Pause the CAT to Reconsider Customer Privacy Implications and Security of the Data

SIFMA has requested that the Securities and Exchange Commission (SEC) immediately order a temporary pause related to the further development and implementation of the final full Customer & Account Information System (CAIS) technical specification on customer and account reporting to the Consolidated Audit Trail (CAT).

This pause would allow for an assessment of whether the personally identifiable information (PII) and other customer-related data planned to be reported to and maintained within the customer database is necessary or appropriate to fulfill the purpose of the CAT, particularly in light of the evolving risk landscape.

We believe this pause is crucial before the CAIS technical specification is finalized, as it would allow for an assessment of whether the personally identifiable information (PII) and other customer-related data planned to be reported to and maintained within the CAIS is necessary or appropriate to fulfill the purpose of the CAT.

SIFMA members have fully supported the goals of the CAT since its inception and have been diligently working to implement the CAT transaction database, which remains on track. At the same time, we have continually voiced concerns about the type and amount of PII data to be reported to and maintained in the CAIS database of the CAT, as well as the security of that data. Those concerns have only increased with, and been validated by, the SolarWinds hack, which has been reported to include systems at the Treasury, Commerce and Energy Departments, as well as the systems of other governmental agencies.

Pausing now, while the full CAIS technical specification is being finalized, would give the Commission time to assess whether the PII and other customer-related data to be reported to and maintained within the CAIS is necessary or appropriate to fulfill the purpose of the CAT, particularly in light of the evolving risk landscape.

It is important to remember that the CAT is the largest collection of customer and trading data that has ever been consolidated. When completed, the CAT will become the world’s largest database of equity securities and listed options transactions, including personal information for every retail brokerage client in America, totaling over 100 million institutional and retail accounts; order details on every stock transaction in America, including trades for all retail customers, pension funds, and mutual funds; and order details on every options transaction in America.

Given its size and scope, it is imperative the CAT be held to the highest security standards. Ensuring these standards are met will not only maximize the efficacy of the system itself, but also bolster the confidence of market participants reporting into the system and provide confidence to investors that their personally identifiable information will not be at risk of a data breach.

Because the customer and account reporting portion of the CAT is not scheduled to go live until July 2022, a temporary pause ordered by the SEC would not delay the implementation of the CAT. It would, however, allow for the continued development of the CAIS technical specification consistent with current recordkeeping requirements. It would also allow the SEC to give further consideration to the PII data that could be exposed if the system is breached, allowing further assessment of whether additional security measures are needed in light of the SolarWinds hack.

We continue to believe there are more secure alternatives. Pausing the development of the customer and account reporting portion of the CAT would also allow the SEC to consider whether alternatives to the CAT’s wholesale collection and maintenance of investors’ PII, such as those previously suggested by SIFMA, are preferable given the current threat environment.

Kenneth E. Bentsen, Jr. is president and CEO of SIFMA, the voice of the nation’s securities industry. He is also chief executive officer of the Global Financial Markets Association (GFMA).