Podcast: Catching Up on the CAT

In the latest in SIFMA’s podcast series, SIFMA president and CEO Kenneth E. Bentsen, Jr. is joined by Ellen Greene, SIFMA managing director, equity and options market structure and Joe Corcoran, managing director and associate general counsel to talk about the current state of the Consolidated Audit Trail, or CAT.

The CAT was created by the Securities and Exchange Commission to be a cross-market order and transaction tracking system to enhance its regulatory and enforcement capabilities and provide the ability to better reconstruct unusual or volatile market events. SIFMA’s members have long supported the goals of the CAT and broker-dealers have been diligent in complying with their obligations to report transaction data.

At the same time, however, SIFMA has consistently raised material security and privacy concerns about the amount of and need for investors’ personally identifiable information (PII) to be reported to and maintained in the CAT. When it’s complete, the CAT will house the largest collection of customer and trading data that has ever been consolidated. SIFMA believes the CAT must be held to the highest security standards, and that under the current design, investors’ PII is at risk of a data breach. SIFMA also believes the SEC and the self-regulatory organizations (SROs) that collect and hold the data must be liable for its protection, which is not currently the case.


Transcript
Edited for clarity

[Ken Bentsen] Thank you for joining us for this episode in SIFMA’s podcast series. I’m Ken Bentsen, SIFMA’s president and CEO. I’m joined today by my colleagues, Ellen Greene, SIFMA managing director, equity and options market structure, and Joe Corcoran, managing director and associate general counsel, to talk about our current views of the Consolidated Audit Trail or CAT. The CAT was created by the Securities and Exchange Commission to be a cross-market order and transaction tracking system to enhance its regulatory and enforcement capabilities and provide the ability to better reconstruct unusual or volatile market events. Ellen, where does the CAT stand in its development today?

[Ellen Greene] SEC Rule 613, better known as the CAT, was born out of the 2010 flash crash, when the equity, options, and futures markets plunged, with security prices recovering inside the space of an hour. The SEC charged the self-regulatory organizations, the SROs, specifically FINRA and all equity and options exchanges, with the sole responsibility to develop, implement, and operate the CAT.

Under Rule 613, broker-dealers are obligated to report all daily equity and option transaction data to the CAT and ultimately will be obligated to report sensitive client personally identifiable information, or PII, to the CAT. The CAT transaction database containing all daily equity and options transactions was launched in June 2020 and is currently processing billions of records daily. Noteworthy, the industry’s post-correction error rate is below 1 percent, which exceeds initial expectations, since CAT already expanded upon the information in OATS, and for the first time includes listed options. The soon-to-be operational CAT Customer Account and Information System, or CAIS, is scheduled to launch in July 2022.

Ken, how would you characterize SIFMA’s views of the CAT?

[Ken Bentsen] Our members have long been supportive of the goals of the CAT. As you note, this came about in 2010 and is something that our members have been working on, and SIFMA as well, including you and others, for really more than a decade now. If I think back, I believe it was 2011, 2012 we actually published a guide on how CAT might be developed, so it’s something that the industry’s been very much involved in.

As you pointed out, the broker-dealers are obligated to report and have been doing so. They’ve been very diligent in complying with their obligations to report transaction data. But at the same time, our members have continued to raise concerns regarding the need and risk of including investor PII in the customer database, or the CAIS, as you noted. For many years we’ve been in discussions with the SEC over whether or not the benefit of holding all of that PII in one central database outweighs the risk, and this has just been heightened with the advent of SolarWinds.

To be clear, we are not suggesting that the SEC or FINRA or the other SROs don’t have authority to access individual client data in connection with their regulatory authorities, whether it be investigations or whatever. That authority exists today. Nobody challenges that. We just think that the approach that’s being taken is a very, very risky approach involving private data of individual investors, and we have seen time and again where individual data has been compromised, including, frankly, within the government, when you think about data that was contained in the Office of Personnel Management for current and former federal employees. The SEC itself has had a hack with EDGAR and then, of course, with SolarWinds, which we may talk about some more. Numerous federal agencies have acknowledged that they’ve been hacked so far.

I think the other thing to keep in mind is broker-dealers, in many ways, have all the obligations [under the CAT], but have absolutely no authority whatsoever. We have no authority over the construction, the operation, or the control of the CAT or the data that’s reported to the CAT. Once broker-dealers hand off the data (and today they’re handing off the transaction data), they lose all control over that. That’s going to be true with respect to the PII when that is to be stood up by July of 2022. It raises a whole host of questions, and I think we’ll get into these as we go through this discussion.

Joe, you work closely with Ellen on this issue. Maybe you can go into a little more detail on the PII aspect.

[Joe Corcoran] Thanks, Ken. As you noted, the Customer and Account Information System database of CAT is the part of CAT that will hold all the PII of individual investors within the CAT system. It will require our industry members to report the name, address, and year of birth of every brokerage customer in the U.S. As you noted, it’s scheduled to become operative in July of 2022. As currently designed, it also requires our industry members to collect vast amounts of personally identifiable information on authorized traders. Authorized traders are individuals or entities that have the authority to trade on an account. For example, an investment advisor would be an example of an authorized trader.

This aspect of CAT, in which it’s requiring the reporting of PII on authorized traders, goes well beyond existing broker-dealer recordkeeping obligations. This is a point that we’ve made to the CAT folks, the SROs, and the SEC time and time again: that this reporting will require broker-dealers, essentially, to maintain new records, records that they don’t currently maintain. One of the big issues we have with the collection of all this PII by CAT is that all the SROs can download this data. As currently constructed, the SROs have the ability to download the transaction data as well as the PII information regarding individual customers, as well as authorized traders. As Ken alluded to, we just think the risk associated with collecting this data and holding it in a centralized database far exceeds the regulatory benefit of CAT.

In that regard, we suggested an alternative approach where the SROs and the SEC could request information related to problematic trading activity from industry members. It’s a request/response system, and essentially, it would allow the PII to remain outside of the database. It would reside at broker-dealers, as opposed to being in this centralized database where it could be subject to breach or misuse by the SROs.

Ellen, you’ve worked on CAT since essentially the beginning. What about the data concerns, and what are our members saying about that?

[Ellen Greene] As I think you alluded to, the ability of the SROs to download data into their own individual environments is something that our members certainly have a tremendous concern over. As the SROs have proposed, SIFMA strongly supports that all analysis is done in a secure analytical workspace, or SAW, that allows that data to be consolidated within the CAT system, as opposed to being downloaded outside of that into each of the 25 SROs.

It’s important to remember that, upon completion, CAT will be the largest database and collection of customer and trading data that has ever been consolidated. We think this makes CAT a very ripe target for hackers, and I think it’s important to point out that 25 percent of all cyber-incidents today are caused by malicious insiders or other employees or contractors.

As Ken alluded to, the recent SolarWinds and related Microsoft hacks, which have been reported to include systems at Treasury, Commerce, and Energy Department, as well as the systems of other governmental agencies, further underscore the risk to collecting American investors’ PII in a single database maintained by a third party. In addition to providing the SEC and SROs with data to reconstruct market events and surveil problematic trading activity, the current construct of the CAT raises additional privacy concerns, because it will allow the SEC or any of the 25 SROs with access to randomly conduct sweeping searches of the customer and account database.

The potential for abuse abounds. If the SEC or an SRO receives an anonymous tip alleging wrongdoing with only an individual’s name, the SEC or SRO could use that name and variations on its spelling to conduct a sweeping investigation into the trading activity of anyone with the name or a related name, with no basis beyond the initial tip. Perhaps even worse, such an investigation could lead the SEC or an SRO to contact innocent individuals for information based solely on the fact that they had the same or similar last name to the name provided in the initial tip.

[Ken Bentsen] I want to get to Joe to talk about liability, because that’s another issue, in addition to concerns about the data and particularly the PII. But just to be clear on the construct of the CAT, this is the SEC directing FINRA and 23 or 4 SROs, separate entities, to create a database. This is a massive database that is really outsourced to a third party controlled by, effectively, two dozen third parties. Is that right?

[Ellen Greene] That’s correct, and the project has been outsourced to FINRA-CAT, which is an independent entity from FINRA, who manages the CAT system on a daily basis, and together with Kingland, who will be the operator of the Customer and Account Information System, the two partners will work collectively to develop both that transaction and the customer database, which will be housed in AWS, or Amazon Web Services.

[Ken Bentsen] So, as currently designed, you’ve got multiple third parties and outsourcing holding sensitive data, both transaction and PII data, managed and accessed by, again, two dozen different entities, and in that case, many multiples of employees, and yet, the people reporting the data have no control over the security of that, in the same way they have to maintain control and security when the firms hold that data themselves.

[Joe Corcoran] It’s even worse than that, because, back in December of last year, the SROs filed an amendment with the SEC to amend the CAT NMS plan to essentially limit their liability, to the extent that the CAT system is breached. The amendment, if it’s approved by the SEC, would have the effect of placing all liability associated with a breach of the CAT system on the CAT reporters or, in other words, the broker-dealers that are obligated to report transaction information to the CAT. The limitation of liability is actually very sweeping. It also would shield the self-regulatory organizations from any liability for misuse of the data outside of the regulatory context. SROs have, pursuant to court decisions long established, immunity for acting in their regulatory context, but the liability limitation provision they’re seeking to impose on industry members would go well beyond that regulatory immunity context and would apply to situations such as an SRO employee misusing the data or taking the data and using it for some other purpose outside of what the CAT is designed for.

Of course, we’re strongly opposed to this amendment. It’s still pending with the SEC. We did file a comment letter on January 27, stating our concerns with regard to the limitation of liability provision. In addition, a week or so ago, we filed a white paper as an amendment or supplement to our comment letter. The SROs, when they had filed their plan amendment to impose the limitation of liability, had included an economic analysis. As our white paper demonstrates, I think that the economic analysis that the SROs had filed with the SEC is flawed.

Really, one of the hearts of the arguments that we make, both in our comment letter as well as in the economic analysis that was prepared by Professor Craig Lewis, is that this attempt by the SROs to shift liability to the industry members does not properly incentivize them to invest in security to protect the CAT system. It would effectively have the impact of creating greater risk of investors’ transaction and PII information being breached in the CAT system.

With that, Ken, I think we’ve talked about alternatives with the SEC as far as maintaining all the information within the CAT system. Could you briefly touch on the alternative we’ve described to the SEC?

[Ken Bentsen] Before we get there, I just want to tease out one more thing on the liability. If I, as an individual investor, learn that my personal information and, for that matter, my account information, transaction information, has been compromised by, let’s say, a breach or a hack, by a bad actor, what’s my redress? To whom do I go to have it resolved?

[Joe Corcoran] The customer has a customer relationship with the broker-dealer who is providing them services. It’s very likely that they’re going to turn around and sue the broker-dealer, because the broker-dealer provided (of course, they were required to) their transaction and PII to the CAT system. Broker-dealers, in turn, don’t, under the SROs’ proposal, have any recourse to go after the CAT system in that situation. Really, just teasing out the point you were just asking a question about, it’s really the firms that would hold all the liability and would be exposed to their customers, to the extent that their customers’ data was breached in the CAT system or otherwise misused.

[Ken Bentsen] Obviously, the firms would state, as you point out, the fact that they were obligated to give the data by rule or law, but they had no control, again, under the construct, whatsoever once they met their obligation to give the data. To some extent, I mean, the customer is left kind of high and dry in this. That’s something that we continue to raise with the SEC and the SROs. I note that this is not just one thing. It’s a continuum of things that kind of pile up with the CAT. Even if the PII were to be addressed appropriately, in our view, you’d still have liability concerns around the transaction data that’s reported.

In addition, as Ellen talked about, who has access to the data among the multiple SROs and the ability to download not just data that relates to transactions through their venues, but basically data across the entire CAT? You just grow the risk exponentially in how this is created, which is why we’re so alarmed at how this is going. Our members are complying because it’s their obligation to do so, but we’re also obligated to raise concerns where we see them, and that’s why, earlier this year, SIFMA submitted a request to the SEC that they pause the development of the CAIS, or the customer database, because of all these concerns piling one upon another, in addition to our full-throated opposition to the SROs’ proposed limitation of liability, which is not only grossly inequitable and unfair, but really is to the detriment of the individual client, and, as our analysis points out, totally undermines any incentive on the part of the SROs to properly protect that data, because they’re the only ones who are authorized to do so.

As you point out, we have since, I believe, 2017, consistently offered alternatives to the SEC, things such as an expedited blue sheet process, and we’re very much open to other ideas. Our ideas may not be the best idea, but we continue to argue that the idea, particularly in the cyber world we live in today, of creating this massive database of every American retail investor’s PII is really something that the SEC needs to step back and rethink.

It’s a tremendous amount of risk, and we just frankly are dumbfounded that they haven’t sort of realized what’s happening here. We definitely believe there’s a better way to do this. We will continue to offer ideas, because we think it’s not a question of if the CAT will be breached. It’s just a question of when.

With that, I want to thank Ellen and Joe for participating on today’s SIFMA podcast. For more information on our views and work on the Consolidated Audit Trail, please go to www.sifma.org, where you’ll find that information, plus other information that SIFMA is working on to promote effective and resilient capital markets. Thank you.

Ken Bentsen is president and CEO of SIFMA and CEO of the Global Financial Markets Association.

Ellen Greene is SIFMA managing director, equity and options market structure.

Joe Corcoran is SIFMA managing director and associate general counsel.