The proposed limitation of liability provisions for the Consolidated Audit Trail (CAT) discourage CAT Participants (i.e. FINRA and the Exchange Groups) from advancing the security protection and design of CAT and CAT data. Although the immunity status of FINRA and stock exchanges as Self-Regulatory Organizations (SROs) may be broad, covering affirmative acts as well as omissions and failures to act, SROs do not enjoy complete immunity from suits. According to Weissman and Sparta Surgical Corp.’s court cases against National Association of Securities Dealers, FINRA and presumably all SROs remain subject to liability should claims arise as a result of private business or commercial conduct.
The SROs’ immunity from private civil actions applies ONLY when they are acting within their delegated authority. How courts apply a “functional test” to determine whether an SRO is entitled to immunity from the burdens of litigation or civil damage suits may be a point of controversy here. In the case of willful misconduct, gross negligence, bad faith or criminal acts related to CAT by SROs’ executives, staff or contractors, SROs should NEVER be immune, because these acts are not part of their arbitral and prosecutorial authority. That FINRA replaced Thesys Technologies (a private company) as the CAT processor indeed signifies that FINRA and CAT LLC are in effect conducting private business. We argue such commercial conduct must be subject to corresponding risks and civil claims in the case of liability.
We rebut the CAT operating committee, which cited the Charles River Associates’ Economic Analysis (CRAEA), on its estimates of “greater than $100 million damage or 95% percentile loss may misguide policy makers into falsely believing the risks may possibly be accepted when it should not” in our January 27, 2021 comments. The SEC’s proposed standard Limitation of Liability Provisions to the Reporter Agreement and Reporting Agent Agreement are inconsistent with the Exchange Act because security and privacy threats could escalate into National Security issues, which are outside the jurisdiction of the SEC. Given that, the attempt to transfer or allocate risks between CAT participants and industry members under the proposal gives us the impression or the following picture in our mind:
We are reminded of the temptation for function creep. The ‘defined purposes’ of accessing CAT should be much narrower than the broadly defined “regulatory purposes”. Using Internal Revenue Service (IRS) tax filing as an illustrative analogy, the IRS asks for income information, but would not ask for complete customer and supplier lists and detailed transactions unless the party is being summoned in court. Therefore, we argue that there should be no access to CAT for ‘market surveillance’ purposes prior to identifying symptoms of irregularity that are substantiated by data at Securities Information Processors/Competing Consolidators and/or analytical procedures at SROs/the SEC.
We are also concerned with the realism of various adverse scenarios, such as the Edward Snowden case where information from CIA systems got exposed to WikiLeaks. The CRAEA also neglected scenarios such as the 2015-2016 SWIFT banking hack, where hackers used stolen information of a foreign central bank to initiate the scam/scandal of theft at the Federal Reserve Bank of New York, or market chaos such as the GameStop phenomenon if it may allegedly involve foreign adversaries. We can go on and on with additional scenarios and potential exploitations. If CAT were to be exposed, it may potentially destabilize our capitalistic system and economy.
Neither the SEC nor the SROs have rights above the U.S. Constitution. Please be reminded that the Fourth Amendment, the right to be free of unwarranted search or seizure, is recognized by the Supreme Court as protecting a general right to privacy. No one wants his/her data to be used by regulator(s) to develop policies that potentially may discriminate against him/her. Suspicion of crime or anticipation of market turmoil should begin with some basis or require a ‘search warrant’ before the permissible collection or surveillance of information that would otherwise be considered private. Unlike the census, collection of non-public information and PII by CAT for all trade activities without express consent by the investors is an intrusion on one’s privacy. Stakeholders of CAT should NOT be placed above the law.
According to a recent National Security Commission on Artificial Intelligence Final Report, “The reach of tools that China, for instance, uses to monitor, control, and coerce its own citizens — big data analytics, surveillance, and propaganda — can be extended beyond its borders and directed at foreigners. Without adequate data protection, A.I. makes it harder for anyone to hide his or her financial situation, patterns of daily life, relationships, health, and even emotions. Personal and commercial vulnerabilities become national security weaknesses as adversaries map individuals, networks, and social fissures in society; predict responses to different stimuli; and model how best to manipulate behavior or cause harm. The rise and spread of these techniques represent a major counterintelligence challenge.”
This is America, not a communist country that performs massive government surveillance. To be consistent with §11A or any other provision of the Securities Exchange Act of 1934, we think the SEC has full authority, without worry of other U.S. regulatory authorities’ objection, to demand better Suspicious Activity Reports (SARs) from Broker-Dealers (BDs) and/or order improvements of BDs’ trade controls or fulfillment of certain compliance requirements. We also think the SEC has the right (without stepping on other agencies’ jurisdictions) to adopt the “A-Z” clauses that we suggested in Table 1 of our November 2020 comment letter as part of the minimum requirements for the CAT NMS Plan’s principle-based rules, rather than the Enhanced Data Security proposal, which makes specific reference to an outdated revision 4 of SP800-53 by the NIST [see prior article's endnote for an elaborated discussion]. However, the CAT NMS Plan in its current form or the application of the proposals may be in contradiction with the Department of Justice’s latest edition of the Privacy Act of 1974 and other applicable laws and new bills.
***
At Data Boiler, we see big to continuously boil down the essential improvements that fit for your purpose. Between my patented inventions and the wealth of experience of my partner, Peter Martyn, we are about finding rare but high-impact values in controversial matters, straight talk of control flaws, leading innovation and change, creation of viable paths toward sustainable development and economic growth.