Podcast: They Who Hold the Data Should Bear the Liability

SIFMA’s Challenge of the Consolidated Audit Trail Reporter Agreement Over Data Privacy, Security and Liability Concerns

The latest edition of SIFMA’s podcast series covers a recent development related to the Consolidated Audit Trail (CAT) – the major regulatory initiative by the SEC and 24 self-regulatory organizations (SROs) aimed at enhancing regulators’ ability to monitor and analyze trading activity. SIFMA and its members are supportive of the CAT and its regulatory intent but remain concerned regarding the risks of sensitive customer information being compiled in one government-mandated database, and the liability that comes with that risk. Last week, SIFMA acted to formally challenge the CAT Reporter Agreement industry members are required to sign by SROs to gain access to the database.

In this podcast, Ken Bentsen, SIFMA President and CEO sits down with Ira Hammerman, SIFMA Executive Vice President and General Counsel and Ellen Greene, Managing Director of Equity and Options Market Structure to talk more about the risks associated with CAT and the reasoning behind the challenge.

Transcript

Edited for clarity

Ken Bentsen: Thanks for joining us for this episode in SIFMA’s podcast series. I’m Ken Bentsen, President and CEO of SIFMA. Today, we’re here today to talk about recent action taken by SIFMA on behalf of our members related to the Consolidated Audit Trail, better known at CAT and more specifically, the agreement industry members are required to sign by the self-regulatory organizations that will operate the database to gain access to the database.

I am pleased to be joined by two of my colleagues, Ira Hammerman, SIFMA’s Executive Vice President and General Counsel, and Ellen Greene, SIFMA’s Managing Director of Equity and Options Market Structure and our lead on all matters related to the Consolidated Audit Trail.

Before we dive into the latest development, Ellen can you give us the cliff notes version on what the Consolidated Audit Trail is and where it stands?

Ellen Greene: CAT is a major regulatory initiative by the Securities and Exchange Commission (SEC) that requires the 24 self-regulatory organizations – or SROs – including FINRA and stock and options exchanges, to enhance regulators’ ability to monitor and analyze trading activity.
Following the SEC’s adoption of Rule 613 in 2012, the CAT NMS plan was approved by the SEC on November 15, 2016.

CAT will be a database operated by the 24 exchanges and FINRA that will capture customer and order event information for transactions in all equity and options securities, across all markets, as well as certain information concerning retail and institutional clients.

When completed, the CAT will become the world’s largest database of equity and options transactions, including:

  • order details on every stock and listed options transaction in America – trades for all retail customers, pension funds, and mutual funds as well as
  • certain customer information concerning every retail brokerage client in America – over 100 million institutional and retail accounts.

Ken Bentsen: So, Ellen, as an industry we support the regulatory intent of the CAT, but what are the concerns it raises?

Ellen Greene: SIFMA and its members are supportive of the CAT and its regulatory intent but have repeatedly expressed strong concerns about the risks to our customers’ information since CAT will compile a significant amount of sensitive financial data all in one place.

Beyond the sheer size of the database, the risk is further compounded by allowing 24 separate organizations to have the ability to bulk download and store all such data, including transactions and customer data, on their own systems, dramatically increasing exposure to data breach and theft. And with that risk, comes liability. Broker-dealers and their customers should not bear the liability of such risks to their information when they are being compelled by government regulation to provide it.

Ken Bentsen: So this is where the crux of the issue is today – that late last year the SROs notified the industry that in order to be able to report data to the CAT, they were going to have to sign an agreement, known as the CAT Reporter Agreement or CRA, that sets the terms by which they report the data and who has or does not have liability. Within that there was some surprising language to the industry. Ellen, can you explain?

Ellen Greene: Yes, Ken. As you alluded to in order to gain access to the CAT Processor, the SROs are requiring industry members to sign the agreement.  It’s noteworthy that the agreement was never specifically disclosed or contemplated in the approved CAT NMS Plan, follow-on amendments or SRO rules.

The CAT Reporter Agreement limits the SROs liability at $500 annually per industry member, which amounts to nothing, if god-forbid there is a breach. Further, under the CAT Reporting Agreement, the SROs are requiring that broker-dealers waive any claims of liability against the SROs before firms are permitted to submit data to meet CAT obligations.

SIFMA’s guiding principle is ‘they who hold the data bear the liability.’ Under the agreement, the contrary is true: firms and clients will have all the risk despite having zero control over the data.

The industry has tried to negotiate with the SROs on liability since November 2019 and we have been unable to get the SROs to agree on a reasonable approach to underwriting the risk for customer data that the industry is compelled to share.

This puts broker-dealers in an impossible position: either the firms report to the CAT and sign away protection for customer data, or they remain firm in protecting their customers’ data and risk violating a regulatory reporting requirement.

Ken Bentsen: To put a finer point on this, the brokerage industry is required by rule to report all of this transaction data and ultimately other customer data to the Consolidated Audit Trail over which the industry has absolutely no control and yet at the same time they have absolutely no protection once they hand the data over should there be a break or malicious activity. Is that right?

Ellen Greene: Yes, that’s correct.

Ken Bentsen: So, this leaves the industry in the untenable position of having to take all the risk over which they have no ability to manage. As a result of this, Ira, what action is SIFMA taking to rectify these concerns?

Ira Hammerman: In light of the many challenges Ellen just explained we feel the industry is left with no other option but to challenge the SRO’s denial of access and the CAT Reporter Agreement and inappropriate restriction on liability.

So SIFMA filed an application with the SEC by which it is requesting the Commission stay or set aside SRO action prohibiting the submission of order and trade data to the CAT unless an industry member signs a proposed CAT reporter agreement. The industry believes the SRO’s have violated Sections 19(d) and 19(f) of the Exchange Act by denying broker-dealers access to report production data as required by rule, without signing the agreement.

In addition to the unfairness of the terms of the agreement, the SROs failed to follow the necessary process under the Exchange Act as the agreement was not proposed in any SEC filings or approved by the SEC. The CAT Reporter Agreement contains material requirements that otherwise should have been subject to notice and comment, including the limitation of liability provisions.

To be clear, this is not a challenge to the existence CAT, nor about our trying to delay or stop the CAT – we have worked in good faith with the SEC and SROs to reach a resolution, and firms continue to work toward compliance. This action is instead about protecting firm and client data and ensuring that those who maintain the data – the SROs – are legally responsible for the potential exposure of this sensitive information.

Ken Bentsen: And to add some emphasis to that, as we’ve said the firms are ready, willing, and able to provide the data. And to your point Ira, this in no way should or is intended to delay the CAT, but rather to allow firms to continue testing, begin submitting data in accordance with the timelines have been established, while the SEC resolves this issue, which we feel very strongly about on the merits. What’s next?

Ira Hammerman: We’ve made our filing of the 19(d) application with the SEC and now we await the SEC’s decision first as to a briefing schedule and a process that will unfold, but we are hopefully they will set aside the SRO denial of access and stay the application of the reporting agreement. If they do this it would allow CAT reporting to proceed according to the proposed schedule, while the SEC reviews and resolves the obvious flaws in the proposed agreement.

And again, SIFMA supports a successfully designed, implemented and secured CAT.  However, it is critical that the SROs tasked with implementing the CAT NMS Plan take the necessary steps to protect the sensitive data and establish reasonable access limits and take full accountability for any breaches of the system they maintain.

Ken Bentsen: As the firms continue their work to be prepared to achieve their regulatory requirements to report data to the CAT there will be more to come on this issue. We will look to reconvene as it develops. To learn more about SIFMA’s advocacy related to the Consolidated Audit Trail please visit https://www.sifma.org/explore-issues/consolidated-audit-trail/. I want to thank Ira and Ellen for joining me today and thank you to the audience for listening.

Kenneth E. Bentsen, Jr. is president and CEO of SIFMA, the voice of the nation’s securities industry. Ira Hammerman is SIFMA’s Executive Vice President and General Counsel, and Ellen Greene is SIFMA’s Managing Director of Equity and Options Market Structure.