Wiping Away the Fingerprints
The SEC has intentionally weakened the Consolidated Audit Trail
Summary: The SEC has decided to remove critical information from the Consolidated Audit Trail (CAT) which will weaken their primary market surveillance tool.
Why does this matter? Removal of this information will slow down the SEC’s surveillance capabilities and hamper their ability to identify market manipulators which can impact stock valuations.
Last week, the SEC issued an exemption from the “requirement to report certain personally identifiable information (PII) – names, addresses and years of birth – to the Consolidated Audit Trail for natural persons”. You might recall that in 2020, the SEC also issued an exemption that removed individual taxpayer identification numbers (ITIN), social security numbers (SSN), dates of birth, and account numbers from the CAT. They have now stripped away almost all customer information and will instead rely on a complicated and time-consuming CAT Customer ID system to track suspicious market behavior. This latest removal of data is even more concerning since it comes at a time when the SEC has only three commissioners and is pending the confirmation of its new Chairman.
Why is the SEC eliminating critical information from their primary surveillance tool?
After many years, multiple vendors, and an enormous cost, the SEC finally had a surveillance tool worthy of keeping an eye on today’s fragmented market. They built a tool which could catch bad guys doing bad things. However, certain industry participants felt that the CAT contained too much information. These industry participants, along with industry trade groups (SIFMA, ASA), friends in Congress and other assorted flunkies put pressure on the SEC to remove critical information under the guise that the data could be stolen if there was a cyber security breach. Surprisingly, even FINRA, the builder of the CAT, asked the SEC to remove this critical information. Last month, the President and CEO of FINRA wrote a blog post titled “CAT Should Be Modified to Cease Collecting Personal Information on Retail Investors” where he recommended stripping customer data from the system that his firm built.
What are the risks associated with removing this data and how will the SEC now identify market manipulators?
Without customer data in the CAT, the SEC will now have to go through a much more tedious process to identify suspicious behavior. In their exemption notice, the SEC acknowledged that this new process, which is known as a request-response system, is not ideal and would be more time-consuming. The SEC said:
“The Commission acknowledges that this Order will negatively impact regulatory efficiency....a request-response system would require regulators to contact broker-dealers to determine the names, addresses and years of birth for natural persons, which would take additional time and require manual intervention, thereby decreasing the efficiency of the CAT for regulators."
The FINRA blog post also recognized that removal of customer information from the CAT would be a step backwards since regulators would have to revert to relying on brokers to supply the information. FINRA’s CEO described the old surveillance method and how the SEC would now have to replicate that method since the customer data would be removed from the CAT:
"Before CAT, regulators used a different two-step process to determine the party responsible for potentially problematic trading activity. After detecting such activity from anonymized audit trail data, they would make tailored requests for investor-identifying information from the broker-dealer carrying the relevant account using an electronic system called “Blue Sheets” (which is still operational) or other investigatory tools. Under this “request and response” approach, regulators could ask for the specific information necessary for their investigation, and broker-dealers could respond with that specific information."
After being paid millions of dollars to build the CAT, FINRA is now recommending that regulators go back to doing things like they did before the CAT was implemented. This makes absolutely no sense.
Does anybody disagree with the SEC's decision?
One of the three current SEC commissioners, Caroline Crenshaw, vehemently disagreed with the SEC's decision and published this statement titled "Declawing the CAT" :
“The Consolidated Audit Trail (“CAT”) is a seminal example of how data collection can be used for good purpose. The CAT helps make our markets safer, more efficient, and can act as a powerful tool in ferreting out wrongdoing. Yet today, by eliminating critical data collection, we undermine its use and our own effectiveness. We are wiping away the fingerprints from the scene of the crime.”
“Unfortunately, today we eliminate the CAT’s collection of the most basic customer identifying information, thus impairing regulators’ ability to understand suspicious activity, unwind events, or stave off market disruptions. Today’s order itself acknowledges the negative impact this will have on regulatory efficiency but fails to grapple with the consequences of these diminished capabilities.”
The folks at Better Markets also strongly disagreed with the SEC and published this statement :
"Rather than putting the handcuffs on the lawbreakers, the SEC handcuffs itself when it weakens the CAT, as it just did by limiting the information that the CAT can collect. It’s as if lawbreakers were using the newest, fastest racing cars to get away from a crime scene and the SEC just deflated the tires and disabled the GPS in its chase car.”
Is this the final piece of data that will be removed from the CAT or will the SEC wipe even more fingerprints from their very expensive surveillance system?
Considering the amount of political capital that has been used so far to diminish the CAT, there may be plans to remove even more data from the CAT. The next data item that might be targeted for removal could be the Large Trader ID (LTID). The SEC’s Rule 13h-1 defines a large trader “as a person whose transactions in NMS securities equal or exceed 2 million shares or $20 million during any calendar day, or 20 million shares or $200 million during any calendar month”. Brokers that trade on behalf of these large traders are required to submit their LTID to the CAT thus giving the SEC a quick way to spot market manipulators. It’s possible that certain high frequency, proprietary traders would like their LTID removed from the CAT.
Final Thoughts
The SEC’s decision to weaken their primary equity market surveillance tool is very disappointing. All large databases have cyber security risks but most
organizations can take the appropriate measures to mitigate this risk. SEC Commissioner Crenshaw correctly stated, “We must weigh the law enforcement and regulatory benefits of the data collection against the potential costs.” If we can’t trust the SEC to keep the CAT’s data secure, then how can we trust that they can keep any data secure?
We didn’t hear many small investors complain about their data being collected by the data. Instead, we heard large brokers, industry trade groups and politicians complain about the information that was being collected. Is it possible that these groups are afraid of what the CAT may find?