Consolidated Audit Trail: Insights from Broadridge's David Campbell
Earlier this year, Broadridge published a white paper that looked at how firms are preparing to meet the regulatory reporting requirements associated with the Securities and Exchange Commission's Consolidated Audit Trail (CAT). SmartBrief recently chatted with David Campbell, Vice President of Strategy and Business Development in Global Technology and Operations at Broadridge, to learn more about the challenges CAT represents and the steps firms are taking to prepare for its implementation.
How does CAT differ from other regulatory reporting regimes?
The most obvious difference is volume. Being focused on US equities and options markets means there is a lot more volume than a lot of the other regulatory regimes. The fact that CAT is focused on order events, rather than post-trade events means there is a lot more focus on the linkage of events within the life cycle. Another one of the more complicated differences is the CAT repository’s focus on linking events together across market participants. That is something people are going to have to deal with because those aspects are not typically coupled together from either a systemic or a process point of view within firms.
Thus far, what are the biggest challenges CAT presents for firms?
Obviously, the timeline is a challenge because it’s still up in the air.
The structure of the CAT operating committee – in terms of working groups working thru industry associations to come up with technical interpretations to work through these issues – is showing that there is a lot of complexity. Based on that, it makes the timeline a challenge, even with the reset timeline from the SROs.
Being able to gather all that information, make sense of that information and then submit the right information to the CAT processor within the timelines is a challenge. And then there is the challenge of the revised exception window, so that if something comes back from the CAT processor, there is a shorter window than in the Order Audit Trail System (OATS) world for people to turn around for corrections.
At this point, we also don’t even have an understanding of what the end of the business day is going to be. If the business day is going to be extended - I think the original technical specification called for midnight as being end of day - that adds a lot of complexity for clients in terms of the way they operate. Other systems may have to be changed to be able to meet some other regulatory requirements each day.
So what may look like minor things – like the definition of the end of the day – are very important in terms of how complex and how much change this ends up creating for the broker-dealer community.
Of the tactical disadvantages to patch work/reactive builds, which one is the most painful or costly?
For people looking at going with a system-by-system basis to try and tactically put something together, where they are just making modifications to their existing systems to then account for CAT reporting, the obvious issue is going to be how you link things across systems. How should information be tracked and linked? There is a lot of complexity if you are doing that with multiple systems and trying to do it with a patchwork approach because you are implementing the rules many times in different systems and therefore it can really lead to a lot of trouble-shooting issues, testing and then long-term maintenance.
And the rule will change. That’s one thing we have seen with a lot of the new trade reporting rules. Even OATS has changed over time. The more systems that you have producing CAT input to the repository, the more points that you have to change and the higher the long-term overhead and maintenance is going to be if you do it on a system-by-system basis, rather than looking at a more consolidated approach.
What are some of the things firms need to prioritize when they devise their approach to CAT reporting?
The two main things are going to be data aggregation and the management of rules and workflow.
Do they have the mechanisms in place to be able to aggregate all of the data. That requires actually understanding what all the data sources are, what all the data gaps are likely to be and how to consolidate all of that data together.
Rules and work flow are crucial in determining what needs to go to CAT because one of the ways to minimize the amount of change to upstream systems is to output all the data from the effected systems to the central repository or work flow engine that will then be able to determine what needs to be reported, what doesn’t need to be reported and what enhancements to those data elements need to be made to report them. There also needs to be the ability to handle all the exceptions that come up – either prior to submission or post-submission. Adding that kind of workflow engine on top of centralized data helps in terms of being able to understand what the issues are and correct them before sending things out the door. And being able to alert prior and then being able to react much more effectively if there are any issues that come back from the CAT repository.
Those two things together give you much more easily traceable and audited process to be able to control and demonstrate how you are in compliance.
How common has it become for firms to use systems put in place for regulatory reasons as a tool for analyzing their own business operations and using those insights to shape new best practices?
Some do it better than others.
For example, the platform that we are extending out for this is the same one we use for our G20 reporting for things like EMIR, Dodd-Frank and MiFID II. One of the things that came out of our MiFID II prep was that though a lot of firms talked about gleaning insights, they didn’t really have a good idea about things like their data lineage. Where is their data coming from? If I am bringing data to the trade repository I putting these fields in a certain format, but do I know where those fields are coming from? Do I know how that particular field was constructed? Do I know how many fields, systems and rules it went through to get to that point? A lot of firms didn’t have that.
One of the things that we built was “data lineage and rules applied visualization” to allow firms to be able to say, “This is the data input to the system. This data came out. Here is how what was put in became what went out.” Firms need to be able to show where the data comes from, what rules and processes have been applied to it and what’s gone out the door. They also need to be able to trace that back if the regulators reject the data. Just being able to have that kind of visualization and data lineage is very important and a number of firms haven’t had the tools for that.
That is something that is going to be important in CAT because with the error rate that CAT is looking to enforce, you can’t over-submit data and you can’t under-submit data. You have to submit the right amount of data. With large sums of data, if somebody comes to you during an audit and asks, “How do you know that field was right when you sent it out the door?” you need to be able to respond with confidence, “Here, I’ll show you.”
Looking at the regulatory landscape around the world, it seems like we might be in for a period of what one might call "regulatory fracturing." What kind of impact might that have on CAT reporting?
If you have an operational platform that allows you to have a single workflow model around order events and trade and transaction reporting that can then be applied against the different rules across multiple regimes, it means you can more efficiently and more cost-effectively manage the fracturing. In the end, all this regulatory reporting is about capturing data and figuring out what is reportable to whom and for what purpose; and then being able to figure out what format that particular regulatory organization needs. If you’re planning the right solution, you will be able to consolidate your regulatory reporting operations into a more coherent operational process based on strong data aggregation, data evaluation and work flow capability.
The challenge is to make sure you are aggregating the data using the same kinds of tools while meeting all of the fragmented requirements around privacy protection and data sovereignty. If you are trying to do multi-jurisdictional, global trade reporting, you are automatically entering into a discussion about where the data is held, who can access the data and how do they access the data. Those are the kinds of things that if you are a big global firm and trying to think about them strategically, you always want to be able to consolidate things while still satisfying all the different jurisdictional needs. It is really hard to do if you are taking a tactical approach.
Are firms cutting back on compliance spending? How will that affect long-term strategic technology initiatives?
What we are seeing at this point is people are trying to figure out how they can satisfy CAT requirements without adding more people. The challenge is that as we look at what just happened with MiFID II, what seems to be happening with CAT, and maybe what is happening with the SFTR in Europe, is the fluidity surrounding what is going to be within the scope and the deadline is challenging. It always feels - and often is - too short to be able to implement correctly. There is a lot of pressure to just ‘get it done,’ which means more staff and perhaps tactical solutions.
What we have seen over time is that as each new regulation has been rolled out, within 6-9 months we’ve started having discussions with people about implementing that regulation within our platform because the cost of maintenance for what got them over the initial finish line is not sustainable in the long term. When people try to solve these challenges reg-by-reg, there comes a point when they realize the platforms they have in place, especially the internal builds, just can’t sustain the next one. They have to look at a different approach. I think we will see that with CAT.
One of our longer term objectives is that for everything that is a US-based reporting regime, offering a consolidation point on top of a CAT solution to make those environments more cost-effective and easier to operate in the long term. That will allow firms to look at finding optimal staffing levels and give them the ability to use newer technologies like AI on top of a centralized, strategic platform. There isn’t going to be as much impetus after CAT for implementing new, large-scale regulations. But I think there is going to be a lot of impetus to clean up what is there and become much more effective.
Are you seeing any regional trends with regard to firms’ appetite to tackle these regulatory challenges? Or is different for each firm?
I think it is firm-by-firm. We’ve seen firms in Asia use MiFID II as their tipping point to revisit all of what they have done previously. It really comes down to where that firm is in their cycle. Some firms took a much better approach by tackling each new regulatory regime by just adding onto a platform that is a sustainable platform that allows them to move forward. For others, a new regulation is sometimes the impetus to make the jump over to something more strategic and more sustainable.
The real driver is more about the size of the firm and the complexity of their global reporting requirements. Generally, the Tier 1 players had the resources to take a much more thoughtful approach at the first gate and have been able to build on that since. The Tier 2 and Tier 3 firms who do a lot of global business and are caught by a lot of global regulation don’t necessarily have the resources of the biggest players. They have had to be a bit more tactical with how they have implemented these things; and now they have to re-evaluate because their approach is not sustainable for the long term.
So what is your best “big picture” advice for firms?
Based on the uncertainty of the timeline and the scope, the main thing is that everybody really needs to be thinking about where their data sits. Once this thing becomes real and we have real deadline to work towards, firms need to know where their data sits, where their data gaps exist and how they are going to bring all their data together.
They also need to think about how they will operate in an environment that is going to be pretty high volume – for some people it is going to be exceptionally high volume – with much more limited time windows. That’s where firms will realize that while data is obviously key, so is the ability to workflow.
Everybody has to do it and everybody has to adhere to the same rules, so doing it all on your own doesn’t make a lot of sense. You are going to be re-inventing the wheel while someone else is making that same wheel. If you can look at solutions that allow you to mutualize the cost of compliance, that makes a lot more sense than trying to spend all the money on your own.