The eRulemaking Program

12/05/2025 | Press release | Distributed by Public on 12/05/2025 07:52

Joint Industry Plan: National Market System Plan Governing the Consolidated Audit Trail

SECURITIES AND EXCHANGE COMMISSION
[Release No. 34-104290; File No. 4-698]

Joint Industry Plan; Notice of Filing of Amendment No. 2 to the National Market System Plan Governing the Consolidated Audit Trail, as Modified by Amendment No. 1, Regarding the Customer and Account Information System

December 2, 2025.

I. Introduction

On March 7, 2025, the Consolidated Audit Trail, LLC ("CAT LLC"), on behalf of the following parties to the National Market System Plan Governing the Consolidated Audit Trail (the "CAT NMS Plan" or "Plan"): (1) BOX Exchange LLC, Cboe BYX Exchange, Inc., Cboe BZX Exchange, Inc., Cboe C2 Exchange, Inc., Cboe EDGA Exchange, Inc., Cboe EDGX Exchange, Inc., Cboe Exchange, Inc., Financial Industry Regulatory Authority, Inc., Investors Exchange LLC, Long-Term Stock Exchange, Inc., MEMX, LLC, Miami International Securities Exchange LLC, MIAX Emerald, LLC, MIAX PEARL, LLC, MIAX Sapphire, LLC, Nasdaq BX, Inc., Nasdaq GEMX, LLC, Nasdaq ISE, LLC, Nasdaq MRX, LLC, Nasdaq PHLX LLC, The NASDAQ Stock Market LLC, New York Stock Exchange LLC, NYSE American LLC, NYSE Arca, Inc., NYSE National, Inc., and NYSE Texas, Inc. (collectively, the "Participants" (2)) filed with the Securities and Exchange Commission ("Commission") pursuant to Section 11A(a)(3) of the Securities Exchange Act of 1934 ("Exchange Act"), (3) and Rule 608 thereunder, (4) a proposed amendment to the CAT NMS Plan to reduce the amount of Customer (5) information in the CAT Customer and Account Information System ("CAIS") (the "Proposed Amendment"). (6) The Proposed Amendment was published for comment in the Federal Register on March 19, 2025 ("Notice"). (7)

On May 28, 2025, the Participants filed Amendment No. 1 to the Proposed Amendment ("Amendment No. 1"). (8) On June 17, 2025, the Commission noticed Amendment No. 1 for comment and instituted proceedings to determine whether to approve or disapprove the Proposed Amendment, as modified by Amendment No. 1, with any changes or subject to any conditions the Commission deems necessary or appropriate after considering public comment (the "OIP"). (9)

On September 11, 2025, to provide sufficient time to consider the changes set forth in Amendment No. 1 and any comments received on Amendment No. 1, the Commission designated a longer period within which to conclude proceedings. (10) On November 14, 2025, the Commission extended the period within which to conclude proceedings regarding the Proposed Amendment, as modified by Amendment No. 1, to January 13, 2026. (11)

On December 1, 2025, the Participants filed Amendment No. 2 to the Proposed Amendment ("Amendment No. 2"), (12) to clarify changes in the Proposed Amendment, as modified by Amendment No. 1. Amendment No. 2 is set forth in Item II, as prepared by the Participants. Exhibit A sets forth the cumulative changes proposed to be made to the existing CAT NMS Plan under the Proposed Amendment, as modified by Amendment Nos. 1 and 2. Exhibit B sets forth the proposed additional changes to the Proposed Amendment, as modified by Amendment No. 2. The Commission is publishing this notice to solicit comments on Amendment No. 2 from interested persons.

II. Notice of Amendment No. 2

During meetings with the Staff subsequent to publication of the Proposed Amendment, CAT LLC agreed to provide additional information responsive to questions received from the Staff regarding (1) the effect of the Proposed Amendment on certain defined terms related to the Financial Accountability Milestones ("FAMs"); (2) how access to the Reference Database would be monitored and documented under the Proposed Amendment; (3) the effect of the Proposed Amendment (if any) on FDID validations; and (4) the process for documenting and reviewing deletions of Name, Address, and YOB (13) data under the Proposed Amendment. CAT LLC is also proposing certain clarifying changes to the Proposed Amendment in light of the Staff's questions.

A. Effect of the Proposed Amendment on FAM-Related Defined Terms

First, the Staff asked CAT LLC to provide additional detail explaining the meaning of the following footnotes, which CAT LLC proposes adding to the Article I definition of "Full Availability and Regulatory Utilization of Transactional Database Functionality" in the Proposed Amendment:

Effective [DATE], "Customer Account Information" as used in the Financial Accountability Milestones (Initial Industry Member Core Equity Reporting; Full Implementation of Core Equity Reporting; Full Availability and Regulatory Utilization of Transactional Database Functionality; and Full Implementation of CAT NMS Plan Requirements) is no longer a defined term and has been superseded by the new defined term "Account Reference Data".

Effective [DATE], "Customer Identifying Information" as used in the Financial Accountability Milestones (Initial Industry Member Core Equity Reporting; Full Implementation of Core Equity Reporting; Full Availability and Regulatory Utilization of Transactional Database Functionality; and Full Implementation of CAT NMS Plan Requirements) is no longer a defined term and has been superseded by the new defined term "Customer Reference Data".

Specifically, the Staff noted that the defined term "Full Availability and Regulatory Utilization of Transactional Database Functionality" represents one of the FAMs and asked for confirmation regarding whether CAT LLC intends to change the meaning of that term in any way through the addition of the above footnotes.

CAT LLC does not intend to change the meaning of the defined term "Full Availability and Regulatory Utilization of Transactional Database Functionality" in any way. As described in the Response Letter, CAT LLC proposes to remove the defined terms "Customer Identifying Information" and "Customer Account Information" from the Plan and to replace those terms in all instances with the new defined terms "Customer Reference Data" and "Account Reference Data" to more accurately reflect the nature of the information that would remain in the Reference Database as a result of implementing the Proposed Amendment. However, CAT LLC recognizes that doing so in the definition of "Full Availability and Regulatory Utilization of Transactional Database Functionality" would retroactively change the meaning of that defined term because the terms "Customer Reference Data" and "Account Reference Data" refer to a narrower scope of customer-and-account-related information than do the terms "Customer Identifying Information" and "Customer Account Information." To avoid retroactively changing the meaning of a FAM-related defined term, CAT LLC proposed adding the footnotes described above where the terms "Customer Identifying Information" and "Customer Account Information" appear in the definition of "Full Availability and Regulatory Utilization of Transactional Database Functionality" in Article I of the Plan to make clear that, even after the implementation of the Proposed Amendment, the terms "Customer Identifying Information" and "Customer Account Information" will continue to be defined as set forth in Securities Exchange Act Release No. 88890 (May 15, 2020) solely for purposes of the FAMs.

To add clarity in light of the Staff's question, and to prevent any potential misinterpretation, CAT LLC proposes removing the phrase ". . . and has been superseded by the new defined term 'Account Reference Data'" from the first footnote described above. Similarly, CAT LLC proposes removing the phrase ". . . and has been superseded by the new defined term 'Customer Reference Data'" from the second footnote described above. As revised, the two footnotes would read as follows:

Effective [DATE], "Customer Account Information" as used in the Financial Accountability Milestones (Initial Industry Member Core Equity Reporting; Full Implementation of Core Equity Reporting; Full Availability and Regulatory Utilization of Transactional Database Functionality; and Full Implementation of CAT NMS Plan Requirements) is no longer a defined term.

Effective [DATE], "Customer Identifying Information" as used in the Financial Accountability Milestones (Initial Industry Member Core Equity Reporting; Full Implementation of Core Equity Reporting; Full Availability and Regulatory Utilization of Transactional Database Functionality; and Full Implementation of CAT NMS Plan Requirements) is no longer a defined term.

B. Process for Monitoring and Documenting Access to the Reference Database

Second, the Staff noted CAT LLC's proposal to delete the following language from Section 4.1.6 of Appendix D and asked whether there would still be an audit trail or other record or report of persons that have accessed the Reference Database under the Proposed Amendment:

The Chief Compliance Officer and the Chief Information Security Officer shall have access to daily PII reports that list all users who are entitled for PII access, as well as the audit trail of all PII access that has occurred for the day being reported on.

CAT LLC confirms that following the implementation of the Proposed Amendment, the Plan Processor will record all access to, and all queries of, data stored in the Reference Database in a series of logs that can be used to generate periodic reports in the same way that the Plan Processor currently records and tracks access to the broader CAT System.

To clarify in light of the Staff's question, CAT LLC proposes amending the Proposed Amendment to add the following sentence at the end of Section 4.1.4 of Appendix D:

The Plan Processor must record all access to, and all queries of, data stored in the Reference Database and generate periodic reports of all access to, and all queries of, data stored in the Reference Database.

C. Effect of the Proposed Amendment on FDID Validations

Third, the Staff noted CAT LLC's proposal to remove language from Section 9.1 of Appendix D stating that the Plan Processor "will design and implement a robust data validation process for submitted Firm Designated ID, Customer Account Information and Customer Identifying Information, and must continue to process orders while investigating Customer information mismatches." The Staff asked whether the deletion of this language means that FDID validations would change under the Proposed Amendment.

CAT LLC confirms that FDID validations would not change as a result of implementing the Proposed Amendment. The Plan Processor would continue to perform the same consistency checks that it currently performs today to confirm that all FDIDs reported to the transaction database exist in the Reference Database and were active on the relevant transaction date. These validations are described in more detail in Section 2.4.2.1 of the CAT Reporting Technical Specifications for Industry Members. (14)

To clarify in light of the Staff's question, CAT LLC proposes amending the language from Section 9.1 of Appendix D cited above to state that the Plan Processor:

will design and implement a robust data validation process for submitted Firm Designated IDs and must continue to process orders while investigating Firm Designated ID mismatches.

D. Process for Documenting and Reviewing Deletions of Name, Address, and YOB Data

Fourth, the Staff noted CAT LLC's proposed addition of Section 9.5 to Appendix D, which requires CAT LLC to direct the Plan Processor to delete all categories of Customer information currently stored in the Reference Database that would be eliminated from Reference Database reporting as a result of implementing the Proposed Amendment. The Staff asked CAT LLC whether there would be a process for documenting and reviewing deletions of Customer information from the Reference Database under the Proposed Amendment.

CAT LLC confirms that the Plan Processor will keep a log documenting all deletions of Customer information from the Reference Database. Those logs will include both the time of and reason for each deletion, and the Plan Processor will provide periodic reports to the Operating Committee for visibility and oversight.

To clarify in light of the Staff's question, CAT LLC proposes adding a sentence to the end of proposed Section 9.5 of Appendix D stating that "CAT LLC shall direct the Plan Processor to document all deletions of Customer information from the Reference Database and provide periodic reports of all such deletions to the Operating Committee."

Separately, proposed Section 9.5 of Appendix D includes a sentence stating that "[f]or the avoidance of doubt, such data attributes do not constitute records that must be retained under Exchange Act Rule 17a-1." CAT LLC proposes making a technical revision to make clear that the data attributes listed in proposed Section 9.5 of Appendix D do not constitute records that must be retained "by CAT LLC" under Exchange Act Rule 17a-1.

As revised, proposed Section 9.5 of Appendix D would read as follows:

9.5 Deletion From CAIS of Certain Reported Customer Data

Notwithstanding any other provision of the CAT NMS Plan, this Appendix D, or the Exchange Act, CAT LLC shall direct the Plan Processor to develop and implement a mechanism to delete from CAIS, or otherwise make inaccessible to regulatory users, the following data attributes: Customer name, Customer address, account name, account address, authorized trader names list, account number, day of birth, month of birth, year of birth, and ITIN/SSN. For the avoidance of doubt, such data attributes do not constitute records that must be retained by CAT LLC under Exchange Act Rule 17a-1. CAT LLC or the Plan Processor shall be permitted to delete any such information that has been improperly reported by an Industry Member to the extent that either becomes aware of such improper reporting through self-reporting or otherwise. CAT LLC shall direct the Plan Processor to document all deletions of Customer information from the Reference Database and provide periodic reports of all such deletions to the Operating Committee.

III. Solicitation of Comments on Amendment No. 2

Interested persons are invited to submit written data, views, and arguments regarding whether the Proposed Amendment, as modified by Amendment No. 2, should be approved or disapproved by December 26, 2025. Comments may be submitted by any of the following methods:

Electronic Comments

• Use the Commission's internet comment form ( https://www.sec.gov/rules/sro.shtml ); or

• Send an email to [email protected]. Please include file number 4-698 (CAT CAIS Amendment) on the subject line.

Paper Comments

• Send paper comments in triplicate to: Secretary, Securities and Exchange Commission, 100 F Street NE, Washington, DC 20549-1090.

All submissions should refer to File Number 4-698 (CAT CAIS Amendment). This file number should be included on the subject line if email is used. To help the Commission process and review your comments more efficiently, please use only one method. The Commission will post all comments on the Commission's internet website ( https://www.sec.gov/rules/sro.shtml ). Copies of the filing will be available for inspection and copying at the Participants' principal offices. Do not include personal identifiable information in submissions; you should submit only information that you wish to make available publicly. We may redact in part or withhold entirely from publication submitted material that is obscene or subject to copyright protection. All submissions should refer to File Number 4-698 (CAT CAIS Amendment) and should be submitted on or before December 26, 2025.

For the Commission, by the Division of Trading and Markets, pursuant to delegated authority. (15)

Sherry R. Haywood,
Assistant Secretary.

EXHIBIT A

Cumulative Proposed Revisions to CAT NMS Plan

Additions italicized; deletions [bracketed]

* * * * *

ARTICLE I

Definitions

* * * * *

Section 1.1. Definitions.

* * * * *

"[Customer] Account Reference Data [Information]" shall include, but not be limited to, [account number,] account type, [customer type,] date account opened, and large trader identifier (if applicable) (excluding, for the avoidance of doubt, account number); except, however, that (a) in those circumstances in which an Industry Member has established a trading relationship with an institution but has not established an account with that institution, the Industry Member will (i) provide the Account Effective Date in lieu of the "date account opened"; [(ii) provide the relationship identifier in lieu of the "account number"; ]and (ii[i]) identify the "account type" as a "relationship"; (b) in those circumstances in which the relevant account was established prior to the implementation date of the CAT NMS Plan applicable to the relevant CAT Reporter (as set forth in Rule 613(a)(3)(v) and (vi)), and no "date account opened" is available for the account, the Industry Member will provide the Account Effective Date in the following circumstances: (i) where an Industry Member changes back office providers or clearing firms and the date account opened is changed to the date the account was opened on the new back office/clearing firm system; (ii) where an Industry Member acquires another Industry Member and the date account opened is changed to the date the account was opened on the post-merger back office/clearing firm system; (iii) where there are multiple dates associated with an account in an Industry Member's system, and the parameters of each date are determined by the individual Industry Member; and (iv) where the relevant account is an Industry Member proprietary account. For the avoidance of doubt, Industry Members are required to provide a Firm Designated ID in accordance with this Agreement.

* * * * *

"CCID Subsystem" means the subsystem of the Reference Database that exists solely to transform input TID values into CCID values.

* * * * *

"Customer-ID" or "CAT Customer-ID" or "CCID" has the same meaning provided in SEC Rule 613(j)(5).

"Customer Reference Data [Identifying Information]" means information [of sufficient detail to identify] attributed to a Customer, including, but not limited to, (a) with respect to individuals: [name, address, date of birth, individual tax payer identification number ("ITIN")/social security number ("SSN"),] TID, customer type, and the individual's role in the account (e.g., primary holder, joint holder, guardian, trustee, person with the power of attorney); and (b) with respect to legal entities: [name, address,] customer type and [Employer Identification Number ("EIN")/]Legal Entity Identifier ("LEI") or other comparable common entity identifier, if applicable; provided, however, that an Industry Member that has an LEI for a Customer must submit the Customer's LEI[ in addition to other information of sufficient detail to identify a Customer].

* * * * *

"Full Availability and Regulatory Utilization of Transactional Database Functionality" means the point at which: (a) reporting to the Order Audit Trail System ("OATS") is no longer required for new orders; (b) Industry Member reporting for equities transactions and simple electronic options transactions, excluding Customer Account Information, (*) Customer-ID, and Customer Identifying Information, (*) with sufficient intra-firm linkage, inter-firm linkage, national securities exchange linkage, trade reporting facilities linkage, and representative order linkages (including any equities allocation information provided in an Allocation Report) to permit the Participants and the Commission to analyze the full lifecycle of an order across the national market system, from order origination through order execution or order cancellation, is developed, tested, and implemented at a 5% Error Rate or less; (c) Industry Member reporting for manual options transactions and complex options transactions, excluding Customer Account Information, Customer-ID, and Customer Identifying Information, with all required linkages to permit the Participants and the Commission to analyze the full lifecycle of an order across the national market system, from order origination through order execution or order cancellation, including any options allocation information provided in an Allocation Report, is developed, tested, and fully implemented; (d) the query tool functionality required by Section 6.10(c)(i)(A) and Appendix D, Sections 8.1.1-8.1.3, Section 8.2.1, and Section 8.5 incorporates the data described in conditions (b)-(c) and is available to the Participants and to the Commission; and (e) the requirements of Section 6.10(a) are met. This Financial Accountability Milestone shall be considered complete as of the date identified in a Quarterly Progress Report meeting the requirements of Section 6.6(c).

* * * * *

["PII" means personally identifiable information, including a social security number or tax identifier number or similar information; Customer Identifying Information and Customer Account Information.]

* * * * *

"Reference Data" shall mean the data elements in Account Reference Data and Customer Reference Data.

"Reference Database" means the information system of the CAT containing Reference Data.

* * * * *

"Transformed Identifier" or "TID" means the transformed version of the input used to identify unique Customers, including, but not limited to individual tax payer identification number ("ITIN") or social security number ("SSN") submitted by Industry Members in place of an ITIN or SSN.

* * * * *

ARTICLE VI

Functions and Activities of CAT System

* * * * *

Section 6.2. Chief Compliance Officer and Chief Information Security Officer

* * * * *

(a) Chief Compliance Officer.

* * * * *

(v) The Chief Compliance Officer shall:

* * * * *

(C) in collaboration with the Chief Information Security Officer, and consistent with Appendix D, Data Security, and any other applicable requirements related to data security[,] and Reference Data [Customer Account Information and Customer Identifying Information], identify and assist the Company in retaining an appropriately qualified independent auditor (based on specialized technical expertise, which may be the Independent Auditor or subject to the approval of the Operating Company by Supermajority Vote, another appropriately qualified independent auditor), and in collaboration with such independent auditor, create and implement an annual audit plan (subject to the approval of the Operating Committee), which shall at a minimum include a review of all Plan Processor policies, procedures and control structures, and real time tools that monitor and address data security issues for the Plan Processor and the Central Repository;

* * * * *

(b) Chief Information Security Officer.

* * * * *

(v) Consistent with Appendices C and D, the Chief Information Security Officer shall be responsible for creating and enforcing appropriate policies, procedures, and control structures to monitor and address data security issues for the Plan Processor and the Central Repository including:

* * * * *

(F) [PII data requirements, including the standards set forth in Appendix D, PII Data Requirements] [Reserved];

* * * * *

Section 6.4. Data Reporting and Recording by Industry Members

* * * * *

(d) Required Industry Member Data.

* * * * *

(ii) Subject to Section 6.4(c) and Section 6.4(d)(iii) with respect to Options Market Makers, and consistent with Appendix D, Reporting and Linkage Requirements, and the Technical Specifications, each Participant shall, through its Compliance Rule, require its Industry Members to record and report to the Central Repository the following, as applicable ("Received Industry Member Data" and collectively with the information referred to in Section 6.4(d)(i) "Industry Member Data"):

* * * * *

(C) for original receipt or origination of an order, the Firm Designated ID for the relevant Customer, and in accordance with Section 6.4(d)(iv), Reference Data [Customer Account Information and Customer Identifying Information] for the relevant Customer; and

* * * * *

Section 6.10. Surveillance

* * * * *

(c) Use of CAT Data by Regulators.

* * * * *

(ii) Extraction of CAT Data shall be consistent with all permission rights granted by the Plan Processor. All CAT Data returned shall be encrypted[, and PII data shall be masked unless users have permission to view the CAT Data that has been requested].

* * * * *

APPENDIX D

CAT NMS Plan Processor Requirements

* * * * *

4. Data Security

4.1 Overview

* * * * *

The Plan Processor must provide to the Operating Committee a comprehensive security plan that covers all components of the CAT System, including physical assets and personnel, and the training of all persons who have access to the Central Repository consistent with Article VI, Section 6.1(m). The security plan must be updated annually. The security plan must include an overview of the Plan Processor's network security controls, processes and procedures pertaining to the CAT Systems. Details of the security plan must document how the Plan Processor will protect, monitor and patch the environment; assess it for vulnerabilities as part of a managed process, as well as the process for response to security incidents and reporting of such incidents. The security plan must address physical security controls for corporate, data center, and leased facilities where Central Repository data is transmitted or stored. The Plan Processor must have documented "hardening baselines" for systems that will store, process, or transmit CAT Data [or PII data].

* * * * *

4.1.2 Data Encryption

All CAT Data must be encrypted at rest and in flight using industry standard best practices (e.g., SSL/TLS) including archival data storage methods such as tape backup. Symmetric key encryption must use a minimum key size of 128 bits or greater (e.g., AES-128), larger keys are preferable. Asymmetric key encryption (e.g., PGP) for exchanging data between Data Submitters and the Central Repository is desirable.

[Storage of unencrypted PII data is not permissible. PII encryption methodology must include a secure documented key management strategy such as the use of HSM(s). The Plan Processor must describe how PII encryption is performed and the key management strategy (e.g., AES-256, 3DES).]

If public cloud managed services are used that would inherently have access to the data (e.g., BigQuery, S3, Redshift), then the key management surrounding the encryption of that data must be documented (particularly whether the cloud provider manages the keys, or if the Plan Processor maintains that control). Auditing and real-time monitoring of the service for when cloud provider personnel are able to access/decrypt CAT Data must be documented, as well as a response plan to address instances where unauthorized access to CAT Data is detected. Key management/rotation/revocation strategies and key chain of custody must also be documented in detail.

* * * * *

4.1.4 Data Access

The Plan Processor must provide an overview of how access to [PII and other] CAT Data by Plan Processor employees and administrators is restricted. This overview must include items such as, but not limited to, how the Plan Processor will manage access to the systems, internal segmentation, multi-factor authentication, separation of duties, entitlement management, background checks, etc.

* * * * *

Any login to the system [that is able to access PII data must follow non-PII password rules and] must be [further] secured via multi-factor authentication ("MFA"). The implementation of MFA must be documented by the Plan Processor. MFA authentication capability for all logins is required to be implemented by the Plan Processor.

The Plan Processor must record all access to, and all queries of, data stored in the Reference Database and generate periodic reports of all access to, and all queries of, data stored in the Reference Database.

* * * * *

4.1.6 [PII Data Requirements] [Reserved]

[PII data must not be included in the result set(s) from online or direct query tools, reports or bulk data extraction. Instead, results will display existing non-PII unique identifiers (e.g., Customer-ID or Firm Designated ID). The PII corresponding to these identifiers can be gathered using the PII workflow described in Appendix D, Data Security, PII Data Requirements. By default, users entitled to query CAT Data are not authorized for PII access. The process by which someone becomes entitled for PII access, and how they then go about accessing PII data, must be documented by the Plan Processor. The chief regulatory officer, or other such designated officer or employee at each Participant must, at least annually, review and certify that people with PII access have the appropriate level of access for their role.

Using the RBAC model described above, access to PII data shall be configured at the PII attribute level, following the "least privileged" practice of limiting access as much as possible.

PII data must be stored separately from other CAT Data. It cannot be stored with the transactional CAT Data, and it must not be accessible from public internet connectivity. A full audit trail of PII access (who accessed what data, and when) must be maintained. The Chief Compliance Officer and the Chief Information Security Officer shall have access to daily PII reports that list all users who are entitled for PII access, as well as the audit trail of all PII access that has occurred for the day being reported on.]

* * * * *

6.2 Data Availability Requirements

* * * * *

Figure B: [Customer and Account Information (Including PII)] Reference Data

{changes to the title of the chart: Timeline for Reference Data [Customer and Account Information (including PII)]}

CAT [PII] Reference Data data must be processed within established timeframes to ensure data can be made available to Participants' regulatory staff and the SEC in a timely manner. Industry Members submitting new or modified Customer information must provide it to the Central Repository no later than 8:00 a.m. Eastern Time on T+1. The Central Repository must validate the data and generate error reports no later than 5:00 p.m. Eastern Time on T+1. The Central Repository must process the resubmitted data no later than 5:00 p.m. Eastern Time on T+4. Corrected data must be resubmitted no later than 5:00 p.m. Eastern Time on T+3. The Central Repository must process the resubmitted data no later than 5:00 p.m. Eastern Time on T+4. Corrected data must be available to regulators no later than 8:00 a.m. Eastern Time on T+5.

[Customer information that includes PII] Reference [d]Data must be available to regulators immediately upon receipt of initial data and corrected data, pursuant to security policies for retrieving [PII] Reference Data.

* * * * *

8. Functionality of the CAT System

8.1 Regulator Access

* * * * *

8.1.1 Online Targeted Query Tool

* * * * *

The tool must provide a record count of the result set, the date and time the query request is submitted, and the date and time the result set is provided to the users. In addition, the tool must indicate in the search results whether the retrieved data was linked or unlinked (e.g., using a flag). [In addition, the online targeted query tool must not display any PII data. Instead, it will display existing non-PII unique identifiers (e.g., Customer-ID or Firm Designated ID). The PII corresponding to these identifiers can be gathered using the PII workflow described in Appendix D, Data Security, PII Data Requirements.] The Plan Processor must define the maximum number of records that can be viewed in the online tool as well as the maximum number of records that can be downloaded. Users must have the ability to download the results to .csv, .txt, and other formats, as applicable. These files will also need to be available in a compressed format (e.g., .zip, .gz). Result sets that exceed the maximum viewable or download limits must return to users a message informing them of the size of the result set and the option to choose to have the result set returned via an alternate method.

* * * * *

8.1.3 Online Targeted Query Tool Access and Administration

Access to CAT Data is limited to authorized regulatory users from the Participants and the SEC. Authorized regulators from the Participants and the SEC may access all CAT Data[, with the exception of PII data. A subset of the authorized regulators from the Participants and the SEC will have permission to access and view PII data]. The Plan Processor must work with the Participants and SEC to implement an administrative and authorization process to provide regulator access. The Plan Processor must have procedures and a process in place to verify the list of active users on a regular basis.

A two-factor authentication is required for access to CAT Data. [PII data must not be available via the online targeted query tool or the user-defined direct query interface.]

8.2 User-Defined Direct Queries and Bulk Extraction of Data

The Central Repository must provide for direct queries, bulk extraction, and download of data for all regulatory users. Both the user-defined direct queries and bulk extracts will be used by regulators to deliver large sets of data that can then be used in internal surveillance or market analysis applications. The data extracts must use common industry formats.

[Direct queries must not return or display PII data. Instead, they will return existing non-PII unique identifiers (e.g., Customer-ID or Firm Designated ID). The PII corresponding to these identifiers can be gathered using the PII workflow described in Appendix D, Data Security, PII Data Requirements.]

* * * * *

8.2.2 Bulk Extract Performance Requirements

* * * * *

Extraction of data must be consistently in line with all permissioning rights granted by the Plan Processor. Data returned must be encrypted, password protected and sent via secure methods of transmission. [In addition, PII data must be masked unless users have permission to view the data that has been requested.]

* * * * *

9. CAT Reference Data [Customer and Customer Account Information]

9.1 [Customer and Customer Account Information] Reference Data Storage

The CAT must capture and store Reference Data [Customer and Customer Account Information] in a secure database physically separated from the transactional database. The Plan Processor will maintain certain information [of sufficient detail to uniquely and consistently identify] attributed to each Customer across all CAT Reporters, and associated accounts from each CAT Reporter. [The following attributes, a]At a minimum, the CAT must capture Transformed Identifiers. [be captured:]

  • [Social security number (SSN) or Individual Taxpayer Identification Number (ITIN);]
  • [Date of birth;]
  • [Current name;]
  • [Current address;]
  • [Previous name; and]
  • [Previous address.]

For legal entities, the CAT must capture Legal Entity Identifiers (LEIs) (if available). [the following attributes:]

  • [Legal Entity Identifier (LEI) (if available);]
  • [Tax identifier;]
  • [Full legal name; and]
  • [Address.]

The Plan Processor must maintain valid Reference Data [Customer and Customer Account Information] for each trading day and provide a method for Participants' regulatory staff and the SEC to easily obtain historical changes to that information[ (e.g., name changes, address changes, etc.)].

The Plan Processor will design and implement a robust data validation process for submitted Firm Designated IDs[, Customer Account Information and Customer Identifying Information,] and must continue to process orders while investigating Firm Designated ID [Customer information] mismatches. [Validations should:

  • Confirm the number of digits on a SSN,
  • Confirm date of birth, and
  • Accommodate the situation where a single SSN is used by more than one individual.]

The Plan Processor will use the [Customer information] Transformed Identifier submitted by all broker-dealer CAT Reporters to the CCID Subsystem to assign a unique Customer-ID for each Customer. The Customer-ID must be consistent across all broker-dealers that have an account associated with that Customer. This unique CAT-Customer-ID will not be returned to CAT Reporters and will only be used internally by the CAT.

Broker-Dealers will initially submit full account lists for all active accounts to the Plan Processor and subsequently submit updates and changes on a daily basis. In addition, the Plan Processor must have a process to periodically receive full account lists to ensure the completeness and accuracy of the account database. The Central Repository must support account structures that have multiple account owners and associated Customer information (joint accounts, managed accounts, etc.), and must be able to link accounts that move from one CAT Reporter to another (e.g., due to mergers and acquisitions, divestitures, etc.).

* * * * *

9.2 Required Data Attributes for Customer Information Data Submitted by Industry Members

At a minimum, the following Customer information data attributes must be accepted by the Central Repository:

  • [Account Owner Name;]
  • [Account Owner Mailing Address;]
  • [Account Tax Identifier (SSN, TIN, ITN)] Transformed Identifier;
  • Market Identifiers (Larger Trader ID, LEI);
  • Type of Account;
  • Firm [Identifier Number] Designated ID;
    ○ The number that the CAT Reporter will supply on all orders generated for the Account;
  • Prime Broker ID;
  • Bank Depository ID; and
  • Clearing Broker.

* * * * *

9.3 Customer-ID Tracking

The Plan Processor will assign a CAT-Customer-ID for each unique Customer. The Plan Processor will [determine] generate and assign a unique CAT-Customer-ID [using information such as SSN and DOB for natural persons or entity identifiers for Customers that are not natural persons and will resolve discrepancies] for each Transformed Identifier submitted by broker-dealer CAT Reporters to the CCID Subsystem. Once a CAT-Customer-ID is assigned, it will be added to each linked (or unlinked) order record for that Customer.

Participants and the SEC must be able to use the unique CAT-Customer-ID to track orders from any Customer or group of Customers, regardless of what brokerage account was used to enter the order.

* * * * *

9.4 Error Resolution for Customer Data

[The Plan Processor must design and implement procedures and mechanisms to handle both minor and material inconsistencies in Customer information. The Central Repository needs to be able to accommodate minor data discrepancies such as variations in road name abbreviations in searches. Material inconsistencies such as two different people with the same SSN must be communicated to the submitting CAT Reporters and resolved within the established error correction timeframe as detailed in Section 8.]

The Central Repository must have an audit trail showing the resolution of all errors. The audit trail must, at a minimum, include the:

  • CAT Reporter submitting the data;
  • Initial submission date and time;
  • Data in question or the ID of the record in question;
  • Reason identified as the source of the issue[, such as:];
    ○ [duplicate SSN, significantly different Name;]
    ○ [duplicate SSN, different DOB;]
    ○ [discrepancies in LTID; or]
    ○ [others as determined by the Plan Processor;]
  • Date and time the issue was transmitted to the CAT Reporter, included each time the issue was re-transmitted, if more than once;
  • Corrected submission date and time, including each corrected submission if more than one, or the record ID(s) of the corrected data or a flag indicating that the issue was resolved and corrected data was not required; and
  • Corrected data, the record ID, or a link to the corrected data.

* * * * *

9.5 Deletion from CAIS of Certain Reported Customer Data

Notwithstanding any other provision of the CAT NMS Plan, this Appendix D, or the Exchange Act, CAT LLC shall direct the Plan Processor to develop and implement a mechanism to delete from CAIS, or otherwise make inaccessible to regulatory users, the following data attributes: Customer name, Customer address, account name, account address, authorized trader names list, account number, day of birth, month of birth, year of birth, and ITIN/SSN. For the avoidance of doubt, such data attributes do not constitute records that must be retained by CAT LLC under Exchange Act Rule 17a-1. CAT LLC or the Plan Processor shall be permitted to delete any such information that has been improperly reported by an Industry Member to the extent that either becomes aware of such improper reporting through self-reporting or otherwise. CAT LLC shall direct the Plan Processor to document all deletions of Customer information from the Reference Database and provide periodic reports of all such deletions to the Operating Committee.

* * * * *

10. User Support

10.1 CAT Reporter Support

* * * * *

The Plan Processor must develop tools to allow each CAT Reporter to:

* * * * *

• Manage Reference Data [Customer and Customer Account Information];

* * * * *

10.3 CAT Help Desk

* * * * *

CAT Help Desk support functions must include:

* * * * *

• Supporting CAT Reporters with data submissions and data corrections, including submission of Reference Data [Customer and Customer Account Information];

* * * * *

EXHIBIT B

Proposed Additional Revisions to Changes in Proposed Amendment

Additions italicized; deletions [bracketed]

* * * * *

ARTICLE I

Definitions

* * * * *

Section 1.1. Definitions.

* * * * *

"Full Availability and Regulatory Utilization of Transactional Database Functionality" means the point at which: (a) reporting to the Order Audit Trail System ("OATS") is no longer required for new orders; (b) Industry Member reporting for equities transactions and simple electronic options transactions, excluding Customer Account Information,* Customer-ID, and Customer Identifying Information,* with sufficient intra-firm linkage, inter-firm linkage, national securities exchange linkage, trade reporting facilities linkage, and representative order linkages (including any equities allocation information provided in an Allocation Report) to permit the Participants and the Commission to analyze the full lifecycle of an order across the national market system, from order origination through order execution or order cancellation, is developed, tested, and implemented at a 5% Error Rate or less; (c) Industry Member reporting for manual options transactions and complex options transactions, excluding Customer Account Information, Customer-ID, and Customer Identifying Information, with all required linkages to permit the Participants and the Commission to analyze the full lifecycle of an order across the national market system, from order origination through order execution or order cancellation, including any options allocation information provided in an Allocation Report, is developed, tested, and fully implemented; (d) the query tool functionality required by Section 6.10(c)(i)(A) and Appendix D, Sections 8.1.1-8.1.3, Section 8.2.1, and Section 8.5 incorporates the data described in conditions (b)-(c) and is available to the Participants and to the Commission; and (e) the requirements of Section 6.10(a) are met. This Financial Accountability Milestone shall be considered complete as of the date identified in a Quarterly Progress Report meeting the requirements of Section 6.6(c).

* * * * *

APPENDIX D

CAT NMS Plan Processor Requirements

* * * * *

4. Data Security

* * * * *

4.1.4 Data Access

The Plan Processor must provide an overview of how access to CAT Data by Plan Processor employees and administrators is restricted. This overview must include items such as, but not limited to, how the Plan Processor will manage access to the systems, internal segmentation, multi-factor authentication, separation of duties, entitlement management, background checks, etc.

* * * * *

Any login to the system must be secured via multi-factor authentication ("MFA"). The implementation of MFA must be documented by the Plan Processor. MFA authentication capability for all logins is required to be implemented by the Plan Processor.

The Plan Processor must record all access to, and all queries of, data stored in the Reference Database and generate periodic reports of all access to, and all queries of, data stored in the Reference Database.

* * * * *

9. CAT Reference Data

9.1 Reference Data Storage

The CAT must capture and store Reference Data in a secure database physically separated from the transactional database. The Plan Processor will maintain certain information attributed to each Customer across all CAT Reporters, and associated accounts from each CAT Reporter. At a minimum, the CAT must capture Transformed Identifiers.

For legal entities, the CAT must capture Legal Entity Identifiers (LEIs) (if available).

The Plan Processor must maintain valid Reference Data for each trading day and provide a method for Participants' regulatory staff and the SEC to easily obtain historical changes to that information.

The Plan Processor will design and implement a robust data validation process for submitted Firm Designated IDs and must continue to process orders while investigating Firm Designated ID mismatches.

The Plan Processor will use the Transformed Identifier submitted by all broker-dealer CAT Reporters to the CCID Subsystem to assign a unique Customer-ID for each Customer. The Customer-ID must be consistent across all broker-dealers that have an account associated with that Customer. This unique CAT-Customer-ID will not be returned to CAT Reporters and will only be used internally by the CAT.

Broker-Dealers will initially submit full account lists for all active accounts to the Plan Processor and subsequently submit updates and changes on a daily basis. In addition, the Plan Processor must have a process to periodically receive full account lists to ensure the completeness and accuracy of the account database. The Central Repository must support account structures that have multiple account owners and associated Customer information (joint accounts, managed accounts, etc.), and must be able to link accounts that move from one CAT Reporter to another (e.g., due to mergers and acquisitions, divestitures, etc.).

* * * * *

9.5 Deletion From CAIS of Certain Reported Customer Data

Notwithstanding any other provision of the CAT NMS Plan, this Appendix D, or the Exchange Act, CAT LLC shall direct the Plan Processor to develop and implement a mechanism to delete from CAIS, or otherwise make inaccessible to regulatory users, the following data attributes: Customer name, Customer address, account name, account address, authorized trader names list, account number, day of birth, month of birth, year of birth, and ITIN/SSN. For the avoidance of doubt, such data attributes do not constitute records that must be retained by CAT LLC under Exchange Act Rule 17a-1. CAT LLC or the Plan Processor shall be permitted to delete any such information that has been improperly reported by an Industry Member to the extent that either becomes aware of such improper reporting through self-reporting or otherwise. CAT LLC shall direct the Plan Processor to document all deletions of Customer information from the Reference Database and provide periodic reports of all such deletions to the Operating Committee.

[FR Doc. 2025-21986 Filed 12-4-25; 8:45 am]
BILLING CODE 8011-01-P

Footnotes

(1)  In July 2012, the Commission adopted Rule 613 of Regulation NMS, which required the Participants to jointly develop and submit to the Commission a national market system plan to create, implement, and maintain a consolidated audit trail (the "CAT"). See Securities Exchange Act Release No. 67457 (July 18, 2012), 77 FR 45722 (Aug. 1, 2012); 17 CFR 242.613 ("Rule 613"). On November 15, 2016, the Commission approved the CAT NMS Plan. See Securities Exchange Act Release No. 78318, 81 FR 84696 (Nov. 23, 2016) ("CAT NMS Plan Approval Order"). The CAT NMS Plan is Exhibit A to the CAT NMS Plan Approval Order. See CAT NMS Plan Approval Order, at 84943-85034.

(2)  On August 6, 2025, 24X National Exchange LLC became a Participant. See Securities Exchange Act Release No. 103702 (Aug. 13, 2025), 90 FR 40092 (Aug. 18, 2025).

(3)  15 U.S.C. 78k-1(a)(3).

(4)  17 CFR 242.608.

(5)  A "Customer" means "the account holder(s) of the account at a registered broker-dealer originating the order; and any person from whom the broker-dealer is authorized to accept trading instructions for such account, if different from the account holder(s)." See CAT NMS Plan, supra note 1, at Section 1.1.

(6) See Letter from Brandon Becker, CAT NMS Plan Operating Committee Chair, dated Mar. 7, 2025.

(7) See Securities Exchange Act Release No. 102665 (Mar. 13, 2025), 90 FR 12845. Comments received in response to the Notice can be found on the Commission's website at https://www.sec.gov/comments/4-698/4-698-f.htm.

(8) See Letter from Brandon Becker, CAT NMS Plan Operating Committee Chair, dated May 28, 2025 ("CAT LLC Response Letter").

(9) See Securities Exchange Act Release No. 103288, 90 FR 26637 (June 23, 2025). Comments received in response to Amendment No. 1 can be found on the Commission's website at https://www.sec.gov/comments/4-698/4-698-f.htm.

(10) See Securities Exchange Act Release No. 103946, 90 FR 44734 (Sept. 16, 2025).

(11) See Securities Exchange Act Release No. 104179, 90 FR 51801 (Nov. 18, 2025).

(12) See Letter from Robert Walley, CAT NMS Plan Operating Committee Chair, dated Dec. 1, 2025.

(13)  As described in the Proposed Amendment, the term "Name, Address, and YOB" includes Customer names, Customer addresses, account names, account addresses, years of birth, and authorized trader names.

(14)  CAT Reporting Technical Specifications for Industry Members at 11 (July 31, 2025), https://www.catnmsplan.com/sites/default/files/2025-07/07.31.25_CAT_Reporting_Technical_Specifications_for_Industry_Members_v4.1.0r9_CLEAN.pdf.

(15)  17 CFR 200.30-3(a)(85).

(*) Effective [DATE], "Customer Account Information" as used in the Financial Accountability Milestones (Initial Industry Member Core Equity Reporting; Full Implementation of Core Equity Reporting; Full Availability and Regulatory Utilization of Transactional Database Functionality; and Full Implementation of CAT NMS Plan Requirements) is no longer a defined term.

(*) Effective [DATE], "Customer Identifying Information" as used in the Financial Accountability Milestones (Initial Industry Member Core Equity Reporting; Full Implementation of Core Equity Reporting; Full Availability and Regulatory Utilization of Transactional Database Functionality; and Full Implementation of CAT NMS Plan Requirements) is no longer a defined term.

* Effective [DATE], "Customer Account Information" as used in the Financial Accountability Milestones (Initial Industry Member Core Equity Reporting; Full Implementation of Core Equity Reporting; Full Availability and Regulatory Utilization of Transactional Database Functionality; and Full Implementation of CAT NMS Plan Requirements) is no longer a defined term[ and has been superseded by the new defined term "Account Reference Data"].

* Effective [DATE], "Customer Identifying Information" as used in the Financial Accountability Milestones (Initial Industry Member Core Equity Reporting; Full Implementation of Core Equity Reporting; Full Availability and Regulatory Utilization of Transactional Database Functionality; and Full Implementation of CAT NMS Plan Requirements) is no longer a defined term[ and has been superseded by the new defined term "Customer Reference Data"].

The eRulemaking Program published this content on December 05, 2025, and is solely responsible for the information contained herein. Distributed via Public Technologies (PUBT), unedited and unaltered, on December 05, 2025 at 13:52 UTC.