Why the SEC’s Consolidated Audit Trail Is a Bad Idea
David Burton /
The Securities and Exchange Commission beginning next year will require broker-dealers to report securities transactions to CAT NMS LLC, a Delaware-based limited-liability company jointly owned by broker-dealers on an equal basis.
This consolidated audit trail—or “CAT”—requirement invades investor privacy, creates a severe risk of data breaches, and will likely lead to more small firms leaving the financial services industry.
CAT National Market System is charged with implementing the Securities and Exchange Commission-mandated consolidated audit trail. All broker-dealers will be required to report all securities transactions to it by 2020.
The SEC, the Financial Industry Regulatory Authority, and 23 self-regulatory organizations will be able to access the consolidated audit trail database at will. It’s anticipated that there will be as many as 3,000 regulatory users.
On Sept. 13, the SEC published a proposed rule that would modify the implementation deadlines and impose higher costs on broker-dealers if those deadlines are not met.
The consolidated audit trail will replace the current “electronic blue sheet” system under which broker-dealers are required to report information requested by regulators.
While there are countless technical issues that will need to be resolved to report and integrate this massive information flow, three key concerns are privacy, liability for errors and data breaches, and costs.
The consolidated audit trail database will become an incredibly attractive target for hackers. It will include personally identifiable information with respect to millions of people, including Social Security numbers, date of birth, and brokerage account information.
The risks of identity theft and huge financial losses for ordinary Americans are quite high. As SEC Commissioner Hester Peirce put it in a recent opinion essay:
A more limited version of the program that looked only at the trades of large institutional investors would be almost as useful for reconstructing market events and would not violate the privacy interests of specific individuals.
The risk that a bus driver placing a trade for her daughter’s college fund will cause market turbulence is outweighed by the invasion of privacy and the attendant risk that cybercriminals will deplete the college education fund.
The SEC has not made the case that imposing this very large risk on the American people is worth it.
It’s not clear who would be financially liable for errors and data breaches. If the CAT NMS database is breached, the personally identifiable information of millions of people will be able to be obtained by hackers, and hundreds of millions of dollars may be lost by ordinary Americans.
From whom do they seek compensation? Certainly not the SEC. The agency can impose rules that lead to the losses but, as a government agency, it will not be held responsible. And CAT NMS is not a well-capitalized LLC. Will entirely blameless broker-dealers be forced to pay? Or will investors simply have to accept the loss of their life’s savings?
Over the 15-year period from 2004 to 2018, the number of broker-dealers has declined by 30 percent, from 5,187 to 3,607. This loss of small broker-dealers is caused by the relentless increase in the regulatory burden on financial institutions.
A similar trend is occurring in banking. Regulatory burdens do not increase in linear fashion with size. They impose a disproportionate burden on small institutions.
The loss of small broker-dealers has an adverse impact on entrepreneurs seeking to raise capital and on competition in the financial industry. The consolidated audit trail adds considerably to the problem.
The SEC needs to put the consolidated audit trail on pause. It’s a poorly thought-out initiative. The SEC hasn’t demonstrated that it’s necessary or worth the risks entailed in its implementation.
The agency clearly hasn’t given adequate thought to protecting personally identifiable information or to liability issues, and it hasn’t seriously considered options involving more narrowly circumscribed reporting.
If the SEC will not do so, Congress should.