CAT. GDPR. MiFID II. AML. KYC.

Market participants have myriad regulations to comply with, at various stages of implementation, each with their own requirements and nuances.

But the diverse rule sets have some common themes, among them cybersecurity, regulatory reporting, market access, and identifying and preventing manipulative activity. So rather than managing each regulatory regime separately, it’s important for broker-dealers and hedge funds to have a cohesive strategy.   

“It’s about thinking holistically and globally about all the requirements, allocating resources and developing a schema that builds something across different asset classes,” said Joanna Fields, founding principal at consultancy Aplomb Strategies. “This way you’re not building 400 different reports, you’re building one report for many different asset classes. You’re not multi-tasking with the same resources.”

The Consolidated Audit Trail is a top-priority concern for broker dealers. Mandated by the U.S. Securities and Exchange Commission, the CAT is a single, comprehensive database to enable regulators to more efficiently and thoroughly track all trading in U.S. equity and options markets.

The CAT is slated to roll out in multiple stages between this fall and November 2019; earlier this week, SEC Chairman Jay Clayton said the CAT would start as scheduled, but implementation could be phased in more gradually. For now at least, large broker-dealers must begin reporting trades in November 2018.

Fields, who was head of equities and derivatives market structure at Deutsche Bank before starting her own firm four years ago, said a core challenge for resource-constrained capital markets firms is allocating the resources to properly address regulatory change. Stitching up resources, to the extent possible, optimizes efficiency better than handling each project on a piecemeal basis.       

“If you think about regulatory reporting, it’s not just the Consolidated Audit Trail — there are best-execution reports for MiFID and updated requirements for TRACE,” among other mandates, Fields said. “You have to think holistically with your resources. Three years from now you’re not going to want to have a staff of 40 and need to lay off people.”

Regarding cybersecurity, Fields said only a small percentage of corporate boards have experience in the field. Chief information security officers (CISOs) are sometimes brought in to to ensure the right concerns are raised, but she is kept busy in this area.    

“I’ve been focused on cyber policies from the top — making sure you have insurance, making sure you have governance,” she said.  

Broadly speaking, firms ring up Aplomb when they have a problem. “What usually happens is there is a regulatory sweep or focus, and we’re called in,” Fields said. “We look at the issue and we turn that into ‘how do I fix the larger problem?’.”