Senate Banking Committee Hears Concerns about Data Protection for the Consolidated Audit Trail System

Commentary by Steven Lofchie

The Senate Committee on Banking, Housing and Urban Affairs considered data protection and other issues concerning the Consolidated Audit Trail ("CAT") system. CAT is intended to serve as the centralized database for all trading activity in the U.S. equities and options markets.

Background

The CAT system, implemented pursuant to Reg. NMS Rule 613, is intended to help regulators better monitor the equities and listed options markets. The testimony centered on the collection of certain personally identifying information ("PII") that may include an individual's name, address, date of birth, taxpayer identification number / social security number and role in the account. Concerns have been raised by market participants about whether there are sufficient protections in place to prevent bad actors from gaining access to or misusing this information.

Testimony

In a Request for Exemptive Relief submitted at an October 16, 2019 hearing, CAT Operating Committee Chair Michael J. Simon asked the SEC to exclude the collection of taxpayer identification numbers, social security numbers, dates of birth and account numbers from the CAT system. During the hearing, Mr. Simon advocated for an alternative approach that would not create a unique identifier for each customer. Mr. Simon also drew attention to the lack of a fee structure for the CAT system, which is currently funded by its participant exchanges. He noted that the participant exchanges are drafting an amended fee proposal that will be submitted to the SEC.

FINRA CAT, LLC President and COO Shelly Bohlin stated that (i) CAT will prioritize the security of PII and (ii) sufficient data protection measures were being taken. She said that CAT's information security program will be consistent with the National Institute of Standards and Technology Special Publication 800-53, and that CAT will continually assess new threats and security control opportunities.

Ms. Bohlin also provided information as to the progress being made towards the rollout of CAT. According to Ms. Bohlin, FINRA CAT intends to require:

  • large and small firms - that already report similar data to FINRA's Order Audit Trail System ("OATS") - to report equities data in April 2020;

  • large firms to report options data in May 2020;

  • small firms - that do not report to OATS - to report equities data in December 2021; and

  • all firms to report certain customer and accounting information in July 2022.

CAT Advisory Committee Chair Judy McDonald reiterated concerns regarding data security. In addition, she highlighted issues regarding (i) the collection and reporting of verbal and manual quotes, (ii) poor insight into fees that are applied to broker-dealers and (iii) the lack of flexibility in the implementation timeline.

Commentary

If one makes the very reasonable assumption that it is impossible to be perfectly assured for an indefinite period that data can be made absolutely safe from bad actors or from internal carelessness, it follows that there is tremendous risk in centralizing so much data in one place. Even assuming that having all this data will materially improve the ability of the regulators to monitor the markets and protect investors - as is no doubt the case - is that benefit really worth the risk? If there is a material data breach, no amount of regulatory improvement will compensate for the loss of privacy on such a massive scale and for the reputational damage to the regulatory system. Is the upside of this data collection and centralization really worth the risk, even if one believes that the chance of a breach is small?
