Why the SEC’s Consolidated Audit Trail Is a Bad Idea

FREE Simplisafe camera

The Securities and Exchange Commission beginning next year will require broker-dealers to report securities transactions to CAT NMS LLC, a Delaware-based limited-liability company jointly owned by broker-dealers on an equal basis.

This consolidated audit trail—or “CAT”—requirement invades investor privacy, creates a severe risk of data breaches, and will likely lead to more small firms leaving the financial services industry.

CAT National Market System is charged with implementing the Securities and Exchange Commission-mandated consolidated audit trail. All broker-dealers will be required to report all securities transactions to it by 2020.

The SEC, the Financial Industry Regulatory Authority, and 23 self-regulatory organizations will be able to access the consolidated audit trail database at will. It’s anticipated that there will be as many as 3,000 regulatory users.

On Sept. 13, the SEC published a proposed rule that would modify the implementation
deadlines
and impose higher costs on
broker-dealers if those deadlines are not met.

The consolidated
audit trail
will replace the currentelectronic blue sheet
system under which broker-dealers are required to report information requested by regulators.

While there are countless technical
issues that will need to be resolved to report and integrate this massive
information flow, three key concerns are privacy, liability for errors and data
breaches, and costs.

The consolidated
audit trail
database will become an incredibly
attractive target for hackers. It will include personally identifiable
information with respect to millions of people, including Social Security
numbers, date of birth, and brokerage account information.

The risks of identity theft and huge financial losses for ordinary Americans are quite high. As SEC Commissioner Hester Peirce put it in a recent opinion essay:

A more limited version of the program that looked only at the trades of large institutional investors would be almost as useful for reconstructing market events and would not violate the privacy interests of specific individuals.

The risk that a bus driver placing a trade for her daughter’s college fund will cause market turbulence is outweighed by the invasion of privacy and the attendant risk that cybercriminals will deplete the college education fund.

The SEC has not made the case that
imposing this very large risk on the American people is worth it.

It’s not clear who would be financially
liable for errors and data breaches. If the CAT NMS database is breached, the personally
identifiable information of millions of people will be able to be obtained by
hackers, and hundreds of millions of dollars may be lost by ordinary Americans.

From whom do they seek compensation? Certainly not the SEC. The agency can impose rules that lead to the losses but, as a government agency, it will not be held responsible. And CAT NMS is not a well-capitalized LLC. Will entirely blameless broker-dealers be forced to pay? Or will investors simply have to accept the loss of their life’s savings?

Over the 15-year period from 2004 to
2018, the number of broker-dealers has declined by 30 percent, from 5,187
to 3,607

This loss of small broker-dealers is caused by the relentless increase
in the regulatory burden on financial institutions.

A similar trend is occurring in
banking. Regulatory burdens do not increase in linear fashion with size. They
impose a disproportionate burden on small institutions.

The loss of small broker-dealers has an
adverse impact on entrepreneurs seeking to raise capital and on competition in
the financial industry. The consolidated
audit trail
adds considerably to the problem.

The SEC needs to put the consolidated audit trail on pause. It’s a poorly thought-out initiative. The SEC hasn’t demonstrated that it’s necessary or worth the risks entailed in its implementation.

The agency clearly hasn’t given adequate thought to protecting personally identifiable information or to liability issues, and it hasn’t seriously considered options involving more narrowly circumscribed reporting.

If the SEC will not do so, Congress
should.