The Consolidated Audit Trail – A Mid-Year Update

SIFMA members have consistently supported the goals of the Consolidated Audit Trail (CAT) since its inception and have worked diligently to implement the CAT transaction database, which is now operational and is allowing regulators to examine market events, including the January 2021 market volatility.  At the same time, we have for years voiced concerns about the type and amount of personally identifiable information (PII) to be reported to and maintained in the Customer & Account Information System (CAIS) database of the CAT, and have repeatedly offered viable alternatives that would serve the same purpose as the CAIS database without the attendant data and privacy risk to member clients.  Those concerns have grown considerably since the discovery of the SolarWinds hack, which has been reported to have reached systems at the Treasury, Commerce and Energy Departments, and since the recent Microsoft and ransomware attacks; these incidents have validated our long-standing concerns.

CAT PII Information

In January 2021, SIFMA requested that the SEC order a temporary pause in the further development and implementation of the final full CAT CAIS technical specification, to allow for a reassessment of whether the PII and other customer-related data planned to be reported to and maintained within the CAIS database is necessary or appropriate to fulfill the purpose of the CAT, particularly in light of the evolving risk landscape.

SIFMA noted that it had previously offered a workable alternative (i.e., a request / response system) to the mass collection and storage of PII, which we still believe would allow the SEC to meet its goals for the CAT.  Although the SEC previously rejected this alternative, the SolarWinds hack further underscores SIFMA's concerns about the protection of PII, and we continue to recommend that the SEC order a temporary pause in the further development and implementation of the final CAIS specification so that a full reassessment can be made of whether the PII and other customer-related data to be held within the CAIS database is necessary or appropriate to fulfill the purpose of the CAT.

SIFMA does not object to the SEC's or the SROs' legitimate authority to access individual client data in connection with regulatory investigations, as that authority exists today.  Rather, we have repeatedly questioned whether the benefit of collecting and storing such information in a single database outweighs the risk of that data being compromised to the detriment of individual investors.  In response to these concerns, we have consistently proposed less risky alternatives designed to fulfill the regulatory purposes of the CAT while providing greater protection for investor PII.  We appreciate the bills introduced earlier this year by Congressman Barry Loudermilk (R-GA) and Senator John Kennedy (R-LA), under which PII would remain within SIFMA members' systems and be transmitted in a timely manner to the SEC and FINRA upon request.  This alternative is a far safer approach for investors.

While the CAT is up and running from the transaction reporting perspective, several open issues remain, including data security, liability and funding, which must be resolved before the full CAT is scheduled to go live in July 2022.

CAT Data Security Proposal

This proposal was issued by the SEC in August 2020 and has not yet been approved.  Among other things, it would prohibit the bulk downloading of CAT Data by mandating the use of Secure Analytical Workspaces (SAWs) for self-regulatory organization (SRO) review of CAT Data, subject to a strict exception process under which an SRO may seek a limited exception to download CAT transaction data, provided that the security of its own environment is as robust as the CAT System's.  The proposal also would strictly and clearly prohibit the use of CAT Data for any commercial purpose, including a rule filing that has both a commercial and a regulatory purpose.

SIFMA supports much of what is included in the proposal, some of which we have previously recommended ourselves.  We nonetheless recommend certain minor enhancements, discussed in our comment letter, that the SEC should consider when finalizing the proposal.  We believe these recommendations will enhance the overall confidence of the investing public in the CAT, which will hold vast amounts of their data.

These enhancements include:

  • Working with the exchanges that do not currently use FINRA for cross-market surveillance activities to encourage them to do so.
  • Clarifying that the scope of the terms “customer type” and “account type” is strictly bound by broker-dealers’ existing recordkeeping obligations, which should further limit the amount of PII in the CAT consistent with current broker-dealer recordkeeping requirements.
  • Restricting each exchange’s access to transaction data to trading activity conducted on that exchange (and not trading activity on other markets), with the only exception being for limited and well-defined regulatory purposes.
  • Requiring the adoption of procedures to monitor and log an exchange’s access to other markets’ trading data to further ensure that the data is only used for limited and well-defined regulatory purposes and to provide an audit trail of the exchange’s access to the data.
  • Adding industry member representation to the Security Working Group, which would enhance its effectiveness, much as the collaborative work of SRO and SIFMA member representatives produced the solution for collecting PII data that is reflected in the PII Exemption Order.
  • Requiring the SRO data confidentiality policies to be subject to a public notice and comment process. Such a process would allow the policies to be subject to public input from investors and securities industry participants whose data will reside in the CAT System.

It is important to remember that the CAT will be the largest database of customer and institutional trading data ever created.  When completed, it will include personal information on every retail brokerage customer in America, as well as identifying information for every pension fund, mutual fund, and other institutional account in America.

Given its size and scope, it is imperative that the CAT be held to the highest security standards.  Meeting those standards will not only maximize the efficacy of the system itself but also give investors and market participants confidence that investors’ PII and transaction data are protected against a data breach.

CAT Limitation of Liability Proposal

The SROs’ December 2020 limitation of liability proposal is still pending before the SEC.  It would effectively force all industry members, which are obligated under SEC and SRO rules to report all retail and institutional trade data to the CAT, to assume all of the liability associated with a breach or misuse of data in the CAT System, a system that has been developed and is operated exclusively by the SROs.

Consistent with SIFMA’s May 2020 litigation against the SROs, SIFMA remains strongly opposed to the proposal and recommends that the SEC disapprove it.  Under the SEC’s design, broker-dealers are legally obligated to report their customers’ data to the CAT but have no control whatsoever over the data once submitted.  SIFMA members do not believe they should bear liability for the protection of data they do not hold and over which they have no control.

As we noted in a report analyzing the economic impact of the SROs’ limitation of liability proposal, the proposal, if adopted, would reduce investor welfare in two ways:

First, if the SROs operating the CAT do not bear liability for data breaches, they have less incentive to invest in data security to protect investors’ PII and trading data in the CAT, which would place investors at greater risk of having their data compromised.

Second, requiring industry members to absorb litigation-related expenses for an event over which they have no direct control will lead to the inefficient purchase of insurance, with the additional costs likely passed downstream to investors.

On May 3, 2021, SIFMA provided the SROs a term sheet setting forth the general terms that firms would be willing to discuss with the SROs regarding the allocation of liability in the event of a CAT Data breach.  At a high level, firms would be willing to accept a cap on SRO liability for a CAT breach that occurred while an SRO was acting solely in a regulatory capacity (i.e., the cap would not apply if the SROs were acting in a commercial capacity or engaged in willful misconduct or other bad acts).  The SROs countered with their own proposal, which contains neither an exclusion from the proposed liability cap for periods when the SROs act in a commercial capacity nor the customary contractual exclusions for gross negligence, fraud, or willful misconduct by the SROs or their agents.  SIFMA subsequently responded that its members cannot accept the counter-proposal, but that we remain available to re-engage with the SROs and would welcome an updated offer should they reconsider their position.

We continue to believe that shifting the liability to industry members is fundamentally unfair, because the SROs have exclusive responsibility for maintaining the CAT and for implementing the measures that protect it against a data breach.  We strongly believe that those responsible for the data should bear the liability for any breach of it, and we encourage that the highest level of security measures be put in place to protect investors.

CAT Funding Model

The SROs proposed a CAT funding model in April 2021 under which Industry Members would pay 75%, and the SRO Participants 25%, of the total historical and going-forward costs of implementing and operating the CAT.  SIFMA is strongly opposed to this funding model because it is inconsistent with the relevant Exchange Act standards.  Notably, NYSE, FINRA and the Long-Term Stock Exchange also oppose the proposed funding model.  SIFMA is discussing this issue with NYSE, FINRA and Nasdaq, and our goal is to work with the SROs in an attempt to reach a negotiated, long-term funding model.

Authorized Trader

SIFMA members’ concerns about the information they are required to report to the CAT on Authorized Traders remain unresolved.  Authorized Traders are defined under the CAT requirements as persons other than account holders who have trading authority over accounts.  Authorized Traders are treated as “customers” under Rule 613, and as such the CAT NMS Plan contemplates that Industry Members would hold certain information about them so that their trading activity can be tracked across firms in the CAT.  In particular, the Plan appears to contemplate that, for natural persons serving as Authorized Traders, broker-dealers would have those individuals’ social security numbers.

The problem with this approach is that it conflicts with broker-dealers’ existing recordkeeping requirements, which the CAT was not supposed to change.  Moreover, by requiring every firm reporting to the CAT to collect, systematize and report Authorized Traders’ PII, the CAT would fundamentally increase the potential harm caused by a data security breach, whether at an individual reporting firm or at the CAT System itself.

Request for Exemptive Relief for Resubmission of Corrected Data

On March 17, 2021, the SROs filed an exemptive relief request with the SEC to extend the deadline for resubmitting corrected data to the CAT from T+3 at 8 am ET to T+4 at 8 am ET.  This request replaced an earlier SRO request dated December 4, 2020 on the same issue.  In their request, the SROs recognized that various operational issues faced by broker-dealers reporting to the CAT make it difficult or impracticable for them to consistently meet the current T+3 deadline for resubmitting corrected data, that these issues will persist indefinitely and cannot be cured by technical or similar changes or by temporary exemptive relief from the current deadline, and that receipt of the data by T+4 at 8 am ET will not interfere with the SROs’ ability to provide regulators with final corrected data by the T+5 at 8 am ET deadline in the CAT NMS Plan.

To conclude, the successful resolution of the outstanding issues noted above is critically important for the successful implementation of the CAT and for industry compliance with it.  We continue to support the goals of the CAT and encourage the SEC to resolve these issues in a way that optimizes the efficiency of the CAT while ensuring that it adopts maximum safeguards to protect the investor data held within it.