Is a coming stock trading audit system ready for prime time?

A House panel heard updates on the Consolidated Audit Trail, a software system designed to track and surveil stock market transactions and allow Securities and Exchange Commission regulators to trace suspect automated transaction patterns back to individual firms and traders.

"The stock market is exploding, and many people are putting their faith and hope in it, and I think if we had a crash it would totally destroy the confidence of Americans in this system," said Rep. Carolyn Maloney (D-N.Y.), ranking member of the subcommittee on Capital Markets, Securities, and Investment of the House Financial Services Committee, which held the Nov. 30 hearing.

The CAT system is designed to log the billions of individual stock trades, orders, cancellations and modifications that happen on Wall Street every day, an increasingly number of which are being done through computer programs. Plans for the system began percolating in 2009 but intensified after an incident in March 2010 where a flurry of automated stock trading led to a $1 trillion market crash that lasted 36 minutes before quickly recovering.

This "flash crash" shook lawmakers and SEC regulators who threw support behind the development of CAT shortly after. However, it took another seven years before a contractor was selected to build the system in January 2017.

In the past 10 months, the project has been plagued by cost overruns and delays, and it recently missed a Nov. 15 launch deadline to start accepting trade and order data from brokers. The system is also scheduled to begin accepting the kind of personal data that would allow regulators to identify bad actors next year.

A string of high-profile data breaches over the past year have caused Wall Street lobbyists and some members of Congress to push for draft legislation that would halt the system from going live until additional cybersecurity measures are put in place.

"We're building a system here to make sure we watch out for bad actors … but you're putting a lot of data in one place, and that overconcentration of data concerns me," said Rep. Bruce Poliquin (R-Maine).

Mike Beller, CEO of Thesys Technologies, the company selected as the CAT plan processor, told lawmakers that the current system already follows National Institute for Standards of Technology protocols for cybersecurity and that adequate security and encryption controls already exist within the system.

Tyler Gellasch, executive director of the Healthy Markets Association, made it clear to lawmakers that he felt calls for additional cybersecurity controls within CAT represented an attempt by the stock industry to delay the system's launch or kill it entirely.

"We're ostensibly here today to talk about data security, but I'll assert that this hearing is really about whether for-profit market participants -- many of who may have the most to lose by the creation of the CAT -- are able to exploit a convenient public fear [around data breaches] to continue to deny regulators the basic tools they need to regulate markets."