“With the approval and ultimate implementation of CAT, the Commission’s regulatory capacity strongly embraces 21st century technology, enabling the Commission and the SROs to harness data and technology to more effectively oversee market participants,” said SEC Chair Mary Jo White. “Through the CAT, regulators will have more timely access to a comprehensive set of trading data, enabling us to more efficiently and effectively conduct research, reconstruct market events, monitor market behavior, and identify and investigate misconduct.”

The CAT would be managed by an LLC jointly owned by the affected SROs, governed by an operating committee comprised of one representative from each group who would each have one vote. The company, which would be based out of Delaware, would be responsible for operating, maintaining and upgrading the central repository, ensuring the security and confidentiality of all data within it, and educating broker-dealers and SROs on how to submit the necessary data. Funding for this company will come from the SROs who will, in turn, level tiered fixed fees on CAT reporters and broker-dealers based on a combination of market share and message traffic. 

In its comment letter, the Securities Industry and Financial Markets Association heavily criticized this funding model, saying that its development was dominated by SROs with no meaningful input from broker-dealers even though, it said, nearly all of the costs will be borne by them. It also questioned the authority of the SROs to level such a fee structure, and said that there was a fundamental conflict of interest in giving them this much control. 

"At this point, we have to assume that any CAT funding model designed by the SROs themselves will be built to favor the commercial interests of one set of for-profit market participants – the exchanges – at the expense of the exchanges’ competitors – the broker-dealers," said SIFMA. 

SIFMA recommended that the SEC conduct a study on whether there is sufficient jurisdiction for the fee structure, and further requested that any fees be set by an independent third party.

Both the SEC and the various SROs would have access to the data, which would be used for regulatory and oversight purposes. The database will be set up in such a way as to allow for complex queries such as reconstructing market events and the status of order books at various time intervals. 

Several stakeholders critiqued the plan on cybersecurity grounds, expressing worry that the central database would be a tempting target for hackers. Fidelity Investments, in its own comment letter, noted that the CAT Central Repository would process more than 58 billion records, representing 13 terabytes of data, daily, making it the largest, most comprehensive data repository for securities transactions to date. Some of this information, Fidelity noted, includes confidential and sensitive personal and proprietary trading information, which it said represents an attractive opportunity for potential misuse, such as identity theft. While it noted that the rule does include certain cybersecurity provisions, it lamented a lack of specifics. 

Like Fidelity, the Financial Services Roundtable also faulted the plan for lack of specific on cybersecurity. It pointed to recent high-profile data breaches for both public and private sector entities, and said steps need to be taken to ensure proper controls are in place throughout the data's lifestyle using secure, authenticated and industry-accepted encryption mechanisms. It also said the SEC needs to consider the risk of state-based actors and make sure that those with access to the data have comprehensive background checks not just upon hire but continuously on a periodic basis to avoid insider threat concerns. 

The final rule is the culmination of a years-long process starting in 2012, with the adoption of Rule 613. This rule provided a broad framework for the CAT and required SROs to use their own expertise to work out the details of how it would be created, implemented and maintained. The plan itself was released for comment in April, and now that it has been approved, members of the public have 60 days to comment on the latest version.