Are You Thinking Beyond CAT?
A Practical Guide to Implementation Strategy
The top 10 things firms should consider as they near initial go-live milestones.
It seems that the industry has resigned to the fact that CAT going live is no longer a matter of ‘IF’ but ‘WHEN’. FINRA’s ability to work through thorny issues and keep up with deliverables / promises to date has been proving the naysayers wrong. General view is that 2a will most definitely happen on time!
While the industry at large is working very hard to achieve go-live with successful testing and April 2020 go-live of 2a, this article aims to give firms time to pause and consider other critical items. The list is not exhaustive and there is no intention to cover the obvious challenges i.e. Phases 2c / d, Legal Entities and FDID, linkages, representative orders, customer data, error corrections, enhanced surveillance etc. That’s entirely a different topic and would require appropriate focus. Regardless of your CAT solution (i.e. internal, vendor, etc.) the aim is to provide practical considerations that will yield significant benefit to your organization and make CAT implementation more accurate, meaningful, and sustainable.
Lastly, 2020 is starting to shape up as one of the most challenging years for Reg Reporting implementation. Primary driver for this is the fact that starting with April until Dec, CAT community will experience 8 independent go-live dates! To add to the frenzy, there will be multiple important milestones for testing, new tech spec releases, etc. Further, each new go-live will introduce significant challenges, and should be treated as an independent initiative. Please see below referenced 2020 go-live cheat sheet, for actual dates refer to FINRA CAT Timelines.
CAT implementation timeline modification from ‘big bang’ to ‘phased out’ go-live has been of tremendous benefit to the industry, and according to some experts, CAT would not have been anywhere near as far along if not for this change. There is tremendous opportunity for the industry to avoid a typical costly and draining ‘remediation process’. With CAT there is a unique opportunity to take a pulse check very early on and as you progress through phases by conducting an independent ‘Health Check‘, which will yield very important output, e.g. Inform soundness of current implementation, influence future controls, inform upcoming phases, and make overall change managements much more cohesive.
Engage with internal stakeholders and/or external resources to access and validated various aspects of the implementation. Some examples include: (a) Ensuring the rule interpretation is complete and signed off (b) Requirements are consistent and traceable to the rule (c) Data sourcing is documented appropriately (d) RAID Log is complete and closed, among various other points.
You will identify gaps / potential issues, very early on in the process. Having the ability to prioritize ‘known’ issues and having a list available for external / internal audit or interested parties will proof invaluable!
Due to multiple go-live dates, the transition to BAU is not a trivial / typical exercise as it relates to CAT. The resources working on the immediate implementation will likely have to continue to roll out future phases. The strategy will be unique to each firm / size / location etc. Note: It’s not obvious at first hand, but as pointed out above, there are 8 expected go-live production dates for CAT in 2020 alone; BAU should be appropriately designed to scale.
To get you started, some low hanging fruit are: (a) Ensure that you have an ongoing process and plan for knowledge transfer. Don’t leave critical knowledge as it relates to decisions, internal limitations, etc. to only remain with the implementation team (b) Create relevant content on confluence page / SharePoint or procedures, to easily share with appropriate team members (c) have documentation such as training materials, escalation procedures, clearly mapped and updated (d) Design a process that fits your company and business e.g. regional ownership vs. follow the sun(e) lastly, one of the most critical components, due diligence on accurate initial headcount requirements, will ensure your team can cope with work and not generate backlog.
This effort will yield much fruit. For starters, your firm will be ready to deal and focus on exceptions / errors and escalations. You will be able to scale as the scope grows, because you will have all necessary components in place. Withstand queries from senior stakeholders and interested teams (auditors, compliance, etc.). Lastly, this will ensure that you are not relying on any key ‘go-to-person’ to ensure you can keep the shop open.
Controls are fabric that gives senior management, auditors, regulators some level of comfort to ensure accuracy, timeliness, and completeness when it comes to regulatory reporting. Unfortunately, typically controls are built ‘hind-sight’ after a major flaw is uncovered or audit points out specific weakness. Although, at times necessary, the sequence for building controls on the back of an incident is far from ideal. Firms should consider the implementation and assumptions and build solid controls unique to their implementation, ‘new business’ process and risk tolerance. Consider using independent tools to conduct some controls; Can help your firm establish credibility in addition to benefiting from ‘crowd sourcing’ approach to controls and thereby avoiding a silo viewpoint.
This section largely depends on the size of your organization but will likely be relevant to all in one way or another. Start with (a) defining a control framework (b) look to existing controls already in-place for other reg reporting obligations (c) involve impacted teams to generate critical controls (d) itemize your list of controls that spans ‘critical’ to ‘important’ to ‘nice to have’ (just sample buckets), as this will help you define your strategy. (e) think about timeline of controls (I.e. pre / post reporting) (f) ensure that controls are owned by the correct actor, a control that doesn’t have an appropriate user will not only be useless, but can actually cause you pain points down the road (e.g. Why do you have a control that no one is looking at).
This effort will yield much fruit. For starters, your firm will be ready to deal Controls will be designed based on pro-active and thoughtful approach vs. Reactive.
Service Level Agreements (SLAs)
One of the hot button topics for the industry is the ‘error correction cycle’ and its impact on ‘exception management’. Essentially firms will have 1 ½ days to correct errors (T+3 correction requirement is from Trade Date and FINRA will provide broker dealers with errors by 12pm next day). SLAs with key players in the process to manage error corrections in 1 ½ is a very worthwhile consideration.
(a) identify various actors in your business process flow (b) further identify who needs to be involved resolving the issue (e.g. Reg Reporting IT Team, Trade Capture group, Front Office, etc.) (c) link error types with potential users (d) generate a proposal of expected actions and timeline (e) negotiate the final SLAs (f) create an escalation process for all impacted teams for instances where SLAs are not adhered to or bottlenecks are created.
BAU teams will successfully comply with managing exceptions and errors and have a solid plan for dealing with anomalies.
With the passing of time, and natural attrition of your SMEs working on the implementation, knowing the ‘why’ ‘how’ ‘who’ ‘when’ as it relates to your program will be critical. It is inevitable that assumptions are made, unique rule interpretation specific to a business line are penned, bespoke code to deal with a unique problem, etc. Are all important components of your program. It may be obvious now why something was done or implemented a certain way; it is NOT the case with the passing of time. Ensuring that you have clear traceability, evidence of sign off, approval of critical decisions, will not only shield your work and withstand the test of time, it will make the lives of people who own the process after you that much easier. Although this item will not show up for a very long time, eventually your due diligence will pay off and earn your work a solid reputation. This section is closely correlated to your data strategy, storage, and lineage.
(a) Define a strategy on traceability (b) ensure consist tooling is used to capture and high-light traceability (c) avoid any black-box solutions, make as much as possible transparent to all relevant users (d) have a framework of why items have to trace to each other e.g. Regulatory Rule to a specific Rule Interpretation to a specific User Story or a Reportable Attribute to Stored Data Attribute to System Generated Attribute.
Following consistent and pre-agreed defined approach, your implementation will be easy to validate, employ change, and maintain.
With the passing of time, and natural attrition of your SMEs working on the Most firms are focused specifically on getting past the hitting the expected go-live dates, and are having a hard time keeping up with requirements, changes to tech specs, internal implementations, etc. Who has time or presence of mind to think about what happens 2 or 3 years from now? Answer is: Not many can afford this luxury! However, thinking about implication of regulators starting to leverage CAT data for surveillance for reporting purposes is of paramount importance. If you look back at how CAT was born, the initial whitepaper and legislation has, what feels like, infinite number of references to how they intent to utilize the data to improve surveillance. And they give examples of what they currently unable to do vs. What they intent to do with new data points (e.g. both new products, PII info, and new events). It’s worthwhile exercise to plan and speak to your technology and compliance teams to give your firm an opportunity to be at the forefront of the initiative vs. having to be caught off guard.
(a) Review initial whitepapers and public comments prior to NMS Plan being approved, as well as, other public sources that speak to how the information is intended to be utilized (b) make a list of new surveillance practices or limitations and determine if this impacts your firm or business lines (c ) work with your business partners to determine there are any requirements to improve internal surveillance capability or functionality.
Will be able to have foresight on how the regulators will be leveraging the new data and ensure that it doesn’t have an adverse impact on your business.
Data Lineage & Governance
With the passing of time, and natural attrition of your SMEs working on the Most firms are focused specifically on getting past the hitting the expected go-live dates, and are having a hard time keeping up with Although data governance is distinct from lineage, the two components are very much correlated. Therefore, as you go through the implementation process, it’s important that the way your data is stored / transferred and shared is fit for purpose.
(a) Review initial whitepapers and public comments prior to NMS Plan (a) Define your data strategy (b) ensure that procedures are in place to govern data points that may impact your reporting obligations, with proper escalation process (c) consistency or known dependencies for data points & usage is highlighted (e.g. Sell x all systems is represented as S)
Will be able to have foresight on how the regulators will be leveraging the new data and ensure that it doesn’t have an adverse impact on your business.
With the passing of time, and natural attrition of your SMEs working on the CAT is not a small or short program; it has multiple phases and goes out for few years (see above referenced timeline). It’s important that you appropriately design the program and plan for changes in personnel / new business / etc.
(a) Gantt chart that spans the entire program, to accounts for all the phases. Although I appreciate that there are multiple dependencies (e.g. we don’t have Tech Specifications for all the phases) (b) Consolidate ownership as much as possible. Single vision / execution will yield stronger / better reporting results and reduce re-work. Naturally, there will be workstreams unrelated to each other e.g. FDID, Options business units, Equity business units, etc. However, they will nevertheless have multiple dependencies and contingencies on each other, not to mention potential re-use. Single point to run and execute the program will yield continuous benefit.
Consistent implementation across various business units. Further, easier ability to remediate and manage changes / strategy shifts for future implementations.
Personally, Identifiable Information (PII)
CAT requirement to send PII data for all relevant accounts is a very sizable challenge. Although the notion of FDID has been made so much more reasonable when FINRA introduced the concept of ‘Relationship ID’, still I want to caution you that FDID and PII associated with each trading account, investment advisor, beneficiary, etc. will not be trivial to solve even for Broker Dealers with sophisticated reference data governance / strategy. There is still an opportunity for firms to review and improve the client and associated reference data.
(a) Gantt chart that spans the entire program, to accounts for all the phases. Although I appreciate that there are multiple dependencies (e.g. (a) Identify groups accountable for client data (e.g. Client onboarding, reference data team, etc.) (b) capture various processes and use cases and determine implication for CAT (c) ensure you have access to key PII for all use cases (This will be especially an important point when it comes to Wealth Management related accounts e.g. custody account for minors)
Either have a clear way to identify and tag appropriate PII data for CAT reporting or understand known gaps to articulate to senior management / regulators as appropriate. Knowing gaps, managing the talking points and having a solution that your firm is working towards, can make a meaningful difference in risk assessment and regulatory review.
CAT requirement to send PII data for all relevant accounts is a very sizable Last but certainly not least, cyber security has a paramount role in the story of CAT. In majority of instances, the reporting data and personal information is largely already being provided and is accessible to the regulators. So, the question then is: Why has ‘security’ been such a focal point when speaking about CAT? There are numerous answers and considerations to answer this question. One that’s top of mind is the fact that all previous reporting to date has been done in silo e.g. OATS provides trade activity, while Electronic Blue Sheets provided the ‘actor’ (there are multiple other examples); With CAT, for the first time, firms will be associating the ‘WHAT’ with the ‘WHO’ on each order. That is a very significant change in how reporting is done today. And firms, as well as other interested parties, should rightfully be concerned about the security of this data and stability of financial markets.
(a) Involve the experts! Identify the right folks within your firm who own and understand cyber security, so that they can appropriately evaluate the tools being proposed by the industry, and various implications. Don’t confuse ‘Technology’ expert with ‘Cyber Security’ experts, the two often are not aligned.
With proper input from internal experts, your firm will have a stronger appreciation of the risks and tools associated with reporting PII and trading activity and take appropriate precautions or advocate for alternative tools / solutions.
All in all, as with any other complicated topic, there are multiple other items that firms should be thinking about now, the ones that were covered above seem to be most practical to tackle at this stage, but you should NOT stop here! Use this as an opportunity to have an internal discussion and create your critical list of items that your firm should be focusing on. Wishing you a successful go-live and overall smooth implementation program.
Risk Focus is a consultancy solving capital-markets business problems with technology and insight. We combine business domain knowledge, technology expertise, and a disciplined process to ensure the success of the most challenging projects in the industry. Many of the largest exchanges and investment banks operate on systems built by Risk Focus teams. Our practices include Custom Application Development, Regulatory Reporting & Compliance, DevOps & Cloud, Streaming Architectures, and IT Strategy. We’re a Premier Confluent Systems Integrator and an AWS Advanced Consulting Partner with Financial Services, Migration, and DevOps Competencies. Clients count on us to provide outcomes that advance their objectives on time and on budget.