CAT: Access to Sensitive Personal and Transaction Data Requires Maximum Protection and Accountability

The Consolidated Audit Trail (CAT) is a major regulatory initiative by the Securities and Exchange Commission and twenty-four (24) self-regulatory organizations (SROs) including FINRA and stock and options exchanges to significantly enhance regulators’ ability to monitor and analyze trading activity. Under the CAT, broker-dealers will be required to report every equity and option transaction as well as certain personal information of retail and institutional clients to a database operated by the twenty-four (24) SROs.

When it’s completed, the CAT will become the world’s largest database of equity securities and listed options transactions, including:

  • Personal information for every retail brokerage client in America – over 100 million institutional and retail accounts;
  • Order details on every stock transaction in America – trades for all retail customers, pension funds, and mutual funds; and
  • Order details on every options transaction in America.

SIFMA and its members support the CAT and its regulatory intent but have repeatedly expressed strong concerns about the risks to our customers’ information, including the wholesale collection of personally identifiable information (PII) and the compilation of so much sensitive financial data in one place. This risk is compounded by allowing twenty-four (24) separate organizations to bulk download and store all of that data, transactions and customer records alike, on their own systems, dramatically increasing exposure to data breach and theft. Allowing up to 3,000 users across twenty-four (24) different organizations to hold the data internally, with personnel having unfettered access to it, makes absolutely no sense.

We have repeatedly argued that transaction and customer data should be collected only in a secure, controlled environment, and that only the SEC and FINRA should have access to the entire database. Further, broker-dealers and their customers should not bear the liability for risks to their information when government regulation compels them to provide it.

In fact, the SROs are seeking to cap their liability at $500. Lastly, SROs that compete commercially with broker-dealers, as many do, should be strictly precluded from accessing the data with any commercial intent. It is outside the original intent of the CAT to put investors’ data and identities at risk, or to allow for-profit entities to mine that data for commercial gain under the guise of regulation.

Data security must be a paramount concern with a database this large.  But while the CAT itself is required to have robust and transparent security protocols, the CAT rules allow the SEC and every single one of the twenty-four (24) SROs to download CAT data onto their own systems.  This bulk downloading capability, which will provide thousands of additional individuals access, is a force multiplier of the already considerable data risk of the CAT Processor itself.

Simply put, the SEC and twenty-four (24) SROs should not be permitted to download any data from the CAT onto their own systems. All surveillance and analysis on CAT data should occur within a highly controlled, limited access analytics environment within the CAT.

And in spite of the substantial breach risk, the SROs responsible for operating the CAT are unwilling to be accountable for any breach damages to U.S. investors.  Instead, the SROs are requiring that broker-dealers reporting to the CAT agree in writing to waive any claims of liability against the SROs before firms are even allowed to begin testing.

This appears to put broker-dealers in an impossible position.  Either the firms report to the CAT and sign away any legal protection for their customers’ data, or they remain firm in protecting their customers’ data and risk violating a regulatory reporting requirement.  This is untenable, and policymakers must not force broker-dealers to sacrifice the safety of their customers’ information.

SIFMA supports a successfully designed, implemented and secured CAT.  However, it is critical that the SEC and the SROs tasked with implementing the CAT NMS Plan take the necessary steps to protect the sensitive CAT data and establish reasonable access limits with full accountability for any breaches.

Kenneth E. Bentsen, Jr. is president and CEO of SIFMA, the voice of the nation’s securities industry. He is also CEO of the Global Financial Markets Association (GFMA), of which SIFMA is the U.S. regional member.