Forefront Communications

FinOps Report: SEC: CAT Reports Can Omit Some Customer Data

Causality Link

Alexandra Hamer

Alexandra Hamer

Two of our clients’ executives, n-Tier‘s Peter Gargone and STA‘s Jim Toees, comment on the SEC’s decision to allow CAT reports to omit some customer data.

Data management units at US broker-dealers and the Financial Industry Regulatory Authority (FINRA) will be creating bogus codes for ending trade execution reports required by the Consolidated Audit Trail (CAT) to conceal the identities of investors and mitigate potential damage from cybersecurity breaches.

The US Securities and Exchange Commission’s long-awaited decision earlier this month to protect investor data calls for replacing social security numbers with the CAT customer IDs (CCIDs) generated by FINRA. Brokers, in turn, will create dummy customer account ID numbers, known as FDIDs. The full dates of birth have been replaced with strictly the years of birth. The names and addresses of investors will remain, representing what the SEC considers to be information in the public domain.

The CAT, a single mega database storing all information on executed equities and options transactions on US exchange, is intended to help regulators detect illegal or manipulative trades far more quickly in the wake of the May 2010 flash crash whose cause tooks months to unravel. Although the SEC agreed to the creation of CAT back in 2012, its launch was marred by multiple delays with FINRA finally replacing Thesys Technologies as the CAT processor in February 2019. The processor is responsible for developing and operating CAT.

The FDIDs, or new 40 character-text ID numbers broker-dealers can use to identify customer accounts, won’t be that hard to create, according to data management experts. “FDID work has been part of firms’ CAT development for some time and for most firms is being integrated with their centralized account management and reference data systems,” says Peter Gargone, chief executive of n-Tier, a New York-based software firm focused on data management for regulatory reporting. The FDID is one of the required data elements of a new order and allocation event that must make its way onto the CAT report.

Although the SEC and industry players insist its decision to allow the use of “masked information” is unrelated to the coronavirus pandemic, the timing is eerily coincidental. Cybersecurity experts have recently warned that COVID-19 has given cybercriminals a greater opportunity for breaking into networks now that more employees are working remotely.

The Security Traders Association (STA), Financial Information Forum (FIF) and other industry groups such as the Securities Industry and Financial Markets Association advocated for the deletion of sensitive customer information even before the pandemic broke out. So did the CAT NMS Plan Operating Committee created by the exchanges to implement CAT back in October 2019. However, it wasn’t until March 17 that the SEC’s Chairman Jay Clayton publicly announced the changes to CAT’s customer data requirements.

“The cybersecurity concerns have been an ongoing issue and broker-dealers needed to have some relief from the possibility that cybersecurity breaches could expose sensitive customer information,” says Jim Toes, president of the STA, the New York-based trade group representing trading desks at broker-dealers and asset management shops. As part of addressing cybersecurity concerns, the SEC’s Clayton says the agency will also be looking into how access to customer and account information can be restricted and whether there are additional security measures that would enhance the security of the CAT data both inside and outside of the CAT system.

To read the full article, click here.

Leave a comment

Your email address will not be published. Required fields are marked *