The SEC’s Unfinished Business: Protecting Investors’ Personal Information in the CAT

The Securities and Exchange Commission (SEC) is pursuing a wide-ranging and ambitious agenda to significantly change existing market rules and practices over a short period of time across a variety of interrelated markets.  Sixteen rule proposals were issued in the first quarter alone, and the SEC has indicated it expects to issue upwards of 50 new rule proposals over the course of this year.  While some of these rules address explicit Congressional mandates, others do not warrant immediate consideration at the expense of other priorities.  Although we support several of the proposals, we continue to be concerned that the Commission is trying to do too much, too quickly, and is not completing important pending rulemakings.

One such rulemaking is the Consolidated Audit Trail (CAT) data security rule proposed by the SEC in August 2020. Two years after the CAT began collecting transaction data on every equity and option trade, the CAT will soon begin collecting complementary identifying data on every investor who makes an equity or option trade when the CAT customer database goes live in July of this year.  We firmly believe the Commission should slow down and prioritize rulemakings addressing the most pressing needs in the market, with the CAT data security proposal being a prime example.  SIFMA has long supported the goals of the CAT but firmly believes that it should be secure.

On July 11, 2022—just 60 days from now—the CAT will be fully live. When that occurs, the CAT will be the largest database of retail and institutional trading data ever created.  It also will include personal information on every retail brokerage customer in America, as well as identifying information for every pension fund, mutual fund, and other institutional account in America.

Given its size and scope, it is imperative the CAT be held to the highest security standards.

The August 2020 SEC proposal would, among other things, prohibit the bulk downloading of CAT data by mandating the use of Secure Analytical Workspaces (SAWs) for self-regulatory organization (SRO) review of CAT data.  This mandate would be subject to a strict exception process under which an SRO may seek a limited exception to download CAT transaction data, provided its security is as robust as the CAT System’s security.  The proposal also would strictly and clearly prohibit the use of CAT data for any commercial purpose, such as a rule filing that has both a commercial and regulatory purpose.

SIFMA supports much of what is included in the August 2020 proposal, some of which we have previously recommended.  We nonetheless recommend certain minor enhancements, discussed in our comment letter, that the SEC should consider in connection with finalizing the proposal.  We believe our recommendations will help enhance the overall confidence of the investing public in the CAT, which will hold vast amounts of their data.

These enhancements include:

  • Working with the exchanges that do not currently defer to FINRA for cross-market surveillance activities to encourage them to do so.
  • Restricting each exchange’s access to transaction data to trading activity conducted on that exchange (and not trading activity on other markets), with the only exception being for limited and well-defined regulatory purposes.
  • Requiring the adoption of procedures to monitor and log an exchange’s access to other markets’ trading data to further ensure that the data is only used for limited and well-defined regulatory purposes and to provide an audit trail of the exchange’s access to the data.
  • Adding industry member representation to the Security Working Group to enhance its effectiveness, much like the collaborative work that SRO and SIFMA member representatives conducted to find a solution for collecting PII data that is reflected in the PII Exemption Order.
  • Requiring the SRO data confidentiality policies to be subject to a public notice and comment process. Such a process would allow the policies to be subject to public input from investors and securities industry participants whose data will reside in the CAT System.

As the go-live date for the CAT quickly draws near, the finalization of the SEC’s August 2020 CAT data security proposal is long overdue. Allowing the CAT customer database to go live with tens of millions of individual investors’ personal information residing in a single database accessed by 25 different SROs without any privacy protocols is a failure of investor protection.  Two years is too long to wait.

Kenneth E. Bentsen, Jr. is president and CEO of SIFMA, the voice of the nation’s securities industry.