Joint Industry Plan; Order Approving an Amendment to the National Market System Plan Governing the Consolidated Audit Trail, as Modified by Amendment Nos. 1 and 2 and by the Commission, Regarding the Customer and Account Information System

#  Joint Industry Plan; Order Approving an Amendment to the National Market System Plan Governing the Consolidated Audit Trail, as Modified by Amendment Nos. 1 and 2 and by the Commission, Regarding the Customer and Account Information System

**I. Introduction**

On March 7, 2025, and pursuant to section 11A(a)(3) of the Securities Exchange Act of 1934 (the “Exchange Act”) [^1] and Rule 608 of Regulation NMS thereunder, [^2] the Consolidated Audit Trail, LLC (“CAT LLC”), on behalf of the following parties to the National Market System Plan Governing the Consolidated Audit Trail (the “CAT NMS Plan” or “Plan”): [^3] BOX Exchange LLC, Cboe BYX Exchange, Inc., Cboe  BZX Exchange, Inc., Cboe C2 Exchange, Inc., Cboe EDGA Exchange, Inc., Cboe EDGX Exchange, Inc., Cboe Exchange, Inc., Financial Industry Regulatory Authority, Inc., Investors Exchange LLC, Long-Term Stock Exchange, Inc., MEMX, LLC, Miami International Securities Exchange LLC, MIAX Emerald, LLC, MIAX PEARL, LLC, MIAX Sapphire, LLC, Nasdaq BX, Inc., Nasdaq GEMX, LLC, Nasdaq ISE, LLC, Nasdaq MRX, LLC, Nasdaq PHLX LLC, The NASDAQ Stock Market LLC, New York Stock Exchange LLC, NYSE American LLC, NYSE Arca, Inc., NYSE National, Inc., and NYSE Texas, Inc. (f/k/a NYSE Chicago, Inc.) (collectively, the “Participants”) filed with the Securities and Exchange Commission (“Commission”) a proposed amendment to the CAT NMS Plan to reduce the amount of Customer [^4] information in the CAT Customer and Account Information System (“CAIS”) (the “Proposed Amendment”). [^5] The Proposed Amendment was published for comment in the *Federal Register* on March 19, 2025 (“Notice”). [^6]

[^1] 15 U.S.C 78k-1(a)(3).

[^2] 17 CFR 242.608.

[^3] In July 2012, the Commission adopted Rule 613 of Regulation NMS, which required the Participants to jointly develop and submit to the Commission a national market system plan to create, implement, and maintain a consolidated audit trail (the “CAT”). *See* Securities Exchange Act Release No. 67457 (July 18, 2012), 77 FR 45722 (Aug. 1, 2012) (“Rule 613 Adopting Release”); 17 CFR 242.613 (“Rule 613”). On November 15, 2016, the Commission approved the CAT NMS Plan. *See* Securities Exchange Act Release No. 78318, 81 FR 84696 (Nov. 23, 2016) (“CAT NMS Plan Approval Order”). The CAT NMS Plan is Exhibit A to the CAT NMS Plan Approval Order. *See* CAT NMS Plan Approval Order, at 84943-85034.

[^4] A “Customer” means “the account holder(s) of the account at a registered broker-dealer originating the order; and any person from whom the broker-dealer is authorized to accept trading instructions for such account, if different from the account holder(s).” *See* CAT NMS Plan, *supra* note 3, at section 1.1.

[^5]*See* Letter from Brandon Becker, CAT NMS Plan Operating Committee Chair, dated Mar. 7, 2025. On August 6, 2025, 24 National Exchange LLC became a Participant. *See* Securities Exchange Act Release No. 103702 (Aug. 13, 2025), 90 FR 40092 (Aug. 18, 2025).

[^6]*See* Securities Exchange Act Release No. 102665 (Mar. 13, 2025), 90 FR 12845. Comments received in response to the Notice can be found on the Commission's website at *https://www.sec.gov/comments/4-698/4-698-f.htm.*

On May 28, 2025, the Participants filed Amendment No. 1 to the Proposed Amendment (“Amendment No. 1”). [^7] On June 17, 2025, the Commission noticed Amendment No. 1 for comment and instituted proceedings to determine whether to approve or disapprove the Proposed Amendment, as modified by Amendment No. 1, with any changes or subject to any conditions the Commission deems necessary or appropriate after considering public comment (the “OIP”). [^8]

[^7]*See* Letter from Brandon Becker, CAT NMS Plan Operating Committee Chair, dated May 28, 2025 (“CAT LLC May Response Letter”).

[^8]*See* Securities Exchange Act Release No. 103288, 90 FR 26637 (June 23, 2025). Comments received in response to Amendment No. 1 can be found on the Commission's website at *https://www.sec.gov/comments/4-698/4-698-f.htm.*

On September 11, 2025, to provide sufficient time to consider the changes set forth in Amendment No. 1 and any comments received on Amendment No. 1, the Commission designated a longer period within which to conclude proceedings. [^9] On November 14, 2025, the Commission extended the period within which to conclude proceedings regarding the Proposed Amendment, as modified by Amendment No. 1, to January 13, 2026. [^10] On December 1, 2025, the Participants filed Amendment No. 2 to the Proposed Amendment (“Amendment No. 2”). [^11] On December 5, 2025, Amendment No. 2 was published in the *Federal Register* . [^12]

[^9]*See* Securities Exchange Act Release No. 103946, 90 FR 44734 (Sept. 16, 2025).

[^10]*See* Securities Exchange Act Release No. 104179, 90 FR 51801 (Nov. 18, 2025).

[^11]*See* Letter from Robert Walley, CAT NMS Plan Operating Committee Chair, to Vanessa Countryman, Secretary, Commission, dated Dec. 1, 2025 (“CAT LLC December Response Letter”).

[^12]*See* Securities Exchange Act Release No. 104290 (Dec. 2, 2025), 90 FR 56224 (“Notice of Amendment No. 2”). Comments received in response to Amendment No. 2 can be found on the Commission's website at *https://www.sec.gov/comments/4-698/4-698-f.htm.*

The Commission is approving the Proposed Amendment, as modified by Amendment Nos. 1 and 2 (hereinafter, the “Proposed Amendment” unless otherwise noted), and as modified by the Commission. For the reasons discussed below, the Commission finds that the Proposed Amendment, as modified by Amendment Nos. 1 and 2, and as modified by the Commission, is appropriate in the public interest, for the protection of investors and the maintenance of fair and orderly markets, to remove impediments to, and perfect the mechanism of a national market system, or is otherwise in furtherance of the purposes of the Exchange Act.

**II. Background**

On July 11, 2012, the Commission adopted Rule 613 of Regulation NMS, which required the SROs to submit a national market system (“NMS”) plan to create, implement and maintain a consolidated audit trail that would capture customer and order event information for orders in NMS securities. [^13] The Commission had found that the prior, fragmented regulatory data infrastructure had become outdated and inadequate to effectively oversee a complex, dispersed, and highly automated national market system. [^14] In performing their oversight responsibilities before CAT, the SROs and the Commission pulled disparate data from a variety of existing information systems lacking in completeness, accuracy, accessibility, and/or timeliness. [^15] That model neither supported the efficient aggregation of data from multiple trading venues nor yielded complete and accurate market activity data. [^16] In particular, the shortcomings of the disparate systems on which the Commission and the SROs previously relied made it impractical to follow orders through their entire lifecycle as they may be routed, aggregated, re-routed, and disaggregated across multiple markets. [^17] CAT was designed to address those concerns by consolidating customer and order event data previously available from disparate sources into a single audit trail system that would facilitate cross-market oversight of the national market system.

[^13] 17 CFR 242.613; Rule 613 Adopting Release.

[^14]*See* Rule 613 Adopting Release, at 45723-36.

[^15]*Id.* at 45723.

[^16]*Id.*

[^17]*See* CAT NMS Plan Approval Order, at 84698.

On November 15, 2016, the Commission approved the CAT NMS Plan, and, among other things, concluded that the CAT would improve the completeness, accuracy, accessibility, and timeliness of the data available to regulators, and that these improvements would significantly improve regulatory efforts by the SROs and the Commission, including market surveillance, market reconstructions, enforcement investigations, and examinations of market participants, thereby strengthening the integrity and efficiency of the markets. [^18]

[^18]*See id.* at 84727, 84800.

At the inception of CAT, customer information was considered important to enable regulators to more quickly and reliably identify the customers associated with potentially unlawful trading activity and to facilitate the reconstruction of important market events. [^19] At the same time, the Commission has sought to balance these benefits against the risks associated with collecting and storing personally identifiable investor information. From the start, for example, personal customer information in CAT has been stored separately from transaction data. The transaction database contains only anonymized order and event data, including anonymized customer identifiers. The CAT NMS Plan contains a number of provisions designed to mitigate the risks of a security breach of personally identifying information (“PII”) data. [^20]

[^19]*See* Rule 613 Adopting Release, at 45731, 45772.

[^20]*See, e.g.,* Section 6.5(f) of the CAT NMS Plan (requirements relating to, among other things, CAT data security, access, and logging).

In 2020, in light of concerns raised by market participants, industry representatives and the Participants, the Commission granted exemptive relief that limited the personal customer information that must be reported to CAT to name, address, and birth year  (“CCID Exemption Order”). [^21] The CCID Exemption Order also permitted the Participants to implement the CCID alternative or CCID process. Under the CCID alternative, the Plan Processor generates a unique CAT Customer-ID, or CCID, using a two-phase transformation process that avoids having individual social security numbers or tax-payer identification numbers (“SSNs/ITINs”) reported to or stored in the CAT. In the first transformation phase, a CAT Reporter transforms the SSN/ITIN into an interim transformed value. This transformed value, and not the SSN/ITIN, is submitted to a separate system within the CAT (“CCID Subsystem”). The transformed value is sent to the CAT separate and apart from the other customer and account information. [^22] The CCID Subsystem then performs a second transformation to create the globally unique CCID for each Customer that is unknown to, and not shared with, the original CAT Reporter. The CCID is then sent to the customer and account information system (“CAIS”) of the CAT, where it is linked with the other customer and account information. The CCID may then be used by the Participants' regulatory staff and Commission staff in queries and analysis of CAT data.

[^21]*See* Securities Exchange Act Release No. 88393 (Mar. 17, 2020), 85 FR 16152, 16156 (Mar. 20, 2020), *https://www.govinfo.gov/content/pkg/FR-2020-03-20/pdf/2020-05935.pdf* (“CCID Exemption Order”).

[^22]*See* CCID Exemption Order, at 16153.

In February 2025, the Commission provided an exemption from the requirement to report other personal customer information not covered by the CCID Exemption Order (collectively, “Name, Address, and YOB”) for natural persons with social security numbers or tax-payer identification numbers (the “CAIS Exemption Order”). [^23] The CAIS Exemption Order did not extend this relief to the reporting of customer information to foreign natural persons and legal entities. The Commission explained that it weighed the benefits of maintaining certain PII in the CAT differently in light of both the heightened security risks posed by the increased sophistication of bad actors and the prospect of relatively efficient indirect access to customer information. [^24] The Commission concluded that the regulatory benefit of collecting the names, addresses and years of birth for natural persons reported with transformed SSNs no longer justified the associated risks. [^25] The Commission emphasized, however, that the system of generating reliable CCIDs—the anonymized, unique customer identifiers contained in the CAT that are linked to each order event captured in the transaction database—would not be impacted. [^26] Thus, if a regulator needs to determine the identity of the individual behind a particular CCID, the regulator would be able to use one or more of the Firm Designated IDs (“FDIDs”) associated with the CCID and contact the broker-dealer(s) who reported the FDID(s) and request the name, address and/or year of birth for the individual Customer. [^27]

[^23]*See* Securities Exchange Act Release No. 102386 (Feb. 10, 2025), 90 FR 9642, 9643 (Feb. 14, 2025), *https://www.sec.gov/files/rules/sro/nms/2025/34-102386.pdf* (“CAIS Exemption Order”).

[^24]*Id.* at 9644.

[^25]*Id.* at 9644-45.

[^26]*Id.* at 9645.

[^27]*Id.*

The Participants now propose to amend the CAT NMS Plan to: (i) incorporate and codify the CCID Exemption Order; (ii) incorporate and codify the CAIS Exemption Order; (iii) expand upon the CAIS Exemption Order's relief by eliminating the reporting requirements relating to Names, Addresses, and YOBs for all customers, including foreign natural persons and legal entities; (iv) make other modifications related to the elimination of personally identifying information from the CAT; and (v) and require CAT LLC to direct the Plan Processor to delete from CAIS previously reported customer data currently stored in the CAT. These amendments would have the effect of eliminating all CAT NMS Plan requirements to report Names, Addresses, YOBs, SSNs/ITINs, and EINs to the CAT and to remove such previously reported customer information stored in the CAT, as well as codify the Participants' current method of generating anonymized customer identifiers without requiring the receipt or storage of individual SSNs/ITINs in the CAT.

**III. Discussion and Commission Findings**

Section 11A of the Exchange Act authorizes the Commission, by rule or order, to authorize or require the self-regulatory organizations to act jointly with respect to matters as to which they share authority under the Exchange Act in planning, developing, operating, or regulating a facility of the national market system. [^28] Rule 608(a) of Regulation NMS states that any two or more self-regulatory organizations, acting jointly, may file a national market system plan or may propose an amendment to an effective national market system plan by submitting the text of the plan or amendment to the Commission by email, together with a statement of the purpose of such plan or amendment and, to the extent applicable, the documents and information required by paragraphs (a)(4) and (5) of Rule 608. [^29] Under Rule 608(b)(2) of Regulation NMS, the Commission shall approve a national market system plan or proposed amendment to an effective national market system plan, with such changes or subject to such conditions as the Commission may deem necessary or appropriate, if it finds that such plan or amendment is necessary or appropriate in the public interest, for the protection of investors and the maintenance of fair and orderly markets, to remove impediments to, and perfect the mechanisms of, a national market system, or otherwise in furtherance of the purposes of the Exchange Act. [^30] The Commission shall disapprove a national market system plan or proposed amendment if it does not make such a finding. [^31]

[^28]*See* 15 U.S.C. 78k-1(a)(3)(B).

[^29] 17 CFR 242.608(a).

[^30] 17 CFR 242.608(b)(2).

[^31]*See id.* Approval or disapproval of a national market system plan, or an amendment to an effective national market system plan (other than an amendment initiated by the Commission), shall be by order. *Id.* In addition, Rule 700(b)(3)(ii) of the Commission's Rules of Practice states that “[t]he burden to demonstrate that a NMS plan filing is consistent with the Exchange Act and the rules and regulations issued thereunder that are applicable to NMS plans is on the plan participants that filed the NMS plan filing.” 17 CFR 201.700(b)(3)(ii). “Any failure of the plan participants that filed the NMS plan filing to provide such detail and specificity may result in the Commission not having a sufficient basis to make an affirmative finding that a NMS plan filing is consistent with the Exchange Act and the rules and regulations issued thereunder that are applicable to NMS plans.” *Id.*

For the reasons described below, the Commission finds that the Proposed Amendment, as modified by Amendment Nos. 1 and 2, and by the Commission as described below in Part III.C, meets the required standard. [^32]

[^32] 17 CFR 242.608(b)(2).

**A. Codification of the CCID Exemption Order and CCID Alternative**

The Proposed Amendment codifies the CCID Exemption Order, which, as described above, allows the Participants to implement a two-phase CCID creation process and also provided exemptive relief from CAT NMS Plan requirements related to the reporting of SSNs/ITINs, dates of birth, and account numbers to the CAT. [^33] Under the CCID creation  process, unique CCIDs are created using a two-phase transformation process that avoids having SSNs/ITINs reported to or stored in the CAT.

[^33] Among other changes to the CAT NMS Plan discussed below in Part III.B, the Participants propose to revise Section 9.3 of Appendix D to incorporate the existing process under the CCID Exemption Order by which the Plan Processor  determines a unique CCID for each Customer, a process which is described in further detail above in Part II. *See* Notice, *supra* note 6, at 12848.

To effectuate this change, the Proposed Amendment adds several new defined terms in section 1.1 of the CAT NMS Plan: “CCID Subsystem,” [^34] “Reference Data,” [^35] “Reference Database,” [^36] and Transformed Identifier (“TID”). [^37] “CCID Subsystem” means the subsystem of the Reference Database that exists solely to transform input TID values into CCID values. “Reference Data” shall mean the data elements in Account Reference Data and Customer Reference Data. “Reference Database” means the information system of CAT containing Reference Data. TID means the transformed version of the input used to identify unique Customers, including, but not limited to ITIN or SSN submitted by Industry Members in place of an ITIN or SSN.

[^34]*See* proposed Section 1.1.

[^35]*See* proposed Section 1.1.

[^36]*See* proposed Section 1.1.

[^37]*See* proposed Section 1.1. The Participants originally proposed a defined term “CAIS,” but modified that to “Reference Database,” in Amendment No. 1, as “CAIS” and “customer and account information system” terminology would no longer apply given the limited nature and scope of data that would be collected under the Proposed Amendment, and that the terminology was predicated on concepts relating to the collection of PII that would no longer accurately describe the database. *See* OIP, *supra* note 8, at 26637, 39.

Commenters discussed the CAIS database [^38] (which was later proposed to be renamed as the Reference Database, as discussed above) and the CCID creation process. One commenter suggests it may be possible for the CAIS database to be eliminated entirely and any CAIS processes related to creating the CCIDs to be switched to the Transactions database. [^39] Another commenter states that market participants have raised questions about whether the Commission expects the SROs to retain either or both of the CAIS database and CCID functionality, and asks for “SEC guidance on its future plans for CAIS and potential use of the CCID.” [^40] This commenter states that absent PII, its members have questioned the continuing need for the CAIS database. [^41] This commenter “calls on the Commission to provide further, explicit guidance on its expectations for the future direction of the CAT.” [^42]

[^38] In Amendment No. 1 the Participants modified the Proposed Amendment to rename “CAIS” to the “Reference Database,” but several commenters use the term CAIS and CAIS database both prior and after the publication of Amendment No. 1. For purposes of this Order, references to “CAIS database” apply to the “Reference Database” as defined by the Proposed Amendment.

[^39]*See* Letter from H. Meyerson, Managing Director, Financial Information Forum (“FIF”) to Secretary, Commission, dated Apr. 9, 2025 (“FIF April Letter”), at 4-5. The commenter states that the Participants have stated that the CAT operating budget for 2025 includes approximately $35.5 million in CAIS-related costs and asks for further information to determine the potential for additional cost savings beyond the $12 million in cost savings projected from the Proposed Amendment. *Id.* This commenter also expresses support for consideration of a Petition for Rulemaking and Exemptive Relief submitted by certain Participants that would, among other things, retire the CAIS system, but asks for additional detail before they could meaningfully comment on such a proposal. *See* Letter from H. Meyerson, Managing Director, FIF, to Secretary, Commission, dated July 14, 2025 (“FIF July Letter”), at 12.

[^40]*See* Letter from J. Corcoran, Managing Director and Associate General Counsel, and G. O'Hara, Vice President and Assistant General Counsel, SIFMA, to Vanessa Countryman, Secretary, Commission, dated May 30, 2025 (“SIFMA Letter”), at 2-4. The commenter states that the Commission indicated in the CAIS Exemption Order that CCID functionality should be retained, but it did not explicitly tell the SROs to do so. *Id.* at 4.

[^41]*Id.* at 3-4.

[^42]*Id.* at 4.

One commenter, representing a group of Participants, states that CCIDs are needed for the Participants to comply effectively with their SRO obligations, and that transitioning to a CAT without CCIDs would bring further increased costs to both the SROs and the industry to allow for changes to the CAT system and to meet new reporting requirements. [^43] The commenter states that the removal of CCIDs would increase costs, because without CCIDs, the burden and costs of responding to blue sheet requests would increase for broker-dealers, as well as increase burdens and costs to SROs. [^44] However, this commenter states that CAIS could be eliminated in its entirety, but only if some form of CAIS persists until an alternative effective and cost-efficient solution for CCIDs—or another unique customer identifier methodology—is implemented. [^45]

[^43]*See* Letter from Jaime Klima, General Counsel, NYSE, to Vanessa Countryman, Secretary, Commission, dated July 22, 2025 (“NYSE Letter”), at 2.

[^44]*Id.* at 2-3; *see also* FIF July Letter, at 6 (stating that electronic blue sheets does not include FDIDs or CCIDs and therefore it cannot be used to link CAT transactional data with customer information)

[^45]*Id.* at 2.

The Participants state that under the Proposed Amendment, as currently designed, the Reference Database would be maintained to facilitate the mapping of unique CCIDs to FDIDs and would preserve the CCID enrichment of transaction data. [^46] The Participants state that this functionality allows regulators the ability to identify a customer's market activity across multiple exchanges, broker-dealers, and accounts, which was one of the critical innovations of the CAT. [^47] The Participants state that this approach was informed by significant discussion and was strongly supported by industry. [^48] However, the Participants state that there may be additional proposals to eliminate the Reference Database entirely, which will require further analysis, but that they hope that the Proposed Amendment could be considered and approved expeditiously as they continue to evaluate additional cost savings measures and alternatives. [^49]

[^46]*See* CAT LLC May Response Letter, at 17-18. The Participants also represent that regulatory users would still be able to query transaction data by CCID, and the Proposal would not impact reciprocal functionality allowing regulatory users with access to SSNs and/or EINs to input those values into the query tool to identify associated CCIDs. *See id.* at 7 n.19.

[^47]*Id.* at 17-18.

[^48]*Id.* at 18.

[^49]*Id.* at 18.

One commenter raises potential security and privacy concerns with the retention of TID values, which the commenter understands is retained by the Plan Processor. [^50] The commenter states that it believes a TID for a U.S. natural person could be reverse engineered to obtain the underlying SSN used to generate a TID, and asks for clarification as to whether TID values are retained by the Plan Processor and if so, requests that they be removed after the generation of an associated CCID. [^51] The commenter continues to state that its members are concerned that the “cybersecurity threat landscape has significantly changed since 2020, when the CCID alternative was devised and the process of creating CCIDs was put in place.” [^52] The commenter states that maintaining TIDs means that the Proposed Amendment does not fully achieve the objective of removing PII from CAT, since TIDs are vulnerable to a “rainbow table attack.” [^53] The commenter specifically states that the Commission should still approve the rule filing, but states that CAT LLC could modify the CAT system in a manner that would not require the retention of TIDs in their current form, as a future enhancement to CAT to  protect personally identifiable information. [^54]

[^50]*See* FIF July Letter, at 9-10.

[^51]*Id.*

[^52]*See* Letter from Howard Meyerson, Managing Director, FIF, to Secretary, Commission, dated Aug. 21, 2025 (“FIF August Letter”), at 7.

[^53]*See also* FIF July Letter, at 9 (stating that because there are a finite number of SSNs (equal to one billion), any TID for a U.S. natural person could be reverse engineered to the underlying SSN through applying the SHA-256 hash to each of the one billion potential SSNs).

[^54] FIF August Letter, at 8.

In response, the Participants state that if TIDs were not retained, the CCID could not be used for its intended purpose of conducting cross-market, cross-broker, and cross-account surveillance of a single customer's trading activity, nor could it even be used for surveillance of the same broker or same account. [^55] The Participants state that without TIDs, there would be no mapping of TIDs to CCIDs; if there is no mapping of TIDs to CCIDs, there would be no way to ascertain if a reported TID already has a designated CCID, so every reported TID would be assigned a new CCID, even if the TID had previously been reported by the same broker-dealer and associated with the same FDID. [^56] The Participants note that the process for creating CCIDs has been in place since 2020 and the concern raised by the commenter was taken into account when the CCID alternative was ultimately proposed, and states that TIDs are reported and stored in an isolated, secure database called the CCID Subsystem, separate from other information reported to CAIS and with very limited access by Plan Processor staff. [^57]

[^55]*See* Letter from Robert Walley, CAT NMS Plan Operating Committee Chair, to Vanessa Countryman, Secretary, Commission, dated Sept. 16, 2025 (the “CAT LLC September Response Letter”), at 8 n.30.

[^56]*Id.*

[^57]*Id.*

Another commenter stated that its members have raised concerns about whether CCID could be viewed as another form of PII due to the current operation of the CAT system. [^58] Specifically, the commenter states that once a regulator establishes a link between an investor and a CCID, it is able to know and track that investor's trading activity in CAT theoretically in perpetuity—even in the absence of any evidence of wrongdoing. [^59] In addition, because CAT captures all of an investor's trading activity in equities and listed options, once a regulator knows the identity of an investor behind a CCID, the regulator has the ability see all of that investor's trading activity across markets and brokers even if this activity falls outside of the scope of the regulator's purpose for requesting the investor's identity. [^60] Another commenter, who recommends disapproval of the Proposed Amendment, states that they are suspicious about CCID and how it may be misused, asking if CCID, non-public data and PII report logs offer valuable insights to help exchanges target and attract order flow. [^61] A different commenter, representing a group of Participants, states that “CCIDs contain no personally identifiable information and therefore pose no cybersecurity or privacy risk.” [^62]

[^58]*See* SIFMA Letter, at 5.

[^59]*Id.*

[^60]*See* SIFMA Letter, at 5.

[^61]*See* Letter from Kelvin To, Founder and President, Data Boiler Technologies, LLC, to Vanessa Countryman, Secretary, Commission, dated Dec. 26, 2025, at 4 (“Data Boiler Letter”).

[^62]*See* NYSE Letter, at 2.

It is appropriate for the Proposed Amendment to incorporate the relief granted in the CCID Exemption Order into the CAT NMS Plan, which, among other things, codifies the current CCID creation process into the CAT NMS Plan. As described above in Part II, the CCID process (or CCID alternative) allows the Participants to generate a unique CCID using a two-phase transformation process that avoids having SSNs/ITINs reported to or stored in the CAT. This process was the product of coordination between the Participants and security experts from member firms of SIFMA, [^63] and has been implemented successfully by the Participants since the Commission issued the CCID Exemption Order.

[^63]*See* CCID Exemption Order, at 16152.

The Commission agrees that the CCID process should be maintained and codified in the Plan. The proposed modifications to the CAT NMS Plan, including the proposed new definitions to be added to the CAT NMS Plan, are reasonably designed to codify this existing process. The ability to link information about order events throughout the national market system to a unique customer identifier is one of the core regulatory advances of the CAT over the fragmented regulatory data sources that preceded it. [^64] The CCID process makes that possible, allowing for the tracking of a specific order of a Customer throughout its entire lifecycle without the reporting or storage of social security numbers in the CAT. In doing so, the CCID process greatly facilitates the regulatory and surveillance efforts of the Participants and the Commission by, among other things, enabling regulators to detect potentially unlawful trading activity and to identify those responsible for or victims of it. [^65] Codification of the CCID process, combined with the further elimination of PII reporting as described in Part III.B. below, preserves the regulatory benefits of the CAT while addressing the privacy, security, and other risks associated with capturing and storing personal customer information in the CAT.

[^64]*See* CCID Exemption Order, at 16156 n.78. *See also* CAT LLC September Response Letter, at 3-4 (stating that the Plan Processor would continue to create a unique CCID and provide CCID enrichment of transaction data in the same way that it does today under the Proposed Amendment, allowing regulators to conduct cross-market, cross-broker, and cross-account surveillance—and preserving the core regulatory goals of SEC Rule 613).

[^65]*See* CCID Exemption Order, at 16156 & n.78.

In addition, the CAT NMS Plan imposes numerous requirements related to data security, access, and logging, that are reasonably designed to prevent a regulator from using CCIDs for non-regulatory purposes. [^66] The Commission continues to believe that the CCID process provides CAT the ability to provide customer attribution of order and trade activity even if such trading activity spans multiple broker-dealers, and without this ability, the value and usefulness of the CAT would be significantly diminished. [^67]

[^66]*See, e.g.,* Section 6.5(f) of the CAT NMS Plan.

[^67]*See* CCID Exemption Order, at 16156 n.78.

The Commission also agrees with the Participants' approach with respect to the TID and maintenance of TID information in an isolated, secure database within the CCID Subsystem. [^68] As explained by the Participants, without retaining TIDs the CCID process could not work, because without the ability to map TIDs to CCIDs there would be no way to ascertain if a reported TID has already been assigned a CCID, meaning that each TID would be assigned a new CCID. [^69] This would make CCIDs substantially less useful for regulators, as certain customers could have multiple CCIDs and cross-market, cross-broker, and cross-account surveillance of a single customer's trading activity would be impractical. As noted by the Participants, TID information is subject to substantial protection, as it is reported and stored in an isolated, secure database, the CCID Subsystem, separate from any other information reported to CAIS, and only a very limited, defined, and pre-approved set of Plan Processor staff may be assigned temporary access to this database strictly for operational issues. [^70]

[^68]*See* CAT LLC September Response Letter, at 8 n.30.

[^69]*Id.*

[^70]*Id.*

With respect to questions about the future of the Reference Database (formerly the CAIS system), CCID functionality, and the CAT more generally, [^71] approval of the Proposed Amendment today will codify the CCID alternative into the CAT NMS Plan. The Proposed Amendment does not propose  to move the process of creating CCIDs to the Transactions database and to eliminate the CAIS system, as one commenter suggested, and the Commission declines to decide that issue in this Order. The Commission is engaged in a comprehensive review of the CAT, [^72] and as part of this process the Commission expects to engage with the Participants, Industry Members, and the public more broadly on issues relating to the future of CAT, the CCID creation process, functionality and security, and the Reference Database, among other things.

[^71]*See, supra,* notes 39-42, and accompanying text.

[^72]*See* Securities Exchange Act Release No. 104144 (Sept. 30, 2025), 90 FR 47853, 47854 (Oct. 2, 2025) (stating that “the Chairman of the Commission instructed the staff to undertake a comprehensive review of the CAT” and citing Prepared Remarks Before SEC Speaks, Chairman Paul S. Atkins, May 19, 2025, *available at**https://www.sec.gov/newsroom/speeches-statements/atkins-prepared-remarks-sec-speaks-051925* ). *See also* SIFMA Letter, at 2 (stating that the commenter “wholeheartedly” supports the announced comprehensive review of the CAT and is submitting a separate letter with several high-level recommendations).

**Large Trader and Legal Entity Identifiers**

One commenter states that the Proposed Amendment also should eliminate reporting requirements for a large trader field on FDID records, stating that it is unnecessary because the Commission can track activity based on CCID, and should also eliminate the existing requirement to report legal entity identifiers (“LEIs”) for legal entities. [^73] One commenter, representing a group of Participants, states that there would be no impact to regulatory functionality for that group of Participants if legal entity identifiers were removed from CAIS. [^74] The Participants state that while legal entity *names* are eliminated from the CAT pursuant to the Proposed Amendment (discussed below in Part III.B), FDIDs would be associated with valid LEIs and, if applicable, large trader identifiers, allowing regulators to use this information to identify the name of a legal entity associated with a particular FDID. [^75]

[^73]*See* FIF April Letter, at 3; FIF July Letter, at 12.

[^74]*See* NYSE Letter, at 2.

[^75]*See* CAT LLC May Response Letter, at 10. The Participants also, in the context of removing the reporting of EINs, discussed in Part III.B. below, provide statistics on the number of customers with LEIs and EINs. *See* CAT LLC September Response Letter, at 6. The Participants state that there are approximately 4,243,672 U.S. legal entity Customers and 143,793 foreign legal entity Customers in CAIS. *Id.* Of the U.S. legal entity Customers, 37,627 have both LEIs and EINs; none have only an LEI; and 4,206,045 have only EINs. *Id.* With respect to foreign legal entity Customers, 2,391 have both an LEI and EIN, 33,730 have only an LEI, 169 have only an EIN, and 107,503 have neither an LEI nor EIN. *Id.* The Participants state that all such customers have a CCID in CAIS and it is anticipated that regulators will be able to continue to perform cross-market, cross broker, and cross-account surveillance of both U.S. and foreign legal entities as they will for natural persons. *Id.*

While there may be further cost savings that could be achieved with the elimination of large trader and LEI reporting, the Proposed Amendment does not propose to eliminate the reporting requirements associated with large trader and LEI, and the Commission declines to decide that issue in this Order. The Proposed Amendment retains such reporting requirements, which is reasonable, as large trader and LEI reporting could allow regulators to more easily identify legal entities in CAT in the absence of a legal entity name, especially in the context of legal entities with multiple sub-accounts and sub-entities.

In addition, a commenter suggests that the Commission should provide exemptive relief from large trader requirements, or otherwise evaluate large trader reporting requirements generally in light of the existence of CAT and CAIS, which should allow regulators to determine the activity level of any CCID across accounts at the same broker-dealer and across accounts at different broker dealers. [^76] The commenter specifically requests exemptive relief from requirements relating to unidentified large traders, arguing that since CAIS is in operation, the current requirements relating to unidentified large traders are redundant and should be retired. The request for exemptive relief related to large traders is beyond the scope of the Proposed Amendment and outside the purview of the Participants, but the Commission welcomes further discussion and comment on the potential elimination of large trader requirements made possible by CAT.

[^76]*See* FIF August Letter, at 4-6.

**Request-Response System and Retirement of EBS**

Two commenters call for the retirement of electronic blue sheets (“EBS”), and replacement of the system with a request-response system using CCIDs and FDIDs. [^77] Both commenters provide some details on how such a request-response system might work, involving the submission of FDIDs by regulators through an automated system to request data fields that are no longer going to be reported to CAIS or the CAT. [^78] One of these commenters describes deficiencies of EBS, including the fact that EBS contains large amounts of PII, including plaintext SSNs, and shortcomings with respect to transaction and customer and account data, necessitating “a proactive and expedited focus on retiring EBS as soon as possible.” [^79]

[^77]*See* SIFMA Letter, at 14 (calling the retirement of EBS “one of the promises of the CAT”); FIF April Letter, at 5-8 (stating, among other things, that the Commission as “previously committed” to retiring EBS); FIF July Letter, at 10; FIF August Letter, at 6. In addition, one commenter, a Participant, quotes a FINRA CEO blogpost stating that “over the years there have been concerns about the efficiency and design of Blue Sheets, and consideration could be given to creating a new request and response utility operated in conjunction with CAT to facilitate and streamline the information collection process for both regulators and the impacted broker-dealers.” *See* Letter from Marcia E. Asquith, Corporate Secretary, EVP, Board and External Relations, to Vanessa Countryman, Secretary, Commission, dated July 25, 2025 (the “FINRA Letter”), at 3 n.9.

[^78]*See* SIFMA Letter, at 3 n.11; FIF April Letter, at 6-7.

[^79]*See* FIF July Letter, at 4-6.

CAT LLC states that whether or not a request-response system is appropriate or desirable is outside the scope of the Proposed Amendment and outside the purview of CAT LLC. [^80] The comment letters raise several thoughtful potential modifications to the CAT Plan and other regulatory reporting obligations. [^81] With respect to the creation of a request-response system, Commission agrees that it is beyond the scope of the Proposed Amendment. However, such a system could decrease regulators' reliance on EBS, which could facilitate the eventual elimination of EBS and could reduce the cost and burdens to Industry Members and increase efficiencies. Accordingly, as stated in the CAIS Exemption Order, [^82] the Commission continues to urge the Participants to work with industry members to establish such a request-response system by taking advantage of the systems industry members have already established to format and submit customer information consistent with CAT specifications. [^83]

[^80]*See* CAT LLC May Response Letter, at 12; CAT LLC September Response Letter, at 16.

[^81] One commenter asks the Commission to remove PII from other reporting systems that include PII, such as the Large Options Positions Reporting System. *See* FIF April Letter, at 8. The Proposed Amendment does not propose changes to other reporting systems and such changes are beyond the scope of the Proposed Amendment.

[^82]*See* CAIS Exemption Order, at 9645 n.52.

[^83] An efficient electronic means of requesting and providing targeted subsets of customer identifying information from industry members benefits all market participants. In connection with the relief provided by this Order, the Commission urges the Participants to work with industry members to establish these means by taking advantage of the systems industry members have already established to format and submit customer information consistent with CAT specifications.

**B. Permanent Elimination of the Reporting of Names, Addresses, and YOBs**

The Proposed Amendment codifies and expands upon the CAIS Exemption Order, which provides exemptive relief from the reporting of Name, Address, and YOB for certain natural person Customers to the CAT. [^84] Specifically, pursuant to the Proposed Amendment, the exemptive relief in the CAIS Exemption Order would be expanded to apply to all Customers, including foreign nationals and legal entities, and not be limited to natural persons with transformed SSNs or ITINs. Pursuant to the Proposed Amendment, the reporting requirements relating to Name, Address, and YOBs would be eliminated for all natural persons and legal entities, at both the Customer and account level. In addition, the proposed amendment would remove the requirement to report Employer Identification Numbers (“EINs”) as part of legal entities' customer reference data.

[^84] In the Notice, the Participants stated that they understand the CAIS Exemption Order to be “permissive at the discretion of Industry Members (meaning that Industry Members may choose to take advantage of the exemptive relief or choose to continue reporting names, addresses, and years of birth for natural persons reported with transformed SSNs or ITINs to CAIS).” *See* Notice at 12847. References to the CAIS Exemption Order that the Participants propose to incorporate and codify in the CAT NMS Plan refer to the CAIS Exemption Order as understood by the Participants.

The Participants propose the deletion of the definition of the term “PII,” and modification of numerous provisions of the CAT NMS Plan to replace references to “PII” or “Customer Account Information and Customer Identifying Information” to references to “Reference Data,” or otherwise remove the concept of “PII” from relevant portions of the CAT NMS Plan. [^85] The Participants state that while the CAT NMS Plan distinguishes PII from other forms of CAT Data and requires “additional levels of protection for PII,” it would be incongruent to apply these PII-specific requirements to Reference Data given that the particularly sensitive data that these requirements were designed to protect— *e.g.,* Customer name, Customer address, account name, account address, authorized trader names list, account number, day of birth, month of birth, year of birth, and ITIN/SSN—would be eliminated under the Proposed Amendment, and given the security and confidentiality requirements that continue to apply to CAT Data in general. [^86]

[^85]*See* proposed Sections 6.2(a)(v)(C), 6.2(b)(v)(F), 6.4(d)(ii), and 6.10(c)(ii), and Appendix D, Sections 4.1; 4.1.2; 4.1.4; 4.1.6; 6.2, 8.1.1; 8.1.3; 8.2; 8.2.2; 9.1 and 10.1.

[^86]*See* CAT LLC May Response Letter, at 4-5.

The Participants also propose revising certain definitions in the CAT NMS Plan. The definition of “Customer Account Information” would be modified to be “Account Reference Data,” and specifically remove account number and customer type as elements of Customer Account Information. [^87] The definition of “Customer Identifying Information” would be modified to “Customer Reference Data,” and references to name, address, date of birth, ITIN, SSN would be removed for individuals, while name, address, EIN, and “other information of sufficient detail to identify a Customer” would be removed for legal entities. [^88] The revised definition adds, for individuals, TID and customer type, and for legal entities, customer type only. [^89] The Participants state that because an EIN contains the same number of digits as a SSN and must be reported as plain text, there is the risk that an Industry Member could inappropriately report an individual's SSN in the EIN field. [^90] The Participants maintain that eliminating the EIN field would eliminate the possibility of such improper reporting without any effect on the Plan Processor's ability to create a unique CCID, because Industry Members would continue to report the translated TID value (which is based on the EIN) to the CCID Subsystem, and that even if the EIN field is eliminated, regulators would retain the ability to search by EIN for a CCID value. [^91]

[^87]*See* proposed Section 1.1. The provision would also state that for the avoidance of doubt, Industry Members are required to provide a Firm Designated ID in accordance with the CAT NMS Plan. *Id.*

[^88]*Id.*

[^89]*See* proposed Section 1.1. In addition, “CAT Customer-ID” or “CCID” would be defined to have the same meaning as the existing definition “Customer-ID,” which has the same meaning provided in SEC Rule 613(j)(5). *See* proposed Section 1.1.

[^90]*See* CAT LLC May Response Letter, at 6.

[^91]*See id.*

The Participants also propose additional modifications to the definition of “Full Availability and Regulatory Utilization of Transactional Database Functionality,” to add footnotes to make clear that the Proposed Amendment is not meant to change the meaning of defined terms that are being modified by the Proposed Amendment for purposes of the Financial Accountability Milestones (“FAM”). [^92] The Participants state that CAT LLC does not intend to change the meaning of the defined term “in any way,” and the footnotes are designed to “avoid retroactively changing the meaning of a FAM-related defined term.” [^93]

[^92]*See* proposed section 1.1. *See also* Securities Exchange Release No. 88890, 85 FR 31322 (May 22, 2020) (adopting, among other changes, financial accountability provisions called “Financial Accountability Milestones”).

[^93]*See* CAT LLC December Response Letter, at 2-3.

Certain provisions of Appendix D of the CAT NMS Plan would be revised to incorporate the CAIS Exemption Order, CCID Exemption Order, and to remove references to Name, Address, and YOB. [^94] Proposed section 9.1 of Appendix D would require CAT to capture and store Reference Data that at a minimum, includes TIDs and for legal entities, Legal Entity Identifiers (LEIs) if available, and remove references to the eliminated Customer information and the validation process for SSNs and DOBs. [^95] Section 9.2 of Appendix D would be revised to eliminate the requirement to accept data attributes related to an account owner's name, mailing address, or tax identifier, and now state that TIDs must be accepted by the CAT. [^96] In addition, the term “Firm Identifier Number” would be modified to “Firm Designated ID,” which the Participants state more accurately captures the information that this section describes as the “number that the CAT Reporter will supply on all orders generated for the Account.” [^97]

[^94]*See* Notice, *supra* note 6, at 12848.

[^95]*See* proposed section 9.1 of Appendix D.

[^96]*See* proposed section 9.2 of Appendix D.

[^97]*See* OIP, *supra* note 8, at 26639.

In addition, the Participants propose to modify section 4.1.4 of Appendix D of the CAT NMS Plan to state that the Plan Processer must record all access to, and all queries of, data stored in the Reference Database and generate periodic reports of all access to, and all queries of, data stored in the Reference Database. [^98] The Participants explain that this modification is to clarify that the Plan Processor will record all access to, and all queries of, data stored in the Reference Database in a series of logs that can be used to generate periodic reports in the same way that the Plan Processor currently records and tracks access to the broader CAT System. [^99] The Participants state that Reference Data, which shall mean the data elements in the new terms Account Reference Data and Customer Reference Data, would continue to be subject to existing provisions relating to general data security requirements. [^100] In addition, the Participants state that FDID validations will not change as a result of implementing the Proposed Amendment, and the Plan Processor  would continue to perform the same consistency checks that it currently performs today to confirm that all FDIDs reported to the transaction database exist in the Reference Database and were active on the relevant transaction date. [^101]

[^98]*See* proposed section 4.1.4 of Appendix D.

[^99]*See* CAT LLC December Response Letter, at 4.

[^100]*See* CAT LLC May Response Letter, at 4.

[^101]*See* CAT LLC December Response Letter, at 4.

Proposed section 9.1 of Appendix D would state that the Plan Processor “will design and implement a robust data validation process for submitted Firm Designated IDs and must continue to process orders while investigating Firm Designated ID mismatches,” which the Participants state is to confirm that the Proposed Amendment is making no change to current FDID validation procedures. [^102]

[^102]*See* CAT LLC May Response Letter, at 4.

In addition, section 9.4 of Appendix D would be revised to eliminate the requirement that the Plan Processor design and implement procedures and mechanisms to handle minor and material inconsistencies in Customer information. The Participants state that the Plan Processor currently validates whether a TID value is associated with different years of birth, and the query tool currently accounts for minor inconsistencies in how CAT Reporters report data to the CAT; for example, a query including the word “Street” would include results including both “Street” and “St.,” but because the Proposed Amendment would eliminate Customer addresses and years of birth, the proposed change to section 9.4 of Appendix D is appropriate. [^103]

[^103]*See id.* at 9.

The Participants state that the Proposed Amendment would allow CAT LLC to achieve an overall cost savings of between $7 million and $9 million per year as compared to the 2024 actual budget. [^104] The Participants state that these cost savings would not be achieved if Names, Addresses, and YOBs were required to be reported and stored for certain categories of Customers. [^105] Additionally, the Participants state that the Plan Processor has estimated a one-time implementation cost of approximately $4.5 million to $5.5 million. [^106] The Participants acknowledge that there would be Industry Member implementation costs for the Proposed Amendment, and while they understand that Industry Members would need to update their systems in order to stop reporting Customer Names, Addresses, and YOBs to the CAT, they were not in a position to quantify such Industry Member costs. [^107]

[^104]*See* OIP, *supra* note 8, at 26637.

[^105]*See* CAT LLC September Response Letter, at 3.

[^106]*See* OIP, *supra* note 8, at 26642. The Participants state that one-time implementation costs will generally consist of Plan Processor labor costs associated with coding and software development, as well as any related cloud fees associated with the development, testing, and load testing of the proposed changes. *Id.*

[^107]*Id.*

Several commenters support the Proposed Amendment and the elimination of the reporting requirements for Names, Addresses, and YOBs from the CAT. [^108] One of these commenters supports the Proposed Amendment, [^109] highlighting in particular the proposed changes: (1) excluding PII for all natural persons, including foreign natural persons who are not reported with transformed SSNs or ITINs; [^110] (2) permanently eliminating the reporting of PII to CAT; (3) excluding PII for all legal entity customers since PII of natural persons (including names, address and dates of birth) is often included in CAIS records for legal entities; and (4) eliminating requirements relating to the handling of inconsistencies. [^111]

[^108]*See* FIF April Letter; FIF July Letter; FIF August Letter; SIFMA Letter; NYSE Letter; FINRA Letter. Some commenters also acknowledged the direct cost impact of the Proposed Amendment and reduction in CAT operating costs. *See* SIFMA Letter, at 3 (stating that the Participants represent that the Proposed Amendment would achieve “significant annual savings in CAT operating costs); FINRA Letter, at 4 (stating that the Proposed Amendment would “yield material cost savings”).

[^109]*See* FIF April Letter; FIF July Letter; FIF August Letter.

[^110]*See* FIF July Letter, at 10 (stating that the policy objective of removing PII from CAT would not be achieved unless the elimination of reporting PII applied to all types of customers).

[^111]*See* FIF April Letter, at 2.

This commenter explains that the security benefits of removing PII from the CAT outweigh the costs based on several considerations. [^112] Specifically, the commenter states that: (1) data breaches involving PII can result in significant financial losses from legal fines, penalties, and loss of business, as well as damage to an organization's reputation; (2) protecting PII helps organizations comply with relevant global, U.S. Federal and U.S. state data protection laws and regulations such as General Data Protection Regulation (GDPR), the Personal Information Protection and Electronic Documents Act (PIPEDA), and the California Consumer Privacy Act (CCPA), avoiding regulatory consequences and significant fines; (3) Industry Members could be subject to legal costs and resulting damages resulting from PII data breaches; (4) the removal of PII from CAIS demonstrates a commitment to data privacy, which enhances customer trust; (5) data breaches (even where the data is not within an Industry Members' control) can disrupt the Industry Member's operations, potentially requiring costly and time-consuming system overhauls to restore security; the CAT system would also incur disruption and costs resulting from a data breach, and any costs would be passed-through to market participants and, in many cases, to customers; and (6) the alternative to the removal of PII from CAIS is the continued implementation of measures to strengthen PII protection in response to evolving threats; these measures could include additional encryption and other enhanced security measures to proactively identify and mitigate vulnerabilities and prevent future data leaks and associated risks; any costs to implement heightened security controls in response to evolving threats would be passed through to market participants and, in many cases, to customers. [^113]

[^112]*See* FIF July Letter, at 11.

[^113]*Id.*

Another commenter states that it supported the CAIS Exemption Order and similarly support the Proposed Amendment as it furthers the goal of eliminating the collection and storage of individual investors' PII in the CAT. [^114] The commenter explains that it has long-standing privacy and cyber security concerns regarding the CAT, and has opposed the collection and storage of PII data by the CAT since its inception. [^115] The commenter believes that codification of the CCID Exemption and CAIS Exemption would “seem to effectively eliminate the reporting and storage of individual investors' PII within the CAT.” [^116]

[^114]*See* SIFMA Letter, at 2.

[^115]*See id.* at 3.

[^116]*See id.* at 3.

Another commenter, a Plan Participant, states that it approves of the passage of the Proposed Amendment because the systemic and prospective collection of names, addresses, and years of birth for all customers is not necessary for effective oversight of the securities markets. [^117] The commenter states that approval of the Proposed Amendment would “reduce CAT costs without unduly compromising regulatory effectiveness and would further privacy considerations,” adding that regulators have alternative mechanisms available to obtain the identity of market participants on an as-needed basis. [^118] This commenter additionally states that the Proposed Amendment's modifications to relief granted in the CAIS Exemption are important to resolve remaining gaps in  balancing privacy concerns with regulatory effectiveness and costs. [^119] This commenter states that the continued collection of PII for any person or legal entity involves risks and costs that are not outweighed by any regulatory benefit. [^120] The commenter states that it is able to maintain effective oversight in the absence of the collection of this customer information in CAIS as the primary benefits of consolidating market trading data in a standardized manner are provided by the Transaction Database, which would be unaffected by the approval of the Proposed Amendment. [^121]

[^117]*See* FINRA Letter, at 2.

[^118]*Id.* at 1-3.

[^119]*Id.* at 2.

[^120]*Id.* at 4.

[^121]*Id.* at 3.

In contrast to the commenters above, one commenter opposes the Proposed Amendment, stating that it would frustrate the purposes of the CAT and make it harder for the SEC to detect misconduct and identify the perpetrators. [^122] This commenter states that issuance of the CAIS Exemption Order was “a mistake,” and that the Commission should not compound its mistake by approving the Proposed Amendment to further reduce the information in CAT. [^123] This commenter states that CAT is designed to enable the SEC to not only reduce, manage, and better understand market disruptions and crashes but also to identify, deter, and punish illegal manipulations and other trading abuses to better protect investors. [^124] The commenter states that the Proposed Amendment would hinder the SEC's ability to accomplish these goals because the SEC will not be able to quickly spot illegal and manipulative trading and identify the parties responsible for market disruptions, manipulations, and other abuses if the CAT does not collect or retain customer identifying information such as names, addresses, and years of birth. [^125] The commenter states that the Proposed Amendment would make it harder for the SEC to determine the identities of customers, which is one of the fundamental purposes of the CAT. [^126] This commenter states that legitimate privacy concerns can be addressed in ways that do not “needlessly” prevent the SEC from policing the markets and increase the chances of lawbreakers escaping detection. [^127] The commenter also argues that the Proposed Amendment would do little to safeguard customers' personal information, as bad actors could hack personal information from checking accounts, credit card accounts, or brokerage accounts that are placing retail trades. [^128]

[^122]*See* Letter from B. Schiffrin, Director of Securities Policy, Better Markets, Inc., to Vanessa Countryman, Secretary, Commission, dated Apr. 9, 2025 (“Better Markets Letter”), at 1-2.

[^123]*Id.* at 1.

[^124]*Id.* at 2.

[^125]*Id.* at 4.

[^126]*Id.* at 5.

[^127]*Id.* at 5.

[^128]*Id.* at 5-6.

Another commenter “strongly” recommends that the Proposed Amendment be disapproved for different reasons. [^129] This commenter states that the Proposed Amendment would not “achieve its stated ` *cost savings and efficiency.* ' ” [^130] This commenter also states that it is “unjust” for CAT LLC to retain Account Reference Data and Customer Reference Data information because Exchange Act Rule 17a-1 record retention requirements are obligations of the SROs and this is an attempt to “cross-subsidize SROs in fulfillment of obligations that deviate from the CAT project's original purposes.” [^131] This commenter also states that neither the SEC nor the SROs have rights above the U.S. Constitution, referencing the Fourth Amendment and stating that the right to be free of unwarranted search or seizure is recognized by the Supreme Court as protecting a general right to privacy. [^132] The commenter also states that, “[c]aptioned releases of CAT NMS Plan amendment proposals are inconsistent with § 11A of the Exchange Act, the Fourth Amendment of US Constitution, the Department of Justice's latest edition of the Privacy Act of 1974.” [^133]

[^129]*See* Data Boiler Letter.

[^130]*See* Data Boiler Letter, at 5. The commenter continues to state that certain concerns and/or questions relating to CAT costs are unaddressed as of today, including: “Bifurcated Cost Allocation is Inequitable and Proposed Minimum for Industry Members,” “[t]he allocation and minimum are undue burden on Industry Members,” and “[p]roposed CAT Participants allocation versus Our Counter Suggestions,” which are beyond the scope of the Proposed Amendment. *Id.* The Commission notes that the Participants have separately filed a proposed amendment to implement a revised funding model for the CAT and establish a fee schedule for Participant CAT fees in accordance with that proposed amendment. *See* Securities Exchange Act Release No. 103960 (Sept. 12, 2025), 90 FR 44910

[^131]*See* Data Boiler Letter, at 2.

[^132]*See* Data Boiler Letter, at 1. *See also* Data Boiler Letter at 5 (stating that “[n]ational security and privacy ordinance matters are Outside Jurisdiction of the SEC and the SROs to make sole determination”). This commenter also states that “[u]nlike the census,” collection of non-public and PII by CAT for all trade activities without express consent by the investors is an intrusion of one's privacy, and that “Congress confers the authority to the Department of Commerce to conduct census, NOT the SEC.” *Id.* at 2.

[^133]*See* Data Boiler Letter, at 4.

This commenter also raises various issues that are beyond the scope of the Proposed Amendment. This commenter broadly recommends changes to the structure of CAT, stating that they suggest a “more effective and efficient real-time analytics approach,” that refusal to “make a concrete and complete overhaul to the out-of-date technical design of CAT since 2012” means that the “CAT project is and will continue to be a Money Pit,” and that “trade reporting” is “outdated.” [^134] The commenter also objects to various aspects of the regulatory use of CAT, stating that there should be no access to CAT for “market surveillance” purposes prior to “identifying symptoms of irregularity that are substantiated by data at Securities Information Processors/Competing Consolidators and/or analytical procedures at SROs/the SEC,” [^135] and that the defined purposes of accessing CAT should be much narrower than the broadly defined “regulatory purposes.” [^136] The commenter also suggests adopting principle-based rules for security and privacy. [^137] This commenter also makes statements regarding the availability of information of securities holdings of institutional investors in section 13(f) filings, [^138] and the ability to perform a broker search for underlying beneficial shareholders information, [^139] which are  both beyond the scope of the Proposed Amendment and misunderstand the purposes and functionality of the CAT. [^140]

[^134]*See* Data Boiler Letter, at 1, 3. The commenter also states that “CAT has an Outdated Design, is an Outsized Elephant,” and that the “unbearable building and on-going operating costs of CAT Outweigh its Benefits.” *Id.* at 5.

[^135]*See* Data Boiler Letter, at 3.

[^136]*See* Data Boiler Letter, at 3.

[^137]*See* Data Boiler Letter, at 4 (citing Letter from Kelvin To, Founder and President, Data Boiler Technologies, LLC to Vanessa Countryman, Secretary, Commission, dated November 30, 2020, *available at: https://www.sec.gov/comments/s7-10-20/s71020-8068693-225956.pdf* ). In addition, this commenter states that they “envisage a crowd model to reduce unknown unknowns while enhancing security of CAT,” identifying several benefits of this suggested approach. *See* Data Boiler Letter, at 4 (citing Letter from Kelvin To, Founder and President, Data Boiler Technologies, LLC to Vanessa Countryman, Secretary, Commission, dated January 27, 2021, *available at: https://www.sec.gov/comments/4-698/4698-8311309-228460.pdf* ). The commenter also states that the CAT NMS Plan fails to address certain causes for potential information leaks, and that CAT is “vulnerable to internal compromise and external hackers' attacks.” *See* Data Boiler Letter at 3. The Commission believes that this is outside the scope of the Proposed Amendment, but the Proposed Amendment would reduce the amount of information stored in the CAT, including the storage of certain Customer information, and as discussed below, the security benefits of eliminating the requirement to report PII justifies approval of the Proposed Amendment.

[^138]*See* Data Boiler Letter, at 2 (stating that if policy makers want to collect additional investor information beyond Section 13(f) filings, then Section 13(f) requirements should be updated through “proper law-making procedures”).

[^139]*See* Data Boiler Letter, at 2 (stating that if the SEC and SROs want to develop their own similar capabilities instead of paying or partnering with a  private vendor, then an appropriate costs-benefits justification and separate apportioning of Federal funding are required).

[^140] The CAT is designed to provide a comprehensive audit trail for U.S. securities markets, and thus is designed to provide regulators different information than what is contained within section 13(f) filings or underlying beneficial shareholder information.

In addition, one commenter, who generally supports the Proposed Amendment, [^141] expresses concerns about the impact of approval of the Proposed Amendment on costs that would be incurred by Industry Members if there is an increase in ad hoc EBS inquiries. [^142] The commenter states that removal of PII from CAIS “could result in a significant increase in the volume of EBS requests.” Its members still support the Proposed Amendment, but believe that this necessitates a proactive and expedited focus on retiring EBS. [^143] The commenter acknowledges that with the removal of PII from CAIS, the Commission and SROs can no longer access the CAIS system to link transaction data to customer PII. [^144] However, the commenter states that it does not agree with the Participants' representation that, at least in the near term, the current EBS system provides an appropriate mechanism for obtaining identifying information for natural persons and legal entities if the Proposed Amendment were approved. [^145]

[^141]*See* FIF April Letter; FIF July Letter; FIF August Letter.

[^142]*See* FIF July Letter, at 10.

[^143]*See* FIF July Letter, at 4; *see also* FINRA July Letter, at 3 (stating that the solution to this issue is not to disapprove the rule filing, rather, the solution is to retire EBS and implement the commenter's proposed request-response system). *See supra* Part III.A for a discussion on commenters' requests for a request-response system and retirement of EBS.

[^144]*See* FIF July Letter, at 4-5.

[^145]*See id.* at 8 (citing CAT LLC May Response Letter, at 12).

Another commenter, representing a group of Participants, states that since the issuance of the CAIS Exemption, the exchanges have reverted to using blue sheet requests to broker-dealers to obtain customer data for regulatory purposes. [^146] This commenter states that as part of these requests, the exchanges use CCIDs to identify the correct broker-dealers and provide broker-dealers with corresponding firm account identifiers to more efficiently produce customer data to the exchanges, and without CCIDs, the burden and costs of responding to blue sheet requests would increase for broker-dealers, as would the burdens and costs for SROs. [^147] One commenter, a Participant, states that FINRA and other regulators use alternative mechanisms to obtain information regarding the identity of market participants on an as-needed basis, quoting a FINRA CEO blogpost stating that EBS and other existing systems work adequately. [^148] This commenter states that, as a Participant, FINRA would neither realize direct cost savings from the implementation of the CAIS Amendment nor incur additional expenses related to fulfilling ad hoc regulatory data requests related to customer information. [^149] As noted by the commenter above, CAT LLC states that, at least in the near term, the current EBS system provides an appropriate mechanism for obtaining identifying information for natural persons and legal entities if the Proposed Amendment were approved. [^150]

[^146]*See* NYSE Letter, at 3.

[^147]*See id.* at 3.

[^148]*See* FINRA Letter, at 3.

[^149]*See id.* at 4 n.10.

[^150]*See* CAT LLC May Response Letter, at 12.

In response to a commenter that objects to the Proposed Amendment, [^151] the Participants state that the Proposed Amendment would not prevent regulators from determining the identity of persons involved in potential violations of the securities laws. [^152] According to the Participants, the continued existence of the requirement of maintaining FDIDs and CCIDs within CAT will allow regulators to use the FDID and the CCID to identify the associated account, which will then allow them to determine identities by seeking the information from Industry Members as needed. [^153] The Participants acknowledge that the speed with which regulators can access the identity of those involved with a transaction at issue will decrease, but believe that the CAIS Exemption Order already acknowledges this delay and concludes that it would be reasonable for regulators to rely on obtaining such information from Industry Members rather than the CAT. [^154] The Participants further state that, based on their experience, the difference in the amount of time it takes to access the name of a customer in CAT versus the time to request and obtain a name from Industry Members would only rarely be an issue and would not materially impede examinations and investigations. [^155] Because of this, the Participants state that it is difficult to justify the “substantial costs” related to the collection and storage of Names, Address, and YOBs for all Customers, as well as security concerns, for the convenience of regulators having direct access to such personal information in the CAT for limited regulatory circumstances. [^156]

[^151]*See* Better Markets Letter.

[^152]*See* CAT LLC May Response Letter, at 11. *See also**id.* at 10 (stating that the Proposed Amendment would not impact the ability of regulators to perform cross-market surveillance via the unique CCID or to otherwise use the CAT for its intended regulatory purposes).

[^153]*See id.* at 11.

[^154]*Id.*

[^155]*Id.*

[^156]*Id.*

The Participants state that the Proposed Amendment would have “no impact on the creation or regulatory function of the CCID.” [^157] They state that the Plan Processor would continue to create a CCID for each unique TID the same way as it does today, provide a daily mapping of CCID to FDID to the transaction database by the CAT System to provide CCID enrichment of transaction data. [^158] The Participants state that, “[i]n short, because the Plan Processor would continue to provide CCID enrichment of transaction data, the Proposed Amendment would preserve regulators' ability to perform cross-market, cross-broker, and cross-account surveillance, while achieving approximately $7 million to $9 million in annual cost savings and furthering the Commission's goal of reducing unnecessary Customer information in the CAT.” [^159]

[^157]*See* CAT LLC September Response Letter, at 5.

[^158]*Id.* at 6. *See also* CAT LLC May Response Letter, at 7 (stating that the Proposed Amendment would require the Plan Processor to continue creating a unique CCID in the same way that it does today).

[^159]*See* CAT LLC September Response Letter, at 6.

The Participants state that in their view, the Commission already considered the issue of requesting Customer information directly from Industry Members in the CAIS Exemption Order and concluded that requesting such information from Industry Members would pose less risk than collecting, transmitting, and/or requesting such information via the CAT. [^160] In addition, the Participants state that it is difficult to justify the substantial monetary costs to maintain the collection Names, Addresses and YOBs in the CAT for certain categories of Customers, because it would add operational complexity and prevent CAT LLC from achieving approximately $7 million to $9 million in annual cost savings. [^161] However, the Participants acknowledge that this could lead to some increased costs for Industry  Members who receive blue sheet requests for the data, the Participants state that any associated cost would be significantly outweighed by the cost savings that the Proposed Amendment would allow CAT LLC to achieve each year. [^162]

[^160]*Id.* at 7.

[^161]*Id.* at 3.

[^162]*Id.* at 4 n.14.

For reasons discussed in greater detail below, the proposed modifications to the CAT NMS Plan to eliminate the reporting of Names, Addresses, and YOBs for all customers is reasonable and appropriate. The Commission acknowledges that there are some regulatory benefits that will be lost by ending the collection and storage of customer names, addresses, and birth years in the CAT. However, the Commission no longer believes that the collection and storage of this information is justified in light of heightened security risks and the prospect of relatively efficient indirect access to customer information, which could mitigate at least some of the loss in regulatory efficiency, and that the Proposed Amendments preserve the CAT's ability to advance the key regulatory objectives for which it was intended.

As discussed in greater detail below, the Proposed Amendment codifies and expands upon the relief granted by the CAIS Exemption Order. The CAIS Exemption Order granted exemptive relief from certain sections of the CAT NMS Plan relating to the reporting of Name, Address and YOB from natural persons with transformed CCIDs, but it did not require that such information no longer be reported and did not apply to all Customers. The Proposed Amendment would go further and eliminate the reporting requirements for natural persons with transformed CCIDs and would also eliminate the reporting requirements for all natural persons and entities, instead of just U.S. natural persons. Unlike the relief provided in the CAIS Exemption Order, which was optional so broker-dealers could choose not to take advantage of it and continue reporting the customer information, the Proposed Amendment would result in the CAT system no longer including fields for reporting these data points. [^163]

[^163]*See* Notice, at 12846 n.12 (stating that the Plan Processor would make conforming changes to the CAT Reporting Customer & Account Technical Specifications for Industry Members to eliminate any fields related to the Proposed Amendment).

Importantly, the Proposed Amendment would preserve key elements of the CAT as it currently functions. In particular, it would not impact the creation of CCIDs for most CAT customers, which are identifiers that have proven to be an effective means of uniquely and consistently identifying customers. The Commission stated, in approving the CAT NMS Plan, the importance of the CCID approach, as it “constitutes a significant improvement relative to the Baseline because it would consistently identify the Customer responsible for market activity, obviating the need for regulators to collect and reconcile Customer Identifying Information from multiple broker-dealers.” [^164] This Order generally preserves this benefit of the CCID process, thereby preserving one of the critical innovations of the CAT, the ability to track one Customer's market activity across multiple exchanges.

[^164]*See* CAT NMS Plan Approval Order, at 84827.

The Commission disagrees that the Proposed Amendment would “frustrate the purposes of the CAT,” or unduly hinder the Commission's ability to accomplish the goals of CAT. [^165] The Proposed Amendment preserves key CAT functionality on which the Participants and the Commission rely to understand market disruptions and identify illegal manipulations and other trading abuses, including access to more accurate, complete, and timely order information from across the national market system and the ability to track a specific order of a Customer throughout its entire lifecycle.

[^165]*See* Better Markets Letter.

The Commission acknowledges, however, that removing additional PII from the CAT will negatively impact regulatory efficiency. [^166] Pursuant to the Proposed Amendment, regulators, using the CAT alone, will not be able to determine the identity of the individual behind a CCID or FDID. It will take additional time and effort to identify the individual or entity behind any specific CCID or FDID which will necessitate contacting Industry Members directly to provide regulators with this information. [^167] Also, the Proposed Amendment could result in regulators needing to contact Industry Members for Customer information in situations where previously they may have received sufficient information to conclude their examination or investigative activities with the Customer information in CAIS. In addition, the Proposed Amendment would reduce the number of fields by which regulators could search CAT for Customer information. For example, regulators will not be able to narrow the scope of search results from the CAT based on certain name or address information, which could result in additional inquiries to Industry Members or potentially the cessation or modification of certain regulatory functions due to an impractical amount of time and effort that could be required to obtain information from Industry Members. However, regulators' use of CCIDs, along with FDIDs, will allow regulators to determine which Industry Members to contact for additional information about the persons or entities behind CCIDs.

[^166]*See* CAIS Exemption Order, at 9645.

[^167] In Commission staff's experience, there can be a material difference in the amount of time it takes to access the name of a customer in CAT versus the time to request and obtain a name from Industry Members. However, this additional time generally does not materially impede examinations and investigations. *See also* CAT LLC May Response Letter, at 11 (stating that, “[b]ased on their experience, the Participants believe that the difference in the amount of time it takes to access the name of an investor in CAT versus the time it takes to request and obtain a name from an Industry Member would be relevant in only very limited scenarios and would not materially impede examinations and investigations.”); FINRA Letter at 4 (stating that “FINRA and other regulators are able to use alternative mechanisms to obtain information regarding the identity of market participants on an as-needed basis” and that “elimination of this customer information would not unduly hinder FINRA's ability to oversee market activity”).

The Commission further recognizes that removal of PII from the CAIS system will mean regulators will be unable to immediately link transaction data to customer PII, and will instead have to seek Customer identifying information from broker-dealers, which may result in increased requests through EBS. [^168] As discussed in Part III.A above, the Commission is aware of and encourages discussion about the development of a request-response system as a more efficient and secure replacement for EBS. However, even in the absence of such a system, the security and other benefits of removing customer information from the CAT are sufficient to justify the potential increase in costs associated with an increased number of EBS requests to broker-dealers by regulators.

[^168]*See* FIF July Letter at 3-4, 10. In addition, one commenter, representing a group of Participants, states that since the since the issuance of the CAIS Exemption, the exchanges have reverted to using blue sheet requests to broker-dealers to obtain customer data for regulatory purposes. *See* NYSE Letter, at 3.

The Commission also recognizes that because the Proposed Amendment would eliminate the requirements relating to reporting of Names, Addresses, and YOBs of foreign Customers, there is a risk that the CAT may not reliably generate unique CCIDs for foreign Customers, as a unique foreign Customer may have multiple government issued IDs used across multiple broker-dealers to generate multiple TIDs and thus multiple CCIDs. The potential existence of multiple CCIDs for one Customer may make it  more difficult for regulators to identify the full extent of such persons' trading activities, and the Proposed Amendment proposes to delete the information—Name, Address and YOB—that regulators can currently use to mitigate that problem for their CAT searches. Thus, the deletion of the requirement to report information related to foreign Customers could delay the Commission's efforts to take swift and covert actions to protect U.S. markets. However, the potential risk of foreign Customers having multiple CCIDs may be mitigated by steps taken by the Participants, including instructions to broker-dealers for determining what identifier should be used for foreign customers to generate TIDs, which should reduce the odds of foreign Customers having multiple CCIDs. [^169]

[^169]*See CAT Reporting Customer & Account Technical Specifications for Industry Members* 29 (v. 2.2.0 r4 2025) (“Full CAIS Technical Specifications”), at Section 2.2.5, *available at https://www.catnmsplan.com/sites/default/files/2025-08/08.14.25_Full_CAIS_Technical_Specifications_2.2.0_r4_CLEAN.pdf* ; CAT FAQ Q57 (addressing when there is a CAT Customer with multiple valid Input Identifiers who is associated with a single account at a CAT Reporter firm, which Input Identifier must be used to generate a TID for the Customer), *available at https://catnmsplan.com/faq#Q57* .

Regulators may also be able to take steps in response to this issue. Importantly, the CAT will maintain a “foreign” flag to identify which trades are associated with foreign Customers. Also, broker-dealers are obligated to collect certain information about their customers pursuant to various recordkeeping rules, Know Your Customer Rules, and anti-money laundering rules, and thus key foreign Customer information will be available to regulators upon request. Thus, if a regulator needs to determine the identity of the individual behind a particular CCID, the regulator would be able to use one or more of the FDIDs associated with the CCID and contact the broker-dealer(s) who reported the FDID(s) and request the Name, Address, and YOB for the individual Customer. [^170] A regulator, however, will not be able to use a CCID to determine FDIDs that are associated with other CCIDs that may exist for a particular Customer and thus because some foreign Customers may have multiple CCIDs, regulators may have to contact more broker-dealers to determine whether a foreign Customer has multiple CCIDs. While this workaround is less efficient and more time-consuming than current practice, it does not warrant disapproval of the Proposed Amendment.

[^170]*See* 15 U.S.C. 78q(a), requiring registered broker-dealers to “furnish” records as the SEC prescribes by rule. *See also* 17 CFR 240.17a-25(a), requiring broker-dealers to electronically submit securities information (including customer identifying information) to the SEC “upon request.” If multiple FDIDs are associated with a single CCID, regulators would only need to contact one broker-dealer to request the name and/or address of the individual. Contacting other broker-dealers should result in the same name and/or address.

The security benefits of eliminating the requirement to report PII to the CAT support approval of the Proposed Amendment, as modified herein, despite the loss of some regulatory efficiency. From the CAT's inception, the Commission has sought to continually balance the regulatory benefits of the CAT with the risks associated with a security breach. In the CAT NMS Plan Approval Order, the Commission recognized that “because some of the CAT Data stored in the Central Repository will contain PII such as names, [and] addresses . . . a security breach could raise the possibility of identity theft. . ., ” and it emphasized that the Plan contained provisions designed to mitigate the risks of such a breach. [^171] In issuing the CAIS Exemption Order, the Commission considered the benefits of maintaining some of the PII in the CAT differently in light of both the heightened security risks posed by the increased sophistication of bad actors and the prospect of relatively efficient indirect access to customer information. The Commission also recognized the risks identified by market participants, industry representatives, and members of Congress, and acknowledged the increased sophistication of cybercriminals and bad actors. [^172]

[^171]*See* CAT NMS Plan Approval Order, *supra* note 3, at 84874-75.

[^172]*See* CAIS Exemption Order, at 9644.

As one commenter noted, [^173] in response to evolving threats surrounding PII the Participants could instead implement additional encryption and enhanced security measures to proactively identify and mitigate vulnerabilities and prevent future data leaks and associated risks. However, rather than engage in costly and difficult measures that could substantially add to the costs of CAT as a whole and would still not eliminate the serious risks associated with maintaining large amounts of customer information in the CAT, the Participants' proposed approach to instead remove the data from the CAT is reasonable.

[^173]*See* FIF July Letter, at 11.

The risks of maintaining personal information in the CAT include potential harm to all market participants, including the Participants, Industry Members, and Customers. For Customers, a cybercriminal with knowledge of a person's Name, Address, and YOB may be able to impersonate a customer or broker-dealer to gain access to a Customer's account or attempt to defraud the Customer directly. For Participants and Industry Members, a breach involving PII could result in significant financial harm from legal fines, penalties, and lawsuits, as well as significant reputational harm and loss of consumer confidence and trust. In addition, any legal costs and damages suffered by the Participants or Industry Members due to a security breach could ultimately be borne by Customers. While it is true that wrongdoers could do things beyond the Participants' control, such as hacking personal information from checking accounts, credit card accounts, or brokerage accounts that are placing retail trades, the Proposed Amendment addresses risks that are within the Participants' control—the risks of maintaining personal information in the CAT. [^174] And these risks have only grown since the adoption of the CAT, due to the increased sophistication of cybercriminals and bad actors, as acknowledged by the Commission when it adopted amendments to Regulation S-P. [^175]

[^174]*See* Better Markets Letter, at 5-6.

[^175]*See* Securities Exchange Act Release No. 100155 (May 16, 2024), 89 FR 47688 (June 3, 2024) (citing, Federal Bureau of Investigation, 2022 internet Crime Report (Mar. 27, 2023), at 7-8 (stating that the FBI's internet Crime Complaint Center received 800,944 complaints in 2022 (an increase from 351,937 complaints in 2018). The complaints included 58,859 related to personal data breaches (an increase from 50,642 breaches in 2018)); the Financial Industry Regulatory Authority (“FINRA”), 2022 Report on FINRA's Examination and Risk Monitoring Program: Cybersecurity and Technology Governance (Feb. 2022), (noting increased number and sophistication of cybersecurity attacks and reminding firms of their obligations to oversee, monitor, and supervise cybersecurity programs and controls of third-party vendors); Office of Compliance Inspections and Examinations (now the Division of Examinations) (“EXAMS”), Risk Alert, Cybersecurity: Safeguarding Client Accounts against Credential Compromise (Sept. 15, 2020) (describing increasingly sophisticated methods used by attackers to gain access to customer accounts and firm systems)). This Risk Alert, and any other Commission staff statements represent the views of the staff. They are not a rule, regulation, or statement of the Commission. Furthermore, the Commission has neither approved nor disapproved their content. These staff statements, like all staff statements, have no legal force or effect. They do not alter or amend applicable law; and they create no new or additional obligations for any person.

In light of these risks and the increasing sophistication of cybercriminals and bad actors, it is appropriate to approve the Participants' proposal to eliminate the requirement  that the CAT collect Name, Address, and YOB for all Customers, including foreign Customers and legal entities. The Commission considered the trade-off between the protection of investors' personal information and losses to regulatory efficiency that would result from eliminating this information from the CAT and has concluded that the regulatory benefit of collecting the Name, Address, and YOB for Customers no longer justifies the associated risks. Even if the CAT no longer collects the Name, Address, and YOB (as applicable) for these individuals and legal entities, broker-dealers would still be required to transform SSNs/ITINs/government issued ID numbers into interim values and report those TIDs to the CCID Subsystem for each order, such that the system of generating CCIDs will not be materially impacted.

The Commission finds that the proposed modifications to the CAT NMS Plan are reasonably designed to implement the CAIS Exemption Order and CCID Exemption Order and to remove references to Name, Address, and YOB. This includes modifications to sections 9.1 and 9.2 of Appendix D of the CAT NMS Plan, which would modify the CAT to capture and store the more limited Reference Data in the Proposed Amendment, state that TIDs must be accepted by the CAT, and eliminate reporting requirements inconsistent with reduced reporting of Customer information. The modification of the term “Firm Identifier Number” to “Firm Designated ID” is also reasonable, as this more accurately defines a number that is currently reported by CAT reporters on all orders generated for a particular account.

In addition, proposed changes in the Proposed Amendment designed to maintain current processes are reasonable and should be approved. Specifically, maintaining the process for monitoring and documenting access to the Reference Database and FDID validations processes is appropriate and would help ensure the security of the Reference Database and the accuracy of FDID data. [^176] The Participants state that following the implementation of the Proposed Amendment, the Plan Processor will record all access to, and all queries of, data stored in the Reference Database in a series of logs that can be used to generate periodic reports in the same way that the Plan Processor currently records and tracks access to the broader CAT System. [^177] In addition, the Participants confirm that FDID validations would not change as a result of implementing the Proposed Amendment, and that the Plan Processor would continue to perform the same consistency checks that it currently performs today to confirm that all FDIDs reported to the transaction database exist in the Reference Database and were active on the relevant transaction date. [^178]

[^176]*See* proposed Sections 4.1.4 and 9.1 of Appendix D of the CAT NMS Plan; CAT December Response Letter, at 4-5.

[^177]*See* CAT December Response Letter, at 4.

[^178]*Id.* at 5.

The proposed modifications to definitions in the CAT NMS Plan are also reasonable. Specifically, it is appropriate to modify the definition of “Customer Account Information” to “Account Reference Data,” and remove account number and customer type as elements of Customer Account Information, because pursuant to the Proposed Amendment these elements would no longer be reportable to the CAT. [^179] Similarly, it is reasonable to modify the definition of “Customer Identifying Information” by changing it to “Customer Reference Data,” and removing references to name, address, date of birth, ITIN, SSN removed for individuals and name, address, and EIN for legal entities. Pursuant to the Proposed Amendment, these fields will no longer be reportable to the CAT. [^180] It is also reasonable to remove a reference to “other information of sufficient detail to identify a Customer” for legal entities from the definition of “Customer Reference Data,” because the Proposed Amendment modifies Customer reporting requirements to be limited to a specific list of categories of Customer information that will still be maintained by the CAT. [^181]

[^179]*See* proposed Section 1.1.

[^180]*See id.*

[^181]*See id.*

The removal of the defined term PII, as well as changes throughout the CAT NMS Plan to replace references to “PII” or “Customer Account Information and Customer Identifying Information” to references to “Reference Data,” or otherwise remove the concept of “PII” from relevant portions of the CAT NMS Plan, is reasonable. [^182] “PII” was a term used in the CAT NMS Plan to distinguish certain Customer data elements as particularly sensitive and warranting additional levels of protection ( *e.g.,* SSNs/ITINs, addresses), but without the reporting of these Customer data elements the definition and PII-specific CAT NMS Plan provisions are no longer necessary. The continued inclusion of the term PII could also imply that the CAT system is collecting personal data about Customers that it will no longer be accepting after the Proposed Amendment.

[^182]*See* proposed Sections 6.2(a)(v)(C), 6.2(b)(v)(F), 6.4(d)(ii), and 6.10(c)(ii), and Appendix D, Sections 4.1; 4.1.2; 4.1.4; 4.1.6; 6.2, 8.1.1; 8.1.3; 8.2; 8.2.2; 9.1 and 10.1.

In addition, the proposed addition of footnotes to the definition of “Full Availability and Regulatory Utilization of Transactional Database Functionality” [^183] is designed to maintain the existing meaning of the defined term and avoid retroactively changing the meaning of a FAM-related term. Specifically, the definition of “Full Availability and Regulatory Utilization of Transactional Database Functionality” references “Customer Identifying Information” and “Customer Account Information,” which terms are being replaced by the terms “Customer Reference Data” and “Account Reference Data.” Because the replacement terms refer to a narrower scope of customer-and-account related information than do the original terms, [^184] the proposed footnotes are important to clarify that those previously defined terms maintain the same meaning as they did when the Financial Accountability Milestones Order was first issued, even though they will no longer appear in the CAT NMS Plan, and that more broadly, the definition added by the Financial Accountability Milestones Order maintains the same meaning as it did before in spite of modifications to other definitions in the CAT NMS Plan approved January 12, 2026.

[^183]*See* proposed Section 1.1 of the CAT NMS Plan; CAT LLC December Response Letter, at 2-3.

[^184]*See* CAT LLC December Response Letter, at 3.

The removal of reporting requirements relating to EINs is likewise reasonable. The Commission agrees with the reasoning of the Participants that requiring the reporting of EINs, in plain text and with the same number of digits as SSNs, increases the risk of improper reporting of SSNs. The Participants state that even in the absence of EIN reporting, the Plan Processor's ability to create a unique CCID would not be affected as Industry Members would continue to report a translated TID value (based on EIN) to the CCID Subsystem. [^185] The Commission notes that the Participants state that even if the EIN field is eliminated, “regulators would retain the ability to search by EIN for a CCID value.” [^186]

[^185]*See* CAT LLC May Letter, at 6.

[^186]*See id.*

The elimination of the requirement that the Plan Processor design and implement procedures and mechanisms to handle minor and material  inconsistencies in Customer information is also appropriate. As noted above, one commenter specifically supports eliminating requirements relating to the handling of inconsistencies and requests that CAT LLC remove all outstanding material inconsistencies. [^187] The Participants explain that elimination of this requirement is consistent with the Proposed Amendment because the Plan Processor currently accounts for minor inconsistencies in how CAT Reporters report data to CAT that would no longer be reported—customer addresses and years of birth. [^188] It is reasonable to remove this provision in light of the customer information that will no longer be reported to the CAT.

[^187]*See* FIF April Letter, at 2.

[^188]*See* CAT May Letter, at 8-9.

**Rule 613 and the CAT NMS Plan**

Although one commenter raises concerns regarding statutory authority and the Fourth Amendment [^189] the Commission is not, in this proceeding, reconsidering or revisiting the decision to establish a consolidated audit trail or to approve the CAT NMS Plan. Rather, the Commission is reviewing an SRO-initiated amendment to the CAT NMS Plan pursuant to Rule 608—an amendment that is intended to mitigate many of the privacy and security concerns highlighted by the commenter. In any event, CAT falls within the Commission's authority under the Exchange Act and does not violate the Fourth Amendment. [^190]

[^189]*See* Data Boiler Letter, at 4.

[^190]*See, e.g.,* SEC's Opposition to Petitioners' Motion for Stay and Injunctive Relief at 11-13, *Am. Secs. Ass'n* v. *SEC,* No. 23-13396 (11th Cir. Sept. 30, 2024); SEC Defendants' Motion to Dismiss and Opposition to Plaintiff's Preliminary-Injunction Motion at 37-47, *Davidson* v. *Gensler,* No. 6:24-cv-00197 (W.D. Tex. July 12, 2024); Securities Exchange Act Release No. 98290 (Sept. 6, 2023), 88 FR 62628, 62672-73 (Sept. 12, 2023), *vacated on other grounds by Am. Secs. Ass'n* v. *SEC,* 147 F.4th 1264 (11th Cir. 2025).

**C. Removal of Previously Reported Customer Data**

The Proposed Amendment would add a new section 9.5 to Appendix D of the CAT NMS Plan, “Deletion from CAIS of Certain Reported Customer Data,” which would require CAT LLC to direct the Plan Processor to delete from CAIS all existing Customer data and information contemplated by the Proposed Amendment, [^191] and state that such Customer data and information would not constitute records that CAT LLC must retain under Exchange Act Rule 17a-1. [^192] Section 9.5 would also state that CAT LLC or the Plan Processor would be permitted to delete any such information that has been improperly reported by an Industry Member to the extent that either becomes aware of such improper reporting through self-reporting or otherwise. This provision would also require CAT LLC to direct the Plan Processor to document all deletions of Customer information from the Reference Database and provide periodic reports of all such deletions to the CAT Operating Committee.

[^191]*See* proposed section 9.5 of Appendix D of the CAT NMS Plan. Specifically proposed section 9.5 of Appendix D would require the following data attributes be deleted or otherwise made inaccessible to regulatory users: Customer name, Customer address, account name, account address, authorized trader names list, account number, day of birth, month of birth, year of birth, and ITIN/SSN. *See id.*

[^192]*Id.* Because the CAT NMS Plan cannot overrule the Exchange Act and because the Commission is granting exemptive relief from these requirements, the Commission is modifying the proposed text of new section 9.5 to delete this reference and issuing the accompanying Exemptive Relief, as discussed below.

Commenters generally support the deletion of previously reported customer data information. [^193] One commenter, a Participant, states that retaining historical information would “not provide sufficient regulatory benefit when balanced against the privacy and security risks,” and states that “this is particularly true since the previously reported data would no longer be actively maintained or validated, and thus, its reliability would diminish over time. [^194] However, as noted above, one commenter objects to the Proposed Amendment generally, stating that, among other things, a purpose of CAT was to allow regulators to identify the parties responsible for each order and that the Proposed Amendment would make it more difficult for the SEC to identify securities law violators. [^195] Another commenter states that the retention of Account Reference Data and Customer Reference Data, combined with the documentation and review of the deletion of Customer information from the Reference Database, would allow for the possibility of reverse-engineering to reconstruct the private information. [^196]

[^193]*See* FIF May Letter, at 2. FINRA Letter, at 1-2, 10; SIFMA Letter.

[^194]*See* FINRA Letter, at 10.

[^195]*See* Better Markets Letter.

[^196]*See* Data Boiler Letter, at 2.

The Participants state that deleting all historical customer information would improve operational efficiency and would be the most straightforward and efficient way to remove sensitive information that is currently held in the customer information database. [^197] The Participants also assert that deleting all historical customer information would have minimal impact on regulatory efficiency, because the Plan Processor would continue to create a unique CCID for each customer and provide daily CCID enrichment of transaction data, allowing regulatory users to conduct cross-market, cross-broker, and cross-account surveillance of a single customer's trading activity. [^198] The Participants state that deleting the information would reduce cloud hosting fees by approximately $2 to $4 million per year and lower Plan Processor operating fees by $5 million, which would outweigh any additional cost associated with the need to obtain Name, Address, and YOB data directly from Industry Members when that information is needed. [^199]

[^197]*See* CAT LLC September Response Letter.

[^198]*See id.* at 5.

[^199]*Id.* 4-5.

The Participants' proposal to eliminate existing Customer data information from CAIS is reasonable and should be approved. Merely eliminating the prospective reporting of customer data and information would leave a significant amount of older Customer data and information in CAIS and thus only partially address the risks of a security breach. Moreover, such information would no longer be subject to updates or corrections and thus become less reliable and useful over time in any event. And, according to the Participants, eliminating the data will result in substantial cost savings. The Commission also believes that the requirement that the Plan Processor document all deletions of Customer information and provide reports to the CAT Operating Committee will help ensure that the Participants are effectively monitoring the Plan Processor's elimination of Customer information and ensure that customer information is deleted in a thoughtful and appropriate manner. The Commission disagrees with the commenter that believes that Customer account information, once deleted, could be “reverse-engineered” through other information maintained by the CAT to “reconstruct the entire [Customer Account Information] and [Customer Identifying Information] privacy information.. [^200] The requirement to document deletions of Customer information does not require the documentation of Customer information itself, and the deleted Customer information will not be accessible to regulators once the Proposed Amendment is fully implemented. [^201]

[^200]*See* Data Boiler Letter, at 2.

[^201]*See* CAT LLC December Response Letter, at 5 (stating that logs required by proposed section 9.5 of Appendix D will include both the time of and reason for each deletion); proposed section 9.5 of  Appendix D (requiring CAT LLC to direct the Plan Processor to develop and implement a mechanism to delete from CAIS, or otherwise make inaccessible to regulatory users, certain Customer information).

In conjunction with proposed section 9.5 of Appendix D of the CAT NMS Plan, the Participants specifically request, “[t]o the extent that the Commission deems it necessary,” exemptive relief from Rule 17a-1 under the Exchange Act with respect to existing Customer data and information in CAIS on a retroactive and prospective basis. [^202] Such relief is necessary in order to effectuate the Proposed Amendment, as Rule 17a-1 would otherwise require the customer data and information in CAIS be preserved by the Participants. [^203] The Commission finds that it is appropriate in the public interest and consistent with the protection of investors under section 36 of the Exchange Act, [^204] as well as consistent with the public interest, the protection of investors, the maintenance of fair and orderly markets and the removal of impediments to, and the perfection of, a national market system under Rule 608(e) under the Exchange Act, [^205] to grant relief that exempts each Participant from the recordkeeping and data retention requirements for Customer data and information in the CAIS that is subject to section 9.5 of Appendix D of the CAT NMS Plan and that otherwise would apply as set forth in Rule 17a-1 under the Exchange Act. This relief applies only to the Participants' obligation to keep and preserve the customer information and records in CAIS. It does not apply to any customer information or records that the Participants are required to keep and preserve outside of CAIS.

[^202]*See* Notice, at 12850.

[^203] Rule 17a-1 requires national securities exchanges and national securities associations, among others, to keep and preserve at least one copy of all documents, including all correspondence, memoranda, papers, books, notices, accounts, and other such records as shall be made or received by it in the course of its business as such and in the conduct of its self-regulatory activity. 17 CFR 240.17a-1.

[^204] 17 CFR 242.608(e).

[^205] 17 CFR 240.17a-1.

However, pursuant to Rule 608(b)(2), [^206] the Commission is modifying proposed section 9.5 of Appendix D of the CAT NMS Plan as described below. In the Proposed Amendment, section 9.5 of Appendix D would state that “[n]otwithstanding any other provision of the CAT NMS Plan, this Appendix D, *or the Exchange Act,* CAT LLC shall direct the Plan Processor to develop and implement a mechanism to delete from CAIS . . .” (emphasis added). [^207] In addition, the provision would state, “[f]or the avoidance of doubt, such data attributes do not constitute records that must be retained by CAT LLC under Exchange Act Rule 17a-1.” [^208] An NMS plan, however, cannot void or otherwise modify the requirements of the Exchange Act. The CAT NMS plan is a contractual agreement among the Participants created pursuant to the Exchange Act and, absent an exemption or other relief, the NMS Plan and the Participants themselves are subject to applicable Exchange Act requirements. In addition, this reference to Exchange Act Rule 17a-1 is unnecessary given the exemptive relief granted above. Thus, the Commission is modifying section 9.5 of the CAT NMS Plan to remove the references to the Exchange Act and Exchange Act Rule 17a-1. The approved section 9.5 of Appendix D of the CAT NMS Plan is shown below:

[^206] 17 CFR 242.608(b)(2).

[^207]*See* Notice of Amendment No. 2, at 56231.

[^208]*Id.*

**9.5 Deletion From CAIS of Certain Reported Customer Data**

Notwithstanding any other provision of the CAT NMS Plan or this Appendix D, CAT LLC shall direct the Plan Processor to develop and implement a mechanism to delete from CAIS, or otherwise make inaccessible to regulatory users, the following data attributes: Customer name, Customer address, account name, account address, authorized trader names list, account number, day of birth, month of birth, year of birth, and ITIN/SSN. CAT LLC or the Plan Processor shall be permitted to delete any such information that has been improperly reported by an Industry Member to the extent that either becomes aware of such improper reporting through self-reporting or otherwise. CAT LLC shall direct the Plan Processor to document all deletions of Customer information from the Reference Database and provide periodic reports of all such deletions to the Operating Committee.

In comparison to proposed section 9.5 of the CAT NMS Plan in the Proposed Amendment, as modified by Amendments No. 1 and 2, the following changes would apply. Deletions are shown through [brackets], and additions are shown with *italics:*

**9.5 Deletion From CAIS of Certain Reported Customer Data**

Notwithstanding any other provision of the CAT NMS Plan[,] *or* this Appendix D[, or the Exchange Act], CAT LLC shall direct the Plan Processor to develop and implement a mechanism to delete from CAIS, or otherwise make inaccessible to regulatory users, the following data attributes: Customer name, Customer address, account name, account address, authorized trader names list, account number, day of birth, month of birth, year of birth, and ITIN/SSN. [For the avoidance of doubt, such data attributes do not constitute records that must be retained by CAT LLC under Exchange Act Rule 17a-1.] CAT LLC or the Plan Processor shall be permitted to delete any such information that has been improperly reported by an Industry Member to the extent that either becomes aware of such improper reporting through self-reporting or otherwise. CAT LLC shall direct the Plan Processor to document all deletions of Customer information from the Reference Database and provide periodic reports of all such deletions to the Operating Committee.

**D. Implementation**

The Participants state that the Proposed Amendment will save between $7 million and $9 million annually after an implementation cost of $4.5 million to $5.5 million. In order to achieve these savings, the Participants state that the Plan Processor would need to eliminate the software that is required to support regulatory queries of Name, Address, and YOB. [^209] As discussed above, regulators have other ways, even if less efficient, to obtain this information from broker-dealers. One commenter recommends a two-phase implementation, with the first phase allowing Industry Members to continue to report fields that contain PII, but the CAIS system would not record or store those fields, and a second phase where all Industry Members would be prohibited from reporting PII. [^210] This commenter states that this implementation approach will give firms that need more time to update their systems the chance to do so, while allowing firms for whom it does not take as long to cease reporting faster. [^211] This commenter also asks that, upon approval of the Proposed Amendment, that CAT LLC remove all error codes and outstanding rejections relating to the fields that will no longer be reportable to the CAIS. [^212]

[^209]*Id.*

[^210]*See* FIF April Letter, at 2.

[^211]*See id.* at 3.

[^212]*See id.* at 7.

The Participants responded to this commenter to provide more detailed information regarding how the Proposed Amendment would be implemented, if approved. [^213] The commenter that recommended a two-phase implementation plan above responded  to the Participants to state that its members support the phased approach proposed by the Participants. [^214]

[^213]*See* CAT LLC May Response Letter, at 16.

[^214]*See* FIF July Letter, at 12.

In their response, the Participants state that any implementation schedule will be designed to allow the Plan Processor and Industry Members adequate time to finalize Technical Specifications and guidance, and to develop, test and implement the necessary changes to firm systems in order to comply with the Proposed Amendment. [^215] The Participants outline a potential phased implementation schedule to include the following key phases, but state that this is subject to change based on discussions among the Participants, the Plan Processor, Industry Members, and Commission staff: [^216]

[^215]*See* CAT LLC May Response Letter, at 16-17.

[^216]*Id.*

• Stop providing visibility to regulators of existing Names, Addresses, and YOBs in CAT—approximately 3 months from effective date;

• Continue to accept submissions from Industry Members that include Names, Addresses, and YOBs, but stop processing any such information in CAT (such Customer information would remain on the as-submitted file)—approximately 3 months;

• Reject any submissions from Industry Members that continue to include Names, Addresses, and YOBs ( *i.e.,* Industry Members would no longer be able to report these fields to CAIS)—approximately 6 months or more depending on the amount of time required for Industry Members to update their reporting systems;

• Delete all existing Names, Addresses, and YOBs (as well as any other sensitive Customer data and information contemplated by the Proposed Amendment) from the CAT—approximately 9-12 months after the data migration is completed and verified; it will take approximately 2-3 months to permanently remove old data.

The Commission agrees that a phased implementation schedule is appropriate, to help assure that the removal of PII from the CAT is implemented in a careful and efficient manner, with minimal impact on other CAT Data. [^217] The Commission, however, encourages the Plan Processor to extend the approximately three month period for providing regulators with visibility into the existing Names, Addresses, and YOBs in CAT, to provide regulators with sufficient transition time. The Commission also believes that it may be appropriate for the Plan Processor to extend the phased implementation schedule in light of pending amendments [^218] to the CAT NMS Plan that, if approved, could require the Plan Processor to make further changes to CAIS and Industry Members to make changes to their reporting systems.

[^217]*See* FIF July Letter, at 12 (stating that “FIF members support the phased approach proposed by CAT LLC in the amended filing for implementing the removal of PII from CAT.”).

[^218] Securities Exchange Act Release No. 104504 (Dec. 23, 2025); 90 FR 61506 (Dec. 31, 2025).

**IV. Efficiency, Competition, and Capital Formation**

In determining whether to approve an amendment to the CAT NMS Plan and whether that amendment is in the public interest, Rule 613 requires the Commission to consider the impact of that amendment on efficiency, competition, and capital formation. [^219] The Participants stated that the Proposed Amendment will have a positive impact on competition, efficiency, and capital formation. Based on its analysis, the Commission concludes that the Proposed Amendment will result in cost savings that will improve the operational efficiency of the CAT central repository. These savings in operating costs will have a small positive effect on competition, while the changes to CAIS Data will reduce the efficiency of some regulatory workflows. Effects on market efficiency and capital formation, stemming from the impacts of the Proposed Amendment on regulatory and operational efficiencies, will likely be second-order and limited. The Commission recognizes, however, that while the Proposed Amendment, in combination with the CAIS Exemption Order, will reduce the costs to operate the CAT central repository, it will also require regulators to seek alternatives to CAIS for certain regulatory activities, which are less efficient and will increase costs for Industry Members.

[^219] 17 CFR 242.613(a)(5).

**A. Baseline**

In analyzing the impact of the Proposed Amendment on efficiency, competition and capital formation, the Commission considered the current reporting, use, and state of CAIS Data as the baseline. Specifically, the baseline consists of the characteristics [^220] and the actual and potential regulatory usages of CAT Data, in the absence of the Proposed Amendment. The baseline includes the CCID Exemption Order and the CAIS Exemption Order.

[^220] Characteristics include the scope of data fields that are included in CAT Data, as well as how these fields are described in data specifications provided by FINRA CAT and populated by CAT Reporters.

**1. CAIS Exemption Order**

The baseline takes into account the exemptive relief that has been granted since the implementation of the CAT NMS Plan, which has changed the information that is reported to and maintained within CAIS. [^221] The CAT NMS Plan originally required that Industry Members report the following customer information: the Firm Designated ID; the Customer's name, address, date of birth; individual tax payer identifier number (“ITIN”)/social security number (“SSN”); individual's role in the account ( *i.e.,* primary holder, joint holder, guardian, trustee, person with power of attorney); and LEI, and/or Large Trader ID (“LTID”). [^222] Under the CCID Exemption Order, the Commission issued relief that exempted the Participants from collecting or retaining an individual's SSN or ITIN, as well as date of birth and account numbers. The CAIS Exemption Order provided relief from requirements relating to reporting of the names, addresses and years of birth of natural persons reported with transformed SSNs or ITINs to CAIS; this exemptive relief does not extend to foreign nationals or legal entities. Because some Industry Members have stopped reporting and/or updating this information, over time, the data covered by the exemption (mostly the names, addresses, and years of birth of U.S.-based natural persons) are expected to become increasingly unreliable and/or unavailable in CAIS.

[^221]*See supra notes* 21-27 and accompanying text.

[^222]*See* CAT NMS Plan Approval Order, at 84715.

The changes to CAIS data resulting from the CAIS Exemption Order have resulted in, and would have continued to result in, changes to the manner in which regulators perform regulatory duties that require identifying individual customers who might be U.S. natural persons, or linking trading activity to customer data in CAIS when the trading data might be from U.S. natural persons. These changes have reduced regulatory efficiency, [^223] which refers to the efficiency of regulatory activities conducted by SROs and/or the Commission necessary to protect investors, maintain fair, orderly, and efficient markets, and facilitate capital formation. Regulators can currently access CAIS to obtain customer information when such information is needed; in many instances, the CAIS data sought may not be covered by the CAIS Exemption, in which case they would still be available to regulators in the CAT, or it may not have become stale since the exemption went into  effect. But, as a result of the CAIS Exemption, certain tasks that regulators could perform using CAIS data—such as identifying a particular customer who might be a U.S. natural person who is associated with specific transactions—may currently and increasingly would have required regulators to request identifying information associated with a CAT Customer-ID (“CCID”) from Industry Members by using EBS requests or other ad hoc data requests. [^224] The need to make such requests delays regulatory tasks that require such information because regulators must create data requests and communicate them to Industry Members and then regulators must process responses to these requests and combine resulting data with transaction data from CAT or other sources. [^225] The state of CAIS data usage in regulatory activities is discussed further in the baseline sections that follow.

[^223]*See* CAIS Exemption Order, at 9645, where the Commission acknowledged this effect.

[^224] This is discussed further in section IV.A.2, *infra.*

[^225]*See* CAT NMS Plan Approval Order, at 84814 and 84826, discussing the inefficiencies associated with combining data sources. *See also infra* note .

The Participants stated that the CAIS Exemptive Relief would not result in cost savings for the Plan Processor. [^226] However, additional data requests by regulators as a result of the CAIS Exemption Order have increased, and would continue to increase, Industry Member costs, because Industry Members invest staff time and other resources to respond to ad hoc data requests. [^227] In addition, the exemptive relief has resulted in some Industry Members incurring certain implementation costs associated with changes to CAIS data reporting. On the other hand, Industry Members that relied upon the exemption to reduce their CAIS data reporting likely would ultimately incur reduced CAT Data reporting costs because reporting requirements would cover less customer data overall and Industry Members would not have to resolve reporting errors returned by the Plan Processor associated with data they no longer reported.

[^226] “[T]he Plan Processor must maintain all software that is required to continue to accept such Customer information for those Industry Members who choose to continue reporting it, as well as to support regulatory queries of Name, Address, and YOB data for non-exempted persons. Consequently, the CAIS Exemption Order will not result in any cost savings.” Notice, at 12847.

[^227] These increased ad hoc data requests would not just impact Industry Members that relied upon the exemption to reduce their CAIS data reporting because regulators would not be able to determine whether data that had not been updated recently was stale, or whether the data was reliable but recently unchanged. Consequently, regulators would need to make more ad hoc data requests because CAIS data was, in its entirety, less reliable and regulators would often not be able to tell what CAIS data had become unreliable.

Because the CAIS Exemption Order forms part of the baseline with respect to the reporting and use of CAIS data, the economic effects of the CAIS Exemption Order are discussed in greater detail in the following sections of the baseline. The discussion of effects on efficiency, competition, and capital formation below considers the incremental effects of the Proposed Amendment beyond the effects of the CAIS Exemption Order.

**2. Regulatory Use**

**(a) CAIS Data**

CAT Data was intended to improve regulators' ability to perform analysis and reconstruction of market events, [^228] market analysis and research that informs policy decisions, regulatory activities such as market surveillance, examinations and investigations, and enforcement functions in an efficient and effective manner. [^229] Regulators rely on the CAIS data for a subset of these regulatory activities. In the CAT NMS Plan Approval Order, the Commission explained how investors benefit from the CAT-enabled improvements to such regulatory activities. [^230] This baseline discussion considers how the CAT data elements being removed from the CAIS data by the Proposed Amendment are currently used by regulators, and how this usage is anticipated to change absent the Proposed Amendments whose effects are analyzed in a later section.

[^228] In market reconstructions, regulators aim to provide an accurate and factual accounting of what transpired during a market event. These market events often encompass activities in many securities across multiple trading venues. *See* CAT NMS Plan Approval Order, at 84805.

[^229]*See id.* at 84833-84840.

[^230] A discussion of the expected benefits and regulatory usage of the CAT NMS Plan is available in the CAT NMS Plan Approval Order. *See* CAT NMS Plan Approval Order, at 84816-40.

CAT maintains transaction data in the Central Repository, separate from customer and account information, which is maintained in CAIS. In CAT data, customers are uniquely identified by a CAT Customer ID (“CCID”), which is attached to all of a customer's account records in CAIS (allowing regulators to connect together all of a customer's accounts, even those held with different Industry Members) and to all transaction records pertaining to the customer (allowing regulators to obtain all of a customer's transaction records across all accounts). [^231] Changes to customer and account information maintained in CAIS do not affect related CAT transaction data; CAT transaction records do not themselves contain information about the customer(s) in a transaction, but can instead be connected to customer and account records obtained from CAIS using CCID.

[^231] Also attached to CAT transaction records is the customer's FDID, which identifies the customer but not uniquely: a customer may have multiple FDIDs associated with their different accounts.

Access to CAT data by default does not confer access to CAIS data; regulators must separately request and be approved for access to CAIS data. [^232] CAIS data, including PII stored in CAIS, are not returned in the results of online or direct query tools used to access CAT transaction data and are instead accessed using separate query tools. Access to CAIS data is logged and monitored to lower the risk of data misuse. [^233]

[^232]*See* Appendix D to the CAT NMS Plan, at 15.

[^233] One commenter stated that monitoring and documenting access to reference data “exposes a higher risk than it intends to address.” See Data Boiler Letter at 3. The creation of this data trail improves the security of CAIS data by potentially exposing inappropriate access to this data by regulatory users.

Customer records in CAIS can be used to establish elements of the identity of customers in CAT transaction data. Customer information currently stored in CAIS for customers that are natural persons includes (but is not limited to) names, addresses, YOBs, and customer types; and for customers that are legal entities, such information includes (but is not limited to) legal names, addresses, EINs, LEIs, and customer types. Customer records can be linked to transaction records by two unique identifiers, the FDID and the CCID. FDID is a unique identifier for accounts, determined and reported by Industry Members. Each FDID may be linked to one or more entities that are holders of an account, and potentially to one or more other entities that are authorized traders on an account, but not account holders. Customers may have multiple FDIDs assigned to them by different Industry Members with whom they hold accounts. CCID is a unique identifier for customers and is computed from identifiers reported to CAIS by Industry Members. [^234] CCIDs nominally correspond to customers on a one-to-one basis and are therefore generally preferred over FDID as a customer identifier by regulators.

[^234] The CCID is generated by applying certain computational transformations to one of several identifiers; the identifier used depends on the type of customer in question. *See Foreign Input Identifiers and Generating TID Values* (2022) (“Foreign Input Identifiers and Generating TID Values”), *available at https://www.catnmsplan.com/sites/default/files/2022-04/04.12.22-CAIS-TSWG-Foreign-Input-Identifiers-and-TID.pdf.*

CAIS is useful for regulatory activities that involve connecting customer or account data with transaction data. It is useful in quickly establishing such connections in either direction: it can be used either to run queries of CCIDs or FDIDs obtained from CAT transaction data to obtain the corresponding customer information (“Queries of CCID”) or to run queries of customer information for a particular customer to obtain that customer's CCID or FDID (“Queries of Customer Information”), enabling regulators to query the CAT transaction data for that customer's transaction information. The ability to quickly establish these connections is important for many regulatory activities, although some regulatory functions predominantly require establishing a connection only in one direction; Queries of Customer Information are particularly useful when attempting to obtain transaction information for a customer identified only by name or address, as may be the case when investigating tips, complaints, and referrals. CAIS aids in establishing these connections for customers that are U.S. natural persons, non-U.S. natural persons, and legal entities alike.

On occasion, investigations are resolved in early stages, using only CAIS information and the CAT transaction information linked to a CCID retrieved from CAIS. Resolution of matters using CAIS data without making data requests to other regulators or Industry Members is cost effective and efficient. However, often investigations involve contacting Industry Members for additional information even when CAIS data are available, for example to verify the completeness of information obtained from CAT before proceeding further with an investigation of potentially violative behavior indicated by the CAT data, or to obtain information about related activity not required to be reported to CAT such as ETF creations and redemptions.

The CAIS Exemption Order provides optional relief from the requirement that Industry Members report customer names, addresses and YOBs for U.S. natural persons ( *i.e.,* customers with transformed SSNs or ITINs) to CAIS and that they correct errors in such information that they previously reported. As such, the baseline of information on U.S. natural persons is different than the baseline of information for non-U.S. natural persons and legal entities, for which such exemptive relief has not been granted, in that some of the information may not be reported or updated for U.S. natural persons. Despite the CAIS Exemption Order, many Industry members continue to report this information for U.S. natural persons, and CAIS still retains information previously required to be reported by Industry Members. [^235] Under the baseline—that is, under the CAIS Exemption Order, in the absence of the Proposed Amendment—the Commission expects that, as a result of the CAIS Exemption Order, the Industry Members that continue to report, update, and/or correct this information would over time make changes to their reporting systems to no longer do so. [^236] As a result, the Commission expects that over time this extant CAIS data for U.S. natural persons would become less reliable, both in the sense that CAIS would less reliably contain these types of information for a given U.S. natural person customer and in the sense that where it does so, it would less reliably be current; regulators would not be able to tell which information still in CAIS was accurate, and as such, would be less able to rely on such information in their regulatory activities even to the extent that CAIS still contains such information for a customer. Moreover, under the baseline, CAT's six-year data retention policy would cause the extant data of this type in CAIS to be removed over approximately six years following the CAIS Exemption Order, thereby further reducing the likelihood that CAIS would contain such information as time goes on. [^237]

[^235] The Participants report that roughly 12% of CAIS records include dummy values that the Plan Processor recommended to Industry Members as substitutes for actual customer names, addresses and years of birth. *See* CAT LLC September Response Letter, at 2.

[^236] The Commission understands that some CAT Reporters have not yet made such changes since the CAIS Exemption Order. *See id,* discussing the apparent prevalence of such changes. While there are ongoing costs to maintaining systems that report this information, which could be avoided by modifying the systems to no longer do so, these modifications would also incur costs. The Commission expects that some CAT Reporters have delayed making these modifications because they could more cost-effectively implement them at a later point in their systems' development lifecycle. Additionally, to the extent that there is uncertainty as to the permanence of the CAIS Exemption Order, some CAT Reporters may have delayed making these changes as a precaution against the risk of the CAIS Exemption Order being removed and necessitating that they then reverse the changes to their reporting systems.

[^237] To the extent that some CAT Reporters would continue to report this information for some time following the CAIS Exemption Order, such reporting would extend the data retention period; the Commission understands that such information would only be removed from CAIS six years after it was reported. *See supra* note 248, discussing this continued reporting.

Under the CAIS Exemption Order, address data for U.S. natural persons would likely become unreliable more quickly than name data, since changes of addresses are generally more common than name changes. YOB data for U.S. natural persons would largely remain reliable until they were removed from CAIS at the end of the data retention period, since the only reason that this data should change is if it were incorrectly reported and a subsequent correction was made.

Regulators have used CAT to identify the trading of individuals or accounts, and many times CAT Data queries using CCIDs obtained from CAIS formed a viable substitute for data that regulators would previously have obtained through EBS or ad hoc data requests. The CAIS Exemption Order reduces the effectiveness of Queries of CCID, which seek to obtain the identity of customers using the CCID or FDID of transactions of interest, and particularly the efficacy of Queries of Customer Information, which seek to obtain a CCID or FDID using specified customer information.

First, the CAIS Exemption Order would result in it gradually becoming more difficult to determine the identity of U.S. natural person customers associated with transactions of interest using Queries of CCID, such as to follow-up when an SRO surveillance identifies transactions for particular FDIDs or CCIDs in exception reports. Because CAT transaction records identify customers in the transaction using their CCID and FDID, the real-world identity of such customers is not immediately apparent from the transaction record. It is currently generally possible for regulators to obtain U.S. natural person customers' name, address, and/or YOB from CAIS, but as this information would become less reliable in CAIS, identifying the customer associated with a CCID would, with increasing frequency, require regulators to request information from other sources, such as a broker-dealer with a relationship to the customer. [^238] It would therefore become increasingly difficult and time-consuming to identify U.S. natural person customers associated with transactions of interest.

[^238] The Commission expects that a typical workflow to establish the identity of a customer from a CCID would involve first identifying the broker-dealers and FDIDs associated with the customer in CAIS, and then submitting an EBS or ad-hoc data request to broker-dealers for customer and account information associated with the FDID they submitted.

Second, when a regulator needs to investigate the trading of a specified U.S. natural person, [^239] regulators would more frequently, under the CAIS Exemption Order, find that Queries of Customer Information in CAIS data would be unable to return the CCID necessary to identify the transaction data associated with the customer. In particular, a search of CAIS using customer information may not return that customer's CCID if the customer's information in CAIS is stale or unavailable. This could increasingly make it necessary for regulators to obtain some non-CAT data linking the customer to their CCID, which would generally be more difficult. [^240] Further, requesting a customer's FDID from Industry Members could be impractical for U.S. natural person customers if regulators are unaware of which broker-dealers service the customer and the customer does not have an alternative identifier, such as an LTID. [^241]

[^239] For example, when a member of the public submits a tip that a particular individual has engaged in insider trading.

[^240] Name, address, and YOB data in CAIS would remain accurate for some customers, allowing regulators to obtain these customers' CCIDs from CAIS. Additionally, there might remain other ways of obtaining some customers' CCIDs from CAIS even without accurate name, address, and YOB data: for example, where a CAT Customer has an LTID recorded in CAIS, and this LTID is known to a CAT user, the user might be able to use this identifier to find the customer's CCID. The CAT NMS Plan requires Industry Members to report the LTIDs of their customers when the customer has these identifiers and the Industry Member has this information. The Commission understands LTIDs to be vastly more common among legal entities than natural persons; however, since it is possible for a U.S. natural person customer whose PII is no longer accurately recorded within CAIS to have an LTID, this may serve as an alternative means of identifying such a customer following the CAIS Exemption Order. *See* CAT NMS Plan, at 48.

[^241] For example, in a case where regulators receive concerning information about a customer's potentially violative trading without information on which broker-dealers service that customer, regulators would not be able to obtain the customer's FDID from just those broker-dealers. Instead, determining this customer's CCID and FDID in the absence of name, address, and YOB data in CAIS could involve sending a “scattershot” EBS or ad-hoc data request to a large number of broker-dealers who may or may not have a relationship with this customer, which would impose costs on most of these broker-dealers such that regulators could determine that such an approach is impractical.

One commenter stated, “[s]ince the Commission exempted reporting of certain personally identifiable information (`PII') from the CAT, the NYSE Exchanges have reverted to using blue sheet requests to broker-dealers to obtain customer data for regulatory uses.” [^242] The Commission interprets this as an indication that regulators already have begun falling back on data requests to Industry Members as a replacement for the data no longer required to be reported to CAIS.

[^242]*See* NYSE Letter, at 3.

**(b) Use of CCID as Unique Identifier**

The purpose of the CCID is to act as a unique identifier for customers, bridging multiple accounts, possibly at multiple broker-dealers, that belong to the same customer. CCID thus allows regulators to easily obtain all of a customer's transaction information, rather than just the transaction information for a single known account belonging to the customer. The Participants have described the CCID as “one of the critical innovations of CAT” and noted that it allows regulators “the ability to identify a Customer's market activity across multiple exchanges, broker-dealers, and accounts.” [^243]

[^243]*See* CAT LLC May Response Letter, at 17-18, CAT LLC September Response Letter, at 4-5.

The Commission understands the CCID to be generally reliable as a unique customer identifier. The Participants have stated that the Plan Processor performs certain validation checks upon information submitted to CAIS [^244] and that ending the collection of customer information (as under the CAIS Exemption Order) would not significantly impact the thoroughness of validations performed upon information that continues to be submitted to CAIS. The Commission concurs with this assessment, but notes that these validations are not, and likely cannot be, sufficient to perfectly detect errors [^245] in CCID assignment, [^246] and that there likely exists a small but non-zero rate of these errors. The Commission also understands there to be concerns about the accuracy of CCIDs for customers that are non-U.S. natural persons, [^247] for whom there may be a greater rate of errors in CCID assignment, as well as for certain other types of customer. [^248] The Commission staff understands from its experience that errors of this nature associated with U.S. natural persons and legal entities are not routinely discovered and are thus likely rare. [^249]

[^244]*E.g.,* to verify that a Transformed ID (TID) is a correctly-transformed SSN, ITIN or EIN. *See also* Foreign Input Identifiers and Generating TID Values.

[^245] There are broadly two types of errors that would cause CCIDs to be less effective as a unique customer identifier: assignment of multiple CCIDs to the same customer, and assignment of the same CCID to multiple customers. Either type could conceivably occur due to errors in data entry, data transmission, or the process by which CCIDs are generated and assigned. In cases where a customer is mistakenly assigned multiple CCIDs, this could lead regulators to be unable to correctly identify all of a customer's trading activity during an investigation. In cases where the same CCID is mistakenly assigned to multiple customers, this could lead regulators to mistakenly associate these customers' trading activity with the others' during an investigation.

[^246] To give one example, the Commission does not believe that these validations would generally be sufficient to detect that the TID reported to CAIS was generated using an SSN in which two digits had been transposed due to typographical error. Additionally, the Commission understands that for practical purposes, even the Plan Processor's ability to detect errors in CCID generation and assignment is limited to validation checks when assigning CCIDs and spot checks afterwards. It would be prohibitively complex and costly to run a comprehensive search of CAIS for CCID assignment errors, and even such a search would not be guaranteed to find all such errors.

[^247] The Commission understands that it is possible to validate that a TID purportedly transformed from an SSN is in fact a transformation of a valid SSN, because the Plan Processor can trivially determine the set of TIDs that would be generated from transformations of the set of valid SSNs. However, because there are numerous types of identifiers issued by foreign governments, it is not feasible for the Plan Processor to check that a TID generated from a foreign-origin identifier is in fact a transformation of a valid such identifier. *See supra* note 257 and accompanying text.

[^248] The Commission also has anecdotal evidence that CAIS data does not always correctly reference investment advisers who have trading authority for an account, but the Commission cannot gauge the extent of such data errors because it does not have relevant data (if such data exists) from the Plan Processor. It also has anecdotal experience that CAT transaction data queried by a CCID following a CAIS Queries of Customer Information using authorized traders does not always align with data requested directly from Industry Members; this misalignment of results may be partly or mostly attributable to the design of CAIS because a CCID can link to trading of multiple authorized traders for a given account.

[^249] For both U.S. natural persons and legal entities, there is a small range of identifiers that may be used to generate a customer's TID (SSN and ITIN for U.S. natural persons, EIN for legal entities), while for non-U.S. natural persons, the TID is generated using one of a wider range of identifiers; if a customer uses different identifiers to open accounts at different Industry Members ( *e.g.,* a foreign passport number at one and a permanent resident number at another), this may result in the Industry Members using different identifiers to generate a TID such that multiple TIDs are reported to CAIS for the same customer.

As name, address, and YOB data for U.S. natural persons would become less reliable and/or available in CAIS under the baseline due to the CAIS Exemption, any inaccuracies in their CCIDs would become more difficult to identify, and analyses using CAT data would be more frequently affected by such inaccuracies. Currently, the presence of name, address, and YOB data in CAIS makes it possible for regulators to perform certain spot-checks that would indicate some types of CCID inaccuracy early in the course of an investigation. [^250] Spot-checks of this  nature make analyses using CAT data less susceptible to such errors by helping regulators to detect, report, and correct for errors in CCID assignment before expending significant effort on the basis of erroneous information. [^251] As the data for U.S. natural persons would become less reliable and/or accessible over time due to the CAIS Exemption Order, the Commission anticipates that conducting spot-checks of this nature would become substantially less informative. It is likely that some errors of this nature would still be caught without these early spot-checks, but only at a later point in an investigation. [^252]

[^250] A reasonable early step in an investigation into an entity with known PII would be to query CAIS using that PII, which would likely uncover whether any duplicative CCIDs had been assigned to the entity. Likewise, a reasonable early step in an investigation of an entity with known CCID would be to search CAIS using that CCID, which would uncover whether it had been assigned to multiple entities.

[^251] For example, if the error discussed in note 257 above, resulting in a customer being assigned an erroneous second CCID, were detected early in an investigation, this would allow regulators to then obtain the transaction data associated with both CCIDs early in the investigation. If the error went undetected, this would result in regulators working with an incomplete set of transaction data, at least until a later stage of the investigation when requests for information from Industry Members might reveal the error. Depending on the nature of the investigation, this might result in regulators expending effort that would otherwise be unnecessary, might impose unnecessary costs on the customer, or might cause the investigation to reach inaccurate conclusions and be closed prematurely.

[^252] Errors assigning the same CCID to multiple customers could still be identified and reported to the Plan Processor by regulators during an investigation into a customer affected by such an error, if the investigation proceeds to the point of requesting customer information from an Industry Member; however, not all such investigations necessarily reach such a point, and this would cause the error to be detected only later in the investigation. It would be less likely that errors in which a single customer is assigned multiple CCIDs are caught in the course of an investigation, since if information obtained from an Industry Member in the course of an investigation were sufficient to identify an error of this type, the responsive Industry Member would in many cases itself be able to detect the error, and would have been required to report it already.

In the CAT NMS Plan Approval Order, the Commission discussed how the CAT would aid regulators in performing market surveillance, [^253] noting that the CAT's use of unique customer identifiers (what would later be termed the CCID) would grant regulators the ability to “link uniquely identified customers with suspicious trading behavior” and provide them “a better opportunity to identify the distribution of suspicious trading instances by a customer as well as improve regulators' ability to utilize customer-based risk assessment.”

[^253]*See* CAT NMS Plan Approval Order, at 84836.

**(c) Authorized Traders**

One type of CAT Customer that Industry Members are required to report to CAIS is “[a]ny person from whom the broker-dealer is authorized to accept trading instructions for such account, if different from the account holder(s)” (“Authorized Traders”). [^254] Industry Members are required to report Authorized Traders for an account in the same manner as the account's holders; this would result in both the account's holders and Authorized Traders having FDID Customer Records associated with the account within CAIS. Authorized Traders for an account are distinguished from the account's holders by the role field in their FDID Customer Records. [^255] This allows regulators to identify not just the customers who hold and benefit from the account, but also those entities with the ability to enter trading instructions on behalf of those account holders.

[^254]*See supra* note 4.

[^255] The role field identifies each reported CAT Customer for an account as either an account holder with trading authorization, an account holder without trading authorization, a representative of the reporting entity with trading authorization, or a third party (neither an account holder nor representative of the reporting entity) with trading authorization. The Commission understands that Authorized Traders on an account would fall into one of the latter two categories, and might include, among other categories, spouses, investment advisers, trustees, and entities with power of attorney for the account holder(s).

However, CAIS requires that CAT Customers who are natural persons be reported with certain required data, including a TID. [^256] Because not all Industry Members have historically collected and systematized the data required to compute the TID for Authorized Traders who are natural persons (“Natural Person Authorized Traders” or “NPATs”), the Plan Participants have temporarily made available an Authorized Trader Names List (“ATNL”) on the FDID Record. [^257] The ATNL may be used to report a NPAT only if an Industry Member “has not historically collected and systematized all data required” to report the NPAT as a CAT Customer, and allows Industry Members to report only the name of the NPAT, “where [they do] not have all data required to report a full Customer Record.” [^258] Use of the ATNL “is only allowable on a temporary basis and, with sufficient time and notice, will be retired from the Full CAIS Technical Specifications at a future date” which has not yet been set. [^259] Once this future date is set, “Industry Members will be required to resubmit the FDID Record to CAIS with all required data for a full Customer Record” by or before that future date. [^260] The ATNL allows reporting names of natural persons who are Authorized Traders for accounts held by any type of entity (U.S. natural person, non-U.S. natural person, or legal entity).

[^256]*See* Full CAIS Technical Specifications, at 29.

[^257]*See id.*

[^258]*See id.*

[^259]*See* Full CAIS Technical Specifications, at 30.

[^260]*See id.*

Because of the CAIS Exemption Order, Industry Members currently have three options when reporting a U.S. NPAT to CAIS: (1) where they have all the required information to report the U.S. NPAT as a CAT Customer, they may do so, reporting the U.S. NPAT's name, address, and/or YOB even though this is optional following the CAIS Exemption Order; (2) they may report the U.S. NPAT as a CAT Customer while not reporting name, address, or YOB, due to the optionality granted due to the CAIS Exemption Order; or (3) they may use the ATNL to report only the U.S. NPAT's name. Under the baseline—that is, under the CAIS Exemption Order, in the absence of the Proposed Amendment—the Commission expects the first two of these options would remain available following the eventual retirement of the ATNL at some future date, as the retirement of the ATNL would not be anticipated to affect the information that the NMS CAT Plan would require to be reported when reporting a Natural Person CAT Customer, nor would it be anticipated to affect the CAIS Exemption Order.

For those U.S. NPATs currently reported to CAIS as CAT Customers, name, address, and YOB data on these entities would become less reliable and/or accessible over time, as for U.S. natural persons in general. However, until the retirement of the ATNL, name data on other U.S. NPATs would continue to be updated via this list, to the extent that Industry Members would continue to report U.S. NPATS using the ATNL. Once this list is retired, it is uncertain whether name data previously reported as part of this list would be retained in CAIS or would be deleted. If these data were retained, they would become gradually less reliable and/or available in the same manner as name data for U.S. natural persons, and would do so more rapidly than name data in general, since changes to authorized traders on an account would be likely to occur more frequently than changes of or corrections to the legal names of customers.

Because the CAIS Exemption Order provided relief from requirements to report names, addresses, and YOBs of U.S. natural person customers, including U.S. NPATs reported as CAT Customers, the only circumstance in which an Industry Member currently must report the name of a U.S. NPAT to CAIS is when reporting them via the ATNL. As such, to the extent that U.S. NPATs continue to be reported via the  ATNL, because certain Industry Members have not systematized the information required to report them as CAT Customers, the ATNL data would continue to contain reliable name data for these entities, which might not otherwise be reported to CAIS. [^261]

[^261] For example, if a U.S. NPAT undergoes a legal change of name, this might not be reported to CAIS except by an Industry Member who has not systematized the data necessary to report this person as a CAT Customer, and therefore reports them via the ATNL.

Under the baseline, the Commission expects that, over time, Industry Members would likely modify their systems to systematize the information required to report NPATs (including non-U.S. NPATs) to CAIS as CAT Customers, in anticipation of the eventual retirement of the ATNL requiring such modifications, and would thus be required to report NPATs as CAT Customers instead of using the ATNL. These modifications, coupled with modifications to reporting systems to no longer report name, address and YOB data for U.S. Natural Person CAT Customers following the CAIS Exemption Order, would result in name data for U.S. NPATs reported via the ATNL becoming less reliable in the manner of name data for U.S. natural persons generally. This would require regulators to connect such Authorized Traders to transaction data using the same methods employed for U.S. natural persons in general, as discussed above.

**(d) Trading Activity by Customer Type**

The degree to which regulatory activities such as investigations or market analysis focus on particular customer types is likely related to the relative trading volume of different customer types. Between 2021 and 2025, in both equity and options markets, trading activity of legal entities increased substantially. In particular, legal entities have come to have disproportionately larger shares in dollar values of trade compared to retail. [^262]

[^262] Among the information that the Proposed Amendment would eliminate are “Name, Address, and YOB” of natural persons not subject to the CAIS Exemption Order, a category that includes Legal Entities. *See, supra* section III.B. *See* Table 1 for a description of how information on account holder type is used to categorize legal entities and retail for the analysis in this section.

Legal entities account for the majority of trading in both equities and options. Table 1 presents the trade shares by retail and legal entities as identified by account holder type designation in CAT from 2021 to 2025. Although retail trades have captured a lot of attention, [^263] Table 1 shows that, between Q2-2021 and Q2-2025 not only do legal entities comprise the majority of trading activity, their share of trading increased while that of retail decreased. For example, in the equities market, the share of retail in trade count, trade volume, and dollar value of trade reduced by 43 percent, 46 percent and 36 percent, respectively. In the options market, the share of legal entities in dollar value of trade increased by 18 percent while, in the equities market, the share of legal entities in trade volume increased by 45 percent.

[^263]*See, e.g.,* Svetlana Bryzgalova, Anna Pavlova, & Taisiya Sikorskaya, *Retail Trading in Options and the Rise of the Big Three Wholesalers,* 78 J. Fin. 3465 (2023).

| Quarter-year | Share of trade count | Legal entities | Retail | Share of trade volume | Legal entities | Retail | Share of dollar volume of trade | Legal entities | Retail |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
|  |  |  |  |  |  |  |  |  |  |
| Q2-2021 | 75 | 25 | 51 | 49 | 82 | 17 |  |  |  |
| Q2-2025 | 86 | 14 | 73 | 27 | 89 | 11 |  |  |  |
|  |  |  |  |  |  |  |  |  |  |
| Q2-2021 | 57 | 43 | 57 | 43 | 64 | 36 |  |  |  |
| Q2-2025 | 57 | 43 | 63 | 37 | 76 | 24 |  |  |  |

**3. CAIS-Related Operational Costs of the Plan Processor**

CAIS-related costs account for a non-trivial share of the Plan Processor's operating costs. Table 2 presents some of the publicly available CAT cost information and estimates. According to the Participants' 2025 budget estimate and their May response letter, the total CAIS-related costs of $32.5 million to $33.5 million are approximately 21 percent of total operating expenses; [^264] 52 percent of total operating expenses is cloud hosting fees, approximately 10-11 percent of which is CAIS-related cloud hosting fees. CAIS-related cloud hosting fees combined with CAIS operating fees account for 91-92 percent of total CAIS-related costs (see Table 2).

[^264]*See* CAT LLC May Response Letter, at 13; CAT LLC, 2025 Financial and Operating Budget (“CAT LLC 2025 Budget”), *available at https://www.catnmsplan.com/sites/default/files/2025-11/11.07.25-CAT-LLC-2025-Finacial_and_Operating-Budget.pdf.*

|  | (Estimated) 2025 | (Estimated) 2024 |
| --- | --- | --- |
| Total Operating Expenses | 156,432,998 | 208,927,267 |
| Technology costs | 137,514,003 | 196,921,118 |
| Cloud hosting services | 81,900,006 | 148,789,981 |
| CAIS-related cloud hosting fees | 9,000,000 | n/a |
| CAIS operating fees (payable to the Plan Processor) | 21,268,584 | 20,199,919 |
| CAIS licensing fees (payable to the Plan Processor) | 2,800,000 | n/a |

Although CAIS-related cloud hosting fees and CAIS licensing fees (payable to the Plan Processor) for the year 2024 are not separately reported in the *2024 Financial and Operating Budget—Mid-Year Update—July 2024,*[^265] based on the information that is available, [^266] a reasonable estimate is that the total CAIS-related costs between 2024 and 2025 declined by 15-17 percent. [^267]

[^265]*See* CAT LLC, 2024 Mid-Year Budget—Mid-Year Update—July 2024 (“CAT LLC 2024 Mid-Year Budget”), *available at https://www.catnmsplan.com/sites/default/files/2024-08/07.31.24-CAT-LLC-2024-Financial_and_Operating-Budget.pdf.*

[^266]*See, e.g.,* CAT LLC May Response Letter.

[^267] Assuming that the share of CAIS-related cloud hosting fees in the total cloud hosting services costs in 2024 was the same as that in 2025 ( *i.e.,* 10.4-11.6%), an estimate for CAIS-related cloud hosting fees for 2024 is $15.4-17.3 million. As the Participants report in CAT LLC May Response Letter at 14, the CAIS licensing fees (payable to the Plan Processor) is $2.8 million whether the Proposed Amendment is implemented or not, a reasonable assumption for CAIS licensing fees (payable to the Plan Processor) is that it remained the same in 2024 at $2.8 million. Then, under these assumptions, the estimated total CAIS-related costs in 2024 are $38.4 million (20.2+15.4+2.8) to $40.2 million (20.2+17.3+2.8).

By contrast, Table 3 shows that the message traffic in equities and options markets between Q2-2024 and Q2-2025 increased by 120 percent and 69 percent, respectively. Table 3 also shows the growth of message traffic since the beginning of CAT reporting: [^268] between Q2-2021 and Q2-2025, message traffic has grown by approximately 250 percent in both equities and options markets. These data suggest that overall CAIS-related costs may not increase in the same proportion as message traffic. [^269]

[^268] Since the reporting started in the middle of 2020—equities reporting on June 22, 2020, and options on July 20, 2020 (2021 is the first full year of CAT reporting.) *See* Update on the Consolidated Audit Trail: Data Security and Implementation Progress, Aug. 21, 2020, *available at https://www.sec.gov/newsroom/speeches-statements/clayton-kimmel-redfearn-nms-cat-2020-08-21.* In addition, complete information of the message traffic in the equities market is first available from the beginning of the second quarter (Q2) of 2021.

[^269] The Participants have stated that, “CAT operating costs are estimated to approach $250 million in 2025 as data volumes continue to reach record highs,” and that, “On March 4, 2025, data volumes exceeded 1 trillion reportable events for the first time,” and that, “CAT LLC and the Plan Processor have put significant effort into reducing CAT costs that are within their control given the strict reporting requirements in the CAT NMS Plan, but additional cost savings measures—like those contemplated in this CAIS Amendment—require Commission action to permit their implementation.” *See* Notice, at 12850.

|  | Equities | Exchanges | Industry | Total | Options | OMM quotes | Total |
| --- | --- | --- | --- | --- | --- | --- | --- |
|  |  |  |  |  |  |  |  |
| Q2-2024 to Q2-2025 | 107 | 124 | 120 | 62 | 69 |  |  |
| Q2-2021 to Q2-2025 | 132 | 311 | 253 | 226 | 241 |  |  |

Some of CAT's operating costs are cybersecurity costs associated with maintaining the security of CAT including preventing breaches of transaction data, and customer and account information. CAIS currently presents cybersecurity risks in relation to two broad areas of activities: transmission (when information is sent from Industry Members to CAIS or from CAIS to regulators and other users of CAIS data), [^270] and storage (when information is at rest within CAIS or the systems of a party who received the information from CAIS). [^271] Because the information in CAIS is sensitive and includes investor customers, CAIS is likely to significantly contribute to the cybersecurity insurance costs that CAT LLC bears related to CAT. It is unclear to the Commission how large the cybersecurity prevention costs are. No data breaches of CAT are known to have occurred. The CAT LLC Revised 2025 Financial and Operating Budget does not distinguish cybersecurity costs from other operating costs; nor does the Proposed Amendment make this distinction. The CAIS Exemption Order, and the prior CCID Exemption Order, have reduced the scope of sensitive PII that is required to be reported to, and stored in, CAIS, thus reducing the range of data that could be exposed by a breach. The costs of cybersecurity measures represent an added cost to  investors, as they may ultimately bear the costs of CAT. [^272]

[^270] The Plan Processor is required to have appropriate solutions and controls in place to address data confidentiality and security during all communication between CAT Reporters, Data Submitters, and the Plan Processor; data extraction, manipulation, and transformation; data loading to and from the Central Repository; and data maintenance by the CAT System. *See* Securities Exchange Act Release No. 89632 (Aug. 21, 2020), 85 FR 65990, at 65991 (Oct. 16, 2020).

[^271] The CAT NMS Plan also sets forth minimum data security requirements for CAT that the Plan Processor must meet, including requirements governing connectivity and data transfer, data encryption, data storage, data access, breach management, data requirements for PII, and applicable data security industry standards. *See id.*

[^272]*See* CAT NMS Plan Approval Order, at 84992 (“broker-dealers may seek to pass on to investors their costs to build and maintain the CAT, which may include their own costs and any costs passed on to them by Participants. . . . The extent to which these costs are passed on to investors depends on the materiality of the costs and the ease with which investors can substitute away from any given broker-dealer.”).

**4. Competition Baseline**

Participants and Industry Members compete in the market for trading services and the market for broker-dealer services.

**(a) Market for Trading Services**

Participants and Industry Members compete in the market for trading services, which is served by exchanges, ATSs, and liquidity providers (internalizers and others). [^273] This market relies on competition to supply investors with execution services at efficient prices. These trading venues, which compete to match traders with counterparties, provide a framework for trading and disseminate trading information. The market for trading services in options and equities consists of 25 national securities exchanges, which are all Plan Participants, and off-exchange trading venues including broker-dealer internalizers, which execute substantial volumes of transactions, and 36 ATSs, [^274] which are not Plan Participants. Finally, some Industry Members provide liquidity by trading with customers from their own inventory without the facilitation of a trading venue.

[^273]*See* CAT NMS Plan Approval Order, at 84882.

[^274] The remainder of the 99 extant ATSs do not trade NMS stocks or listed options.

**(b) Market for Broker Dealer Services**

Industry Members compete in the Market for Broker Dealer Services which covers many different markets for a variety of services, including, but not limited to, managing orders for customers and routing them to various trading venues, holding customer funds and securities, handling clearance and settlement of trades, intermediating between customers and carrying/clearing brokers, dealing in government bonds, private placements of securities, and effecting transactions in mutual funds that involve transferring funds directly to the issuer. [^275] Some broker-dealers may specialize in just one narrowly defined service, while others may provide a wide variety of services.

[^275]*See* Securities Act Release No. 77724 (Apr. 27, 2016), 81 FR 30614, at 30742 (May 17, 2016).

The market for broker-dealer services relies on competition among broker-dealers to provide the services listed above to their customers at efficient levels of quality and quantity. This market includes a small set of large broker-dealers and thousands of small broker-dealers competing for niche or regional segments of the market. To limit costs and make business more viable, small broker-dealers often contract with larger broker-dealers or service bureaus to handle certain functions, such as clearing and execution, or to update their technology. Large broker-dealers typically enjoy economies of scale over small broker-dealers and compete with each other to service the smaller broker-dealers, who are both their competitors and their customers.

Of the extant 3,284 [^276] broker dealers, there are 1,768 [^277] Industry Members that are CAT Reporters. Industry Members may compete with broker-dealers that are not CAT Reporters in various broker-dealer market segments that do not generate activity that is reported to CAT.

[^276] Based on 2025 second quarter FOCUS filings.

[^277] Based on the FINRA CAT list of CAT Reporter IDs, *https://files.catnmsplan.com/firm-data/IMID_Daily_List.txt.*

Some broker-dealers may offer specialized services in one line of business mentioned above, while other broker-dealers may offer diversified services across many different lines of businesses. As such, the competitive dynamics within each of these specific lines of business for broker-dealers is different, depending on the number of broker-dealers that operate in the given segment and the market share that the broker-dealers occupy.

**B. Efficiency**

The Proposed Amendment involves tradeoffs between operational efficiency and regulatory efficiency. In particular, the Proposed Amendments will cause reductions in regulatory efficiency for certain types of regulatory activities. At the same time, the Proposed Amendment will likely result in modest improvements to operational efficiency. It is unlikely to impact market efficiency.

**1. Operational Efficiency**

Economically, operational efficiency refers to the effective use of resources to generate a given output. In the case of CAT, the output refers to the CAT Data, which is generated for regulatory purposes. Even though the output, CAT Data, under the proposal is not the same as that in the absence of the proposal, the analysis of operational efficiency is simplified by focusing on the use of resources as measured by the cost savings, net of implementation costs; the efficiency effects of changes in CAT Data are discussed separately (as impacts on regulatory efficiency). [^278] The estimated cost savings from the Proposed Amendment are small relative to the overall cost of the Plan Processor, but meaningful relative to the overall costs of CAIS. At the same time, the Amendment is associated with implementation costs to be incurred by the Plan Processor that offset much of the first year of cost savings. Further, some of these cost savings are transferred to Industry Members in the form of costs incurred responding to data requests from SROs or the Commission. Overall, the Proposed Amendment is likely to result in a modest improvement in operational efficiency.

[^278]*See* Securities Exchange Act Release No. 101901 (Dec. 12, 2024), 80 FR 103033, 103045 (Dec. 18, 2024).

**(a) Operating Costs of the Central Repository**

The Participants estimate that the Proposed Amendment is expected to save approximately $7 to $9 million in overall costs annually. [^279] In size, the overall cost savings from the Proposed Amendment are 4.5-5.8 percent of estimated 2025 total operating expenses, and the incremental cloud savings [^280] are 2.4-4.9 percent of estimated 2025 cloud hosting services costs. [^281] Relative to the CAIS costs, however, the cost savings appear more meaningful. The overall cost savings of the Proposed Amendment are expected to be 21-27 percent of 2025 budgeted total CAIS costs and the expected incremental cloud hosting savings are 21-47 percent of 2025 budgeted CAIS cloud hosting costs. The participants stated that “the CAIS Exemption Order will not result in any cost savings”; the cost savings estimates presented, therefore, pertain only to the Proposed Amendment. [^282]

[^279] The Notice estimated a $10 million to $12 million annual cost savings. *See* Notice, at 12850. In the CAT LLC May Response Letter, at 14, the estimate was revised to $7 to $9 million.

[^280] The Participants state that the Proposed Amendment is expected to save approximately $2 to $4 million in incremental cloud costs.

[^281]*See* Consolidated Audit Trail, LLC, 2025 Financial and Operating Budget, *https://www.catnmsplan.com/sites/default/files/2025-11/11.07.25-CAT-LLC-2025-Finacial_and_Operating-Budget.pdf; see also**CAT Financial and Operating Budget,* CAT, *https://www.catnmsplan.com/cat-financial-and-operating-budget.*

[^282]*See* Notice, at 12847.

One commenter stated, “[w]e do [not] believe the proposed amendments if adopted would achieve its stated [`]cost savings and efficiency.['] Referencing to 2022 CAT Budget, $118.7 million  (73.8% of total technology cost or 69% of operating cost) goes to [Cloud] hosting services.” [^283] Although the Commission agrees that cloud hosing services are a large percentage of the CAT budget, the Commission concludes that the Proposed Amendment does achieve cost savings and efficiency.

[^283]*See supra* note 130.

The primary source of these cost savings is the $5 million reduction in CAIS operating fees (payable to the Plan Processor). In addition, the Participants estimate $2-4 million in incremental cloud savings that arise from a reduction in CAIS-related cloud hosting services fees. [^284] The remaining item, CAIS licensing fees payable to the Plan Processor remains the same at $2.8 million. The Amendment entails implementation costs—the Participants estimate approximately $4.5-$5.5 million in one-time implementation costs, [^285] that is approximately 50-80 percent of the estimated first year's cost savings. [^286]

[^284]*See* CAT LLC May Response Letter, at 14.

[^285]*See id.* at 15.

[^286] One-time implementation costs will generally consist of labor costs on the part of the Plan Processor associated with coding and software development, as well as any related cloud fees associated with the development, testing, and load testing of the Proposed Changes. *See* Notice, at 12850.

The magnitude of cost savings is driven by two aspects of the Proposed Amendment—elimination of customer information across all Customer accounts and elimination of all customer information. Operationally, cost savings arise from elimination of PII for all Customer accounts. [^287] This allows the Plan Processor to apply the same validations for all data, regardless of Customer type, and to maintain an infrastructure with a standard set of tools for all Customer data. As compared to the baseline with the optionality provided by the CAIS Exemption Order, the Plan Processor does not need to keep certain search architecture in place to support queries of Customer and account names. The Plan Processor would also not need to maintain free text fields and related validations even though Names, Addresses, and YOBs would not be reported for the majority of Customer accounts.

[^287]*See* CAT LLC September Response Letter, at 3.

Elimination of all PII from CAIS, as opposed to some PII under the CAIS Exemption Order, also has operating cost implications. [^288] CAT NMS Plan distinguishes PII from other forms of CAT Data and requires “additional levels of protection for PII.” The elimination of all PII from CAIS, under the Proposed Amendment, therefore, eliminates certain requirements since, effectively, customer information will no longer be reported to CAT. For example, currently, the Plan Processor designs and implements procedures and mechanisms to handle minor and material inconsistencies in Customer information. [^289] Permanent elimination of customer information renders having to implement such procedures and mechanisms unnecessary. [^290]

[^288]*See supra* section III.B for a detailed discussion of elimination of PII from CAT.

[^289]*See* Notice, at 12. Note that minor data discrepancies, for example, refers to variations in road name abbreviations for Customer addresses.

[^290]*See supra* section III.B.

Given these cost drivers the timing of these cost savings will depend on the implementation schedule. The Participants outline a potential phased implementation schedule that will more than a year for full implementation. [^291] Some cost savings may not be realized until implementation is complete. As discussed in the Notice, it is the permanent elimination of “Name, Address, and YOB from CAT reporting while also allowing the Plan Processor to eliminate the software that is required to support regulatory queries of Name, Address, and YOB, which would result in significant annual cost savings.” [^292] The Plan Processor will implement a data migration process that “will involve multiple rounds of testing and validation to ensure all data and relationships are migrated correctly.” [^293] The phased implementation plan proposes to “[d]elete all existing Names, Addresses, and YOBs (as well as any other sensitive Customer data and information contemplated by the Proposed Amendment) from the CAT—approximately 9-12 months after the data migration is completed and verified; it will take approximately 2-3 months to permanently remove all the old data.” [^294]

[^291] To allow the Plan Processor and Industry Members adequate time to finalize Technical Specifications and guidance, and to develop, test and implement the necessary changes to firm systems in order to comply with the Proposed Amendment. *See supra* section III.D.

[^292]*See* Notice, at 6.

[^293]*See* CAT LLC May Response Letter, at 16.

[^294]*See id.* at 17.

The actual cost savings could differ from the Participants' estimates because of uncertainty in several factors, particularly the changes in the cost of cloud computing. The estimates of potential savings apply to the first year following the full implementation of the Amendment, but are based on assumptions that today's costs will be the same in the one year plus when the Proposed amendment is fully implemented. [^295] While the Commission recognizes the necessity of using simplifying assumptions to generate estimates, the cost savings estimates may be imprecise if the costs underlying the estimates change over time. For example, realized cost savings could decline as cloud computing evolves. [^296] Likewise, changes in any other costs underlying the Participants' estimates could result in realized future cost savings being higher or lower than the current estimates.

[^295]*See* Notice, at 12846 n.5 (stating that “[a]ll cost savings projections provided in this CAIS Amendment are the Plan Processor's best estimates based on costs actually incurred in 2024 (`2024 Actuals') and are subject to change based on ongoing improvements to cloud that may reduce current cloud costs”).

[^296]*See* Securities Exchange Act Release No. 101901 (Dec. 12, 2024), 80 FR 103033 (Dec. 18, 2024) at 103047, notes 211 and 212.

**(b) Cost Transfers to Reporters**

The Proposed Amendment would likely increase ad hoc requests by regulators for name, address, and/or YOB that will entail costs. [^297] While the Proposed Amendment will bring some cost savings to the market participants that fund CAT, [^298] Industry Members will be fielding additional ad hoc data and EBS requests, and will be subject to costs associated with fielding these requests. These costs are likely to be small relative to the cost of CAT as a whole.

[^297]*See infra* section IV.B.2.

[^298]*See supra* section IV.B.1.(a).

The need for additional ad hoc requests is likely to vary depending on whether the required information is for a U.S. natural person, a non-U.S. national person, or a legal entity; [^299] clientele effects may result in those costs accruing disproportionately to Industry Members whose clientele have the most account information no longer reported to, or removed from, CAIS.

[^299]*See id.* (discussing how the Proposed Amendment will affect regulatory efficiency of identifying each type of person).

The Commission cannot estimate the cost transfers resulting from additional ad hoc data requests because it lacks estimates of typical ad hoc data request response costs and cannot estimate the number of additional data requests Industry Members would need to fulfill. [^300] In the Approval Order, the  Commission discussed the number of EBS and other ad hoc data requests it made in 2014. In 2024, the Commission made 5,109 EBS data requests resulting in 201,605 letters to Industry Members, compared to 3,722 requests made in 2014 that resulted in 194,696 letters. However, since 2014, the process whereby Industry Members respond to EBS requests has become increasingly automated and it is likely that the fixed costs directly attributable to the request and response process are lower today. [^301]

[^300] A commenter expressed concern that removal of PII from CAIS could result in a significant increase in the volume of EBS requests and, in turn, be very costly to Industry Members. The commenter, however, continued to support the Proposed Amendment despite the concern. *See* FIF July Letter, at 4. The Participants argued that any costs associated with fielding the regulatory users' need for any Name, Address, and YOB data that might accrue to the Industry Members under the  Proposed Amendment, “. . . would be significantly outweighed by the estimated $7 million to $9 million in cost savings that the Proposed Amendment would allow CAT LLC to achieve each year.” *See* CAT LLC September Response Letter, at 4 n. 14.

[^301] The Commission acknowledged that due to technological advancements it is reasonable to expect the process for requesting names, and/or years of birth from broker-dealers will be more efficient than it would have been a few years ago. *See* CAIS Exemption Order, at 9645.

**2. Efficiency in Regulatory Activities**

In analyzing how the Proposal will impact regulatory efficiency, the Commission assessed how the Proposal will impact regulatory activities. [^302] The Proposed Amendment will reduce regulatory efficiency to the extent regulators need certain types of data currently in CAIS that will become unavailable in CAIS. [^303] In such cases, regulators will have to expend additional time and effort to perform certain analyses, due to the need to obtain these data, or a close substitute, from sources other than CAIS. Generally, the Commission expects regulators to increase ad hoc data requests (including EBS requests) to Industry Members to obtain the names, YOBs, or addresses of customers associated with an account. [^304] Such an increase has already occurred in the wake of the CAIS Exemption Order. [^305] Increased reliance on ad hoc data requests will often delay certain common regulatory activities ( *e.g.,* investigations) that do not tend to be time-sensitive, such that the effect of the Proposed Amendment on these regulatory activities will not be meaningful. However, the Proposed Amendments could impose a meaningful delay on regulatory activities that are time-sensitive ( *e.g.,* reconstructions of market events), which are uncommon. Regulatory activities involving Queries of Customer Information that rely on name, address, or YOB could also be meaningfully less efficient, although this reduced efficiency will only rarely make it infeasible to perform regulatory activities requiring them.

[^302] When approving the CAT NMS Plan, the Commission discussed improvements to the efficiency of regulatory activities in its Economic Analysis. See, *e.g.,* CAT NMS Plan Approval Order at 84889-84892.

[^303] One comment stated that the Proposal would reduce regulatory efficiency. *See, e.g.,* Better Markets Letter, at 1-2.

[^304]*See supra* section IV.A.2.a for a discussion of why and when regulators currently request data from Industry Members for investigations.

[^305] The CAIS Exemption Order stated that regulators would be able to contact Industry Members if they need to determine the identity of an individual behind a particular CCID. *See* CAIS Exemption Order, at 9645. In its comment letter, the NYSE stated that “[s]ince the Commission exempted reporting of certain personally identifiable information (“PII”) from the CAT, the NYSE Exchanges have reverted to using blue sheet requests to broker-dealers to obtain customer data for regulatory uses.” *See* NYSE Letter, at 3.

The Proposed Amendment will eliminate requirements related to reporting and delete from CAIS all data previously reported for the fields “Customer name, Customer address, account name, account address, authorized trader names list, account number, day of birth, month of birth, year of birth, and ITIN/SSN.” [^306] It will also delete from CAIS all data previously reported for EIN. [^307] These changes will negatively impact regulatory efficiency when regulators seek information on U.S. natural persons, non-U.S. natural persons, Legal Entities, or Authorized Traders. [^308]

[^306]*See* Notice, at 12846, 12849.

[^307]*See* OIP, at 26655.

[^308] The degree to which regulatory activities focus on particular classes of customers is likely related to their relative trading volume. *See supra* section IV.A.2(d) that describes the relative importance of natural person customers and legal entities.

With respect to U.S. natural persons, the Proposed Amendment will reduce regulatory efficiency by causing name, address, and YOB data for U.S. natural persons to become unavailable in CAIS sooner, as such data already reported to CAIS and maintained therein will be deleted. Such data otherwise would have eventually become unreliable under the baseline, as a result of the CAIS Exemption Order. Thus, instead of it gradually becoming more difficult to connect U.S. natural person customers to their transaction data using CAT and CAIS data, it will instead become more difficult to do so upon implementation of the Proposed Amendment. As a result, it will be necessary upon implementation for regulators to rely on alternate sources of data to connect U.S. natural persons to their transaction information, which will be less efficient. [^309] To the extent regulators can use LTIDs to identify customers without requesting information from Industry Members, the delays resulting from the Proposed Amendment will be smaller for U.S. natural person customers with LTIDs than for ones without LTIDs. The unavailability of this data in CAIS will also cause inaccuracies in CCIDs to more frequently go undetected, since spot checks will no longer be feasible to perform, and this will affect the quality of analyses conducted using CAT data that depend on linking together a customer's multiple accounts. [^310] Rather than occur gradually, as anticipated under the baseline due to the CAIS Exemption Order, this increase in undetected inaccuracies in CCIDs—and the corresponding reduction in regulatory efficiency—will instead happen immediately upon implementation of the Proposed Amendment. Because CCIDs are believed to be less prone to inaccuracies for U.S. natural persons, this effect is likely to be small. Because the CAIS Exemption Order would have eventually made this information less reliable, the Proposed Amendment's effect on regulatory efficiency will depend on the extent to which CAT Reporters would have continued to report this information despite being permitted to not do so. The Commission expects that CAT Reporters eventually would have modified their systems to discontinue reporting the exempted data as it became cost-effective to do so during their systems' development lifecycles, and that it would take years afterward for some of the information to become unreliable.

[^309]*See supra* sections IV.A.2(a) and IV.A.2(b) for discussions of how the anticipated unreliability and/or unavailability of this information is expected to alter regulatory usage of CAT. To summarize, if the information is not available in non-CAT data in house, regulators will likely need to request additional information from Industry Members, using EBS or ad-hoc requests, to connect customers to transaction information. Such requests can take up to 10 business days ( *See infra* note 387), rather than minutes or hours as is generally the case currently when it is possible using CAIS data alone.

[^310]*See supra* section IV.A.2(b) for a discussion of the causes and impacts of such inaccuracies.

With respect to data on non-U.S. natural persons, the Proposed Amendment will reduce regulatory efficiency by causing name, address, and YOB data for non-U.S. natural persons to become unavailable in CAIS. Connecting non-U.S. natural person customers to their transaction information using CAT and CAIS data will be more difficult for regulators. This will, in turn, require regulators to use alternative sources of customer and account data as discussed. It will also cause inaccuracies in CCIDs to more frequently go undetected since spot checks will no longer be feasible to perform, and this will increasingly affect the quality of analyses conducted using CAT data that depend on linking  together a customer's multiple accounts, as discussed above for U.S. natural person customers. [^311] Because the CAIS Exemption Order did not extend to non-U.S. natural person customers, and name, address, and YOB data for such customers was not already anticipated to become less reliable, the reductions in regulatory efficiency pertaining to such customers are anticipated to be larger than for U.S. natural persons. The reductions are also expected to be of greater magnitude than those for U.S. natural persons, because of the concern that CCID may be less accurate for non-U.S. natural persons, [^312] amplifying the effect of inaccuracies on the quality of analyses that rely on linking accounts. [^313] As with U.S. natural persons, the reduction in regulatory efficiency will likewise be smaller when dealing with non-U.S. natural person customers with LTIDs. [^314]

[^311]*See supra* section IV.A.1(b) for a discussion of the impacts of such inaccuracies.

[^312]*See supra* note 259259, and accompanying text.

[^313] CAT transaction data indicates whether the customer account in a transaction is foreign, potentially alerting regulators to the possibility that the account may be affected by the increased inaccuracy of CCIDs for non-U.S. natural persons. This may allow regulators to take additional precautions when attempting to identify such customers, potentially alleviating in part the reduction in regulatory efficiency that is specific to non-US. natural persons.

[^314]*See supra* section IV.A.2(a) for a discussion of how the existence of an LTID may make it easier to identify a CAT Customer for whom no name, address, or YOB data are reported.

With respect to data on legal entities, the Proposed Amendment will reduce regulatory efficiency by causing name, address, and EIN data for legal entities to become unavailable in CAIS. It will be more difficult for regulators to connect legal entities to their transaction information using CAT and CAIS data. This will, in turn, require regulators to use alternative sources of customer and account data. It will also cause inaccuracies in CCIDs to go undetected more often, due to spot checks that will no longer be feasible to perform, and this will increasingly affect the efficiency of regulatory activities conducted using CAT data that depend on linking together a customer's multiple accounts, such as market reconstructions and enforcement investigations, as discussed above for U.S. natural person customers. [^315] Because the CAIS Exemption Order did not extend to legal entity customers, and name, address, and EIN data for such customers was not already anticipated to become less reliable, the reductions in regulatory efficiency pertaining to such customers are anticipated to be larger than for U.S. natural persons. The reductions could be of greater magnitude than those for other customer types, because legal entities account for significantly more trading activity than other customer types.

[^315]*See supra* section IV.A.2(b) for a discussion of the impacts of such inaccuracies.

However, these reductions in regulatory efficiency may also be ameliorated for legal entities for whom certain alternative identifiers such as EIN, LEI and LTID are available in CAIS and accessible to regulators. [^316] This is particularly true in the case of Queries of Customer Information where it is not initially known what Industry Members service the customer. In some such cases, [^317] these alternative identifiers will provide regulators an alternative means of querying CAIS, without making it necessary to issue ad-hoc data requests to numerous Industry Members.

[^316] It may also be possible in some circumstances, when a regulator is attempting to determine the identity of the customer in certain transaction data, and the customer account in the transaction is a proprietary trading or market-making account belonging to a CAT Reporter, to identify this CAT Reporter without issuing a request for information. This is because accounts of these types are marked as such in CAIS, and the CAT Reporter could be identified from the associated CRD number reported to CAIS. To the extent that regulators must identify singular customers that happen to be CAT Reporters, this would ameliorate the associated reduction in regulatory efficiency from having to issue data requests. It is not clear that this capacity could readily be applied to use cases in which it is necessary to identify groups of customers among whom there might be CAT Reporters, or that it would be worthwhile to apply this capacity in use cases where a CAT Reporter is not already known or suspected to be among a set of customers to be identified.

[^317]*E.g.,* in the case of an investigation of a tip, complaint, or referral identifying a legal entity that is an issuer of a security by name, it would be possible to obtain this legal entity's EIN from filings such as its Form 10-Ks or 10-Qs, and use this identifier to query CAIS.

The Participants state that when the EIN field is eliminated, regulators will retain the ability to search by EIN to retrieve a CCID for a legal entity. [^318] As such, a regulator looking for a specific legal entity's CCID can retrieve that entity's EIN from a non-CAT source and then search CAIS using Queries of Customer Information using that EIN to get the CCID. The loss in regulatory efficiency could be reduced to the extent that the continued ability to search CAIS using the legal entity's EIN allows regulators to avoid issuing data requests to Industry Members. It will therefore still be possible to connect a legal entity with an EIN [^319] to its CCID using Queries of Customer Information and thus its transaction data from CAT using CAIS data, if the regulator can otherwise obtain the legal entity's EIN. [^320] To the extent that regulators already use the EINs of legal entities to obtain their transaction data from CAT, and that Queries of Customer Information, as expected, remain unaffected by the implementation of the Amendment, it will require minimal, if any, additional effort to obtain such entities' transaction data, ameliorating the Proposed Amendment's reduction in regulatory efficiency. However, it will become more difficult to obtain transaction data for legal entities if regulators have to first obtain their EINs rather than being able to search on name. [^321] Further, the ability to search by EIN does not facilitate Queries of CCID that currently return an EIN, because after the Proposed Amendments are implemented, EIN will no longer be a field in CAIS. Therefore, this capability does not reduce the impact of the Proposed Amendments on regulatory efficiency with respect to identifying which legal entities are behind trading activity identified in the CAT transaction data.

[^318]*See* CAT LLC May Response Letter, at 6. The Commission understands that this could be made possible because the search interface is able to transform an input EIN to the corresponding TID, which is stored in CAIS, and then search CAIS for this TID. In this way, a user could obtain the CCID corresponding to the input EIN, which can then be used to search for the customer's transaction data.

[^319] The Participants have stated that all 4,243,672 U.S. legal entity customers in CAIS have EINs, while only 2,560 of the 143,793 non-U.S. legal entity customers have EINs. *See* CAT LLC September Response Letter at 6.

[^320] Because the same legal entity can have different customer accounts with different account names ( *e.g.,* different funds within the same family), a search on EIN can pull up multiple accounts. The unavailability of name data will mean that while it will remain possible to identify all of the legal entity's trading using EIN, it may be more difficult for regulators to pick out an account of interest, which may still require issuing a request for information.

[^321] Specifically, this will likely require, at a minimum, that regulators obtain the legal entity's EIN from a non-CAT source, and then use this EIN to obtain its CCID and transaction data.

In addition, the loss in regulatory efficiency could be reduced if regulators are able to use LEI or LTID to connect legal entities to their transaction information without issuing data requests to Industry Members. For those legal entities that possess an LEI or LTID, regulators can obtain this identifier from a non-CAT source [^322] and use it in Queries of Customer Information to obtain the entity's CCID,  if this identifier has been reported to CAIS and then use the CCID to retrieve its transaction data. Regulators can likewise identify suspicious trading activity in CAT transaction data for a certain CCID and then obtain the customer's LEI or LTID through Queries of CCID. After getting the LEI or LTID from CAIS, regulators can then obtain identifying information for the customer by requesting it from the organization that issued this identifier instead of from an Industry Member. In either case, this effectively allows a customer identified by an LEI or LTID in CAIS to be connected to their transaction data with an additional step relative to the baseline. This additional step would take less time than a data request that will be necessary for customers without an LEI or LTID in CAIS. [^323] However, since LEI and LTID identifiers are recorded in CAIS for relatively few customers, [^324] this amelioration will likely be smaller than that associated with EIN. The CAT NMS Plan requires Industry Members to report the LEIs and LTIDs of their customers when the customer has these identifiers and the Industry Member has this information. [^325] However, Industry Members are not currently required to obtain the LEIs of their customers who have LEIs.

[^322] LEIs are issued and recorded by the Global Legal Entity Identifier Foundation (GLEIF), which makes available a publicly-searchable database of LEIs and associated PII. It is thus possible to search this database for either an LEI associated with PII such as a name or address, or vice versa. LTIDs are issued and recorded by the Commission itself; while not publicly searchable, this makes it possible for regulators to obtain from the Commission any PII associated with an LTID, or vice versa.

[^323] Obtaining identifying information for an LEI would be accomplished through the publicly-searchable database of LEIs. The Commission itself would be able to obtain PII from a known LTID, or vice versa, more readily than it would be able to obtain such information from data requests to Industry Members, and expects this to also be the case for other regulators requesting PII for a known LTID, or vice versa, although this is currently a sufficiently infrequent request that processes for doing so are not well-established. *See supra* note 334.

[^324] The CAT LLC September Response Letter provides statistics on the prevalence of LEIs among CAT Customers, stating that 37,627 out of 4,243,672 US legal entities and 36,121 out of 143,793 foreign legal entities in CAIS have LEIs. This information suggests that LEI will be available to establish a foreign legal entity's identity roughly 25% of the time, and less than 1% of the time for US legal entities.

[^325]*See* CAT NMS Plan, at 48.

Federal financial regulators including the Commission have proposed joint standards that would default to using LEI in those agencies' rulemakings. [^326] If that joint proposal is adopted as proposed and the agencies all increase their usage of LEIs in future rulemaking, the Commission anticipates that more CAT customers may have associated LEIs in the future. Nonetheless, at present LEI does not provide a consistently available method of establishing the identity of a legal entity based on a CCID, or vice versa. Additionally, because it is not required for Industry Members to obtain current LEI data, it is not clear how current the LEI data stored in CAIS is. [^327] It may therefore be less useful than indicated by the proportion of legal entities for whom an LEI is recorded in CAIS. One commenter, who is a regulator, stated that the presence or absence of LEI in CAIS would not impact its regulatory activities under the Proposed Amendment, [^328] which the Commission views as an indication that some regulators do not currently use LEI in CAIS for any regulatory activities.

[^326]*See* Securities Act Release No. 112995 (Aug. 2, 2024), 89 FR 67890 (Aug. 22, 2024).

[^327] It is possible for a legal entity's LEI to change over time, due to the existence of multiple LEI issuers. If an entity allows its LEI to lapse with one issuer and obtains a new one from another issuer, there would be no requirement for any Industry Members with whom the entity has accounts with the old LEI on file to obtain the new one. This, among other reasons, allows for a legal entity's LEI to change over time and for LEIs previously reported to CAIS to become out of date. It is unclear how readily a legal entity's current LEI could be connected to any former ones.

[^328]*See* NYSE Letter, at 2.

With respect to analyses that focus on Authorized Traders, such as an investigation into violative behavior on the part of an Authorized Trader for multiple, otherwise unconnected accounts, the Proposed Amendment will reduce regulatory efficiency because the Proposed Amendment will also implement the planned retirement of the ATNL. [^329] This will make it necessary for Industry Members to begin reporting NPATs to CAIS as CAT Customers, and will also include the deletion of ATNL data already reported to CAIS. ATNL data will therefore become unavailable upon implementation. The Proposed Amendment will remove the requirement for Industry members to report the names, addresses, and YOBs of NPATs when reporting them as CAT Customers and will prevent any such information reported from being stored in CAIS. To the extent that ATNL data currently provides regulators with a more efficient way of connecting NPATs reported through the ATNL instead of as CAT Customers to their transaction data, this will instead require users to employ the same, less efficient methods [^330] that they would use when dealing with other accounts without reported name, address, or YOB data. The Commission is uncertain to what degree regulators rely on ATNL data to connect NPATs with their transaction data but believes that this is relatively uncommon and that the reduction in regulatory efficiency will therefore be small.

[^329]*See supra* section IV.A.2(c) for a discussion of the ATNL and its planned retirement.

[^330] As discussed above, likely consisting of EBS and ad-hoc information requests to Industry Members.

The Participants state that “the difference in the amount of time it takes to access the name of an investor in CAT versus the time it takes to request and obtain a name from an Industry Member would be relevant in only very limited scenarios and would not materially impede examinations and investigations.” [^331] Responses to EBS requests are permitted to take up to 10 business days. [^332] While responses to EBS requests may arrive ahead of this deadline, this is not guaranteed, and while it is possible to request an expedited response to an EBS request, there is no actual requirement that respondents respond more quickly to such a request. Because responses to EBS requests are permitted to take up to 10 business days, this represents a potentially significant delay relative to querying CAIS, which generally returns results within minutes. Such a delay could materially impede time-sensitive regulatory activities, such as reconstructions of market events, where a delay of up to 10 business days could represent a significant delay in responding to a market event. Such activities are likely to be infrequent.

[^331]*See* CAT LLC May Response Letter, at 11.

[^332]*See* CAT NMS Plan Approval Order at 84818.

One commenter, who is a regulator, stated that the Proposal “would [not] unduly compromise[e] regulatory effectiveness,” noting that “the systemic and prospective collection of names, addresses, and years of birth for all customers is not necessary for effective oversight of the securities markets.” [^333] This commenter also stated that “regulators are able to use alternative mechanisms to obtain information regarding the identity of market participants on an as-needed basis.” [^334] The Commission agrees that regulators can obtain this information through other means, but acknowledges that the inclusion of customer information in CAIS promoted regulatory efficiency by making this information more readily available to regulators.

[^333]*See* FINRA Letter, at 1-3.

[^334]*See id* at 3.

In the CAT NMS Plan Approval Order, the Commission discussed how the CAT would aid regulators in performing analysis and reconstructions of market events, market analysis and research, enforcement investigations, and triage of tips and complaints. [^335] As it becomes more necessary for regulators to issue data requests to Industry Members to link customers to their transaction information, these benefits  of the CAT will be reduced. This will reduce regulatory efficiency.

[^335]*See* CAT NMS Plan Approval Order, at 84840.

When conducting analysis and reconstructions of market events, which tend to be large analyses conducted less often than other regulatory activities, it may be necessary for regulators to make numerous requests for information, to numerous Industry Members. [^336] As a result of the Proposed Amendment, CAIS will also less effectively aid regulators in examining the behavior of specific traders or subsets of traders during or in response to a market event. In these use cases, the reduction in regulatory efficiency will result from the added time and effort involved in making requests for information, awaiting responses, and then merging the responses of numerous respondents. Reconstruction of market events is often time-sensitive and could be significantly delayed by the need to await Industry Members' responses to information requests, which could be further exacerbated by the volume of information that it might be necessary to request for such a reconstruction.

[^336] The Commission noted in the CAT NMS Plan Approval Order that including EBS data for a reconstruction of trading in the market for even one security on one day could involve many, perhaps hundreds, of requests and that the CAT would be useful if regulators were interested in determining if a particular trader or category of traders had some role in causing the market event, or how they might have adjusted their behavior in response to the event. *See* CAT NMS Plan Approval Order, at 84834.

In performing examinations and enforcement investigations, [^337] regulators will less reliably be able to connect customers of interest in the investigation to their transaction data using CAIS data. In Queries of CCID motivated by analysis of transaction data identifying a CCID associated with violative behaviors, either as a victim or violator, it will be more often necessary for regulators to request information from Industry Members to be certain of the identity associated with this CCID. [^338] Likewise, in Queries of Customer Information motivated by a tip, complaint, or referral identifying a victim or violator by their customer information [^339] or motivated by examinations focused on particular customers, [^340] it will be more often necessary for regulators to request information from Industry Members to determine this customer's FDID and CCID in order to obtain their transaction information from CAT. In this latter case, replicating the effectiveness of CAIS may require making a large number of requests for information if it is not initially known what Industry Members this named customer has accounts with. It may also be necessary to make large numbers of requests when performing an examination that requires a representative sample of customers, for example an analysis of the treatment of senior citizens. In both types of queries, the reduction in regulatory efficiency will depend heavily on the urgency of the investigation or examination and how rapidly Industry Members respond to requests. Additionally, the request itself would reveal confidential regulatory information.

[^337] The Commission noted in the CAT NMS Plan Approval Order that CAT would aid in performing investigations through multiple channels including reducing the time and effort required to compile data to support an investigation, and making it easier to review the activity of specific market participants as would be useful in identifying insider trading, manipulation, and other potentially violative activity that depends on the identity of market participants. *See* CAT NMS Plan Approval Order, at 84839.

[^338] In addition, when regulators are attempting to find and contact the investors harmed by a violation, they will no longer be able to use CAIS to get such investors' names and addresses.

[^339] The Commission noted that CAT would “drastically increase the detail of data available to regulators for the purposes of tip assessment.” One manner in which the CAT aids in this function is by making it possible to rapidly connect a customer identified in a tip or complaint to their transaction information. *See* CAT NMS Plan Approval Order, at 84840.

[^340] For example, when regulators are focusing on specific issuer share repurchases, ETF authorized participant trading, or investment adviser allocations, they will no longer be able to use CAIS alone to identify the accounts held by the specific issuers or ETF authorized participants or the accounts for which the investment advisers of interest have trading authority. Instead, regulators may need to first find an alternative identifier, such as LEI, LTID, or EIN and then search CAIS for that identifier and then request information from Industry Members if CAIS does not contain the alternative identifier.

The Proposed Amendments will particularly reduce the efficiency of regulatory activities that rely on Queries of Customer Information if regulators do not know which broker-dealers service the customers of interest and such customers do not have alternative identifiers in CAIS. This is commonly necessary for purposes such as triaging tips, complaints, and referrals that identify a possible victim or violator by their customer information, but do not also identify broker-dealers servicing this customer. When initially triaging a low-information tip, complaint, or referral such as this, regulators would have been able to quickly query CAIS using customer information and thus determine not just the broker-dealers servicing the customer, but the customer's CCID, enabling regulators to also obtain transaction data to further investigate the tip, complaint, or referral. [^341] Under the Proposed Amendments, to replicate this functionality will likely require issuing a wide-reaching request for information to numerous broker-dealers, most of which would have no relationship to the customer in question, and then ingesting and merging their responses.

[^341] Or, if the customer information provided was not sufficiently complete to identify a unique customer, the query would reveal this (by returning multiple customers matching the information provided), informing regulators' triage decision.

Based on the experience of Commission staff, these anticipated changes will most frequently affect regulatory uses of CAT related to investigations (but will only rarely materially impede them [^342] ), and less frequently use cases related to market reconstructions and examinations; it will only rarely, if at all, affect market surveillance and research. The magnitude of these anticipated changes will depend largely upon three factors: the increase in response time when obtaining customer information through requests to Industry Members; [^343] the degree to which responses to ad-hoc requests for customer information are delivered in standardized formats; <sup>344</sup> and the degree to which regulators already rely on requests for customer information from Industry Members. [^345]

[^342]*See supra* note 155 and accompanying text.

[^343] Regulators can currently obtain customer PII from CAIS with extremely short response times (on the order of minutes). Industry Members' responses to EBS or ad-hoc data requests are likely to be significantly slower (on the order of days to weeks, based on the Commission's experience with EBS requests). This will introduce significant delays in use cases where it is necessary to obtain customer PII that is no longer available in CAIS. To the extent that Industry Members respond quickly, it will reduce this effect.

[^344] Customer PII is currently stored in CAIS using a standardized format. To the extent that Industry Members supply responses to ad-hoc data requests in non-standardized formats, this will require regulators to expend effort developing distinct procedures for ingesting responses from each Industry Member. If Industry Members instead adopt a standardized format for responses to these requests, it will reduce this effect. One commenter suggested that EBS was not an ideal method of handling such requests, due in part to its relative lack of security, and suggested that EBS should be replaced by a “request and response” system that would be more secure and more tailored to handling requests for sensitive information such as PII. *See* FIF April Letter, at 5-7; FIF July Letter, at 4-8. Such a system would be one way for Industry Members to standardize their responses. *See* Section III.A for a discussion on Request-Response System and Retirement of EBS.

[^345] If regulators are already routinely contacting Industry Members for additional information beyond what appears in CAIS when they investigate matters that require them to extract PII from CAIS, contacting Industry Members to obtain this PII will require less additional effort than if such requests to Industry Members are currently infrequent. However, the Commission understands such data requests to generally occur at later stages of an investigation: it may therefore be necessary to either  issue an initial data request ahead of a later, more comprehensive request, or to forgo certain data until it can be included in a data request at a later stage of an investigation.

Because the Proposed Amendment's deletion of information retained in CAIS will cause information to become unavailable, it may cause additional short-term transitory reductions in regulatory efficiency until regulators can adjust. Regulators will have a short timeframe in which to develop modified procedures for using CAT and CAIS in regulatory tasks, which may require temporarily drawing resources away from other regulatory activities.

**3. Market Efficiency**

The Proposed Amendment could have an adverse impact on market efficiency that is not likely to be large. While a potential positive impact on market efficiency due to certain reduced transaction costs is possible, it is not likely to be consequential. The impact on market efficiency, in this analysis, is second order to regulatory efficiency, which the Commission expects to decline with the Proposed Amendments. [^346]

[^346]*See supra* section IV.B.1. Because the loss in regulatory efficiency will depend on the type of entity the regulator is interested in ( *i.e.,* U.S. natural persons, non-U.S. natural persons, Legal Entities, or Authorized Traders), these reductions in regulatory efficiencies will be smaller for some entities due to factors that include, for example, availability of alternative identifiers. Further, the effects on regulatory efficiency depend on the frequency of the impacted use cases and the magnitude of such impact.

The Proposed Amendment could reduce market efficiency if it were to result in a reduction in the deterrence of violative behaviors or in an increase in the persistence of violative behaviors. However, as stated by the Participants, the changes to availability of customer identifying information, including that associated with legal entity and non-U.S. national persons in CAIS, would only rarely materially impede examinations or investigations. [^347] While the Proposed Amendment will reduce regulatory efficiency, regulators will still be able to detect potentially violative behavior in the CAT transactional data without meaningful additional delays. Also, regulators can, using the FDID in CAT transactional data, without meaningful additional delays, contact Industry Members for any urgent matters, as necessary. Consequently, the Proposed Amendment is unlikely to negatively impact the detection and deterrence of violative activity.

[^347]*See* CAT LLC May Response Letter, at 11.

The cost savings associated with the Proposed Amendments might contribute to lowering transaction costs, however, the contribution is unlikely to be large enough to meaningfully affect market efficiency. CAT costs related to the operation and maintenance of CAIS and costs related to reporting to CAIS on the part of the Industry Members, in principle, likely contribute to the overall transaction costs in the market. [^348] The costs of maintaining customer identifying information associated with legal entities and foreign national customers in CAIS, however, are small relative to the overall costs of CAT. [^349] Likewise, the costs incurred by Industry Members to report customer identifying information involving non-U.S. natural persons and Legal Entities to CAIS are not likely to be large enough to have a meaningful contribution to the overall transaction costs in the market. Therefore, the marginal contribution of these costs to the overall transaction costs in the market is likely to be small and, thus, the Proposed Amendment is unlikely to significantly impact market efficiency.

[^348] Note that these are not net costs as they do not account for benefits; these simply reflect operating costs incurred by various parties involved.

[^349]*See supra* section [[IV.2.(a)]] for a description of the estimated cost savings from the Proposed Amendment.

**C. Competition**

The Proposed Amendment may have a small positive effect on competition in the markets for trading services and broker-dealer services in which Industry Members and Participants compete. As discussed above, the Proposed Amendment is likely to reduce the costs of operating and maintaining CAT. These cost savings will marginally reduce the competitive advantages and disadvantages inherent in the CAT funding model that may impact competition in the market for trading services and the market for broker-dealer services. [^350]

[^350]*See* CAT NMS Plan Approval Order. The original funding model in the CAT NMS Plan Approval Order consists of various funding principles. At the time at which a new funding model is approved, to replace the original funding model approved in the CAT NMS Plan Approval Order both the funding model and how CAT costs are distributed will change.

In the market for trading services, the Proposed Amendment is likely to have mixed effects upon competition. The Proposed Amendment may provide a small disadvantage to broker-dealers that have customers and participate in the market for trading services because these broker-dealers are likely to be burdened with additional ad hoc data requests related to customer information that was formerly reported to CAIS. However, these same broker-dealers currently operate under a competitive disadvantage due to potential liability in the event that their customers' data is exposed if there were a CAT data breach; the Proposed Amendment is likely to provide a significant reduction to this disadvantage by reducing the potential costs to broker-dealers if their customers experience such a breach. Market centers without customers, such as exchanges, would not experience such cost savings.

In the CAT NMS Plan Approval Order, the Commission stated its belief that the operational requirements of the plan (excluding effects arising from the funding model) would likely not reduce competition and efficiency in the overall market for broker-dealer services, although it recognized that there might be competitive effects between broker-dealers that did and did not have CAT reporting obligations. [^351] Because all broker-dealers in the market for broker-dealer services have customers, all of the participants in this market may be subject to additional ad hoc data requests and EBS requests as regulators no longer rely upon CAIS data in their activities.

[^351]*See* CAT NMS Plan Approval Order, at section IV.G.1.

The Commission expects that Industry Members will incur one-time implementation costs related to modifying their systems to cease the reporting of customer information that will no longer be collected under the Proposed Amendment. [^352] However, the Commission also expects that Industry Members will accrue ongoing cost savings due to the reduction in the amount of information that they will need to report. Given the combination of small one-time costs, and ongoing cost savings, also small, the Commission does not expect these cost changes to have a meaningful effect.

[^352]*See supra* note 107 (and associated text); *see also supra* note 248 and FIF April Letter, at 3 on how Industry Members will require time to update their systems.

In conclusion, the Proposed Amendment is likely to have small mixed effects upon competition in the market for broker-dealer services. Furthermore, the Proposed Amendment is unlikely to have an adverse effect on competition in the markets for broker-dealer or trading services in which Industry Members compete.

**D. Capital Formation**

The Proposed Amendment is unlikely to result in a significant effect on capital formation. In the CAT NMS Plan Approval Order, the Commission discussed its belief that concerns regarding data security were unlikely to  affect capital formation substantially. [^353] As discussed above, [^354] the Proposed Amendment is likely to reduce the potential severity and cost [^355] of a data breach of the CAIS system by removing the most sensitive information that remains within that system. [^356] However, the Proposed Amendment is likely to cause an increase in EBS requests which have their own security risks since EBS also contains customer PII; [^357] consequently, the Proposed Amendment may increase the potential severity of a security breach of the EBS system, although the breadth of investor coverage of EBS responses is necessarily a subset of that within CAIS, which contains information on all customers regardless of whether their activity has been covered by a previous EBS request. On balance, it is unlikely that the Proposed Amendment will significantly affect capital formation because each of these effects is likely to be small and the effects are in opposition, with one possibly increasing data breach risks while the other possibly decreasing the severity of a data breach were one to occur.

[^353]*See* CAT NMS Plan Approval Order, at section IV.G.3(b).

[^354]*See supra* section III.

[^355] FIF discusses the costs that Industry Members would incur if a data breach were to occur. FIF July Letter, at 11.

[^356] FIF discusses risks of central storage of PII. *See* FIF July Letter, at 8. FINRA discusses privacy and security risks in retaining data. *See* FINRA Letter, at 4.

[^357]*See* FIF July Letter, at 4.

**V. Conclusion**

For the reasons discussed, the Commission, pursuant to section 11A of the Exchange Act, [^358] and Rule 608(b)(2) [^359] thereunder, is approving the proposed changes to the CAT NMS Plan, as those changes are set forth in the Proposed Amendment, as modified by Amendment Nos. 1 and 2, and as modified by the Commission. Section 11A of the Exchange Act authorizes the Commission, by rule or order, to authorize or require the self-regulatory organizations to act jointly with respect to matters as to which they share authority under the Exchange Act in planning, developing, operating, or regulating a facility of the national market system. [^360] Rule 608 of Regulation NMS authorizes two or more SROs, acting jointly, to file with the Commission proposed amendments to an effective NMS plan, [^361] and further provides that the Commission shall approve an amendment to an effective NMS plan if it finds that the amendment is necessary or appropriate in the public interest, for the protection of investors and the maintenance of fair and orderly markets, to remove impediments to, and perfect the mechanisms of, a national market system, or otherwise in furtherance of the purposes of the Exchange Act. [^362]

[^358] 15 U.S.C. 78k-1.

[^359] 17 CFR 242.608(b)(2).

[^360]*See* 15 U.S.C. 78k-1(a)(3)(B).

[^361]*See* 17 CFR 242.608.

[^362]*See* 17 CFR 242.608(b)(2).

For the reasons set forth above, the Commission finds that the proposed changes to the CAT NMS Plan, as set forth in the Proposed Amendment, as modified by Amendment Nos. 1 and 2, and as modified herein, meet the required standard.

*It is therefore ordered,* pursuant to section 11A of the Exchange Act, [^363] and Rule 608(b)(2) [^364] thereunder, that such changes be, and hereby are, approved.

[^363] 15 U.S.C. 78k-1.

[^364] 17 CFR 242.608(b)(2).

By the Commission.

J. Matthew DeLesDernier,

Deputy Secretary.