Call Comes for SEC to Scrap Personal Data Requirement from Controversial CAT Database
The American Securities Association is lobbying for specific improvements to the Consolidated Audit Trail that the group says should ensure regulators have the ability to surveil the market without collecting the sensitive personal information of virtually every American investor.
The ASA, which represents financial services companies, says in a letter it sent to the SEC Monday that personally identifiable information should be excluded from the CAT. The group also wants the regulator to officially name Finra as the CAT operator instead of an unregulated third party.
The CAT is a single comprehensive database expected to store an unprecedented amount of sensitive trade data and PII, including an investor’s name, address, date of birth and Social Security Number or Individual Taxpayer Identification Number.
The CAT is expected to take in 58 billion records daily – including orders, cancellations, modifications, executions and quotes for the equities and options markets – and maintain data for more than 100 million customer accounts and their unique customer information, according to parties involved in the CAT.
The ASA says it “welcomes recent reports revealing that the exchanges intend to fire Thesys Technologies as the plan processor” and instead have Finra “run the CAT.”
The ASA says, however, it remains concerned that the question of PII collection remains unresolved.
“The SEC should take steps to eliminate any PII collection requirements for whichever entity is ultimately selected as the CAT plan processor,” ASA CEO Chris Iacovella says in the letter.
FA-IQ reached out to both the SEC and Finra to confirm if Finra will indeed be taking over the running of the CAT. The SEC had not replied as of this writing. Finra referred FA-IQ to public relations firm Sloane & Company, the spokesperson for the committee of SROs responsible for the CAT.
A Sloane & Company spokesman confirmed to FA-IQ that the CAT project is being transitioned to a new plan processor and Thesys CAT LLC is “providing necessary services through the transition period.”
CAT NMS LLC – the legal entity established to conduct the activities related to the CAT – is in the process of choosing a new plan processor, according to the spokesman.
“In transitioning the project to a new plan processor, the SROs are evaluating the impact the transition will have on current industry member implementation dates,” the spokesman says.
“The SROs anticipate that initial testing of data ingestion will begin in late 2019, and that the current industry member technical specifications will continue to provide the basis of such reporting,” the spokesman adds.
Meanwhile, the ASA says it believes the SEC “can effectively surveil the market through the consolidation of order message and trading confirmation information alone.”
The ASA adds: “We stand with the overwhelming majority of retail investors who do not want to send their PII to the CAT.”
The ASA cites “growing cyber threats targeting government and business” as among the reasons it is opposed to the collection of PII.
“Our customers, in communities across the United States, have repeatedly made it clear that they do NOT want their sensitive information sent to a one-stop, target-rich environment for cyber criminals,” Iacovella says in the letter.
Citing findings from a survey conducted in November by research firm Morning Consult, the ASA says American investors “overwhelmingly oppose” sending their personal information to the CAT.
While three in four investors trust their broker to keep their personal and financial information secure, nearly four in five wouldn’t feel comfortable if their broker were forced to send this information to an unregulated third party, according to the ASA.
Nine in 10 investors are opposed to the government requiring their broker to send investment information to an unregulated third party, the ASA adds.
“We continue to believe Finra is in a much better position and has the requisite experience and expertise to be the ultimate operator of the CAT,” the ASA says.
The ASA says Finra and its predecessor organization have operated the currently-used Order Audit Trail System – which allows the self-regulator to monitor and analyze the full cycle of orders for National Market System and over-the-counter stocks – since 1998.
“Today, brokerage firms already submit much of the same information that would be collected under the CAT to Finra,” according to the ASA.
Meanwhile, the ASA says it is also concerned about the “legal and reputational risk” to its members of participating in the CAT.
“If a significant cyberattack takes place and the information of a brokerage firm’s customers is compromised, it is not clear to anyone when brokers will learn of the breach and who will have legal liability for putting this information at risk,” Iacovella says in the letter.
“While our members should not be held liable in any way in the event of a CAT data breach, the reputational harm that a firm whose clients have had their information stolen could incur is a significant issue for us,” Iacovella adds.
National securities exchanges, Finra, alternative trading systems and broker-dealer firms were initially required to submit information on trading activities – including customer information and prices – to the CAT daily since November 15, 2017. Large broker-dealers would have been required to start submitting information to the CAT by November 15, 2018, while small broker-dealers were expected to do so by November 15, 2019.
On November 13, 2017 – two days before the self-regulatory organizations were required to start submitting data to the CAT – the SROs appealed to the SEC to delay their deadline by a year, and the other deadlines by a year or two. The SEC had already denied this request, but SEC Chairman Jay Clayton said at the time that the need for PII was being reviewed.
In August 2018, Brett Redfearn, director of the SEC’s Division of Trading and Markets, said given the delays in the implementation timetable of the CAT, “it is not practicable for industry members to report some or all of the contemplated industry data to the CAT unless and until the CAT has been sufficiently developed to receive that data.”
Thus, the SEC “does not expect to make enforcement referrals concerning industry members for failure to report data to the CAT if the CAT is not sufficiently developed to receive that data,” he said.