The Consolidated Audit Trail and Customer PII: Why take the risk

• The world’s largest database must be held to the highest security standards
• Under current design investors’ personally identifiable information (PII) is at risk
• The SEC and SROs who collect and hold data must be liable for its protection

When the Consolidated Audit Trail, or CAT, is complete, it will become the world’s largest database of securities transactions, containing all daily equity and listed options transactions executed in the U.S. It also will contain vast amounts of personally identifiable information (PII) and other data on every retail brokerage client in the U.S.

The CAT was born out of the 2010 Flash Crash, when equities, options and futures markets plunged and then recovered within the space of an hour. Following an investigation, the U.S. Securities and Exchange Commission (SEC) proposed the creation of a consolidated audit trail: a cross-market order and transaction tracking system intended to enhance its regulatory and enforcement capabilities and to improve its ability to reconstruct unusual or volatile market events. The Commission charged the self-regulatory organizations (SROs), specifically FINRA and the various equities and options exchanges, with sole responsibility for developing and operating the CAT. Broker-dealers are obligated to report all daily equity and option transaction data to the CAT, and ultimately will be obligated to report sensitive client PII as well, but they have no authority or control over the protection of that data once it is submitted to the CAT system. Such control resides solely with the SROs.

The transaction database of the CAT, containing all daily equity and options transactions, was launched last spring and is now becoming operational. The CAT Customer Account and Information System, or CAIS, is scheduled to launch in July 2022. It will contain the names, addresses, and years of birth of all retail customers, as well as the types of accounts they hold. Further, the CAIS will contain additional PII on the "authorized traders" of every retail account that has one. Authorized traders are individuals designated by a client to act on their behalf and include, among other capacities, family members or guardians acting under a power of attorney. While broker-dealers do not today collect detailed PII from many authorized traders, the CAIS as currently designed will have the effect of requiring them to do so. When the CAIS is operational, every retail investor will have their PII held in a single database owned and operated by the current 23 SROs under the direction of the SEC.

The industry has long supported the goals of the CAT, and broker-dealers have been diligent in complying with their obligations to report transaction data. At the same time, we have consistently raised material security and privacy concerns about the amount of and need for investor PII to be reported to and maintained in the CAT. To be clear, we do not object to the SEC’s or SROs’ legitimate authority to access individual client data in connection with regulatory investigations, as that authority exists today.

Rather, we have repeatedly questioned whether the benefit of collecting such information in a single database outweighs the risk of that data being compromised to the detriment of individual investors. In response to these concerns, we have consistently proposed less risky alternatives designed to fulfill the regulatory purposes of the CAT while providing greater protection for investor PII. The recent SolarWinds and related Microsoft hacks, which so far have been reported to include systems at the Treasury, Commerce and Energy Departments as well as those of other government agencies, further underscore the risk of collecting every American investor's PII in a single database maintained by a third party. In this regard, it is worth noting that 25 percent of all cyber incidents today are caused by malicious insiders or by other employees or contractors, a threat that perimeter defenses alone do not address.

At a recent hearing on the SolarWinds hack, Senate Intelligence Committee Chairman Mark Warner (D-VA) said, "This intrusion had the possibility of being exponentially worse than what has come to pass so far. The footholds these hackers gained into private networks including some of the world's largest IT vendors may provide opportunities for future intrusions for years to come."

Beyond providing the SEC and SROs with data to reconstruct market events and surveil problematic trading activity, the current construct of the CAT raises an additional privacy concern: it will allow the SEC, or any of the 23 SROs with access, to conduct sweeping searches of the customer account database at will, without any requirement of a predicate.

The potential for abuse abounds. If the SEC or an SRO receives an anonymous tip alleging wrongdoing with only an individual’s name on the tip, the SEC or SRO could use that name and variations on its spelling to conduct a sweeping investigation into the trading activity of anyone with that name or a related name, with no basis beyond the anonymous tip. Perhaps even worse, such an investigation could lead the SEC or an SRO to contact innocent individuals for information based solely on the fact that they had the same or similar last name to the name provided in the tip.

While the scope and impact of the SolarWinds hack is not yet fully known, it won't be the last data breach. We know other government agencies have been compromised, including by state actors. In 2015, the federal government announced that the PII of current and former employees held by the Office of Personnel Management had been exposed in a breach.

In 2016, the SEC's EDGAR system, a crucial database containing material non-public corporate issuer information, was hacked. Although it is beyond question that the security of the CAT database must be ensured, given these events the type and amount of PII to be collected on each investor in America needs to be reconsidered: data that is never collected cannot be breached.

In addition to flagging the issues around collecting sensitive data, SIFMA opposes the SROs’ recent proposed amendment to the National Market System (NMS) Plan governing the CAT. The amendment would force all CAT Reporters to effectively assume all liability associated with a breach of the CAT system. It also would permit the SROs, which currently have the ability to bulk download data from the CAT into their own systems, to disclaim liability for a breach or misuse of CAT data beyond the regulatory context in which they already enjoy immunity.

We recently issued a report analyzing the economic impact of that proposed plan amendment. It concludes that the amendment would reduce investor welfare in two ways: (1) by giving the SROs, as the operators of the CAT, less incentive to invest in data security to protect investors' personally identifiable information and trading data, placing investors at greater risk of having their data compromised; and (2) by requiring industry members to absorb litigation-related expenses for an event over which they have no direct control, which would lead to the inefficient purchase of insurance, with the additional costs likely passed downstream to investors.

Despite these substantial concerns about the CAT, which were detailed in our late January request that the SEC order a pause in the further development and implementation of the CAIS, the CAT continues to move forward at full steam.

As we noted in our January request, ordering a pause would in no way impede the ongoing collection of transaction data, which, as noted, commenced last year. We also believe such a pause would not delay the implementation of the CAIS, because it is not scheduled to go fully live until July 2022.

Such a pause would, however, give the SEC, which will soon have a new Chair and a new majority, additional time to consider an alternative approach to the CAT's collection and maintenance of investors' PII in light of what has been learned from the SolarWinds hack.

In sum, it is imperative the CAT be held to the highest security standards, not only to maximize the efficacy of the system itself, but also to bolster the confidence of market participants reporting into the system, and to ensure investors their PII will not be at risk of a data breach.

SIFMA's members continue to work diligently to meet their obligations to implement the CAT, despite our concerns over the amount of PII to be collected and the security of that data once consolidated. We are doing our part to make the CAT successful. But the SEC and SROs must do their part to ensure investors' PII is adequately protected from security breaches.

Kenneth E. Bentsen, Jr. is president and CEO of SIFMA, the voice of the nation’s securities industry. He is also chief executive officer of the Global Financial Markets Association (GFMA).