The Consolidated Audit Trail: Protect Investor Data, Place Liability Where it Belongs

When fully implemented, the Consolidated Audit Trail (CAT) will be the largest database of retail and institutional trading data ever created. It also will include personal information on every retail brokerage customer in America, as well as personally identifiable information (PII) for every pension fund, mutual fund, and other institutional account. It is imperative the CAT be held to the highest security standards to protect investors. Currently, there are two key outstanding items that must be addressed in order to protect investors when the CAT becomes fully operational in the fourth quarter of this year.

First, the SEC should adopt its August 2020 CAT data security proposal, which is designed to significantly enhance the security of data held within CAT.

The proposal would, among other things, prohibit the bulk downloading of CAT data by the self-regulatory organizations (SROs) by requiring them to use Secure Analytical Workspaces (SAWs) to review CAT data. This requirement is subject to a strict exception process under which an SRO may seek a limited exemption to download CAT transaction data into its own environment, provided its security is as robust as the CAT System’s security. The proposal also would strictly and clearly prohibit the use of CAT data for any commercial purpose by the SROs, such as a rule filing that has both a commercial and a regulatory purpose.

SIFMA supports much of what is included in the proposal, some of which we previously recommended. We have recommended to the SEC, as discussed in our comment letter, certain minor enhancements to the proposal that the Commission should consider in connection with finalizing it. We believe our recommendations will help further increase the security of data within the CAT, which in turn should help enhance the overall confidence of the investing public.

Second, the SEC should resolve with finality the issue of liability for a breach or misuse of CAT data.

As mandated by the SEC, the CAT is owned and operated by 25 SROs, including several exchanges owned by for-profit, publicly-traded holding companies. As currently configured, once broker-dealers report trade and PII data to the CAT, as mandated by the SEC, all control, access and protection of that data shifts to the SROs and their thousands of employees and contractors. For that reason, SIFMA also has consistently raised concerns about the security of CAT Data, its susceptibility to breach or misuse, and the potentially significant liabilities that could flow from such a breach or misuse of CAT Data or the CAT System.

SIFMA has long believed those responsible for the CAT data should bear the liability for any security breaches. To that end, we oppose the recent proposal to limit the SROs’ liability in the event of a data breach and have shared our views with the SEC in a recent comment letter.

The SROs have offered repeated assurances that CAT Data will be fully secured, though SIFMA believes the SROs undercut those assurances by repeatedly seeking to limit their own liability for breach or misuse of the data. SIFMA consistently has opposed, and the SEC ultimately disapproved, previous inclusions of limitation of liability provisions, including a proposed disclaimer of warranties clause (DWC) in the CAT Agreements.

The DWC is essentially identical to the warranty disclaimers included in the original CAT Agreements, which SIFMA successfully negotiated out, and in the Limitation of Liability Proposal, which the SEC disapproved. SIFMA believes the SEC should reject this third attempt by the SROs to impose, without any proper basis, a limitation on their CAT duties, responsibilities and potential liability.

It is seriously concerning that the SROs appear simultaneously to be telling industry members and the SEC that the CAT System and CAT Data are appropriately protected, but that the SROs are unwilling to be responsible for basic representations and warranties regarding the integrity and security of the system that they control and operate.

The impermissible goal of the DWC proposed by the SROs is to shift risk, responsibility, and potential liability away from the SROs, which fully control and operate the CAT System and the data that is part of the CAT System, and toward industry members and, by extension, their customers, whose data is embedded within the system but who exercise no control over the safety, security, integrity or operations of the system.

Ellen Greene is Managing Director, Equity and Options Market Structure at SIFMA.