The SEC is exempting personal data from the CAT process. Will this provide new security at the cost of efficiency?
Grygo is the chief content officer for FTF & FTF News.
Is the Securities and Exchange Commission (SEC) undercutting or protecting the Consolidated Audit Trail (CAT) through a new exemption that would allow “natural persons” to sidestep supplying “certain personally identifiable information (PII)” such as names, addresses, and years of birth?
CAT is an ambitious and controversial big data, U.S. securities transaction monitoring project that has been helping regulators FINRA and the SEC surveil U.S. equity and options markets, exchanges, participants, transactions, and more. FINRA CAT, LLC, a subsidiary of the Financial Industry Regulatory Authority, oversees CAT operations and planning while the U.S. National Securities Exchanges, alternative trading systems (ATSes), and executing brokers cover the funding.
Earlier this week, SEC Acting Chairman Mark Uyeda announced the PII exemptions, arguing that the data points are “not necessary to achieve CAT’s objectives” and could be tempting to bad actors wanting to break into the CAT system and steal precious data. Interstingly, Robert Cook, president and CEO of FINRA, on Jan. 17, posted a blog, “CAT Should Be Modified to Cease Collecting Personal Information on Retail Investors.”
Mark T. Uyeda
The PII data was “originally required to … help regulators identify the person(s) responsible for a trade,” according to the SEC’s announcement. “In 2020, the Commission issued an order exempting the reporting of some of the most sensitive PII, including social security numbers. Today [Feb. 10], the Commission issued an order exempting additional PII from the CAT. The CAT will still be able to generate reliable and consistent anonymized customer IDs even if such PII is not reported to the CAT.”
The SEC “now weighs the benefits of maintaining some of that information in the CAT differently in light of both the heightened security risks posed by the increased sophistication of bad actors and the prospect of relatively efficient indirect access to customer information,” according to the exemption order.
The reactions from the securities industry are likely to be positive. For instance, the securities industry advocate SIFMA supports the exemptions.
Kenneth E. Bentsen, Jr
“For a decade, SIFMA has expressed strong concerns on behalf of the industry and investors that the information in the CAT — the largest database of retail and institutional trading ever created — was a ripe target for cybercriminals and collecting PII put investors’ data at risk,” says Kenneth E. Bentsen, Jr., president and CEO of SIFMA, in a prepared statement. “We have repeatedly called on the SEC to prohibit the collection of investors’ personal information and proposed alternatives that address the Commission’s enforcement concerns without the need to collect such data. This bold decision by the Commission is entirely appropriate and long overdue.”
However, SEC Commissioner Caroline A. Crenshaw disagrees with SIFMA and Uyeda.
“We are wiping away the fingerprints from the scene of the crime,” Crenshaw says in a prepared statement. The CAT system “is a seminal example of how data collection can be used for good purpose. The CAT helps make our markets safer, more efficient and can act as a powerful tool in ferreting out wrongdoing. Yet today, by eliminating critical data collection, we undermine its use and our own effectiveness.”
Caroline A. Crenshaw
During a crisis, regulators “need access to a timely and comprehensive set of data — whether we are trying to figure out a major market event like the Flash Crash, investigate fraud, or identify suspicious foreign activity that may indicate market manipulation or infiltration,” Crenshaw argues. “The CAT was designed to address outdated regulatory infrastructure by improving the completeness, accuracy, accessibility, and timeliness of data needed to support robust regulatory oversight. And, in fact, it has.”
Crenshaw says that the exemption leaves many questions unanswered.
“For example, will it be more difficult for regulators to spot fraud? How much harder will it be to identify certain types of market manipulation? Will it be more difficult to identify and address concerns relating to certain foreign ownership? Will it be more difficult to identify and compensate the victims of swindlers? In times of market disruption and ongoing fraud or manipulation, loss of time means loss of money and loss in market confidence. There is no question that this decision is a loss for markets and investor protection,” she says.
While those consequences may or may not come to pass, the regulator does acknowledge a big problem with this change.
“The Commission’s decision to grant this exemption takes into account the trade-off between the protection of individual investors’ PII and regulatory efficiency, achieved by exempting additional PII from the CAT. … The Commission acknowledges that this order will negatively impact regulatory efficiency,” according to the exemption order.
The current method of querying the CAT system could be replaced by a request-response system that “would require regulators to contact broker-dealers to determine the names, addresses and years of birth for natural persons, which would take additional time and require manual intervention, thereby decreasing the efficiency of the CAT for regulators,” according to the SEC.
The SEC via the exemption order speculates that “regulators and broker-dealers should be able to develop processes or mechanisms that will minimize the impact of a request-response system, if such a system is created. For example, technological advances such as more efficient computing and networking, could result in the development of an automated or partially automated system for requesting information from broker-dealers and for responding to regulator requests for information held by broker-dealers.”
All of which sounds like a challenge for regulators and an opportunity for industry providers.
The exemption order in full can be found here: https://shorturl.at/LUG0U
Need a Reprint?