Data are the foundation of advancement. They sit at the heart of innovation, technology, learning, community building, and so many other values crucial to our progress. Data can also be a critical tool in preventing fraud and wrongdoing.
But our data can also be deeply personal or subject to exploitation. That is why, when the government collects data, such collection must be done with due care and assurances that those who access our data are doing so with adequate guardrails and proper purpose. There must be processes and procedures followed to ensure responsible and appropriate use.[1] The fact that data are a powerful tool is not a reason to stop their collection altogether; rather, it is a reason to make use of data for significant and laudable goals—like protecting American business, investors, and the economy. We must weigh the law enforcement and regulatory benefits of the data collection against the potential costs.
The Consolidated Audit Trail (“CAT”) is a seminal example of how data collection can be used for good purpose. The CAT helps make our markets safer and more efficient, and can act as a powerful tool in ferreting out wrongdoing. Yet today, by eliminating critical data collection, we undermine its use and our own effectiveness. We are wiping away the fingerprints from the scene of the crime.
The agency adopted the CAT after the 2010 “Flash Crash” when U.S. markets collapsed and then partially rebounded in less than an hour.[2] The whiplash in prices undermined market confidence and caused significant investor losses.[3] It was clear following the crash that regulators, including this agency, were unprepared to respond to a market event of that magnitude. A complete regulatory response would have required a full and robust analysis of data we did not have.[4] It ultimately took the SEC nearly five months to determine the root causes of the crash,[5] and to this day, the Commission does not have a sense of who was harmed.
We must be more responsive than that. For quick and effective oversight in a crisis, regulators need access to a timely and comprehensive set of data—whether we are trying to figure out a major market event like the Flash Crash, investigate fraud, or identify suspicious foreign activity that may indicate market manipulation or infiltration. The CAT was designed to address outdated regulatory infrastructure by improving the completeness, accuracy, accessibility, and timeliness of data needed to support robust regulatory oversight.[6] And, in fact, it has.[7]
Unfortunately, today we eliminate the CAT’s collection of the most basic customer identifying information,[8] thus impairing regulators’ ability to understand suspicious activity, unwind events, or stave off market disruptions. Today’s order itself acknowledges the negative impact this will have on regulatory efficiency but fails to grapple with the consequences of these diminished capabilities. It leaves unanswered the most basic questions. For example, will it be more difficult for regulators to spot fraud? How much harder will it be to identify certain types of market manipulation? Will it be more difficult to identify and address concerns relating to certain foreign ownership? Will it be more difficult to identify and compensate the victims of swindlers? In times of market disruption and ongoing fraud or manipulation, loss of time means loss of money and loss in market confidence. There is no question that this decision is a loss for markets and investor protection.
[1] Given that protecting the security and confidentiality of Consolidated Audit Trail data has long been a priority of the Commission, there are safeguards in place to protect this information. For example, Rule 613(e)(4)(i)(A) requires policies and procedures to ensure the security and confidentiality of all information reported to the CAT’s central repository by requiring that the Participants and their employees agree to use appropriate safeguards to ensure the confidentiality of such data and agree not to use such data for any purpose other than surveillance and regulatory purposes. In addition, Rule 613(e)(4)(i)(B) requires the Participants adopt and enforce rules that require information barriers between regulatory staff and nonregulatory staff with regard to access and use of data in the central repository and permit only persons designated by plan sponsors to have access to the data in the central repository. Moreover, Rule 613(e)(4)(i)(C) requires that the Plan Processor develop and maintain a comprehensive information security program for the central repository, with dedicated staff, that is subject to regular reviews by the Chief Compliance Officer; have a mechanism to confirm the identity of all persons permitted to access the data; and maintain a record of all instances where such persons access the data.
[2] See Securities Exchange Act Release No. 67457 (July 18, 2012), 77 FR 45722 (Aug. 1, 2012) (“Rule 613 Adopting Release”). The Commission adopted Rule 613 to require self-regulatory organizations (“SROs”) to submit a national market system plan to create, implement, and maintain a consolidated order tracking system, or consolidated audit trail, with respect to the trading of NMS securities, that would capture customer and order event information for such securities, across all markets, from the time of order inception through routing, cancellation, modification, or execution (the “CAT Plan” or “Plan”). The SROs then developed and submitted the CAT Plan, and in 2016 the Commission voted unanimously on a bi-partisan basis to approve the Plan. See Securities Exchange Act Release No. 78318 (November 15, 2016), 81 FR 84696 (Nov. 23, 2016) (“CAT Plan Approval Order”); see also Final Commission Votes for Agency Proceeding, 03-Nov-16, Interim Final Temporary Rule Regarding the Consolidated Audit Trail, approved 3-0, available at https://www.sec.gov/about/commission-votes/annual/commission-votes-ap-2016.xml.
[3] See U.S. Commodity Futures Trading Commission and U.S. Securities and Exchange Commission, Preliminary Findings Regarding the Market Events of May 6, 2010, Report of the Staffs of the CFTC and SEC to the Joint Advisory Committee on Emerging Regulatory Issues (May 18, 2010) available at https://www.sec.gov/sec-cftc-prelimreport.pdf.
[4] See Rule 613 Adopting Release at 45732. Although the SROs and the Commission quickly implemented a single-stock circuit breaker pilot program as an initial response, a more complete regulatory response required a full and robust analysis of additional data. SEC staff had to cobble together data from disparate sources, such as exchange order books and different SRO audit trails. SEC staff encountered major problems that hindered their ability to figure out what happened during the Flash Crash, such as not being able to accurately sequence events across the multiple data sources or identify and eliminate duplicate orders. Moreover, SEC staff had to analyze the order books for thousands of equities, and even then, the reconstruction was not fully complete. Id. at 45733.
[5] Id. at 45733.
[6] See CAT Plan Approval Order at 84727 (stating that the Commission believes the CAT Plan will facilitate regulators’ access to more complete, accurate and timely audit trail data, and allow for more efficient and effective surveillance and analysis, which will better enable regulators to detect misconduct, reconstruct market events, and assess potential regulatory changes). “Completeness” refers to whether a data source represents all market activity of interest to regulators, and whether the data is sufficiently detailed to provide the information regulators require. “Accuracy” refers to whether the data about a particular order or trade is correct and reliable. “Accessibility” refers to how the data is stored, how practical it is to assemble, aggregate, and process the data, and whether all appropriate regulators could acquire the data they need. “Timeliness” refers to when the data is available to regulators and how long it would take to process before it could be used for regulatory analysis. See Rule 613 Adopting Release at 45727.
[7] See e.g., Press Release, SEC Charges Financial Services Professional and Associate in $47 Million Front-Running Scheme (Dec. 14, 2022) available at https://www.sec.gov/newsroom/press-releases/2022-228 (stating that SEC staff analyzed trading using the CAT database to uncover defendant’s allegedly fraudulent trading and to identify how he profited by repeatedly front-running large trades by the other defendant’s employer); see also SEC v. Lawrence Billimek, and Alan Williams, Case 1:22-cv-10542 (S.D.N.Y. filed Dec. 14, 2022), available at https://www.sec.gov/files/litigation/complaints/2022/comp-pr2022-228.pdf. In addition, information in the Gamestop report was also derived from staff review of data maintained in the CAT database. See Staff of the U.S. Securities and Exchange Commission, Staff Report on Equity and Options Market Structure Conditions in Early 2021 (Oct. 14, 2021) (colloquially known as the “Gamestop Report”) available at https://www.sec.gov/files/staff-report-equity-options-market-struction-conditions-early-2021.pdf.
[8] See Securities Exchange Act Release No. 34-102386 (Feb. 10, 2025). Specifically, the CAT will no longer collect, and broker-dealers will no longer report, name, address, and year of birth for natural persons with transformed social security numbers (“SSNs”), or individual taxpayer identification numbers (“ITINs”). The Commission previously took exemptive action to eliminate individual social security numbers from the CAT. See Securities Exchange Act Release No. 88393 (Mar. 17, 2020), 85 FR 16152 (Mar. 20, 2020). Accordingly, today’s exemptive relief represents yet another reduction in the data available to regulators, further undermining the effectiveness of CAT.