Regulators assure industry CAT will not expose consumer data

Recent remarks by Securities and Exchange Commission chairman Jay Clayton regarding a market-surveillance system in the works seem to be allaying financial industry fears that it will collect investors’ personal information.

Last week, Mr. Clayton told a Securities Industry and Financial Markets Association conference the agency is working on a unique customer identification for the so-called Consolidated Audit Trail, which would compile data on all orders for U.S. exchange-listed and over-the-counter equities. He also said the SEC would work with the industry to reach an agreement on the data the system retrieves and how it would be compiled.

“There are solutions here,” Mr. Clayton said. “We’ll get to a responsible place on customer data as long as everybody remains constructive.”

An SEC spokesman elaborated on Mr. Clayton’s position in an email Monday: “Chairman Clayton’s comments highlight that to address concerns regarding consumer PII [personally identifiable information] and to minimize cyber-vulnerabilities, the SEC is supportive of an approach that no longer requires Social Security numbers to be maintained in the CAT repository.”

The Wall Street Journal first reported the development last week.

Christopher Iacovella, chief executive of the American Securities Association, argued in a March 14 comment letter to the Senate Banking Committee that CAT could expose investor data to online theft.

“I’m very happy to see that the SEC chair agrees that retail investor PII should not be collected by the CAT,” Mr. Iacovella said.

Mr. Iacovella said the ASA, which represents regional broker-dealers, supports a market-wide surveillance system to flag potential investor harm posed by certain securities transactions. But that system would jeopardize investor safety if it collected information such as their Social Security numbers.

“If that were to happen, the CAT would become the world’s biggest one-stop shop for cybercriminals,” he said.

CAT is similar to an idea pursued several years ago by the Financial Industry Regulatory Authority Inc. to use data analytics to target potential investor harm. The Comprehensive Automated Risk Data System was ultimately killed due to industry worries about the security of customer data.

“SIFMA appreciates the SEC’s focus on the development of CAT,” SIFMA managing director Ellen Greene said in a statement. “SIFMA has ongoing material concerns regarding CAT data security. Given increasing cyberrisk, we urge regulators to ensure the CAT is effective and secure.”

In late February, Finra was put in charge of creating CAT.

“The collection of PII is not imminent, so there is time to have this conversation,” Finra chief executive Robert Cook said at the SIFMA conference.