CEI Joins Coalition Letter on SEC Decision RE Consolidated Audit Trail Database

View Full Document as PDF

Dear Chairman Clayton,

We, the undersigned organizations, write today to express our grave concerns with the Securities and Exchange Commission’s (SEC) decision to require broker-dealers to report all securities transactions to the Consolidated Audit Trail (CAT) database. Starting next year, this requirement will go into effect raising numerous concerns with privacy, liability for errors and data breaches, and costs. Complicating this matter further is the SEC’s recently proposed rule which would alter implementation deadlines and subsequently impose higher financial penalties on broker-dealers for missing those deadlines.

Regarding our privacy concerns, as it currently stands, the SEC, the Financial Industry Regulatory Authority (FINRA), and 23 self-regulatory organizations will all be able to access the CAT database in whatever manner they feel is appropriate. According to the CAT’s own FAQ, CAT NMS, which is the entity charged with implementing the SEC-mandated CAT, requires the CAT database to support a minimum of 3,000 users. As the CAT database will include personally identifiable information (PII) for millions of people it is highly concerning that access to this database will be so widespread. Furthermore, this combination of factors makes the CAT database a prime target for cyber criminals which increases American’s risk for identity theft and financial losses.

Despite these valid concerns, the SEC has failed to make the case that the benefits of using the CAT database would justify these risks.

As Michael Simon, the Operating Committee Chairman of CAT NMS, has previously said in a letter to the SEC:

“Groups have expressed concerns that the CAT may be an attractive target for potential cyberattacks by persons seeking to engage in identity theft. The Operating Committee believes that eliminating the capture and storage of individual tax payer identification numbers/social security numbers (collectively, “SSNs”), dates of birth and actual account numbers from the CAT would greatly mitigate these security risks.”

In addition to our stated privacy concerns, we also take issue with the fact that no one has been identified as the liable party in the event of a data breach or some other form of error. From our interpretation, if there were to be a data breach, neither the SEC, a government agency, or CAT NMS, an LLC with limited capital, would bear the financial burden of these losses. Instead, it appears that either the broker-dealers, who are required to use the CAT database, or investors themselves will have to bear the brunt of these costs.

In sum, we strongly encourage the SEC to put this initiative on hold. In its current form, there are far too many risk factors and the SEC has done nothing to show that the benefits of this database would outweigh those risks. Moving forward, the SEC should strongly consider heeding the recommendation of Chairman Simon and make efforts to eliminate the storage of PII and explore other options that require fewer risks for broker-dealers and investors.

Additionally, the SEC should seek to reduce risks by limiting access to the CAT database to only the SEC and FINRA.

Sincerely,