In the wake of the 2010 “Flash Crash,” the SEC in 2012 adopted Rule 613 of Regulation NMS, which requires the national securities exchanges and FINRA (collectively, the “SROs”) to work together to develop and submit to the SEC a plan to create, implement, and maintain a consolidated audit trail (the “CAT”).  Simply put, the CAT is intended to enable regulators to oversee our securities markets on a consolidated basis—and in so doing, better protect these markets and investors. 

The Commission approved in November 2016 a CAT NMS plan prepared by the SROs.  Under the SROs’ plan, the first phase of reporting to the CAT (SRO reporting) is scheduled to start tomorrow.  Last night, the SROs submitted an exemptive request to the Commission that makes clear that they will not meet that deadline and certain other deadlines contemplated by the plan.  The SROs’ letter requests that the Commission issue broad exemptive relief extending the initial deadline by a year and other deadlines by a year or more. 

I recognize that recently the SROs have worked together to develop an action plan for bringing the CAT on-line, albeit on a delayed basis.  Further, it is clear that the SROs’ increased engagement with the SEC in recent days has been constructive.  However, I am not in a position to support the issuance of the requested relief on the terms currently proposed.  That said, I will continue to engage with the SROs on these issues, and I have instructed the SEC staff to make themselves available to the SROs as necessary or appropriate.  I urge the SROs to continue their efforts to work cooperatively with each other and to meet their responsibilities as promptly as practicable. 

With regard to cybersecurity, I have informed the SROs that protection of the information submitted to the CAT is of paramount importance and that I am open to various paths for addressing cybersecurity matters.  Additionally, I have made it clear that the SEC will not retrieve sensitive information from the CAT unless we believe appropriate protections are in place.  In this regard, Commission staff is currently conducting an evaluation of our needs for personally identifiable information (“PII”) in the CAT.  It is important that the Commission, the SROs, and the plan processor continuously evaluate the approach to the collection, retention and protection of PII and other sensitive data, as we continue to progress in the development and operation of the CAT.