Connectivity and Data Transmission
FINRA Rule 6870 governs the technical mechanics of how Industry Members actually connect to and transmit data into CAT's Central Repository, and, in its third paragraph, addresses one of the most practically significant questions in the entire CAT Compliance Rule Series: what happens to a firm's regulatory responsibility when it delegates its CAT reporting function to a third party.
FINRA adopted Rule 6870 as part of the original Rule 6800 Series rollout under SR-FINRA-2017-003, and unlike several of the more heavily amended provisions elsewhere in this series, its core text has remained comparatively stable since that original 2017 adoption.
Data Transmission and Connectivity Requirements
Paragraph (a) requires each Industry Member to transmit data as required under the CAT NMS Plan to the Central Repository using whatever format the Plan Processor provides and the Operating Committee approves, implementing the formatting requirements found in Section 6.4(a) of the CAT NMS Plan itself. This centralized format-setting authority means individual Industry Members do not negotiate or determine their own reporting format; they build their systems to conform to whatever standardized format the Plan Processor establishes, ensuring consistency across the entire universe of CAT reporters regardless of firm size or technical sophistication.
Paragraph (b) addresses connectivity specifically: each Industry Member must connect to the Central Repository using a secure method, including but not limited to a private line or a virtual private network connection, implementing the connectivity requirements found in Section 4 of Appendix D to the CAT NMS Plan. The "including but not limited to" language signals that this list is illustrative rather than exhaustive, giving firms some flexibility in how they satisfy the underlying secure-connectivity requirement, provided whatever method they choose genuinely achieves the security standard the Plan contemplates rather than simply mimicking the two named examples in form without matching their substance.
The CAT Reporting Agent Framework
Paragraph (c) addresses a mechanism many firms rely on heavily in practice: the CAT Reporting Agent relationship. Any Industry Member may enter into an agreement with a CAT Reporting Agent, under which that agent agrees to fulfill the Industry Member's obligations under the Rule 6800 Series on its behalf. This agreement must be evidenced in writing, specifying the respective functions and responsibilities each party bears in order to achieve full compliance with the Rule Series, and both parties to the agreement must maintain their own copy of these written documents.
The single most consequential sentence in this entire rule, however, is paragraph (c)(3): each Industry Member remains primarily responsible for compliance with the Rule 6800 Series' requirements, notwithstanding the existence of an agreement with a CAT Reporting Agent. This is an explicit non-delegation principle. A firm cannot contract away its underlying CAT compliance obligation simply by hiring a third party to handle the mechanical reporting function; the Industry Member that actually received or originated the order remains legally responsible for that order's CAT compliance regardless of who technically transmits the data to the Central Repository on the firm's behalf.
Why This Non-Delegation Principle Matters So Much in Practice
FINRA has reinforced this non-delegation principle directly and repeatedly in its own guidance, treating it as a cornerstone of how CAT compliance risk is properly allocated between a firm and any third party it engages. Regulatory Notice 20-31 states plainly that the member receiving or originating an order in an NMS stock, OTC Equity Security, or Listed Option is responsible for complying with the CAT Rules, and cannot contract away or otherwise shift this responsibility to a third party, regardless of whether that firm develops its own proprietary CAT reporting system or instead enters into a Reporting Agent agreement under Rule 6870(c). FINRA explicitly ties this back to a firm's broader Rule 3110(a) supervisory obligation, stating that a well-designed and properly implemented supervisory system becomes particularly important precisely when a member relies on a Reporting Agent, since the firm needs some mechanism for confirming that its agent is actually conducting CAT reporting activities as agreed and in genuine compliance with the CAT Rules, rather than simply trusting that outsourcing the mechanical task has also outsourced the underlying compliance risk.
This creates a practical tension many firms need to navigate carefully: a firm may have entirely legitimate business reasons for using a Reporting Agent rather than building proprietary CAT reporting infrastructure, particularly smaller firms without the technical resources to develop and maintain such a system independently, but doing so does not reduce that firm's ultimate compliance exposure if the Reporting Agent's performance falls short. A firm that treats Reporting Agent selection as a purely operational or cost-driven decision, without building genuine ongoing oversight of that agent's actual performance, is taking on meaningful, uncompensated compliance risk that the underlying commercial arrangement with the agent does nothing to actually transfer.
The Rule 17d-2 Plan and Reduced Regulatory Duplication
A separate but related structural feature worth understanding involves how FINRA coordinates CAT compliance oversight with the other CAT NMS Plan Participants for firms that hold membership across multiple SROs simultaneously, a coordination mechanism distinct from, but complementary to, the Reporting Agent framework discussed above. The SEC approved a Rule 17d-2 Plan on March 12, 2020, allocating the regulation of CAT compliance rules among the various Participants specifically to reduce regulatory duplication for Industry Members that are members of more than one Participant, such as a firm that is both a FINRA member and a member of one or more national securities exchanges. Under this Plan, regulation of CAT compliance rules with respect to a firm's status as a common member is allocated to FINRA specifically, meaning a firm subject to this allocation does not face separate, potentially duplicative CAT compliance examination from each individual exchange it also belongs to, but rather a single, consolidated regulatory relationship channeled through FINRA.
This coordination reflects a broader recognition among the Participants that CAT compliance, spanning identical underlying rule requirements across every Participant's nearly identical Compliance Rule, does not benefit from duplicated examination effort across multiple regulators asking the same firm the same underlying compliance questions. Firms that are members of multiple SROs should understand this allocation when planning for CAT-related examinations, recognizing that FINRA, rather than each individual exchange separately, will typically be the Participant actually conducting their CAT compliance review.
A Worked Example of Non-Delegated Liability
Consider a small introducing broker-dealer that engages a third-party CAT Reporting Agent to handle all of its CAT reporting obligations, having neither the technical staff nor the infrastructure to build a proprietary reporting system internally. The Reporting Agent, due to its own internal system error, fails to correctly report a category of order events for several months, generating a substantial pattern of missing and inaccurate CAT data attributable to the introducing broker's order flow. When FINRA identifies this reporting gap during a routine examination, paragraph (c)(3) makes clear that the introducing broker-dealer, not the Reporting Agent, bears primary responsibility for the underlying compliance failure, regardless of the fact that the broker-dealer never directly touched the CAT reporting infrastructure that actually malfunctioned.
This outcome may initially seem harsh to a firm that reasonably relied on a vendor specifically selected for its CAT reporting expertise, but it reflects a deliberate regulatory choice: FINRA wants every Industry Member to maintain genuine, active oversight of its own CAT compliance regardless of how that reporting function is technically implemented, rather than allowing firms to treat CAT compliance as fully outsourced and therefore no longer requiring internal attention. The introducing broker-dealer's own written supervisory procedures, and its own periodic review of its Reporting Agent's actual performance, are what should have caught this pattern before it accumulated into a months-long gap, rather than the firm learning about the problem only once FINRA's own examination surfaced it. A firm's separate legal recourse against its Reporting Agent under their commercial agreement, whatever indemnification or damages provisions that agreement might contain, exists independently of, and does nothing to resolve, the firm's own direct regulatory exposure to FINRA for the underlying CAT compliance failure itself.
What Reasonable Reporting Agent Oversight Actually Looks Like
FINRA's guidance in Regulatory Notice 20-31 outlines specific elements a reasonably designed set of written supervisory procedures addressing CAT compliance should include, elements that carry particular weight where a firm relies on a Reporting Agent given the added layer of third-party risk involved. These procedures should identify, by name or title, the specific individual responsible for reviewing the firm's CAT reporting, describe specifically what type of review that individual will conduct of the data actually posted to the CAT Reporter Portal, specify how frequently that review will occur, and describe what remediation process follows when the review identifies a problem.
A firm relying on a Reporting Agent should not treat these WSP elements as satisfied simply by identifying the Reporting Agent itself as responsible for CAT compliance; the rule's non-delegation principle means the firm's own designated individual still needs to conduct genuine, independent review of the firm's CAT Reporter Portal data, since that data reflects what was actually submitted to the Central Repository regardless of which party technically transmitted it. A firm whose WSPs simply state that "the Reporting Agent handles CAT compliance," without describing the firm's own independent verification process, has not actually satisfied the kind of reasonably designed supervisory system FINRA's guidance contemplates, and would likely draw exactly the kind of examination finding the worked example above illustrates.
Relevance Across FINRA's Exam Programs
The SIE, Series 63, and Series 65 do not test Rule 6870's connectivity and data transmission mechanics, since these exams do not reach into CAT's technical infrastructure at this level of detail. A Series 7 candidate is unlikely to encounter this rule directly, though understanding that CAT reporting can be outsourced to a third party, while the underlying compliance responsibility cannot, provides a useful general principle applicable across many other areas of FINRA regulation as well.
A Series 24 candidate supervising a firm that relies, or is considering relying, on a CAT Reporting Agent needs to understand paragraph (c)(3)'s non-delegation principle as a foundational fact shaping the entire vendor relationship, not a minor technical footnote. A principal's due diligence process for selecting a Reporting Agent, and the firm's ongoing supervisory procedures for monitoring that agent's performance once engaged, should both be built around the recognition that the firm itself remains fully exposed to CAT compliance risk regardless of the agent's own performance. A Series 57 candidate working at a firm using a Reporting Agent should understand that questions about a specific order's CAT reporting status ultimately trace back to the firm's own responsibility, even where the mechanical transmission was handled entirely by the third-party agent.
Practical Guidance for Firms
Firms selecting a CAT Reporting Agent should treat the written agreement required under paragraph (c)(1) as a genuine risk-allocation document deserving careful negotiation, rather than a boilerplate formality completed quickly to satisfy the rule's written-agreement requirement. The agreement should specify, in real operational detail, exactly which functions the Reporting Agent will perform, how errors will be identified and corrected, and what reporting or notification obligations the agent owes the firm regarding its own performance, since these details become critical if a CAT compliance problem later emerges and the firm needs to understand precisely what its agent was, and was not, actually responsible for under their agreement.
Firms relying on a Reporting Agent should build genuine, ongoing oversight of that agent's performance into their Rule 3110 supervisory procedures, consistent with FINRA's explicit guidance in Regulatory Notice 20-31. This oversight should go beyond simply reviewing whatever summary reports the agent itself chooses to provide, and should instead include the firm's own independent review of CAT Reporter Portal data and error rates, ensuring the firm maintains genuine visibility into its actual CAT compliance status rather than relying entirely on the agent's own self-reported performance characterization.
Firms that are members of multiple SROs should confirm their understanding of how the Rule 17d-2 Plan's allocation affects their own CAT examination experience, recognizing that FINRA will typically serve as the primary regulator for their CAT compliance regardless of their other exchange memberships. This understanding can help a firm properly direct its CAT-related regulatory inquiries, comment letters, and examination preparation efforts toward the actual Participant responsible for its oversight, rather than assuming each exchange membership carries an independent, parallel CAT compliance examination relationship requiring separate preparation.
Firms negotiating a new Reporting Agent relationship, or renewing an existing one, should specifically build periodic performance review meetings into the underlying commercial agreement, rather than allowing the relationship to run passively based on the agent's own unprompted reporting. These review meetings give the firm's designated CAT compliance individual a structured opportunity to raise questions about specific error patterns the firm has independently identified through its own CAT Reporter Portal review, and to confirm the agent's remediation efforts are actually addressing root causes rather than merely resolving individual flagged errors without investigating why they occurred in the first place.
Firms should also consider building contractual provisions addressing what happens if a Reporting Agent relationship needs to be terminated, whether due to performance concerns or a simple business decision to bring CAT reporting in-house or switch providers. Given that the underlying CAT reporting obligation continues uninterrupted regardless of which vendor happens to be handling it at any given moment, a firm should ensure its agreement contemplates a reasonable transition period and data handoff process, avoiding a scenario where terminating an underperforming Reporting Agent inadvertently creates its own reporting gap during the transition to a replacement solution.
Smaller firms weighing whether to build proprietary CAT reporting infrastructure versus continuing to rely on a Reporting Agent should factor the ongoing supervisory burden discussed throughout this entry into that cost-benefit analysis, recognizing that outsourcing the mechanical reporting function does not eliminate the compliance oversight burden, only shifts its character from technical system maintenance to vendor oversight and independent verification. A firm that underestimates the ongoing supervisory effort a Reporting Agent relationship genuinely requires may find the total cost of that relationship, inclusive of proper oversight, considerably higher than initially anticipated when the decision to outsource was first made.
