Data Sensitivity and the CAT
Helping you rapidly assess your data, systems & processes to prepare for the CAT
Regulatory reporting is an intrinsic part of a financial firm’s daily activities. As reporting requirements evolve, so do the specifications firms must adhere to in order to meet these reporting obligations. With regulators interested in analysing a wider scope of the data attributes, firms have to integrate more and more systems and data streams into their regulatory reporting infrastructure to satisfy these large, complex data requirements.
The SEC Rule 613 Consolidated Audit Trail (CAT) is set to be one of the largest repositories of options and equity quotes, orders, executions and allocations in the world. All U.S.-based self-regulatory organizations (SROs) and broker-dealers must ensure the accurate, complete and timely submission of this data to the Thesys CAT Processor. In addition, they must frame these datasets with an initial submission of all customer account and personal identifying information (PII).
The requirement to send the customer and account details has brought with it a set of new technical, operational and governance considerations for firms to think about as they prepare for CAT. Notable areas for firms to reflect on when setting the foundation for their regulatory reporting program of work include:
- The technical integration and centralization of all customer and account information
- The security and protection of all customer and account information
- Establishing the appropriate legal framework that alerts customers to the usage of their personal data.
Each one of these areas presents a new hurdle for reporting firms in establishing a robust, secure and scalable framework to support regulatory reporting initiatives. So what can firms do to ensure full compliance with CAT, alleviate workload and mitigate risks in undertaking these tasks? Are there any existing implementations that can be leveraged to support firms in complying with this new mandate?
Technical Integration and Centralization
The legal structure and set-up of organizations come in a number of different constructs and dimensions: branches, subsidiaries, affiliates, domestic, international; there is no one-size-fits-all model. Each internal group boundary could represent differing technical frameworks, different governance and legal procedures, different operational models and varying budgets.
Historically, high-volume, transaction- or trade-based regulatory reporting regimes have seldom requested personal identifying information. However, as regulators become more interested in the decision makers and investment beneficiaries, PII is becoming a more common request under new or updated legislation. As a result, data flows no longer come primarily from order management systems (OMS) or trade management systems; human resources and accounting applications are now also being integrated into the reporting work stream. This area of the business will now be more involved in the regulatory reporting process, as the data that it is responsible and accountable for is being distributed outside of the firm and forming the basis of regulatory investigation in the identification of market abuse and manipulation.
When it comes to establishing a repository or data feed of account and customer details for CAT reporting, if there is not a common data model across the firm, the challenge in consolidating this information is clear. It is set to become a task not only for technology and compliance teams, but other stakeholders who will be involved in the review and cleansing of this information.
A number of questions will need to be addressed, and a common ground established across the organization that ensures compliance with the CAT data mandates. For example, what fields have been made mandatory in the firm’s customer on-boarding process? If there has not been a mutual requirement to mandate the collection of a zip or postal code across the organization, there is already a gap in the data set required for submission to the CAT Processor. What standards have been used in the completion of certain data fields: has an ISO standard country code been used, or an internal reference unique to the business unit? Has the usage of the title ‘Master’, ‘Ms.’ or ‘Dr.’ been supported in some data templates, and if so, how does this then get normalized without losing the lower-level granularity being used in that particular part of the organization? These are just some of the questions that will be part of the CAT preparation discussion for firms, and if not all parts of the group are aligned in their response, there will be a large, onerous and risky clean-up exercise for firms.
Secondary to this completeness check and normalization exercise is the confirmation of data accuracy. Firms will need to review and validate the logical linkage between the customer data fields. For example, does the zip code 10020 relate to an address in New Jersey as specified in the customer record? Does the street name exist in the specified state? If the on-boarding process does not include these types of validations, the clean-up exercise will be complicated and convoluted when trying to establish the correct baseline field from which to trace backwards to the correct customer identifiers.
Another aspect that will need to be addressed in the clean-up and centralization exercise will be the identification of duplicative data. Duplications inside and across business units need to be pinpointed and rectified so there is a unique reference for the customer when reporting. Reconciliation tools will be key in supporting the identification of this issue, using fuzzy logic to identify near-match items and propose the potential duplicates.
The preparation of this data is going to take some time, and firms should begin the analysis of this information sooner rather than later. Commissioning the relevant technology tools and consultancy efforts will enable the firm to look at the data holistically, enter errors and discrepancies into a structured case management workflow, and proactively resolve and manage the erroneous and incomplete datasets.
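The completeness check, normalization, cross-field accuracy validation and fuzzy duplicate detection described above can be expressed as a small data-quality pass over the customer records. The following is an added illustration written for this page, not a tool from the article or any vendor; the country, title and ZIP-prefix lookups are deliberately abbreviated constructed tables (the real checks would sit on authoritative reference data), and the three customer records are constructed sample input. It deliberately reuses the article's own examples: the title ‘Master’, an unmapped country value, a missing postal code, and ZIP 10020 recorded against New Jersey.

```python
import difflib
import re
from dataclasses import dataclass

# Constructed, abbreviated lookups for this illustration (not an authoritative source).
COUNTRY_TO_ISO = {"united states": "US", "usa": "US", "us": "US",
                  "united kingdom": "GB", "uk": "GB", "gb": "GB"}
# First three ZIP digits -> USPS state, trimmed to the two ranges the sample needs.
ZIP3_TO_STATE = {**{f"{p:03d}": "NJ" for p in range(70, 90)},
                 **{f"{p:03d}": "NY" for p in range(100, 105)}}
CANONICAL_TITLE = {"mr": "MR", "master": "MR", "ms": "MS", "mrs": "MS", "miss": "MS", "dr": "DR"}
MANDATORY = ("customer_id", "name", "dob", "postal_code", "state", "country")


@dataclass
class Finding:
    customer_id: str
    check: str      # completeness | normalization | format | accuracy
    detail: str


def normalize_record(rec: dict) -> dict:
    """Return a normalized copy. Original values are kept under raw_* keys so the
    business unit's lower-level granularity (e.g. the title 'Master') is not lost."""
    out = dict(rec)
    title = str(rec.get("title", "")).strip().rstrip(".").lower()
    out["raw_title"] = rec.get("title", "")
    out["title"] = CANONICAL_TITLE.get(title, title.upper())
    country = str(rec.get("country", "")).strip().lower()
    out["raw_country"] = rec.get("country", "")
    out["country"] = COUNTRY_TO_ISO.get(country, rec.get("country", ""))
    out["name"] = " ".join(str(rec.get("name", "")).split()).lower()   # collapse whitespace
    out["postal_code"] = str(rec.get("postal_code", "")).strip()
    return out


def check_record(rec: dict) -> list:
    """Completeness, normalization and cross-field accuracy checks on one normalized record."""
    findings = []
    cid = rec.get("customer_id", "<missing>")
    for f in MANDATORY:
        if not str(rec.get(f, "")).strip():
            findings.append(Finding(cid, "completeness", f"mandatory field '{f}' is empty"))
    if rec.get("country") and rec["country"] not in COUNTRY_TO_ISO.values():
        findings.append(Finding(cid, "normalization",
                                f"country '{rec['raw_country']}' not mapped to an ISO code"))
    zip5 = rec.get("postal_code", "")
    if rec.get("country") == "US" and zip5:
        if not re.fullmatch(r"\d{5}(-\d{4})?", zip5):
            findings.append(Finding(cid, "format", f"postal code '{zip5}' is not a valid ZIP"))
        else:
            expected = ZIP3_TO_STATE.get(zip5[:3])
            if expected and expected != rec.get("state"):
                findings.append(Finding(cid, "accuracy",
                                        f"ZIP {zip5} is in {expected}, record says {rec.get('state')}"))
    return findings


def find_duplicates(records: list, threshold: float = 0.9) -> list:
    """Fuzzy near-match on normalized name + date of birth; returns candidate pairs for review."""
    keys = [(r["customer_id"], f"{r['name']}|{r.get('dob', '')}") for r in records]
    candidates = []
    for i in range(len(keys)):
        for j in range(i + 1, len(keys)):
            ratio = difflib.SequenceMatcher(None, keys[i][1], keys[j][1]).ratio()
            if ratio >= threshold:
                candidates.append((keys[i][0], keys[j][0], round(ratio, 3)))
    return candidates


SAMPLE = [  # constructed sample records, one per business unit
    {"customer_id": "A-1", "title": "Master", "name": "John  Smith", "dob": "1990-01-01",
     "postal_code": "10020", "state": "NJ", "country": "United States"},
    {"customer_id": "B-7", "title": "Mr.", "name": "Jon Smith", "dob": "1990-01-01",
     "postal_code": "07302", "state": "NJ", "country": "USA"},
    {"customer_id": "C-3", "title": "Dr", "name": "Ana Lopez", "dob": "1985-05-05",
     "postal_code": "", "state": "NY", "country": "Freedonia"},
]


def run(records=SAMPLE):
    """Normalize, check and de-duplicate; returns (normalized, findings, duplicate candidates)."""
    normalized = [normalize_record(r) for r in records]
    findings = [f for r in normalized for f in check_record(r)]
    return normalized, findings, find_duplicates(normalized)


if __name__ == "__main__":
    _, findings, dups = run()
    for f in findings:
        print(f"{f.customer_id:5} {f.check:14} {f.detail}")
    print("potential duplicates for review:", dups)
```

The findings list is what would feed the structured case management workflow: each entry names the customer, the check that failed and the detail, so an analyst can resolve it against the source system rather than against the submission file. Duplicate candidates are proposed, not merged automatically, since a near-match on name and date of birth still needs a human decision.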
Security and Protection
With customer and account data requiring details such as name, date of birth, passport number, social security number or tax identifier number, this highly sensitive information needs to be protected from misuse within the reporting process. This data has been stored and maintained securely in HR applications, but is subject to being made visible to technology and operations staff managing the CAT reporting process. Although the submission and maintenance of customer and account data is being reported to the CAT Processor separate from the trade details and physically being stored in a separate database, firms will consider and most likely aim to consolidate the management of these data streams into a single process for efficiency and consistency.
Technology tools that support the ability to segregate this information from business user access during upload, maintenance and submission to the CAT Processor are going to be key in establishing a secure working model to manage this dataset. Masking data elements, or protecting sensitive fields via user profile permissions while still allowing staff to review and manage the other data elements, is just one way technology can help safeguard this data. A full audit of user activity, data export restrictions, and data encryption at rest and in transit will also be added to the agenda of the technology platform’s mandatory capabilities.
The fact that customer identifying information is leaving the organization to be stored in an external data warehouse is something to be addressed with each client. Firms may need to adjust their legal framework to divulge who will have access to the customer data and for what purpose. This adds a further level of intricacy, given the numerous privacy and data protection laws around the globe that govern the confidentiality and security of an individual’s details within a firm. Sharing information on how the CAT Processor will consume, store and use the customer and account information will be of interest to clients, so firms will need to identify and assess the need to communicate this information to their client base. What will the CAT Processor do to protect this information, and what will the reporting firm do to protect it? What will be the procedure in case a security breach occurs? What cybersecurity measures will protect this information?
From sourcing, validating and storing the data to managing the security and legal aspects of obtaining and submitting this information to external parties, CAT is certainly going to drive change across the organization.
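The segregation controls called out above (field masking by user profile, an export restriction, and a full audit of user activity) can be shown in one small access layer. The following is an added illustration for this page, not code from the article or from any reporting platform; the role names, the set of fields treated as sensitive and the customer record are constructed assumptions. Operations and compliance roles see sensitive fields masked and cannot export; only the submission service role sees the unmasked values. Every access is written to a hash-chained audit log, so that a later edit to an earlier entry is detectable.

```python
import hashlib
import hmac
import json
import time

# Constructed assumptions: which fields are sensitive and what each role may do.
SENSITIVE = {"ssn", "passport_number", "dob", "tax_id"}
ROLE_POLICY = {
    "reporting_ops":  {"unmask": False, "export": False},
    "compliance":     {"unmask": False, "export": False},
    "cat_submission": {"unmask": True,  "export": True},   # the automated submission service
}


def mask(value, keep_last: int = 4) -> str:
    """Mask all but the last few characters, so staff can still reconcile on a partial value."""
    s = str(value)
    if len(s) <= keep_last:
        return "*" * len(s)
    return "*" * (len(s) - keep_last) + s[-keep_last:]


class AuditLog:
    """Append-only log where each entry commits to the previous entry's hash."""
    GENESIS = "0" * 64

    def __init__(self):
        self.entries = []
        self._prev = self.GENESIS

    @staticmethod
    def _digest(body: dict) -> str:
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def record(self, actor, role, action, customer_id, fields):
        entry = {"ts": time.time(), "actor": actor, "role": role, "action": action,
                 "customer_id": customer_id, "fields": sorted(fields), "prev": self._prev}
        entry["hash"] = self._digest(entry)
        self._prev = entry["hash"]
        self.entries.append(entry)

    def verify(self) -> bool:
        """Recompute the chain; any altered, removed or reordered entry makes this False."""
        prev = self.GENESIS
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "hash"}
            if body["prev"] != prev or not hmac.compare_digest(self._digest(body), e["hash"]):
                return False
            prev = e["hash"]
        return True


class CustomerStore:
    """Customer records behind a role check; every view and export is audited."""
    def __init__(self, records, audit: AuditLog):
        self._records = {r["customer_id"]: r for r in records}
        self.audit = audit

    def view(self, actor, role, customer_id) -> dict:
        policy = ROLE_POLICY[role]            # unknown role -> KeyError: deny by default
        rec = self._records[customer_id]
        shown = {k: (v if (k not in SENSITIVE or policy["unmask"]) else mask(v))
                 for k, v in rec.items()}
        self.audit.record(actor, role, "view" if policy["unmask"] else "view_masked",
                          customer_id, rec.keys())
        return shown

    def export(self, actor, role, customer_id) -> str:
        policy = ROLE_POLICY[role]
        if not policy["export"]:
            self.audit.record(actor, role, "export_denied", customer_id, [])
            raise PermissionError(f"role '{role}' may not export customer data")
        self.audit.record(actor, role, "export", customer_id, self._records[customer_id].keys())
        return json.dumps(self._records[customer_id], sort_keys=True)


# Constructed sample record with obviously fake identifiers.
SAMPLE = [{"customer_id": "A-1", "name": "John Smith", "dob": "1990-01-01",
           "ssn": "123-45-6789", "passport_number": "X0000000", "state": "NY"}]

if __name__ == "__main__":
    audit = AuditLog()
    store = CustomerStore(SAMPLE, audit)
    print(store.view("ops1", "reporting_ops", "A-1"))
    print(store.view("cat-svc", "cat_submission", "A-1")["ssn"])
    print("audit chain intact:", audit.verify())
```

The export path records a denied attempt as well as a successful one, which is what an audit of user activity needs: the interesting events are the ones that did not succeed. Encryption of the records at rest and of the submission in transit is a separate layer below this one and is not shown.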
Leveraging existing projects
In the last year we have seen more regulations mandate the provision of PII data in their reporting requirements. Consultants and technology vendors have drawn many parallels between CAT and the European Union’s Markets in Financial Instruments Regulation (MiFIR), commonly referred to as MiFID II, due to go live in January 2018. Businesses that have been subject to MiFIR will see similarities between the implementation process and reporting requirements defined under MiFIR and those of CAT. The requirement to provide PII data for traders and decision makers of executed transactions means these firms have already done most of the legwork involved in generating this new reporting dataset. As a result, they will be able to leverage the existing infrastructure and procedures already put in place to support MiFIR to additionally support CAT. Scalable technology tools that can be extended to support CAT allow firms to use a proven framework that can only aid the timeliness of the project delivery and promote processing consistency throughout the organization.
The key messages here are for firms to start early with their program of work to prepare their data for reporting, especially the customer and account information. Where possible, firms should opt to utilize existing frameworks built to support other regimes, such as MiFIR, recycling as much of the technology, governance processes and operational efficiencies as possible. CAT is expected to extend to 2,000 firms and 19 SROs who will change their existing reporting models to meet new, complex reporting requirements across the globe.