A Safer CAT for Investors

The SEC-mandated Consolidated Audit Trail (CAT) is scheduled to become fully operational on May 31, 2024. It will be the largest database of retail and institutional trading ever created, containing information on every equity and listed options order and trade processed in the U.S. It will include personally identifiable information (PII) on every retail brokerage customer in the U.S., as well as identifying information for every pension fund, mutual fund, and other institutional account.

Recognizing the value of the data held within the CAT, the SEC proposed a data security rule in August 2020 to significantly enhance the security of the CAT database. Among other things, the SEC recognized in that proposal the security concerns associated with potentially thousands of staff at the SEC and the self-regulatory organizations (SROs) having access to that data. Despite the CAT now being nearly completed, and the SEC and SROs using the CAT transactional database to engage in rulemaking and other regulatory activities, the SEC has not adopted the proposal. It is an appalling failure of investor protection for the SEC to not adopt that proposal to enhance the security of the CAT, especially since the SEC has had nearly four years to do so.

Given the tremendous value of the data held within the CAT, it is critically important that the CAT be held to the highest security standards. The SEC recognized this back in 2020 in the CAT data security rule when it proposed to prohibit the bulk downloading of CAT data by requiring SROs to use Secure Analytical Workspaces (SAWs) for SRO review of CAT data, subject to a strict and very limited exception process. The proposal also would strictly and clearly prohibit SRO use of CAT data for any commercial purpose, such as a rule filing that has both a commercial and regulatory purpose. Nearly four years later, that proposal remains unfinished. Instead, the SEC is devoting its regulatory apparatus to fixing market problems that only it believes exist.

In addition to the CAT data security proposal, the current requirements for collecting and storing individual investor PII within the CAT database raise further questions about whether such data needs to be maintained in the CAT in the first place.

As we proposed several years ago, SIFMA believes there is a better way. The framework we previously proposed aims to address the security and privacy concerns of holding individual investor PII in the CAT by establishing a request-response system. Under that system, regulators would be able to request from broker-dealers the identity of investors engaged in potentially problematic trading activity on an as-needed, request-only basis, rather than maintaining such data in the CAT.

We recognize that the CAT customer and account database is almost complete. Nonetheless, we continue to believe our alternative approach will allow the CAT to serve its regulatory purposes while maintaining the security and privacy of investor PII.

SIFMA has for years expressed significant concerns over the mass collection and storage of investor PII in the CAT. We have noted that such a concentration of sensitive PII data poses significant security and privacy risks to investors, particularly from bad actors with ill intent. With the CAT almost completed, now is the time to assess its operation and examine ways in which it can be improved to enhance investor protection while still allowing it to serve its regulatory functions. We believe that our previously proposed request-response system should be closely considered as a means to facilitate these objectives.

Author

Kenneth E. Bentsen, Jr. is President and CEO of SIFMA. From 1995 to 2003, he served as a Member of the United States House of Representatives from Texas. Prior to his service in Congress, Mr. Bentsen was an investment banker specializing in municipal and housing finance.