The Securities and Exchange Commission (SEC) has made an exemption to the requirement for the Consolidated Audit Trail (CAT).
Specifically, it is exempting the requirement to report certain personally identifiable information (PII) – names, addresses, and years of birth – to the CAT for natural persons.
Names, addresses, and years of birth were originally required to be collected in the CAT to facilitate the generation of unique anonymized customer IDs and to help regulators identify the person(s) responsible for a trade.
Officials noted that bad actors have become increasingly sophisticated. In the event of a breach, they may be able to use the names, addresses, and years of birth to impersonate a customer or broker-dealer and gain access to a customer’s account. This exemption from the requirement to report this PII to the CAT will help mitigate potential security risks.
The SEC notes that the CAT still will be able to generate reliable and consistent anonymized customer IDs even if such PII is not reported to the CAT. It follows a directive in 2020, that exempted the reporting of some of the most sensitive PII, including social security numbers.
“Over 12 years ago, the CAT was designed with the goal of creating a modernized audit trail system to enable regulators to analyze and reconstruct market events,” SEC Acting Chairman Mark Uyeda said. “Today’s exemptive order eliminates the requirement to report names, addresses, and years of birth for any U.S. natural person who trades in the stock market and recognizes that such information is not necessary to achieve CAT’s objectives. Despite today’s action, bad actors and other miscreants who engage in insider trading, market manipulation, and other schemes should be forewarned that the Commission has more than sufficient investigative tools to hold them accountable.”
The move was applauded by SIFMA, the association for broker dealers.
“For a decade, SIFMA has expressed strong concerns on behalf of the industry and investors that the information in the CAT—the largest database of retail and institutional trading ever created—was a ripe target for cyber criminals and collecting PII put investors’ data at risk,” SIFMA CEO Kenneth E. Bentsen, Jr. said. “We have repeatedly called on the SEC to prohibit the collection of investors’ personal information and proposed alternatives that address the Commission’s enforcement concerns without the need to collect such data. This bold decision by the Commission is entirely appropriate and long overdue.”