SEC attorney defends personal information in the Cat

Regulators will need biographical information to get the most out of the Consolidated Audit Trail, an SEC advisor said, as broker-dealers and exchanges argue over liability for breaches.

Broker-dealers are terrified that the sensitive data of their customers could end up in the hands of hackers, but an attorney from the US markets regulator said it is necessary to collect this data to give regulators the power to perform detailed analysis on equities and options transactions, and spot financial crime.

Hugh Beck, regulatory reporting advisor to Allison Herren Lee, the acting chair of the Securities and Exchange Commission (SEC), defended the regulator’s requirement that personally identifiable information (PII) be included in reports to the Consolidated Audit Trail (Cat), the database being built to track equity and options trading activity.

Beck was speaking on a webinar hosted by the Securities Industry and Financial Markets Association (Sifma), whose members include the broker-dealers that must report data to the Cat. The platform requires broker-dealers to submit biographical information such as birth dates on customers (some of whom are known as “authorized traders” in the regulation that governs Cat), each identified with a unique code, the Cat Customer ID (CCID).

Beck said that this information is critical to the regulators’ ability to connect customers of broker-dealers with other accounts they may hold.

“Why is that important? Well, just imagine a scenario in which an unscrupulous trader is submitting disadvantageous orders into an account on which they are an authorized trader, and then an account on which they are a customer. They are submitting opposing orders, and hoping that they will cross, essentially transferring value from the account on which they are an authorized trader to an account on which they are a customer. Having a link between the two is what enables us to identify that scheme much more readily,” Beck said.

“There is a host of reasons why having the unique CCID that links all accounts controlled by a person—whether in the capacity of authorized trader or in the capacity of a customer—is really important.”  

Against the stereotype of the lone rogue trader, many financial crimes—whether front-running, market abuse, or insider trading—are social crimes, Beck said, involving the participation of networks of individuals. Requiring biographical information is important in catching linkages between individuals.

“Imagine that an investigator is looking at suspicious trading by an individual and comes into some new information that suggests that relatives are somehow involved. The investigator knows the last name of that individual, and so could run a search in Cat by tracing individuals of the same last name,” he said.

“You can’t do those searches if the customer and account information characteristics are not part of the database itself. It doesn’t help to be able to ask the question afterwards about who did it if the question is about narrowing the search in the first instance.”

Beck added, however, that these are the goals of Cat; how the system eventually achieves that goal of providing sufficient information is immaterial, and the regulator is prepared to work with the industry on addressing its concerns.

Data sticking point

Sifma held the webinar to update the industry on the progress of Cat, which is being implemented in phases. The project is an initiative of the SEC and 24 securities exchanges and securities associations, known as the self-regulatory organizations (SROs). The Cat’s progress has been beset by delays since its inception, but reporting and two of four phases of the Cat’s transaction database are complete. The Cat is currently receiving billions of messages daily, said Ellen Greene, Sifma’s managing director for equity and options market structure, who moderated the discussion.

However, the security of sensitive PII that is to go into a separate database—the Customer and Account Information System (CAIS), which will be maintained by the SROs—is a major sticking point in the project.

Sifma has frequently expressed concern about the safety of customer information in the Cat. Its president and CEO Ken Bentsen said the fact that sensitive data will be compiled in one place, and that some 3,000 users at 24 separate organizations will be able to bulk download and store this data, is hugely concerning. Sifma wants only the SEC and Finra to have access to the entire database, and said that broker-dealers and customers should not bear the liability for such risks to their information, especially as they have not chosen to submit it but are compelled to do so by regulation.

In the final days of 2020, the SROs filed a proposal with the SEC to amend the Cat user agreements to limit the SROs’ liability for a data breach in the Cat system. While Sifma argues this is unfair, the SROs say that users of other reporting facilities that held sensitive data, such as the Order Audit Trail System (Oats), must agree to limitation of liability provisions, so why shouldn’t that be the case for Cat?

In its latest salvo, Sifma sent a letter to the SEC in late January asking for a temporary pause in development and implementation of the Cat, to allow for a reassessment of whether the PII and other customer data planned to be reported to and maintained within the CAIS is necessary or appropriate to fulfil the purpose of the Cat, “particularly in light of the evolving risk landscape.”

The Sifma letter referenced US tech firm SolarWinds, which suffered a software supply-chain compromise in which a backdoor was delivered to its clients through routine updates to its Orion platform, allowing the hackers to spy on companies including Microsoft, Cisco, and Deloitte, and on the US government, including the Treasury and the Department of Homeland Security.

“As the repository for virtually all of investors’ equity and options trading activity in the United States, the Cat system will be an extremely attractive target for nation states and other bad actors. The recent discovery of the SolarWinds hack has greatly increased industry members’ concerns about the security of data within the Cat System and its vulnerability to a breach,” Sifma said in its letter.

Sifma’s Greene said during the webinar that the organization believes that since the customer and account reporting phase of the Cat project is not scheduled to go live until July 2022, an SEC-ordered pause would not delay the final implementation and would allow for the continued development of the technical specifications consistent with current broker-dealer recordkeeping requirements.

Greene said it was “inconceivable from a risk management standpoint that the SEC would allow bulk downloading of customer and transaction data by the SROs,” and that if a breach of the Cat were to occur, the SROs should be held liable.

“Sifma’s guiding principle on this issue is that they who hold the data bear the liability, and we strenuously oppose efforts to shield responsibility for maintaining the security and privacy of such data. It is inappropriate and unfair for the SROs to unilaterally impose limits on their own liability when they alone hold and control data,” Greene said.

Security is expensive

During the webinar, Greene asked Michael J. Simon, chair of the Cat operating committee, why the committee has opposed attempts by the SEC to improve Cat security. In August 2020, the SEC proposed amendments to the Cat that, if they are adopted, will, among other measures, require that the SROs use analytical environments called Secure Analytical Workspaces (Saws) to review Cat data (a recommendation that Sifma endorses).

Simon responded by saying that these proposed amendments will make the Cat far more expensive to run without clarifying how they even will improve data security.

Security improvements to the Cat have already been made, he said. For example, as of March 2020, the SEC no longer requires social security numbers to be included in the PII reported to the Cat, and allows the use of the CCID, along with birth years, instead. The CAIS database, which is being built by vendor Kingland, is going to be maintained entirely separately from the transaction database and have extra levels of protection and extra access controls, he added.

“Security is a tough issue, and we all agree that it’s paramount—but not at any cost for the incremental benefit you may achieve,” he said.

Simon said the SEC’s cost-benefit analyses in its Cat proposals have underestimated how much it will take to build the Saws that the SROs would have to use to look at Cat data.

The committee’s comment letter opposing the amendments states that the labor costs alone to build the proposed Saws would be about $26.4 million, roughly 60 times the commission’s estimate of $441,600. Similarly, the cost of operating them would be about $34.4 million, roughly 40 times the commission’s estimate of $860,200.

“So there is a cost, and what benefit are you going to get out of that? Obviously, Sifma doesn’t think that it’s of sufficient benefit since you want to have a pause on the entire Cat system,” Simon said.

On the issue of liability for data breaches, he pointed out that all of Sifma’s members have limitation of liability clauses in their own commercial agreements. He concluded, however, that he would be happy to work with Sifma to reduce the liability of everyone involved in the Cat system.
