Trade group sues SEC to stop collection of retail investor data

A financial industry trade association is suing the Securities and Exchange Commission to stop the agency from collecting retail investor data for a comprehensive market surveillance system.

The American Securities Association, which represents regional financial services firms, said Monday it has filed a lawsuit in the U.S. Court of Appeals for the D.C. Circuit. The group is trying to prevent the SEC from gathering personally identifiable information to construct the Consolidated Audit Trail, known as CAT.

CAT was created by the SEC in 2012 in response to the so-called flash crash in 2010. The mechanism will capture data on customers and orders for exchange-listed equities and over-the-counter securities across all U.S. markets. The SEC says it will enhance the agency’s ability to detect and react to market problems that could harm investors.

In 2016, the agency approved the national market system plan governing the CAT, and it is set to be implemented in 2022.

But the system has run into resistance from critics who say that collecting the market trading data puts individual investors at risk if it includes personally identifiable information. The system, they assert, would become a treasure trove for cybercriminals.

That’s the argument ASA will make in court.

“The ASA supported the creation of the CAT to surveil the markets, but as we have said repeatedly, this can be accomplished without collecting the personal information of every mom and pop American investor and storing it in a one-stop-shop for cybercriminals who want to steal their identities,” Chris Iacovella, chief executive at ASA, said in a statement. 

In March, the SEC exempted the Financial Industry Regulatory Authority Inc. and other self-regulatory organizations that will run CAT from collecting Social Security numbers, birth dates and account numbers from individual investors for the CAT.

Instead, brokerages would be required to provide an account holder’s name, address and birth year for the surveillance system.

“Given the limitation of personally identifiable information to ‘phone book’-type information, I believe this represents an important step in significantly reducing the risk of retail investor identity theft associated with the CAT,” SEC Chairman Jay Clayton said in a March 17 statement. “This is a significant step toward standing up the CAT.”

But that adjustment didn’t satisfy ASA.

“We supported the SEC’s 2012 creation of the Consolidated Audit Trail database to keep track of institutional investors,” Iacovella wrote in a May 17 Wall Street Journal oped. “But collecting sensitive personal and financial information — including address, birth year and transaction data — from retail investors has always been a solution in search of a problem.”

In addition to filing the lawsuit, the ASA has launched a campaign to encourage investors to register opposition to the collection of their information for CAT.

The SEC declined to comment. On Friday, the SEC adopted amendments to the CAT market system plan designed to increase transparency and financial accountability.

Settlement reached on breach liability

The CAT lawsuit comes as another thorny problem related to the system seemed to be resolving.

Brokerages were reluctant to provide information for the CAT if they were going to be held liable for cybersecurity breaches. Last Wednesday, the Securities Industry and Financial Markets Association announced a settlement regarding the issue.

Under the agreement, the self-regulatory organizations removed language from the CAT Reporter Agreement that would have limited the SROs’ liability for any breach of the CAT data and agreed not to impose any limitation of liability without going through an SEC rule-making process.

“SIFMA’s guiding principle is ‘they who hold the data bear the liability,’ and it was inappropriate and unfair for the SROs to unilaterally impose limits on their liability when they alone hold and control the data inside the CAT, the largest data base to ever be constructed,” SIFMA Chief Executive Kenneth Bentsen Jr. said a statement.

A spokesman for CAT said the system will be able to accept data from brokerages on June 22.

“Although we removed the liability language, we will continue to address how best to resolve the underlying questions as to who should bear liability and how that would be funded in the unlikely event of a data breach,” CAT spokesman Armel Leslie said in a statement.   

Related Topics: American Securities Association, Consolidated Audit Trail, Financial Industry Regulatory Authority, Securities and Exchange Commission, Securities Industry And Financial Markets Association (SIFMA)