X

SEC Issues Exemptive Relief from CAT Requirements

Steven Lofchie Commentary by Steven Lofchie

SEC staff issued no-action relief (see here and here) from Consolidated Audit Trail ("CAT") requirements in order to (i) enable broker-dealers to implement COVID-19 contingency plans, and (ii) limit the retail customer data that broker-dealers are required to report to the CAT. In a public statement, SEC Chair Jay Clayton said he directed SEC staff to identify measures to strengthen the security of CAT data.

As previously covered, the SEC adopted a national market system ("NMS") plan to create a comprehensive database for all trading activity in the U.S. equity and options markets, known as the CAT plan. The SEC stated that the CAT plan is intended to improve regulators' ability to conduct market research, market monitoring and market event reconstruction, and identify and investigate market misconduct.

Mr. Clayton stated that the SEC issued exemptive relief for self-regulatory organizations ("SROs") from:

  • enforcing CAT implementation deadlines until May 20, 2020 to enable broker-dealers to focus their efforts on "critical operations" relating to COVID-19; and

  • collecting the "most sensitive" retail customer data in the CAT, including a retail customer's (i) social security number or individual tax payer identification number, (ii) date of birth, or (iii) account numbers. Broker-dealers would instead be required to report a retail customer's name, address and birth year to the CAT.

Additionally, Mr. Clayton directed the SEC staff to prepare recommendations on measures to improve the security of CAT data. Specifically, Mr. Clayton asked SEC staff to:

  • suggest alternatives to "bulk downloading" of data by SROs that would better protect CAT data;

  • identify the risks of proliferating CAT data "across multiple environments";

  • address potential data security issues concerning the use of CAT data for regulatory purposes;

  • find methods to safeguard account information, while maintaining access to information for regulatory purposes;

  • review the effectiveness of Plan Processor security decisions;

  • allow for greater transparency concerning the security of CAT data, while protecting the CAT system from bad actors; and

  • examine additional measures that would improve the security of CAT data, "both within and outside the CAT system."

Commentary

Steven Lofchie
Steven Lofchie

Reconsidering aspects of CAT in light of the cybersecurity issues raised by the coronavirus is a good thing. In general, the regulators should give more consideration to whether the cybersecurity risks of CAT are worth the regulatory benefits. At least as currently contemplated, a cyber break of the CAT data would not only be damaging to the financial markets, it would undermine any confidence in the regulators. See also Senate Banking Committee Hears Concerns about Data Protection for the Consolidated Audit Trail System.

Sometimes it is true that what you don't know (or, at least, what you don't aggregate in a single location) can't hurt you.

Email me about this

Primary Sources

  1. SEC No-Action Letter: Consolidated Audit Trail Reporting
  2. SEC Order Granting Conditional Exemptive Relief: Order Granting Conditional Exemptive Relief, Pursuant to Section 36 and Rule 608(e) of the Securities Exchange Act of 1934
  3. SEC Statement, Jay Clayton: Update on Consolidated Audit Trail; Temporary COVID-19 Staff No-Action Letter; Reducing Cybersecurity Risks

Related Articles

Premium Content

Available only to Premium subscribers.

 

Join Premium

US Regulatory Intelligence combines regulatory and enforcement news, analysis, and practical work tools on an easy-to-use digital platform.

Request a Free Trial

Tags

Individuals
Walter Jay Clayton
Regulated Activities
Business Continuity Data Protection / Cybersecurity Trade Reporting
Sub-Activity
CAT, Coronavirus
Regulated Entities
Broker-Dealers Regulatory Agencies
Sub-Entity
Securities SROs
Body of Law
Securities Law
Jurisdiction
US - Federal
Organization
SEC