SEC Market-Surveillance Project Hits Snag Over Hacker Fears
Brokers cite concerns that they could face costly lawsuits if database is breached. SEC Market-Surveillance Project Hits Snag Over Hacker Fears
A project to create a massive market-surveillance database for U.S. financial regulators is encountering fresh resistance from Wall Street brokerages that fear it could be targeted by hackers seeking investors’ private information.
Some of the biggest U.S. brokerage firms are balking at a contract they must sign to connect their systems to the Consolidated Audit Trail, or CAT, ahead of a deadline just three months away. The brokers have cited concerns that they could be held liable if the database is breached, spurring costly lawsuits, people familiar with the matter said.
Firms that have raised concerns over the contract include Credit Suisse Group AG, Goldman Sachs Group Inc., JPMorgan Chase & Co., Morgan Stanley, TD Ameritrade Holding Corp. and UBS Group AG, these people said.
The CAT was conceived nearly a decade ago as a way to help the Securities and Exchange Commission investigate stock-market manipulation and episodes of anomalous trading like the May 6, 2010, “flash crash” that sent the Dow plummeting nearly 1,000 points.
Proponents say the CAT will help regulators make sense of complex U.S. financial markets, by putting data from disparate markets in one place and pinning down the time of each trade to the millisecond. Kara Stein, a former Democratic commissioner at the SEC, has called it a “Hubble Telescope” for the securities markets. When complete, it is expected to ingest more than 58 billion records a day to become the world’s largest repository of stock-trading data.
But the CAT has faced repeated delays and come under fire for potentially exposing Americans’ private financial information to hackers. Advocacy groups including the American Civil Liberties Union have blasted the project for plans to store the personal data, such as Social Security numbers and birth dates, of individuals behind stock trades.
“We are concerned that the CAT will pose significant risks to the privacy of millions of investors,” the ACLU wrote in a Dec. 16 letter to SEC Chairman Jay Clayton.
Among the concerns cited by the ACLU and other critics: An estimated 3,000 employees of regulatory agencies and exchanges are expected to have access to CAT data, potentially increasing the risk of an unauthorized download of sensitive information.
Mr. Clayton, a proponent of the CAT who has also criticized the way it has been implemented, has said he is willing to keep sensitive personal information out of the database. The SEC says it is considering an industry proposal to remove Social Security numbers, birth dates and taxpayer IDs from the database, and instead use ID tags that couldn’t be as easily traced to an individual’s identity.
“Chairman Clayton remains committed to moving CAT from concept to reality,” an SEC spokeswoman said in an emailed statement. “This requires addressing valid privacy issues.”
The CAT is overseen by a consortium of stock and options exchanges, including the New York Stock Exchange and Nasdaq Inc., as well as the Financial Industry Regulatory Authority, Wall Street’s self-regulator. The consortium created the contract that brokers must sign to connect to the database, called the CAT Reporter Agreement.
The contract, which is available online, limits the liability of the consortium to any broker making a claim against it to $500. Brokers worry this provision would leave them exposed to lawsuits if the CAT were hacked and they were sued by investors upset about the breach, according to the Securities Industry and Financial Markets Association, or Sifma, a Wall Street group representing brokers in negotiations over the contract.
Sifma “believes that such sweeping limitations on liability are inappropriate,” the group wrote in a Jan. 8 letter to the CAT consortium that was reviewed by The Wall Street Journal.
The dispute threatens to derail progress toward an April 20 deadline for large brokers to begin reporting data to the CAT. Of around 1,300 brokerages that need to sign the contract by then to start reporting data, about 650 have signed, a person close to the CAT consortium said.
In the Jan. 8 letter and other statements, Sifma has said it would be more appropriate for the consortium and its main contractor building the database, a unit of Finra, to face liability for a breach.
Sifma has also said the exchanges and Finra should waive the immunity that they enjoy as self-regulatory organizations when it comes to the risk of a CAT breach. As SROs—entities that have a government charter to regulate market activity—the exchanges and Finra are generally immune from lawsuits regulated to their regulatory role.
The SEC is aware of industry concerns over the CAT contract, the spokeswoman for the commission said. “We continue to work with the SROs and broker-dealers as we move toward broker-dealer CAT reporting in April,” she said.
A spokesman for the CAT consortium declined to comment on the dispute over the contract, but pointed to a Nov. 27 letter defending the contract from Sifma’s criticism. The CAT Reporter Agreement is “not substantively different” from similar contracts that brokers have signed to report data for regulatory reasons, the CAT consortium said in that letter, which was addressed to the SEC’s Mr. Clayton. The letter also said it was appropriate for management of the CAT to fall under the immunity principle that shields exchanges and Finra from lawsuits.
The CAT will start receiving data from brokers in April as planned, according to the consortium spokesman. “We expect large broker-dealers will begin reporting to the CAT by the April 20, 2020, deadline,” he said.
Your Questions And Comments Are Greatly Appreciated.
Monty H. & Carolyn A.