How the Consolidated Audit Trail Affects FAs
Source: FA-IQ, Jan. 3, 2018
RITA RAAGAS DE RAMOS: The rollout of the SEC’s consolidated audit trail – or CAT – is underway. It is a single, comprehensive database that is expected to store an unprecedented amount of sensitive trade data and personally identifiable information or PII.
National securities exchanges, Finra, alternative trading systems and broker-dealer firms are required to submit information on trading activities to the CAT daily, including customer information and prices.
The national securities exchanges and Finra were required to submit trade data to the CAT on November 15 last year. Large broker-dealers will be required to start submitting information to the CAT by November 15 this year, while small broker-dealers are expected to do so by November 15 next year.
The CAT was created in response to the flash crash of May 2010, which saw up to $1 trillion in the value of U.S. stocks erased in a matter of minutes before markets rebounded.
It took five months before the SEC and the Commodity Futures Trading Commission completed a report on their investigation of the flash crash, which placed the blame on one trader in London.
The CAT is intended to give the SEC and SROs the ability to monitor, analyze and investigate trading activities in the equities and options markets on a consolidated basis, with the end goal of better protecting investors.
Broker-dealer firms have raised alarm bells over the security of the data, especially the PII, to be stored in the CAT. Even legislators are worried.
REP. BILL HUIZENGA: Most troubling, however, is the amount of personally identifiable information, or PII, that would be required to be collected by the CAT.
RITA RAAGAS DE RAMOS: In November last year, the U.S. House of Representatives’ Subcommittee on Capital Markets, Securities and Investments held a hearing on the implementation and cybersecurity protocols of the CAT led by Representative Bill Huizenga.
BILL HUIZENGA: Not only will it be collecting such data points as social security numbers, addresses, and dates of birth for individual customers, but it will also gather identifiable proprietary transaction data that could potentially be reverse engineered and used for nefarious activities such as market manipulation.
RITA RAAGAS DE RAMOS: Also expressing concern was Pershing CEO and Sifma board member, Lisa Dolly.
LISA DOLLY, CEO, PERSHING: The implementation issues remain largely unaddressed and incomplete, and quite frankly, there is concern remaining over security of privacy issues.
RITA RAAGAS DE RAMOS: Dolly said broker-dealer firms are also worried that too many people will have access to information stored in the CAT.
LISA DOLLY: As the SROs’ initial reporting deadline approached and passed, Thesys had not yet hired a Chief Information Risk Officer, who would be responsible to review and implement the data security policies and procedures to ensure the protection of CAT data, as required by the CAT NMS plan.
RITA RAAGAS DE RAMOS: She noted that the SEC and 22 SROs will be allowed to “download any or bulk data from the CAT onto their system,” with access allowed for up to 3,000 users.
Mike Beller, CEO of Thesys Technologies, which built and operates the central repository of the CAT, tried to assuage those concerns by explaining there are security measures in place for the CAT.
MIKE BELLER, CEO OF THESYS TECHNOLOGIES: There is a special role-based access control that a regulatory user of the CAT is not necessarily permitted to access the PII except on a need-to-know basis.
It is stored in separate areas, actually in separate physical data centers, and not stored in the cloud. It is encrypted in transit and at rest. There’s an audit trail specific to the access to the personally identifiable information, over and above the auditing of everything else that happens. In general, record displays in the CAT, they don't display personally identifiable information.
RITA RAAGAS DE RAMOS: Meanwhile, draft legislation, entitled “The American Customer and Market Information Protection Act,” is pending. It would require the SEC to perform a cost-benefit analysis of the CAT, to ensure that the collection of PII would outweigh the costs or potential harm.