Skip to content

Cut the waste, keep the controls: our response to the SEC's CAT review

Control Now has filed its first comment letter with the SEC, responding to the Concept Release on the Consolidated Audit Trail (Release No. 34-105251). We set out what the review is really about and the two recommendations we put forward: stop making every firm solve the same field-mapping problem, and keep two-sided reporting rather than cutting it to save money. Both come down to one principle, that an audit trail is only worth its cost if the data in it is accurate, complete and trustworthy.

/ Article

Control Now has filed its first comment letter with the U.S. Securities and Exchange Commission, responding to the Concept Release on the Consolidated Audit Trail (Release No. 34-105251). This is our view of what the review is really about, and the two recommendations we put forward.

The SEC has opened a comprehensive review of the Consolidated Audit Trail and the other audit trails used to regulate US securities markets. Its Concept Release asks for comment on the CAT's purpose, structure, scope, funding and governance, along with its cybersecurity and data privacy safeguards. It is a genuinely open question being asked in public, before any reform is on the table, and the breadth of it is unusual.

It is also overdue. The CAT was meant to give regulators a single, complete, reconstructable record of order and trade activity across the national market system. It does that. But its running costs have grown well beyond what anyone budgeted for, its funding model has been litigated repeatedly, and its concentration of sensitive market and customer data has made it a standing target for privacy concerns. The review is the Commission stepping back and asking whether the thing it built is still the right shape.

We didn't try to answer all of it. We wrote about two issues we have worked through ourselves, in production, on behalf of firms that report to the CAT every day. And we wrote them around a single idea.

Most of the debate about the CAT is a debate about cost. It is expensive to operate and expensive to report into, and a large part of the industry would like it smaller. We understand that instinct, and we don't dismiss it. But "how do we make the CAT cheaper" is the wrong question to lead with. The better one is: where is the effort actually being wasted, and which of the expensive parts are earning their keep? Those two questions do not point in the same direction, and treating them as one is how good controls get cut in the name of efficiency.

That distinction runs through both of our recommendations.

One: stop making every firm solve the same problem

Every broker-dealer that reports to the CAT has to determine how its order-handling practices map onto each CAT field. There are roughly a hundred of them. Some are trivial; price is price. Others are not. The handling-instructions field alone carries more than ninety options, and the right answer often involves real interpretive judgement.

Now multiply that by every routing destination a firm sends to, each with its own specifications, and again by the fact that those destinations keep changing. The result is an enormous, permanent, duplicated effort, repeated firm by firm across the whole industry. Worse, because the determinations involve discretion, the same underlying practice gets mapped differently by different firms. That is exactly how you end up with inconsistent reports describing identical activity, which is the opposite of what an audit trail is for.

The CAT already publishes one narrow mapping document, covering the handful of fields used for exchange route matching. It is genuinely useful. It simply stops well short of the wider problem.

Our recommendation is straightforward: routing destinations should publish a mapping of their own business specifications to the CAT reporting specifications. They have largely built this already, for their own reporting purposes, so the marginal cost of publishing it is low. We have proposed that the CAT Operating Committee establish a voluntary framework for these publications, with FINRA CAT reviewing them and an SRO statement that reporting consistent with a reviewed mapping is given a presumption of compliance. Once the framework exists, the exchanges are well placed to lead, with the rest of the industry following.

The point is that this reduces burden by removing duplication, not by removing data. The whole industry stops solving the same problem in parallel, reporting gets more consistent, and regulators get a clearer view. It is a low-cost, high-impact reform, and we have said we will help build it.

Two: don't cut two-sided reporting to save money

This is the recommendation that runs against the grain of the cost debate.

Two-sided reporting, where both sides of an order report it, is one of the more expensive features of the CAT. If you are optimising purely for cost, it is an obvious thing to cut. We argued for keeping it.

The reasoning is the same one our own validation process relies on every day. Part of how we assure our clients' CAT reporting is by evaluating the messages they receive from routing destinations. That recipient-side data is a critical control. It surfaces missing reports, message translations that don't line up, and confirmation that an order lifecycle actually completed. None of that is reliably visible from one side alone.

The same logic holds at the level of the CAT itself. Several CAT processor validations already depend on two-sided reporting and continue to catch errors. The Commission's own recent exemption for port-level settings relies on it, because certain material terms are only ever reported by the recipient. And where the two sides report under different specifications, they don't always agree, which is not noise to be eliminated, but information about where reporting is breaking down.

Remove two-sided reporting and you would save real money. You would also remove a proven error-detection mechanism and weaken the data integrity that gives the audit trail its entire value. A cheaper audit trail that catches fewer errors is not a better audit trail.

The thread underneath: data integrity, and where data lives

Both recommendations are really about the same thing. An audit trail is only worth its cost if the data in it is accurate, complete, and trustworthy. Efficiency that improves data quality is worth having. Efficiency that quietly erodes it is a false economy, and it tends to show up later, as the errors you stopped looking for.

That principle also shapes how we build. The Commission's review puts real weight on cybersecurity and data privacy, and rightly so, a single store of this much sensitive market and customer data is a serious concentration of risk. Our solutions are designed so that client data stays on client servers throughout the reporting process. We think the direction of travel in this review, towards minimising unnecessary data concentration, is the right one, and our architecture already reflects it.

Where this leaves Control Now

This is the first time we have put our name to a US market-structure consultation, and that is deliberate.

Control Now has spent the better part of a decade on transaction reporting across EMIR, MiFIR/MiFID II, ASIC, MAS and the Canadian regimes. The CAT is a different proposition. It reports orders, not just transactions, and it operates at a scale and granularity that most regimes don't approach. Working through it in detail has confirmed something we already believed: the principles of accurate, complete, well-controlled reporting carry across regimes even when the rules do not. Domain expertise built in one market is not stranded there.

We will have more to say on the CAT shortly, including what we are bringing to market for it. For now, our letter is on the public file, and we are glad the Commission is asking the harder questions rather than only the cheaper ones.

Read the full comment letter on the SEC's public comment file for S7-2026-12, or get in touch to talk about what well-controlled CAT reporting looks like in practice.

Control Now is a London-based regulatory technology firm. Our no-code solutions cover transaction reporting across EMIR, MiFIR/MiFID II, ASIC, MAS, CSA and the CAT, with the ability to retain client data on client servers throughout the reporting process if required.

Prepared with Thirty4 Advisory.