CAT’s Cradle – Ongoing Problems with the SEC’s Consolidated Audit Trail

In July 2012, the SEC adopted a new Rule 613 under Section 11A(a)(3)(B) of the Securities Exchange Act of 1934 (“Exchange Act”). It would require national securities exchanges and national self-regulatory organizations (“SROs”) “to act jointly in developing a national market system (‘NMS’) plan to develop, implement, and maintain a consolidated order tracking system, or consolidated audit trail, with respect to the trading of NMS securities.” While the Financial Industry Regulatory Authority (“FINRA”) and the SROs did have their own audit trail systems, they were “limited in their scope in varying ways.” The answer was to create a new, truly comprehensive system:

A consolidated audit trail would significantly aid in SRO efforts to detect and deter fraudulent and manipulative acts and practices in the marketplace, and generally to regulate their markets and members. In addition, such an audit trail would benefit the Commission in its market analysis efforts, such as investigating and preparing market reconstructions and understanding causes of unusual market activity.

The many comment letters submitted in response to the proposed rule between 2010 and 2012 were favorable. Quite a few referenced the “Flash Crash” of May 6, 2010, which had spooked the markets. In fact, the initial proposed rule for a consolidated audit trail appeared only twenty days later, on May 26. It was hoped that a consolidated audit trail could help regulators reconstruct, and perhaps prevent, similar future events. Some commenters wondered how investors’ privacy would be protected. The Commission addressed those concerns only once in the final rule:

Commenters have expressed concerns regarding the risk of failing to maintain appropriate controls over the privacy and security of consolidated audit trail data. Accordingly, the adopted Rule requires the NMS plan to include additional policies and procedures that are designed to ensure the rigorous protection of confidential information collected by the central repository.

Over the years, the voices of those concerned investors have become louder. While the data held by the SROs has been relatively safe, the hacking of cryptocurrency exchanges has become commonplace. Many more individuals have had their own accounts hacked, and ransomware attacks have increased sharply. Fourteen years have passed since the rule was first proposed, and work on CAT, as it’s called, has begun, but the system is not yet fully operational. In August 2020, the SEC proposed a data security rule that would enhance the safety features of CAT, but it hasn’t yet been adopted. Although the idea of an audit trail, as originally described in 2010, seems innocuous, CAT isn’t just a big database of order metadata. It contains a great deal of “PII,” or “personally identifiable information.” It’s included because the SEC and the SROs want to use that information to catch crooks: market manipulators, fraudsters, and more. But its mandate is to grab pretty much everything, so a great deal of information about everyone who trades securities will be known to CAT and to its users.

According to the amendments proposed in 2020, there’s nothing to worry about. The original plan to require CAT to collect SSNs and ITINs has been abandoned. Complete birthdates will not be required; only the year of birth. There’s more, all of it designed to reassure the wary, but most of the changes appear to be semantic rather than… real.

The Commission proposes the following additional amendments to reflect the revised reporting requirements for Industry Members: the defined term “Customer Attributes,” would replace the defined term “Customer Identifying Information” and “Account Attributes” would replace the defined term “Customer Account Information” to more accurately reflect the data elements being reported by Industry Members; and a newly defined term “Customer and Account Attributes” would be defined to include all the data elements, or attributes, in both “Customer Attributes” and “Account Attributes.” Finally, as a result of the changes to the Customer and Account Attributes that are reported to and collected by the CAT, which will no longer require the reporting of the most sensitive PII, the Commission proposes to delete the defined term “PII” from the CAT NMS Plan.

A summary of the 438-page proposal aids in its digestion. Then-Chair Jay Clayton said gamely that data security was an “essential pillar” of the CAT, but many of those for whom it was intended disagreed. 

The comment letters are almost uniformly negative. Even the SROs, except for FINRA, find the whole thing unworkable, dangerous, and too expensive. The NYSE objects that “Neither the Commission’s original Proposal nor FINRA CAT’s Alternative Proposal is legally permissible under the securities laws, and each would contravene the goals the Commission stated when it proposed and adopted Rule 613 and when it approved the CAT NMS Plan.” Nearly every commenter gives lip service to the hoped-for usefulness of CAT, but also expresses alarm at the dangers baked into the system. That, no doubt, explains why the 2020 amendments to the rule have not been adopted. 

But what does the Commission have in mind? As of this moment, CAT is scheduled to become fully operational on May 31, 2024, according to SIFMA. SIFMA, the leading trade association for broker-dealers, investment banks, and asset managers in the U.S., is one of the few affected organizations that would like to see the 2020 proposals made effective. But it isn’t enthusiastic, saying “[i]t is an appalling failure of investor protection for the SEC to not adopt that proposal to enhance the security of the CAT, especially since the SEC has had nearly four years to do so.” As things stand, investors’ PII will be available to anyone who has access to CAT. SIFMA wants the system changed so that regulators would have to ask broker-dealers for “the identity of investors engaged in potentially problematic trading activity on an as-needed request-only basis, rather than maintaining such data in the CAT.” But isn’t that how it works now, and how it’s always worked?

Somewhat surprisingly, Republican Commissioner Hester Peirce supported the proposals, but reluctantly, saying she’d have preferred that stronger measures be taken. With her characteristic bluntness, she continued:

As I have said elsewhere, the CAT treats every American as a presumptive wrongdoer.  The CAT will watch everything you do in the securities marketplace, record it for employees of the SEC and self-regulators to monitor, and store it in databases that hackers undoubtedly will attack.  The discomfort we feel about similar monitoring in other marketplaces is something we should also feel when the government watches our every move in the financial markets.

In July 2022, Peirce voted in favor of granting temporary exemptive relief to give CAT time to fix some implementation issues, but reiterated her worries about the database:

With respect to security, I plead with my fellow regulators to rethink the wisdom of creating a massive database of information that hackers may try to exploit for their nefarious ends. Given these concerns, my preference would be to see the project placed in the SEC’s catacombs—dead and buried forever.

CAT, which is being developed by FINRA, now has its own website where it offers users the latest updates, and displays a list of participants in the program. The site exists chiefly for those participants and is highly technical.

The Lawsuit

On April 16, 2024, the New Civil Liberties Alliance (NCLA), which describes itself as an enemy of the “Administrative State”—known to many as the “Deep State”—and champion of freedom-loving Americans, “unleashed” a lawsuit to, as it said, “take down SEC’s mass data collection machine.” The purpose of the suit is to stop the development of CAT, which it says “runs roughshod” over the constitutional rights of investors. It’s bringing the suit in the name of its clients Erik Davidson, John Restivo, and the National Center for Public Policy Research. The defendants are Gary Gensler, in his official capacity as Chairman of the SEC, the SEC itself, and Consolidated Audit Trail, LLC. 

NCLA was founded in 2017, and, according to Bloomberg Law, is backed by conservative activist Leonard Leo and billionaire Charles Koch. The National Center for Public Policy Research has been around for much longer; it was founded in 1982. It calls itself a “non-partisan, free-market, independent conservative think tank.” Scott Shepard, director of the National Center’s Free Enterprise Project, noted hotly, “The idea that this SEC can be relied on not to abuse this vast cache of financial information for which it has no legitimate use is laughable. We’re delighted that in joining this case we can rely on NCLA’s brilliant minds and impressive record of success to fight against these unjustifiable invasions of privacy and decency.” 

Erik Davidson is an assistant professor of Finance at Baylor University. He’s also an adviser to Inspire Investing, an instructor and curriculum consultant for the American Bankers Association, and provides consulting services on wealth and investment management. John Restivo, the last plaintiff, is a real estate developer who lives near Waco. The suit was filed in the U.S. District Court for the Western District of Texas, Waco Division. The suit is described in the caption as a Class-Action Complaint for Declaratory, Injunctive, and Mandamus Relief.

The complaint is long and comprehensive. It immediately gets to what may turn out to be one of NCLA’s most persuasive arguments: that the SEC’s Rule 613, proposed in 2010 and adopted in 2012, was created without any statutory authority. It asserts that if completed as planned, CAT would be the largest database in the United States except for the NSA’s, and adds: “Unlike NSA, however, SEC entirely lacks the authority, history, or special oversight structure that permits it to engage in the seizure and surveillance of private information.”

The complaint goes on to enumerate the ways in which CAT violates the constitution. First, the Fourth Amendment is cited:

The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.

The “papers” of the late 18th century are arguably equivalent to today’s “data.” NCLA is no doubt right in saying the founding fathers would not have been happy about CAT. Are we so accustomed to the many intrusions our use of the internet has brought into our lives that we barely notice one more, and don’t really care? Even 50 years ago, most of us would likely have been alarmed to be told that in the not-too-distant future we would view our bank and brokerage accounts, and transact in them, from a screen at home. We all know people who, only 20 years ago, resisted paying bills online, preferring to send a check. But all that has changed. There are even banks and brokerages that have no physical location that can be visited, not to mention countless entirely virtual businesses. Most of us no longer even think about it, except to occasionally mourn the loss of another brick-and-mortar store we once enjoyed visiting.

The History

The SEC was created in 1934 to regulate our capital markets. Confidence in those markets had been badly shaken by the crash of 1929, and the new Roosevelt Administration believed something had to be done. First, the Securities Act of 1933 (“Securities Act”) required companies engaging in public offerings to furnish prospectuses to prospective investors. Second, the Securities Exchange Act of 1934 (“Exchange Act”) created a new regulatory agency, the Securities and Exchange Commission, with Joseph P. Kennedy as its first chairman. Registration statements and many other kinds of filings (their number grew over the decades) had to be filed with it. The object was to ensure transparency on the part of issuers. It was hoped that companies required to provide audited financial statements wouldn’t try to cook their books. Obviously, both the ‘33 and ‘34 Acts were laws passed by Congress, not rules cooked up by a government agency.

NCLA points out that the SEC has always had enforcement powers and is lawfully permitted to conduct investigations. The regulator can obtain information about private individuals’ trading by making “blue sheet” requests. To do so, it must have “an articulable basis to investigate possible violations of the securities laws.” The scope of the underlying investigation limits the number of requests it may make. The SEC can also obtain information by issuing administrative subpoenas. In order to do that, it needs to show some facts indicating a violation of the law. Only then can it issue a “formal order of investigation” and begin to issue subpoenas. The process is explained in its Enforcement Manual.

The complaint notes that the flash crash of 2010 was clearly what prompted the SEC to propose Rule 613, and that its proposal was unlike anything considered by the agency in the past. What NCLA considers to be a fundamental break with past practices is that Rule 613 would allow the SEC real-time access to whatever data it wanted “without any need to obtain a warrant, issue a subpoena, or even have cause to suspect an investor of wrongdoing.” They add to their list of possible unintended consequences the chance that a bent SEC employee might use his access to figure out proprietary trading strategies, or to undermine a successful trader he disliked, or whom someone had paid him to sabotage.

Very few people are unaware of the dangers presented by insecure databases. Large systems are periodically tested for vulnerabilities, but testing catches only some of them; others lurk out of sight until an attacker finds them first. On September 20, 2017, Chair Jay Clayton issued a “Statement on Cybersecurity” and two related press releases. One of them was about the continuing investigation of a 2016 hack of the SEC’s EDGAR reporting system. A Ukrainian hacker and six traders in California, Ukraine, and Russia had broken into the system and helped themselves to corporate filings that were not yet in the public domain. As a result, they cleaned up on the trades they immediately placed. The intrusion was not announced by the SEC until September 2017. The culprits were charged by the SEC in 2019, and the Department of Justice brought parallel criminal charges at the same time.

Only a few months ago, on January 9, the SEC’s X social media account was hacked. The attackers used “SIM swapping,” transferring the phone number tied to the account to a device they controlled, to reset the account’s password, and then announced in the agency’s name that Bitcoin ETFs had been approved. The SEC later acknowledged that multi-factor authentication had been turned off on the account months earlier and never re-enabled, so control of the phone number was enough. Bitcoin spiked, and then fell when, a short time later, the agency announced the “news” wasn’t true.

It isn’t just conservative think tanks and the conservatives who staff them who are worried about data security. Liberals and liberal organizations are as well. The American Civil Liberties Union (ACLU) wrote to the SEC in late 2019 to express its own concerns about the CAT project. It explained what it saw as problems in detail.

First, to avoid making investors’ personal information available to all users of the system, it suggested that every individual involved be assigned a unique identifier, called the CAT Customer ID, so that trading records carry the identifier rather than the person’s name and other details. Second, it felt far too many people at each of the 25 SROs would have access to the database without having to show a specific reason that access was needed. Third, anyone with access could also download information in bulk without limitation. The ACLU believes “The SEC should limit SRO and exchange access to the CAT to only trading activity for their respective exchange(s), and only the SEC and FINRA should access the customer database. The SEC should also ensure that CAT data can only be accessed within the CAT’s secure environment that is managed by FINRA CAT and should provide that the data can never be extracted from that environment.” Finally, each SRO should be required to limit access to CAT to users who are given special training.
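The ACLU’s four recommendations amount to a familiar data-minimization and least-privilege design: a pseudonymous customer identifier in the trading records, a separate re-identification table that only a privileged role can consult, per-exchange scoping of queries, a cap that makes bulk extraction a visible policy violation, and a training gate. The following is an added illustration written for this article, not CAT’s design, FINRA CAT’s code, or the ACLU’s proposal in code form. The record fields, role names, the 1,000-row cap, and the “case ID” required for re-identification are all assumptions; the customer and order records are constructed samples, not real people or real CAT data.

```python
"""Pseudonymous customer IDs with scoped, non-bulk access (illustrative only)."""
import hmac
import hashlib

# Secret assumed to be held only inside the central repository. A keyed MAC,
# rather than a bare SHA-256 of the tax ID, matters here: the space of
# nine-digit tax IDs is small enough that an unkeyed hash table leaked to an
# attacker could be reversed by brute force.
REPOSITORY_KEY = b"example-key-not-for-production"

MAX_ROWS_PER_QUERY = 1000  # assumed cap: anything larger is refused and logged

# Constructed sample customers held by the repository (not real people).
CUSTOMERS = [
    {"tax_id": "123-45-6789", "name": "A. Investor", "birth_year": 1970},
    {"tax_id": "987-65-4321", "name": "B. Trader", "birth_year": 1985},
]


def customer_id(tax_id: str, key: bytes = REPOSITORY_KEY) -> str:
    """Deterministic pseudonym: the same person links across firms' reports,
    but the token alone reveals nothing without the repository key."""
    return hmac.new(key, tax_id.encode(), hashlib.sha256).hexdigest()[:16]


# Constructed order events as an exchange would see them: pseudonym only.
ORDERS = [
    {"exchange": "XNYS", "cat_customer_id": customer_id("123-45-6789"), "symbol": "ABC", "qty": 100},
    {"exchange": "XNAS", "cat_customer_id": customer_id("123-45-6789"), "symbol": "ABC", "qty": 200},
    {"exchange": "XNYS", "cat_customer_id": customer_id("987-65-4321"), "symbol": "XYZ", "qty": 50},
]

# Re-identification table: assumed to exist only inside the secure environment.
_IDENTITY = {customer_id(c["tax_id"]): c for c in CUSTOMERS}

ACCESS_LOG = []  # every re-identification is recorded with who asked and why


class Principal:
    """A CAT user: which exchanges they may query, whether they completed the
    required training, and whether their role may re-identify a pseudonym."""

    def __init__(self, org: str, exchanges: set, trained: bool, can_reidentify: bool):
        self.org = org
        self.exchanges = exchanges
        self.trained = trained
        self.can_reidentify = can_reidentify


def query_orders(principal: Principal, exchange: str, limit: int = MAX_ROWS_PER_QUERY) -> list:
    """Return order events for one exchange, scoped to the caller's own venues."""
    if not principal.trained:
        raise PermissionError(f"{principal.org}: CAT training not completed")
    if exchange not in principal.exchanges:
        raise PermissionError(f"{principal.org}: not authorized for {exchange}")
    if limit > MAX_ROWS_PER_QUERY:
        raise PermissionError(f"{principal.org}: bulk extraction of {limit} rows refused")
    return [o for o in ORDERS if o["exchange"] == exchange][:limit]


def resolve_customer(principal: Principal, cat_customer_id: str, case_id: str) -> dict:
    """Map a pseudonym back to a person; only privileged roles, only with a
    documented reason, and always logged."""
    if not principal.can_reidentify:
        raise PermissionError(f"{principal.org}: re-identification not permitted")
    if not case_id:
        raise ValueError("re-identification requires a case or matter ID")
    record = _IDENTITY[cat_customer_id]
    ACCESS_LOG.append({"org": principal.org, "token": cat_customer_id, "case_id": case_id})
    return record


def denied(fn, *args, **kwargs) -> bool:
    """True if the call is refused by the access policy (helper for checks)."""
    try:
        fn(*args, **kwargs)
    except PermissionError:
        return True
    return False


# Constructed principals: an exchange analyst and an SEC investigator.
NYSE_ANALYST = Principal("NYSE", {"XNYS"}, trained=True, can_reidentify=False)
SEC_INVESTIGATOR = Principal("SEC", {"XNYS", "XNAS"}, trained=True, can_reidentify=True)
UNTRAINED_ANALYST = Principal("NYSE", {"XNYS"}, trained=False, can_reidentify=False)

if __name__ == "__main__":
    print(query_orders(NYSE_ANALYST, "XNYS"))                 # two XNYS rows, pseudonyms only
    print(denied(query_orders, NYSE_ANALYST, "XNAS"))          # True: other venue is out of scope
    print(denied(query_orders, NYSE_ANALYST, "XNYS", 5000))    # True: over the bulk cap
    tok = customer_id("123-45-6789")
    print(resolve_customer(SEC_INVESTIGATOR, tok, "HO-0001")["name"])  # A. Investor, and logged
```

The deterministic token is what lets surveillance link one person’s orders across venues, which is the whole point of CAT, but it also means the token table and the repository key together are the crown jewels: pseudonymization reduces what an exchange-level user or a stolen order file exposes, it does not remove the need to guard the re-identification path with the same rigor as the raw PII.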

All that is bad enough. But what about the problem of cost? Enormous databases aren’t free. Back when CAT was dreamt up in 2010, it was projected that its implementation would cost $4 billion, and its annual ongoing cost would be about $2.1 billion. These are just estimates; actual costs have risen, as they tend to do, over the years. 

How to Solve the Problem

NCLA has carefully and convincingly laid out the purpose and design of the CAT program and has also gone into detail about its dangers. Surely, nearly everyone can understand that those dangers are very real and could wreak havoc on our financial sector and our personal finances as well. We all know people who’ve had their email accounts hacked, or their credit cards reissued because of a breach at their bank or card company. Worst of all, some have had their identities stolen. And that happens to ordinary people just living their lives. CAT, unlike real felines, will be prey for every apex predator out there, because it will hold the keys to our capital markets.

We have no solution to offer, but we do understand the risk of implementing a system that cannot be assured of being safe. NCLA, the ACLU, and every other institution or individual who’s sounded a warning has our appreciation. As Hester Peirce said in another of her statements on CAT: 

The dollars, distraction, dissension, and drain of endless meetings over the past several years of CAT implementation are reasons enough to reconsider the entire project; the risks to liberty and security posed by the project should compel us to do so.

We urge the SEC and the SROs to get it right before rushing to implementation, which is, as noted above, scheduled for the end of May 2024.