CEI Comments on the Consolidated Audit Trail
Release No. 34-105251; File No. S7-2026-12
Securities and Exchange Commission Notice of Proposed Rulemaking
“Concept Release on Consolidated Audit Trail and Other Audit Trails and Data Sources” CFR Parts 240 and 242
[Release No. 34-105251; File No. S7-2026-12]
RIN 3235-AN54
Comment of Richard Morrison[1]
Senior Fellow, Competitive Enterprise Institute[2]
June 22, 2026
The Competitive Enterprise Institute (CEI) is pleased to comment on the Securities and Exchange Commission’s concept release, “Consolidated Audit Trail and Other Audit Trails and Data Sources.” Since 1984, CEI has published research in support of free markets and limited government and has long advocated for policies that increase consumer choice, free investors from undue government burdens, and protect Americans from abuse by government agencies. CEI policy experts frequently comment on a wide variety of economic policy topics, including finance, regulatory reform, civil liberties, and property rights.
Introduction
The current concept release asks, “What are the regulatory use cases that must be enabled for the Commission and the SROs to fulfill their statutory obligations?”[3] But a better question might be “How does the existence of the Consolidated Audit Trail (CAT) exceed the SEC’s statutory powers and threaten the rights of Americans?” Indeed, it has become clear that the CAT and its related data sources are problematic and unnecessary burdens on the investing public. Whatever practical law enforcement or regulatory values the CAT may serve, they do not overcome the program’s serious constitutional concerns and lack of statutory legitimacy.
When it comes to implementing the CAT, the Commission relies largely on Section 11A of the Securities Exchange Act of 1934 for authorization, in effect piggybacking on the original National Market System (NMS) framework that Congress directed the SEC to establish in 1975.[4] But the modern CAT is substantively different from the objectives laid out in that authorization. Congress’ intent was to ensure efficient execution of securities transactions and fair competition among brokers and dealers by fixing the geographically fragmented trading system that existed before the Securities Acts Amendments of 1975. This is substantively different from what the Commission has subsequently implemented.[5]
As plaintiffs in NCPPR v. Atkins point out, “No statutory language authorizes SEC to order SROs to seize for later search investor-identifying information about every trade in the entire market.”[6] The Commission’s claimed authority also lay dormant for a suspiciously long time, well over 30 years. By the time the CAT was being implemented in 2014, it was hailed by then-Commission Chair Mary Jo White as “a sea change” in the way the agency processes data.[7] While clearly intended as praise, that claim is more of a confession that the agency may have been treading in what the Supreme Court considers a major question of public policy. For that, the agency would have needed new, express authorization from Congress—something it did not have.[8]
Moreover, the CAT’s comprehensive, “fishing expedition” style compliance requirements are at odds with the best traditions of U.S. jurisprudence in addition to creating the specific policy concerns detailed below. The CAT also mirrors other expensive and invasive compliance regimes found elsewhere in the federal financial regulatory ecosystem. As such, the SEC’s job should be to proceed with full elimination as soon as possible, just as other federal agencies have recently moved to rescind other rules and guidance with similar deficiencies.
1st Amendment concerns
Where Americans choose to invest their money can reveal their political and personal beliefs, such as divesting from certain industries for ethical reasons, supporting specific companies, or using strategies tied to environmental or religious principles. Requiring centralized reporting of this information creates a risk that sensitive investment data could be misused to identify or burden investors based on political, religious, or other associational commitments. That risk raises serious First Amendment concerns under Americans for Prosperity Foundation v. Bonta, 594 U.S. 595 (2021), and NAACP v. Alabama ex rel. Patterson, 357 U.S. 449 (1958), because compelled disclosure regimes may chill protected speech and association even when the government asserts an administrative or regulatory purpose.
In Bonta, the Court reiterated that “[p]rotected association furthers ‘a wide variety of political, social, economic, educational, religious, and cultural ends,’ and ‘is especially important in preserving political and cultural diversity and in shielding dissident expression from suppression by the majority.’” The state requirement in that case threatened to punish non-profits that refused to reveal information about their donors. The Court held that compelled disclosure of this information posed a risk to Americans’ First Amendment rights, chilled speech and donations, and infringed upon their associational interests.
Investment choices may not be as obviously expressive conduct as writing a newspaper op-ed or protesting in front of a government building, but SEC Commissioner Hester Peirce argues persuasively that they are indeed expressive acts, writing that “economic transactions offer a window into a person’s deepest thoughts and core values” and that such transactions “are a rich form of value expression.”[9]
4th Amendment concerns
There is nothing new about citizen concern over data collection in the style of the CAT. The surveillance regime birthed by the Patriot Act and the Department of Homeland Security worried many civil liberties advocates, and the Pentagon’s now-discontinued Total Information Awareness project was analogous in one key respect—a shift from surveilling specific suspects to surveilling everyone.[10] Moreover, entrusting initial data collection to third parties (the self-regulatory organizations) cannot erase the coercive aspect of the program if data-sharing, particularly in financial matters, is ultimately mandatory.
The CAT raises serious Fourth Amendment concerns because it requires the routine collection and retention of detailed trading information concerning investors without individualized suspicion. Although the Commission may argue that such information is held or transmitted through regulated intermediaries, Carpenter v. United States, 585 U.S. 296 (2018), confirms that the mere involvement of a third party does not necessarily extinguish all reasonable expectations of privacy in comprehensive, revealing, and retrospectively searchable data. The Commission should not assume that the third-party doctrine reflected in United States v. Miller, 425 U.S. 435 (1976), and Smith v. Maryland, 442 U.S. 735 (1979), automatically resolves the constitutional issue.
It should not matter, for Fourth Amendment purposes, whether the customer’s personally identifiable information is available in the initial collection. The agency can request that information upon a determination of “suspicious” trading patterns, under its own definition and at its own discretion. Searching and seizing first and then matching suspicious trading patterns to a particular person at a later date should be no more lawful than police searching every home in a given area without a warrant and obtaining the names of the owners only after discovering evidence of illegal conduct.
The unreasonableness of this type of search should be obvious if we apply the same standard to other industries or transactions. How would U.S. citizens feel if, as Commissioner Peirce has suggested we imagine, “every time [we] went to the grocery store, convenience store, bookstore, or hardware store, those stores — under government orders — sent a complete, itemized list of what [we] bought and when [we] bought it to the government and organizations working on its behalf that could challenge you to explain any purchase that catches their interest”?[11] No conscientious defender of our constitutional rights would assent to that expectation, not should we do so in the case of the CAT.
5th Amendment concerns
Some commentators have also raised property-rights concerns regarding the compelled collection and use of proprietary financial data. See Ruckelshaus v. Monsanto Co., 467 U.S. 986 (1984). The analogy is not exact, because Monsanto involved trade-secret information, but the case illustrates that compelled disclosure of valuable private information may implicate constitutional property-rights principles in some circumstances.
Commentators have also argued that CAT’s compelled reporting structure may raise Fifth Amendment self-incrimination concerns insofar as it requires the production and retention of records that could later be used in enforcement proceedings.[12] See U.S. Const. amend. V. The Commission should address those concerns directly rather than assume that the regulatory character of the reporting regime eliminates them.
Cybersecurity threats
As mentioned above, the large volume of potentially sensitive information generated by the CAT is vulnerable to misuse and weaponization. The concentration of sensitive trading information in a centralized repository creates material risks of misuse, unauthorized access, insider abuse, and disclosure. Those risks are heightened where multiple public- and private-sector entities have access to the data and where the information could reveal sensitive financial, political, religious, or associational choices. While the agency’s decision last year on the requirement to report certain personally identifiable information is a welcome one, it is insufficient to solve this problem.[13]
There have been many cases of data held by government sources being so leaked. The compromised data have included information from otherwise unknown individuals up to the tax returns of the President of the United States.[14] The SEC itself has also suffered high-profile cybersecurity breaches to its own EDGAR database[15] and the social media account of a former chairman, among other issues.[16] The way CAT data is currently treated is also not carefully compartmentalized or limited in order to maximize the privacy of citizens. As Commissioner Peirce has written, “People working for over a dozen different organizations in the public and private sector will have access to the data, and there are few concrete parameters on how they can use it.”[17]
Even if we set aside the politically motivated targeting by those with legal access to the information, the mere existence of a database like the CAT creates the incentive for malicious hackers to attempt to access it for any variety of reasons of their own. This concern—that a large, central database of information from innocent individuals creates novel risks—has been raised widely in a variety of contexts beyond regulation of financial transactions, including age verification for digital media.[18]
Relevance to the SEC’s climate disclosure rule
At the same time that the SEC is considering its current Concept Release on the CAT, it is also proceeding with a proposal to rescind its climate disclosure rule, initially approved March 2024.[19] Commissioners and staff reviewing the former would do well to consider the parallels with the latter proceeding.
Much like the CAT, the climate disclosure rule would have mandated the creation of an extremely large database of information of dubious value, at great cost, with burdens resting on every regulated party regardless of underlying conduct. The climate disclosure rule also had both constitutional and statutory deficiencies, including requiring subjective and potentially disparaging disclosures on the part of registrant firms (a First Amendment violation) and a lack of authority for the agency to regulate in the relevant area at all.[20]
Relevance to the Bank Secrecy Act and related statutes
There are also parallels between the CAT and the problematic way that the nation’s bank secrecy regulations are implemented. Both hoover up enormous amounts of data from non-offending citizens with only very small and diffuse results. As described in recent congressional testimony, US financial institutions spent an estimated $59 billion complying with the federal bank secrecy regime last year. The requirements of the Bank Secrecy Act and subsequent related legislation forced banking institutions to file 28.7 million reports on their customers in 2025, yet those reports only tipped off 275 investigations by the Internal Revenue Service’s Criminal Investigations division.[21]
The best government policy is narrowly tailored to achieve a compelling public purpose and implemented without unduly burdening the rights of the citizenry. Neither framework mentioned above passes either this general test or a reasonable cost-benefit analysis, especially if one includes both the hard costs of compliance by regulated entities and the constitutional infringements they represent. While reforming statutes such as the Bank Secrecy Act, the USA PATRIOT Act, and the Anti-Money Laundering Act is squarely in the hands of Congress, the SEC has its chance to play its role in the case of the CAT.
Conclusion
The Commission has solicited comments on whether changes should be made to the CAT that respond to “civil liberty, privacy, and confidentiality concerns; cost-efficient technology solutions; and cybersecurityconsiderations.”[22] The answer is an overwhelming yes. For the reasons described above—and additional ones described by others in the docket—the time has come for the SEC to bring an end to this entire enterprise. The Consolidated Audit Trail should be reformed via elimination.
Notes
[1] Richard Morrison is a senior fellow at the Competitive Enterprise Institute. He has been working in research and communications roles in the liberty movement since 1999 and has written extensively on financial regulation, in particular the topics of politicized investing and environmental, social, and governance (ESG) theory. He is the host of the Free the Economy podcast and the editor of the Great Capitalism newsletter.
[2] The Competitive Enterprise Institute (CEI) is a think tank in Washington, D.C., focused on free-market policy analysis. Founded in 1984, CEI is America’s leading advocate of regulatory reform on a wide range of policy issues.
[3] “Concept Release on Consolidated Audit Trail and Other Audit Trails and Data Sources,” Securities Exchange Act Release No. 34-105251, File No. S7-2026-12, April 16, 2026, https://www.sec.gov/rules-regulations/2026/04/s7-2026-12.
[4] SEC Rule 613, 17 C.F.R. § 242.613, https://www.ecfr.gov/current/title-17/chapter-II/part-242/subject-group-ECFRac68bdd026a46db/section-242.613.
[5] Erik Davidson, Josh Restivo, and National Center for Public Policy Research v. Atkins, Class-Action Complaint for Declaratory, Injunctive, and Mandamus Relief, U.S. District Court for the Western District of Texas, Waco Division, April 16, 2024, https://nationalcenter.org/wp-content/uploads/2024/04/2024.04.16-CAT-Complaint.pdf
[6] Ibid.
[7] Mary Jo White, “Chairman’s Address at SEC Speaks 2014,” Securities and Exchange Commission, February 21, 2014, https://www.sec.gov/newsroom/speeches-statements/2014-spch022114mjw.
[8] See West Virginia v. Environmental Protection Agency, 597 U.S. 697 (2022).
[9] Hester Peirce, “Statement in Response to Release No. 34-88890; File No. S7-13-19,” Securities and Exchange Commission, May 15, 2020, https://www.sec.gov/newsroom/speeches-statements/peirce-statement-response-release-34-88890-051520.
[10] Clyde Wayne Crews, “The social significance of the Consolidated Audit Trail,” Open Market (blog), Competitive Enterprise Institute, August 19, 2024, https://cei.org/blog/the-social-significance-of-the-consolidated-audit-trail/.
[11] Hester Peirce, “This CAT is a Dangerous Dog,” Real Clear Policy, October 9, 2019, https://www.realclearpolicy.com/articles/2019/10/09/this_cat_is_a_dangerous_dog_111285.html.
[12] Thomas A Berry and Kimberly Coleman, “American Securities Association v. SEC,” Cato Institute, May 28, 2026, https://www.cato.org/legal-briefs/american-securities-association-v-sec-0.
[13] “Exemption From the Requirement to Report Certain Personally Identifiable Information to the Consolidated Audit Trail,” Securities and Exchange Commission, February 10, 2025, https://www.sec.gov/newsroom/press-releases/2025-38-exemption-requirement-report-certain-personally-identifiable-information-consolidated-audit-trail.
[14] “Former IRS Contractor Sentenced for Disclosing Tax Return Information to News Organizations,” U.S. Department of Justice, January 29, 2024, https://www.justice.gov/archives/opa/pr/former-irs-contractor-sentenced-disclosing-tax-return-information-news-organizations.
[15] “SEC Brings Charges in EDGAR Hacking Case,” Securities and Exchange Commission, January 15, 2019, https://www.sec.gov/newsroom/press-releases/2019-1.
[16] Austin Weinstein & Jamie Tarabay, “SEC Had a Fraught Cyber Record Before X Account Was Hacked,” Bloomberg Law, January 11, 2024, https://www.bloomberg.com/news/articles/2024-01-11/sec-had-a-fraught-cyber-record-longbefore-x-account-was-hacked.
[17] Peirce (2019).
[18] Shoshana Weissmann, “The Fundamental Problems with Social Media Age-Verification Legislation,” R Street Institute, May 16, 2023, https://www.rstreet.org/commentary/the-fundamental-problems-with-social-media-age-verification-legislation/.
[19] Rule adoption press release: “SEC Adopts Rules to Enhance and Standardize Climate-Related Disclosures for Investors,” Securities and Exchange Commission, March 6, 2024, https://www.sec.gov/newsroom/press-releases/2024-31. Proposed rescission press release: “SEC Proposes Rescission of Climate-Related Disclosure Rules,” Securities and Exchange Commission, May 29, 2026, https://www.sec.gov/newsroom/press-releases/2026-49-sec-proposes-rescission-climate-related-disclosure-rules.
[20] Richard Morrison, “CEI Comments to SEC on Proposed Climate-Related Disclosures Rule,” Competitive Enterprise Institute, June 16, 2022, https://cei.org/regulatory_comments/cei-comments-to-sec-on-proposed-climate-related-disclosures-for-investors-rule/.
[21] Nicholas Anthony, “Modernizing the BSA for Financial Crime in the 21st Century,” Cato Institute, May 21, 2026, https://www.cato.org/testimony/modernizing-bsa-financial-crime-21st-century.
[22] “Concept Release on Consolidated Audit Trail and Other Audit Trails and Data Sources.”