SEC announces exemption for CAT personal information requirement

The decision provoked a dissent from SEC commissioner Caroline Crenshaw.

The SEC has announced an exemption from the requirement to report personally identifiable information (PII), such as names, addresses, and years of birth, to the Consolidated Audit Trail (CAT).

The CAT, which tracks trade orders throughout their life cycles, previously required personal information in order to generate the unique IDs used to keep track of who was responsible for trades.

The SEC cited the redundancy of the requirement, noting that it is possible to generate unique identifiers without storing personal information. Broker-dealers will still be required to transform social security numbers into interim values to generate unique IDs for the CAT. If a regulator ever needed the personally identifiable information, it could contact the issuing broker-dealer for the details.

Regulatory efficiency

However, the SEC conceded that the PII exemption would negatively affect regulatory efficiency due to the added “request-response” step, and create yet another responsibility for broker-dealers.

But the SEC highlighted a greater risk created by storing sensitive data in the CAT: in the event of a data breach, the leaked info could be used to impersonate broker-dealers to gain access to customer accounts.

The exemption follows the SEC’s decision in 2020 to eliminate more sensitive PII, like social security numbers, from CAT requirements.

SEC Commissioner Caroline Crenshaw opposed the exemption, describing it as a setback for investors and regulators. Rather than eliminating the personal information requirement over security concerns, she contended that stronger security measures could have been implemented instead.

“By eliminating critical data collection,” she said, “we undermine its use and our own effectiveness. We are wiping away the fingerprints from the scene of the crime.”

Crenshaw expressed alarm that, without personally identifiable information at its immediate disposal, the SEC may be slow to respond to crises, and that the exemption would impair “regulators’ ability to understand suspicious activity, unwind events, or stave off market disruptions.”

She referred to the very origin of the CAT: the 2010 “Flash Crash” in which the market collapsed and recovered within hours due to manipulation ultimately traced to a single trader using spoofing algorithms.

She noted that at the time, the SEC was unprepared to respond to the crisis, and that a lack of PII would hamper regulators’ ability to respond to such events expeditiously.