account Attributes corresponding to these identifiers can be gathered using the [PII] Customer and Account Attributes workflow described in Appendix D, Data Security, [PII] Customer and Account Attributes Data Requirements. The Plan Processor must define the maximum number of records that can be viewed in the online tool as well as the maximum number of records that can be downloaded. Users must have the ability to download the results to .csv, .txt, and other formats, as applicable. These files will also need to be available in a compressed format ( e.g., .zip, .gz). Result sets that exceed the maximum viewable or download limits must return to users a message informing them of the size of the result set and the option to choose to have the result set returned via an alternate method.
8.1.3 Online Targeted Query Tool Access and Administration
Access to CAT Data is limited to authorized regulatory users from the Participants and the SEC. Authorized regulators from the Participants and the SEC may access all CAT Data, with the exception of [PII] Customer and Account Attributes data. A subset of the authorized regulators from the Participants and the SEC will have permission to access and view [PII] Customer and Account Attributes data. The Plan Processor must work with the Participants and SEC to implement an administrative and authorization process to provide regulator access. The Plan Processor must have procedures and a process in place to verify the list of active users on a regular basis.
A two-factor authentication is required for access to CAT Data. [PII] Customer and Account Attributes data must not be available via the online targeted query tool or the user-defined direct query interface.
8.2 User-Defined Direct Queries and Bulk Extraction of Data
The Central Repository must provide for direct queries, bulk extraction, and download of data for all regulatory users. Both the user-defined direct queries and bulk extracts will be used by regulators to deliver large sets of data that can then be used in internal surveillance or market analysis applications. The data extracts must use common industry formats.
Direct queries must not return or display [PII] Customer and Account Attributes data. Instead, they will return existing [non-PII] unique identifiers ( e.g., Customer-ID or Firm Designated ID) that do not constitute Customer and Account Attributes. The [PII] Customer and Account Attributes corresponding to these identifiers can be gathered using the [PII] Customer and Account Attributes workflow described in Appendix D, Data Security, [PII] Customer and Account Attributes Data Requirements.
8.2.2 Bulk Extract Performance Requirements
Extraction of data must be consistently in line with all permissioning rights granted by the Plan Processor. Data returned must be encrypted, password protected and sent via secure methods of transmission. In addition, [PII] Customer and Account Attributes data must be masked unless users have permission to view the data that has been requested.
[top]
9. CAT Customer and [Customer] Account Attributes [Information]
9.1 Customer and [Customer] Account Attributes [Information] Storage
The CAT must capture and store Customer and [Customer] Account Attributes [Information] in a secure database physically separated from the transactional database. The Plan Processor will maintain certain information [of sufficient detail to uniquely and consistently identify] attributed to each Customer across all CAT Reporters, and associated accounts from each CAT Reporter. [The following attributes, a] A t a minimum, the CAT must capture Transformed Identifiers. [be captured:]
• [Social security number (SSN) or Individual Taxpayer Identification Number (ITIN);]
• [Date of birth;]
• [Current name;]
• [Current address;]
• [Previous name; and]
• [Previous address.]
For legal entities, the CAT must capture Legal Entity Identifiers (LEIs) (if available). [the following attributes:]
• [Legal Entity Identifier (LEI) (if available);]
• [Tax identifier;]
• [Full legal name; and]
• [Address.]
The Plan Processor must maintain valid Customer and [Customer] Account Attributes [Information] for each trading day and provide a method for Participants' regulatory staff and the SEC to easily obtain historical changes to that information[ ( e.g., name changes, address changes, etc.)].
[The Plan Processor will design and implement a robust data validation process for submitted Firm Designated ID, Customer Account Information and Customer Identifying Information, and must continue to process orders while investigating Customer information mismatches. Validations should:
• Confirm the number of digits on a SSN,
• Confirm date of birth, and
• Accommodate the situation where a single SSN is used by more than one individual.]
The Plan Processor will use the [Customer information] Transformed Identifier submitted by all broker-dealer CAT Reporters to the isolated CCID Subsystem to assign a unique Customer-ID for each Customer. The Customer-ID must be consistent across all broker-dealers that have an account associated with that Customer. This unique CAT-Customer-ID will not be returned to CAT Reporters and will only be used internally by the CAT.
Broker-Dealers will initially submit full account lists for all active accounts to the Plan Processor and subsequently submit updates and changes on a daily basis. In addition, the Plan Processor must have a process to periodically receive full account lists to ensure the completeness and accuracy of the account database. The Central Repository must support account structures that have multiple account owners and associated Customer information (joint accounts, managed accounts, etc.), and must be able to link accounts that move from one CAT Reporter to another ( e.g., due to mergers and acquisitions, divestitures, etc.).
9.2 Required Data Attributes for Customer Information Data Submitted by Industry Members
At a minimum, the following Customer information data attributes must be accepted by the Central Repository:
• [Account Owner Name;]
• [Account Owner Mailing Address;]
• [Account Tax Identifier (SSN, TIN, ITN)] Transformed Identifier (with respect to individuals) or EIN (with respect to legal entities);
• Market Identifiers (Larger Trader ID, LEI);
• Type of Account;
• Firm Identifier Number;
? The number that the CAT Reporter will supply on all orders generated for the Account;
• Prime Broker ID;
• Bank Depository ID; and
• Clearing Broker.
9.3 Customer-ID Tracking
The Plan Processor will assign a CAT-Customer-ID for each unique Customer. The Plan Processor will [determine] generate and assign a unique CAT- Customer -ID [using information such as SSN and DOB for natural persons or entity identifiers for Customers that are not natural persons and will resolve discrepancies] for each Transformed Identifier submitted by broker-dealer CAT Reporters to the isolated CCID Subsystem. Once a CAT-Customer-ID is assigned, it will be added to each linked (or unlinked) order record for that Customer.
Participants and the SEC must be able to use the unique CAT-Customer-ID to track orders from any Customer or group of Customers, regardless of what brokerage account was used to enter the order.
9.4 Error Resolution for Customer Data
[The Plan Processor must design and implement procedures and mechanisms to handle both minor and material inconsistencies in Customer information. The Central Repository needs to be able to accommodate minor data discrepancies such as variations in road name abbreviations in searches. Material inconsistencies such as two different people with the same SSN must be communicated to the submitting CAT Reporters and resolved within the established error correction timeframe as detailed in Section 8.]
The Central Repository must have an audit trail showing the resolution of all errors. The audit trail must, at a minimum, include the:
• CAT Reporter submitting the data;
• Initial submission date and time;
• Data in question or the ID of the record in question;
• Reason identified as the source of the issue[, such as:] ;
? [duplicate SSN, significantly different Name;]
? [duplicate SSN, different DOB;]
? [discrepancies in LTID; or]
? [others as determined by the Plan Processor;]
• Date and time the issue was transmitted to the CAT Reporter, included each time the issue was re-transmitted, if more than once;
• Corrected submission date and time, including each corrected submission if more than one, or the record ID(s) of the corrected data or a flag indicating that the issue was resolved and corrected data was not required; and
• Corrected data, the record ID, or a link to the corrected data.
9.5 Deletion From CAIS of Certain Reported Customer Data
Notwithstanding any other provision of the CAT NMS Plan, this Appendix D, or the Exchange Act, CAT LLC shall direct the Plan Processor to develop and implement a mechanism to delete from CAIS, or otherwise make inaccessible to regulatory users, the following data attributes: Customer name, Customer address, account name, account address, authorized trader names list, account number, day of birth, month of birth, year of birth, and ITIN/SSN. For the avoidance of doubt, such data attributes do not constitute records that must be retained under Exchange Act Rule 17a-1. CAT LLC or the Plan Processor shall be permitted to delete any such information that has been improperly reported by an Industry Member to the extent that either becomes aware of such improper reporting through self-reporting or otherwise.
10. User Support
10.1 CAT Reporter Support
The Plan Processor must develop tools to allow each CAT Reporter to:
• Manage Customer and [Customer] Account Attributes [Information];
10.3 CAT Help Desk
CAT Help Desk support functions must include:
• Supporting CAT Reporters with data submissions and data corrections, including submission of Customer and [Customer] Account Attributes [Information];
[FR Doc. 2025-04516 Filed 3-18-25; 8:45 am]
BILLING CODE 8011-01-P