The American Securities Association (“ASA”), a financial industry trade association representing regional and small financial services companies, has sued the Securities and Exchange Commission (“SEC”) to prevent the SEC from using the Consolidated Audit Trail (the “CAT”) initiative to gather personal data of retail investors. ASA alleges that the by collecting the personal financial data of retail investors, it puts their identities and assets at risk of compromise.
The CAT was created and developed by the SEC after the so-called flash crash in 2010. It was designed to capture important financial data on both orders and customers for exchange-listed equities and over-the-counter securities across the U.S. marketplace. CAT was intended to enhance the SEC’s ability to detect and respond to market issues that could harm both institutional and retail investors, including insider trading. In 2016, the national market system plan governing the CAT was approved and is due to begin accumulating data on June 22, 2020. ASA recognizes that the CAT information is highly confidential, and so has filed suit, asserting that the data collection will put individual investors at risk of identity theft. Indeed, the CEO of ASA, Christopher Iacovella, in an editorial published in the Wall Street Journal on May 17, 2020, sees the CAT process as “a one-stop-shop for cybercriminals”.
The ASA had previously supported the implementation of the CAT, but had done so before it was clear that the CAT would include collecting the personal identifiable information of individual investors. Under the current CAT iteration, brokerages would be required to provide the account holder’s name, address and birth year. In a March 17 public statement , SEC Chairman Jay Clayton stated that “the limitation of personally identifiable information to ‘phone book’-type information” goes a long way in “reducing the risk of retail investor identity theft associated with the CAT”. In response to this, Mr. Iacovella of the ASA asserts that the SEC’s present course “has left us with a choice: expose our customers to identity theft or protect their right to privacy. We choose the latter”. Mr. Iacovella also noted that “the industry can’t abide a privacy threat to every U.S. investor. Saving and investing for retirement is hard enough. Americans shouldn’t also have to worry about cybercriminals from China and Russia”.
ASA points out that the SEC was hacked in 2016, but unaware of the hack until 2017. Further, ASA noted that SEC Chairman Jay Clayton has previously warned that “unauthorized access to the CAT’s central repository” could allow hackers to “potentially obtain, expose and profit from the trading activity and personally indentifiable information of investors”. ASA also revisited the 2014 warning of Former FBI Director James Comey: “There are two kinds of big companies in the United States. There are those who’ve been hacked by the Chinese and those who don’t know they’ve been hacked by the Chinese”.
ASA warns that the SEC is compelling brokerages “to send the data of every individual U.S. investor to an unsecure database”. In filing the action, they are taking the opportunity “to stand up for investors, to maintain trust and confidence in America’s equity markets, and to force the SEC to publicly defend this dangerous policy”. A complete copy of Mr. Iacovella’s editorial in the WSJ can be found here .