Consolidated Audit Trail (CAT) is live, what’s next?!

Compliance beyond Phase 2a/b – Top 5 things firms should be considering as they near initial go-live milestones.

It seems that the industry has resigned itself to the fact that CAT going live is no longer a matter of ‘IF’ but ‘WHEN’. FINRA’s ability to work through thorny issues and keep up with deliverables / promises to date has been proving the naysayers wrong. The general view is that 2a will most definitely happen on time!

While the industry at large is working very hard toward successful testing and the April 2020 go-live of 2a, this article aims to give firms time to pause and consider other critical items. The list is not exhaustive and there is no intention to cover the obvious challenges, e.g. Phases 2c / d, Legal Entities and FDID, linkages, representative orders, customer data, error corrections, etc. That is an entirely different topic and would require appropriate focus.

Regardless of your CAT solution (i.e. internal, vendor, etc.) the aim is to provide practical considerations that will yield appropriate fruits and make CAT implementation more accurate, meaningful, and sustainable.

Readiness Assessment

The change in CAT implementation from a ‘big bang’ to a ‘phased’ go-live has been of tremendous benefit to the industry, and according to some experts, CAT would not have been anywhere near as far along if not for this change. There is a tremendous opportunity for the industry to avoid a typical costly and draining ‘remediation process’.

With CAT there is a unique opportunity to take a pulse check very early on, as you progress through phases, by conducting an independent ‘Health Check’, which will yield very important output, e.g. inform the soundness of the current implementation, influence future controls, inform upcoming phases, and make overall change management much more cohesive.

BAU Transition

Due to multiple go-live dates, the transition to BAU is not a trivial / typical exercise as it relates to CAT. The resources working on the immediate implementation will likely have to continue to roll out future phases. The strategy will be unique to each firm / size / location etc. To get you started, some low-hanging fruit: knowledge transfer, documentation, training materials, regional ownership vs. follow the sun, initial headcount requirements and ways to scale as the scope grows, among others.

Controls

Controls are the fabric that gives senior management, auditors, and regulators some level of comfort regarding the accuracy, timeliness, and completeness of regulatory reporting. Unfortunately, controls are typically built in ‘hindsight’ after a major flaw is uncovered or an audit points out a specific weakness. Although at times necessary, building controls on the back of an incident is far from ideal. Firms should build solid controls unique to their implementation, ‘new business’ process and risk tolerance. Consider using independent tools to perform some controls; this can help your firm establish credibility, in addition to benefiting from a ‘crowd sourcing’ approach to controls and thereby avoiding a siloed viewpoint.

Service Level Agreements (SLAs)

One of the hot-button topics for the industry is the ‘error correction cycle’ and its impact on ‘exception management’. Essentially, firms will have 1 ½ days to correct errors (the T+3 correction requirement is from Trade Date, and FINRA will provide broker dealers with errors by 12pm the next day). Drafting and finalizing SLAs with key players in the process (e.g. Middle Office, Trade Capture, Technology team, etc.) to make the changes needed to facilitate a reasonable exception management and error correction process is a very worthwhile exercise.

Traceability

With the passing of time, and the natural attrition of the SMEs working on the implementation, knowing the ‘why’, ‘how’, ‘who’, and ‘when’ as it relates to your program will be critical. It is inevitable that assumptions are made, unique rule interpretations specific to a business line are penned, and bespoke code to deal with a unique problem is developed. It may be obvious now why something was done or implemented a certain way; that will NOT be the case with the passing of time. Ensuring that you have clear traceability, evidence of sign-off, and approval of critical decisions will not only shield your work and withstand the test of time, it will make the lives of the people who own the process after you that much easier. Although this item will not show up for a very long time, eventually your due diligence will pay off and earn your work a solid reputation.

All in all, as with any other complicated topic, there are multiple other items that firms should be thinking about now, e.g. impact on surveillance, data lineage and governance, change management, etc. The 5 covered above seem to be the most practical to tackle at this stage, but you should NOT stop here! Wishing you a smooth implementation and a successful go-live!

Consolidated Audit Trail (CAT) resurrects the age-old question ‘Build vs. Buy?’

Well, like any other complicated problem, there isn’t a ‘one size fits all’ answer. Multiple variables will be at the heart of your decision making, including your firm’s scope, long-term strategy, maintenance, etc. Hopefully the points below will give your firm some guidance on things to consider in making the right strategic decision.

Case for working with a dependable vendor:

Price: Your budget will likely be the #1 driver. The cost associated with building an in-house solution will likely far exceed that of a pre-determined solution. Depending on your size, it may be economical to give up the convenience of a proprietary build in favor of an out-of-the-box solution.

Time: Conforming with expected regulatory timelines is critical, both from a reputational standpoint and to avoid a potential regulatory fine/action. The possibility of slippage is reason enough for you to consider a vendor solution.

Industry knowledge: SME knowledge is not replaceable, but where proficiency is lacking, utilizing a vendor may be the optimal way to go to market. A reputable vendor will ensure the solution aligns to the actual rule and the regulator’s expectations.

Scale: Over time the vendor will receive continuous feedback as it relates to the solution, and economies of scale will dictate that their solution will continue to improve and serve your broader needs.

Reasons to consider looking to an internal solution:

Accountability: Don’t confuse a ‘service offering’ that meets your needs with your obligations. Just because you are utilizing a given solution that seems to ‘work’, it doesn’t alleviate your overall responsibility for the accuracy of the reporting. ‘Safety in numbers’ will not work when an external audit is conducted.

Ongoing maintenance: Going with a vendor is never truly ‘plug n’ play’. You will still have to implement and deploy the solution. Involvement and scope will depend on the size/needs of your firm.

Limitations: You will find yourself locked into a solution and proposal that aims to address broader needs but may not be customizable to your specific business, and over time it may generate unwanted limitations which will be difficult to overcome.

Cost: The up-front price may be attractive, but consider the longevity and ongoing dependability. Price point shouldn’t be limited to a ‘go-to-market’ mentality.

In Conclusion

Overall, an in-house build is not replaceable, but it may be more practical to consider outside solutions. The decision is never one-dimensional and never in the moment, as it will transcend scope and time. Your decision should balance practical short-term considerations and long-term strategy/vision.