The Securities and Exchange Commission (SEC) in June began requiring broker-dealers to submit detailed information on securities trades to the SEC’s Consolidated Audit Trail (CAT) database. A similar requirement for options trades went into effect in July. The purpose of the CAT is to allow SEC regulators to identify and analyze irregularities and threats to the securities markets.
NAIFA supported the development of the CAT and understands that it can be a useful tool to help the SEC protect investors and the market. However, NAIFA has concerns, along with Securities Industry and Financial Markets Association (SIFMA) and other industry organizations, that the CAT may unnecessarily make personally identifiable information (PII) on individual investors vulnerable to cyberattacks.
It remains unclear why the CAT system should should require the collection of PII to help regulators track illegal or manipulative trades and identify the causes of large drops in trading values, which are the stated goals of the program. In March, the SEC responded to industry concerns and changed the regulation so that broker-dealers would not be required to provide the CAT with such data as individuals' social security numbers, dates of birth and account numbers. However, the SEC still requires the submission of account holders’ names, addresses and birth years.
NAIFA appreciates that the SEC has shown sensitivity to our concerns, but remains concerned that collecting PII on individual investors is unnecessary and raises cybersecurity and privacy issues. The fact that self-regulatory organizations (SROs), like exchanges and securities associations, are able to download the CAT data in bulk makes it particularly vulnerable. As long as the SEC is collecting PII, NAIFA supports SIFMA recommendations that the SEC eliminate SRO access to CAT data and devise stronger safeguards drawing on industry expertise to ensure the CAT is secure.