Senate Banking Committee Hearing on the CAT

Senate Banking Committee

“Oversight of the Status of the Consolidated Audit Trail”

Tuesday, October 22, 2019

Key Topics & Takeaways

  • PII Collection: Michael Simon, Chair, CAT NMS Plan Operating Committee, stated that last week the Operating Committee requested that the SEC grant exemptions to eliminate the collection of certain personal information, including Social Security numbers and dates of birth, which would reduce the risk profile of the data collected and stored in the CAT.
  • Access to CAT Data: Sen. Crapo (R-Idaho) asked who will have access to the CAT database. Simon replied that 23 SROs, FINRA and the SEC would have the ability to access the CAT database in whatever manner they feel appropriate to discharge their regulatory responsibilities. He said there will be controls in place to ensure proper training and regulatory oversight over who has access to the data and how they use it.
  • Futures Markets: In response to a question from Rep. Cortez Masto (D-Nev.) about how the CAT could have helped exchanges identify the cause of the 2010 flash crash, Simon also mentioned that it would be good to eventually integrate U.S. futures markets into the CAT, and potentially non-U.S. markets.

Witnesses

Opening Statements

Chairman Mike Crapo (R-Idaho)

In his opening statement, Crapo noted that the Securities and Exchange Commission (SEC) proposed the creation of the Consolidated Audit Trail (CAT) after the 2010 “flash crash,” and referenced estimates from the SEC that the CAT would cost $4 billion to launch and $2.1 billion in ongoing maintenance. He commented that after nine years and several challenges and delays, it appears we have arrived at a version of the CAT that realizes real-time but less accurate data is not necessary to its functioning, and that slightly-delayed but more accurate data would significantly reduce costs while still preserving the system’s functional improvements to market oversight.

Crapo said the CAT now better leverages existing resources with the selection of the Financial Industry Regulatory Authority (FINRA) to be the primary processor. However, he said he continues to have concerns about the system’s cost, the volume and type of information to be collected, who has access to the information, and how the information will be secured. He was supportive of statements from SEC Chair Jay Clayton suggesting the removal of Social Security numbers, dates of birth, taxpayer identification numbers and account numbers from the CAT’s database, agreeing that this would reduce the risk profile of the CAT data but insisting that it will be still be important to have robust security protections.

Ranking Member Sherrod Brown (D-Ohio)

In his opening statement, Brown said that since the 2010 flash crash, markets have become faster, more sophisticated and more fragmented, and that the industry has spent billions upgrading technology and developing faster and smarter trading systems while the SEC still lacks a comprehensive system to help it oversee securities markets. He stated the CAT would be a single system with a beginning-to-end view of how trading happens but lamented that under the current timeline the system would not be fully operational until 2022.

Brown noted that some have taken issue with the SEC, or any government agency, having as much data as the CAT database will hold, calling it a potential target for hackers. However, he said he refuses to accept that regulators cannot both protect people’s personal information and go after criminals. He called the proposal from the self-regulatory organizations (SROs) to exclude Social Security numbers and other personal information “just one example of many creative solutions” to balance the need for oversight against protecting consumers’ information. He said he trusts the “capable minds” at the exchanges, FINRA and the SEC to work out data security concerns and complete the CAT.

 Testimony

Shelly Bohlin, President & Chief Operating Officer, FINRA CAT LLC

In her testimony, Bohlin explained that the CAT is designed to be a centralized source of information on activity in the equities and listed options markets that would allow regulators to efficiently and accurately track all activity in these securities. She acknowledged that there is interest in the CAT from multiple perspectives, including how the system will support use by market regulators and how data will be secured.

Bohlin stated that since FINRA CAT took over as the plan processor six months ago, work to build the CAT has been on schedule and FINRA CAT has worked closely with the SRO consortium and SEC staff to put in place a solution for the CAT’s first scheduled phase, the collection and processing of order trade data from the equities and options exchanges and FINRA. She said FINRA CAT has been involved in full-time industry engagement through a variety of channels to ensure the industry has a voice in the system’s development, and that technical reporting specification and extensive guidance have been published to assist broker-dealers in meeting reporting obligations.

Bohlin stressed that the security of CAT data is of the utmost priority and a strong data security program has been put in place. She pointed out that FINRA CAT is directly subject to the SEC’s Regulation SCI the CAT’s security program aligns with the strictest government requirements.

Judy McDonald, Chair, CAT NMS Plan Advisory Committee

In her testimony, McDonald said she could “confidently state that the effort to deliver CAT is moving forward in a very positive manner.” She said the Advisory Committee is satisfied that the intermediate milestones of the past year have been met and that significant progress has been made toward processing SRO reporting and the completion of industry member technical specifications for the first equity and option reporting phases.

However, she noted some remaining areas of concern as implementation progress, including data security and fees. She said data security is undoubtedly the most significant concern as the CAT will gather and store an unprecedented amount of information, including highly proprietary trading record and personally identifiable information (PII). She said the Advisory Committee is encouraged by the progress to avoid the collection of Social Security numbers and other sensitive PII data, and that with this progress some focus should be shifted to address the retirement of the legacy Electronic Blue Sheet (EBS) system, which currently collects PII data and is less secure than CAT. McDonald also voiced concern on security policies to ensure that bad actors cannot gain access to trade information once data is downloaded in bulk from the central FINRA CAT repository. She said the Advisory Committee urges reconsideration of allowing the 22 exchanges and the SEC to bulk download CAT data.

On fees, McDonald commented that there is a lack of insight into fees that might be applied to broker-dealers. She said the absence of a fee schedule creates uncertainty around the CAT and unnecessarily challenges firms budgeting to comply with CAT reporting obligations.

Michael Simon, Chair, CAT NMS Plan Operating Committee

In his testimony, Simon stressed that only the NMS plan participants and the SEC will be able to query the CAT system, and only for regulatory purposes. He noted that much of the interest in the CAT has been on the inclusion of PII, but pointed out that the SEC’s Rule 613 explicitly requires the CAT to be able to identify underlying customers and to collect personal information including names, addresses, dates of birth, taxpayer IDs or Social Security numbers. He stated that last week the Operating Committee requested that the SEC grant exemptions to eliminate several of these fields, which would reduce the risk profile of the data collected and stored in the CAT. He specifically noted that rather than Social Security numbers, the CAT will generate a CAT Customer ID (CCID).

Regardless of any exemptive relief, Simon said security will always be a top priority and safeguards have been put in place to protect the system and the data within it. He stated that FINRA CAT CISO creates and enforces controls to monitor and address data security issues and evaluates whether participants have information security policies comparable to those of the plan processor. Simon also noted that: the plan processor performs multiple layers of security assessments; regulators can access the system only over dedicated private lines; the system is designed without any internet-based query function; and the system includes multi-factor authentication systems.

Simon commented that while the SROs have borne all costs to implement the CAT so far, it “remains important and reasonable” that industry members contribute to the CAT. He said the Operating Committee is working on an amended fee proposal to this end.

Question and Answer

Personally Identifiable Information and the CCID

Crapo asked about the proposal to replace Social Security numbers with the CCID. Simon explained that the CAT will never receive or store Social Security numbers, and that a multi-step system will exist so that broker-dealers can do hashing and only the CCID will be kept in the CAT database. Bohlin said the CCID would be known only to the CAT, and that while it will have associate customer information it will be tied to transaction data for queries.

Sen. Chris Van Hollen (D-Md.) asked what measures are being taken to address the threat of cyber attacks. Simon said the first thing to do is to make the database less attractive to hackers by excluding PII such as Social Security numbers and dates of birth.

Access to CAT Data

Crapo asked who will have access to the CAT database. Simon replied that 23 SROs, FINRA and the SEC would have the ability to access the CAT database in whatever manner they feel appropriate to discharge their regulatory responsibilities. He said there will be controls in place to ensure proper training and regulatory oversight over who has access to the data and how they use it.

Sen. Tom Cotton (R-Ark.) said he has always been skeptical of the CAT, but that based on what he had heard in the hearing he may now be “downright opposed.” Noting that 25 organizations would have access to the data, he asked how many people will have access. Bohlin replied that the plan has estimated that there would be 3,000 users.

SRO Conflicts of Interest

Sen. Mark Warner (D-Va.) suggested that the SROs accessing the CAT database could be required to have a formal explanation process for why they need to access the data to ensure they are not using it for their own financial interests. Simon insisted that the rules are clear that the SROs can only access the data for regulatory purposes and stated that the SROs are heavily regulated themselves and operate with integrity.

Van Hollen noted that the SROs are for-profit companies and asked for assurance that that CAT system would be run to protect the public interest. Simon answered that the nation’s securities markets are based on self-regulation and that this will not change with the CAT. He continued that the CAT will provide better surveillance tools for the SROs responsible for the integrity of markets, and that that SEC has stated clearly that data can only be used for regulatory and surveillance purposes.

Benefits of the CAT

Brown asked about the market oversight benefits of the CAT and how it improves on current systems. Bohlin explained that the CAT will be a central database to include all the equities and options exchanges, noting that while similar constructs exist for equities today, it is a new system for options markets. Simon said the CAT will enhance regulation and let regulatory bodies move more quickly.

Opposition to the CAT

Cotton expressed his reservations that as many as 3,000 users would have access “to every trade, from every account, from every broker, for every retail investor in America.” He questioned whether foreign bad actors from China or North Korea might be able to gain access and noted previous major data breaches at the Office of Personnel Management, the SEC and large private sector firms. Cotton said the benefits of the CAT for market participants were not clear to him, and referenced comments by SEC Commissioner Hester Peirce that most of the CAT’s benefits could be achieved by focusing solely on large institutional investors.

Sen. John Kennedy (R-La.) noted the expense of building and maintaining the CAT and questioned its worth if it could not prevent future flash crashes or manipulation. Noting that the causes of the 2010 flash crash were eventually identified without the CAT, he voiced his doubts that the CAT’s costs are justified. Kennedy also suggested that the risk of compromising data could pose more risk that exceeds any potential benefit the system offers.

Security Policies

Sen. Mike Rounds (R-S.D.) asked about policies to ensure the security of information reported to the CAT. McDonald noted that broker-dealers are subject to security audits by FINRA and adhere to best practices for security. Simon explained that policing the security of the CAT is the responsibility of the Operating Committee and noted that it has hired a CISO who is an officer of the CAT NMS LLC and oversees the security of the system. He added that the SROs have a security working group comprising CISOs and security experts from the SROs to develop policies, and that the Advisory Committee also works with SIFMA and industry CISOs to ensure they are comfortable with the CAT’s security policies.

Rounds asked how many successful cyber incursions there have been into the CAT system. Bohlin answered that there have been no successful attempts since FINRA CAT has been operational. Simon added that any successful breaches would have to be immediately reported.

Sen. Catherine Cortez Masto (D-Nev.) asked if the CAT has a formal cyber incident response plan. Bohlin explained that a very detailed plan exists, and it was formulated in cooperation with FINRA and the SROs. She said that through this engagement, FINRA CAT has access to experts in breach management, containment, response and notification.

Futures Markets

In response to a question from Cortez Masto about how the CAT could have helped exchanges identify the cause of the 2010 flash crash, Simon mentioned that it would be good to eventually integrate U.S. futures markets into the CAT, and potentially non-U.S. markets.

Van Hollen asked about the possibility of the CAT capturing futures contracts. Simon explained that the CAT was designed based on the SEC mandate for the equities and options markets but noted that the SEC has asked for comment and is considering the inclusion of futures contracts. He called this a possible next step and added that this would require cooperation with the Commodity Futures Trading Commission (CFTC).

For more information on this meeting, please click here.