SIFMA Strongly Opposes Allowing SROs to Bulk Download CAT Data; Raises PII Concerns

Washington, D.C., June 4, 2020 – In a comment letter filed today with the Securities and Exchange Commission (SEC) on improving the data security requirements in the Consolidated Audit Trail (CAT) NMS Plan, SIFMA emphasized its concerns with the security of the CAT, particularly with regard to the ability of self-regulatory organizations (SROs) to bulk download CAT Data.  SIFMA also notes that heightened firm involvement is critical.  Given the vast experience firms have in handling and protecting sensitive customer data, allowing them increased input could significantly help bolster the overall security of CAT Data.

“It is imperative the CAT be held to the highest security standards, not only to maximize the efficacy of the CAT System itself, but also to bolster the confidence of market participants reporting into the system, and to ensure investors their personally identifiable information will not be at risk of a data breach,” said SIFMA president and CEO Kenneth E. Bentsen, Jr.  “SIFMA continues to have grave concerns about the need for and security of customer data provided to and maintained in the CAT and we continue to believe there are more secure alternatives.

“SIFMA believes that an obvious and avoidable significant threat to the security of the CAT Data is the ability of SROs to bulk download customer and transaction data from the CAT to their own systems, including PII data,” continued Mr. Bentsen.  “Such a process would remove the data from the single secure CAT environment and place it in the hands of potentially multiple SROs and the individuals who work there.  Rather than mitigating risk, bulk downloading would only serve to exponentially broaden the risk that the data could be exposed.  It is inconceivable from a risk management standpoint that the Commission would allow bulk downloading customer and transaction data by 24 separate entities.”

SIFMA also notes that the parameters regarding the appropriate use of CAT Data should be clearly defined and not left open to interpretation.  SIFMA further notes that access to customer data should be provided only in the rarest of instances, and that FINRA CAT, as the Plan Processor, should have appropriate protocols that govern the request for access and the approval process to gain such access.

Finally, SIFMA suggests that additional measures regarding the oversight of the Plan Processor should be adopted, and requests that member firms that are CAT Reporters and Authorized Reporting Agents be notified of any anticipated major changes to systems, technology and architecture that are planned for the CAT as a result of regular system reviews.  This would provide firms with transparency regarding such changes and afford them the opportunity to provide valuable feedback on them. Given their extensive experience in protecting sensitive customer data, the firms could serve as an invaluable resource to the CAT.

-30-

SIFMA is the leading trade association for broker-dealers, investment banks and asset managers operating in the U.S. and global capital markets. On behalf of our industry’s nearly 1 million employees, we advocate for legislation, regulation and business policy, affecting retail and institutional investors, equity and fixed income markets and related products and services. We serve as an industry coordinating body to promote fair and orderly markets, informed regulatory compliance, and efficient market operations and resiliency. We also provide a forum for industry policy and professional development. SIFMA, with offices in New York and Washington, D.C., is the U.S. regional member of the Global Financial Markets Association (GFMA). For more information, visit http://www.sifma.org.