May 30, 2025

Ms. Vanessa Countryman
Secretary
U.S. Securities and Exchange Commission
100 F Street, NE
Washington, DC 20549

Re: Joint Industry Plan; Notice of Filing of Amendment to the National Market System Plan Governing the Consolidated Audit Trail Regarding the Proposed Customer and Account Information System Amendment; File No. 4-698

Dear Ms. Countryman:

The Securities Industry and Financial Markets Association (“SIFMA”)¹ respectfully submits this letter to the U.S. Securities and Exchange Commission (“Commission” or “SEC”) to comment on the proposal, filed by the Consolidated Audit Trail, LLC (“CAT LLC”) on behalf of self-regulatory organizations (“SROs”) as the Participants in the National Market System Plan Governing the Consolidated Audit Trail (“CAT NMS Plan” or “Plan”), to reduce the amount of Customer² information in the CAT Customer and Account Information System (“CAIS”).³ The CAIS Amendment follows the SEC’s February 10, 2025 order granting exemptive relief from certain requirements of the CAT NMS Plan related to the reporting of names, addresses, and years of birth for natural persons reported with transformed social security numbers (“SSNs”)/individual taxpayer identification numbers (“ITINs”) to the CAIS.⁴ SIFMA supported the CAIS Exemption Order, as SIFMA has long been opposed to the CAT’s collection and storage of individual investors’ personally identifiable information (“PII”). For this reason,

SIFMA also supports the proposed CAIS Amendment as it furthers the goal of eliminating the collection and storage of individual investors’ PII in the CAT.

I. Executive Summary

SIFMA supports the CAIS Amendment and urges the SEC to provide further guidance to market participants regarding how it plans to proceed with the CAIS database now that the SEC has issued its CAIS Exemption Order and the SROs have followed it up with their CAIS Amendment to cease the reporting and storage of individual investors’ PII in the CAT and to delete existing PII within it. In light of these actions, market participants have raised questions about whether the Commission expects the SROs to retain either or both of the CAIS database and the CAT Customer-ID (“CCID”) functionality, which we understand is held in a CAIS sub-system apart from the customer and account information.⁵ Assuming it approves the CAIS Amendment, SIFMA members would welcome SEC guidance on its future plans for CAIS and potential use of the CCID.

SIFMA applauds the recent statement by Chairman Atkins noting that he had “instructed the staff to undertake a comprehensive review of the CAT,” and that in addition to examining CAT costs, he “would like to see the staff take a hard look at the reporting requirements and scope of what is collected.”⁶ Chairman Atkins further added that he looks “forward to the agency engaging with the public on this important issue.” A Commission-led review is consistent with other policymakers’ views and recent SRO requests.⁷ SIFMA wholeheartedly supports such a review and is submitting a separate letter setting forth several high-level recommendations, which are supported by more detailed technical information we can provide at the Commission’s request, designed to further that effort.

II. The CAIS Amendment

As noted, SIFMA supports the CAIS Amendment as it is consistent with SIFMA’s long-standing opposition to the CAT’s collection and storage of individual investors’ PII. Under the amendment, the Plan Participants would eliminate requirements in the CAT NMS Plan that Industry Members report Customer names, Customer addresses, account names, account addresses, years of birth, and authorized trader names to the CAT. The amendment also would provide for the deletion of previously reported Customer information (i.e., PII) held and maintained in the CAT. The Participants represent that the amendment would achieve significant annual savings in CAT operating costs of approximately $12 million per year.

Because of long-standing privacy and cyber security concerns regarding CAT, SIFMA members have been opposed to the collection and storage of PII data by the CAT since its inception. These objections persisted even though the SEC on March 17, 2020 issued an order to reduce the amount of PII held in the CAT.⁸ In January 2021, SIFMA called upon the Commission to order a temporary pause of the further development and implementation of the CAIS database to allow for a full reassessment of whether the PII and other customer-related data to be held within the database was necessary or appropriate to fulfill the purposes of the CAT.⁹ In that request, SIFMA also reiterated its call from 2017 for the SEC to adopt an alternative approach to the CAT’s collection and maintenance of investors’ PII.¹⁰ While the Commission adopted the CCID concept as part of the PII Exemption Order in 2020, it did not adopt the other aspect of SIFMA’s suggestion to develop a request-response system using CCIDs and Firm Designated IDs (“FDIDs”) to allow regulators to request directly from a firm the identify of an investor engaged in potentially problematic trading.¹¹

The CAIS Amendment and CAIS Exemption Order would seem to effectively eliminate the reporting and storage of individual investors’ PII within the CAT. Absent this PII, SIFMA members have questioned the continuing need for the CAIS database, which was primarily designed to hold investors’ PII. As far as we know, the Commission has not directly addressed this question.

SIFMA members are thus left to speculate on the Commission’s expectations for the future direction of the CAT and particularly the CAIS database. For example, within SIFMA, certain members have expressed the view that the CAIS database should be eliminated as it will serve no purpose if the Commission approves the CAIS Amendment. In connection with these discussions, questions also have been raised about whether the Commission expects the CAT to retain the CCID functionality, which is currently part of the CAIS database, albeit in a CAIS sub-system separate from customer and account information. While the Commission indicated in the CAIS Exemption Order that the CCID functionality should be retained, it did not explicitly tell the SROs to do so. For instance, the Commission in the CAIS Exemption Order stated that the order preserves the benefit of the CCID, “thereby preserving one of the critical innovations of the CAT, the ability to track one Customer’s market activity across multiple exchanges.”¹²

Similarly, although the Commission suggested in the CAIS Exemption Order that a request-response system may be needed to ascertain the identity of investors behind potentially problematic trading activity, the Commission has not directly addressed whether it expects the SROs to develop such a system. For example, the Commission in the order observed that “regulators and broker-dealers should be able to develop processes or mechanisms that will minimize the impact of a request-response system, if such a system is created.”¹³ SIFMA therefore urges the SEC to provide the industry with further guidance on its expectations for the future direction of the CAT and the CAIS system.

In connection with discussions about the future of the CAIS database, certain SIFMA members also have expressed the view that the CAIS Amendment and the CAIS Exemption Order should lead to the development of a request-response system that would allow the Commission to retire electronic blues sheets (“EBS”). SIFMA members have long called for the retirement of EBS, as this was one of the promises of the CAT. With these recent actions, these members believe that the Commission and the SROs should take steps to develop a request-response system that ultimately replaces EBS, which members believe has long-standing security concerns, such as unmasked SSNs and other PII, that have not been addressed. However, it is uncertain what the Commission’s plans are related to the elimination of EBS as it has not directly addressed the question of whether or how it expects the SROs to develop a request-response system.

Given these questions, SIFMA calls on the Commission to provide further, explicit guidance on its expectations for the future direction of the CAT. While the SROs may have some insight as to the Commission’s views given how closely they work with the Commission on CAT, SIFMA members and the public do not have the benefit of any information that might be shared as a result of this close working relationship. The Commission should directly address these questions so that further industry-wide work on CAT reforms can proceed in a fully transparent manner.

Even if the Commission were to provide such guidance, some SIFMA members have also raised concerns about whether the CCID could be viewed as another form of PII due to the current operation of the CAT system. For example, assuming an investor’s CCID does not change over time, once the Commission or an SRO requests the identity of an investor behind a CCID in connection with a trading review, the Commission or the SRO would have this information from then on and would know that the CCID belongs to that investor long after the review ended. In other words, it is our understanding that once a regulator establishes a link between an investor and their CCID, they are able to know and track that investor’s trading activity in CAT theoretically in perpetuity – even in the absence of any evidence of wrongdoing. Similarly, given the nature of the CAT in which it captures all of an investor’s trading activity in equities and listed options, once a regulator knows the identity of an investor behind a CCID, the regulator has the ability see all of that investor’s trading activity across markets and brokers even if this activity falls outside of the scope of the regulator’s purpose for requesting the investor’s identity.

* * *

SIFMA appreciates the opportunity to submit this letter to the Commission regarding the proposed CAIS Amendment. As discussed above, SIFMA supports the proposed amendment as it is consistent with SIFMA’s long-standing objection to the CAT’s collection and storage of PII. SIFMA also calls on the Commission to provide further guidance to market participants regarding its future expectations regarding the CAT. If you have any questions or need any additional information, please contact Joe Corcoran at (202) 962-7383 or Gerald O’Hara at (202) 962-7343.

Sincerely,

Joseph Corcoran
Managing Director and
Associate General Counsel

Gerald O’Hara
Vice President and
Assistant General Counsel

1. SIFMA is the leading trade association for broker-dealers, investment banks and asset managers operating in the U.S. and global capital markets. On behalf of our industry’s one million employees, we advocate on legislation, regulation and business policy affecting retail and institutional investors, equity and fixed income markets and related products and services. We serve as an industry coordinating body to promote fair and orderly markets, informed regulatory compliance, and efficient market operations and resiliency. We also provide a forum for industry policy and professional development. SIFMA, with offices in New York and Washington, D.C., is the U.S. regional member of the Global Financial Markets Association (GFMA). [↩]
2. A “Customer” means “the account holder(s) of the account at a registered broker-dealer originating the order; and any person from whom the broker-dealer is authorized to accept trading instructions for such account, if different from the account holder(s). See CAT NMS Plan. [↩]
3. See Release No. 34-102665 (March 13, 2025), 90 FR 12845 (March 19, 2025) (“CAIS Amendment”). [↩]
4. See Release No. 34-102386 (February 10, 2025), 90 FR 9642 (February 14, 2025) (“CAIS Exemption Order”). [↩]
5. “The CCID Exemption Request was the product of close coordination between the Participants, Industry Members, and the Commission.” CAIS Amendment, supra n. 4, 90 FR at 12847. The CCID serves as an alternative to reporting SSNs and ITINs to CAT by relying on a two-stage encryption process to create a unique CCID to identify each customer in the CAT. [↩]
6. See (https://www.sec.gov/newsroom/speeches-statements/atkins-prepared-remarks-sec-speaks-051925). [↩]
7. See, e.g., Robert Cook, CAT Should Be Modified to Cease Collecting Personal Information on Retail Investors, FINRA Blog (Jan. 17, 2025), available at https://www.finra.org/media-center/blog/cat-should-be-modified-to-cease-collecting-personal-information-on-retail-investors; letter from John A. Zecca, Nasdaq and Patrick Sexton, Cboe to Paul S. Atkins, SEC re: Petition for Rulemaking and Exemptive Relief to Reduce the Costs of the Consolidated Audit Trail (CAT) (April 24, 2025), available at https://www.sec.gov/comments/4-698/4698-598775-1738922.pdf; letter from Jaime Klima, NYSE to Paul Atkins, SEC re: Consolidated Audit Trail: NYSE Proposals to Lower Costs while Maintain Regulatory Benefits (April 24, 2025), available at https://www.sec.gov/comments/4-698/4698-598195-1737842.pdf. [↩]
8. See Release No. 34-88393 (March 17, 2020), 85 FR 16152 (March 20, 2020) (“PII Exemption Order”). [↩]
9. See (https://www.sifma.org/wp-content/uploads/2021/01/Pause-on-Implementation-Related-to-CAT-CAIS-Final-1-28-2021-1.pdf). [↩]
10. See, e.g., letter re: Consolidated Audit Trail • Data Security Issues, from Thomas Price, Managing Director, Operations, Technology & BCP, SIFMA, to Brett Redfearn, Director, Division of Trading and Markets, SEC, dated October 29, 2018. [↩]
11. Rather than requiring the reporting of PII to the CAT System, that approach envisioned a workflow in which a regulatory user that wanted to know the identity of a customer to a trade would submit a FDID and trade date(s) request through the CAT Processor into a secure file transfer protocol (FTP) that would in turn direct the PII request to an Industry Member acting as a CAT Reporter. The Industry Member would receive the request and generate a query of its records for the customer PII and account detail related to the FDID and trade date(s). The Industry Member would then direct the encrypted data through the FTP back into the CAT control environment for the requesting regulatory user to analyze and use the data. At the time this approach was developed, SIFMA noted that many Industry Members were likely to automate elements of the response generation, with a staff person to oversee the process. In addition, SIFMA noted that smaller Industry Members were likely to rely on a clearing firm or service provider to report on their behalf or manually generate responses, depending on the volume of such requests. [↩]
12. CAIS Exemption Order, supra n. 4, 90 FR at 9645, n. 48. [↩]
13. Id. [↩]