CAT Seeks Approval to Mask Personal Data

The self-regulatory organizations (SROs) behind the Consolidated Audit Trail (CAT) are asking the Securities and Exchange Commission (SEC) to allow the system not to gather certain personal information.

In a letter dated January 29, the CAT NMS plan committee asked the SEC to let the CAT refrain from collecting and storing social security numbers, dates of birth, and individual trader account numbers. It asked the regulator to approve the use of a planned CAT Customer ID (CCID) that will be created based on personally identifiable information (PII) of individual traders and customers.

“The participants believe that the proposed CCID alternative is necessary and appropriate in the public interest, and is consistent with the public interest, the protection of investors, the maintenance of fair and orderly markets and the removal of impediments to, and perfection of the mechanisms of, a national market system,” the letter said.

The SROs that make up the CAT NMS committee added that using an alternative such as the CCID “would enhance the security of the [CAT] central repository while preserving the regulatory benefits of the CAT.”

While the SEC is aware of the CCID and its firm-specific counterpart, the Firm Designated ID (FDID), it has not formally approved its use. Under the national market system plan, the CAT NMS is required to collect PII as a means to identify individual traders and customers for the purpose of tracking transactions. However, concerns over data security have increased since the CAT was conceived back in 2010.

During a Senate committee hearing on SEC oversight on December 10, the regulator’s chairman, Jay Clayton, said it is working with the CAT NMS to “significantly limit phone book information and allow us to do the job,” while protecting sensitive data.

The FDID will keep track of reporting firms, and although it tracks customer accounts, no actual account numbers are linked to it. While the CCID is generated using information that includes social security numbers, the end product that is seen in the CAT system will be masked; rather, the social security numbers that refer to the CCID will be kept in the SEC’s databases and will not be visible in the CAT. The role of  protecting those social security numbers will therefore be retained by the SEC.

With the request still pending, industry testing of the CAT continues. The current test period is aimed at checking the data validation of trades sent through the CAT system, and only covers transaction information. CAT reporters currently in the test environment do not send individual trader information, as customer and account data are not required until January 2022, when the operator—Finra CAT—plans to begin testing this feature.

Individual customer, trader, and account data are not currently required in the existing order audit trail system (Oats) that the CAT is meant to replace.

Testing began on December 16 and will run until April, when CAT reporters will be required to prove that their data has an error rate of 10% or less in order to participate in live production by April 20.

Live production of the CAT in April is aimed mainly at industry members that deal with equities and were previously Oats reporters. Options, specific to large broker-dealers, go live a month later. Full production is expected to take place by December 2021.