Blogs > Biz Law Blog

SEC Seeks to Increase the Security of the Data on the Consolidated Audit Trail National Market System

In 2005, the Securities and Exchange Commission (“SEC”) established the National Market System (“NMS”), governed by SEC Regulation NMS, “…to modernize and strengthen …[the trading system] for equity securities.” Its aim was to encourage competition both among the several trading markets and among individual orders, SEC Release No. 34-51808 (2005). What is not well known today, is that securities trading in the United States occurred on quite a number of local “stock exchanges” with sometimes the same security garnering far different buy and sell prices from one exchange to another. It was on May 17, 1792, that this all began, when 24 merchants in New York City signed an agreement under the shade of a Buttonwood Tree; that became the New York Stock Exchange (“NYSE”). Some merchants could not gain membership in the NYSE and continued to trade outside “on the curb.” That informal market was finally somewhat organized almost 100 years later in the 1880’s as the Curb Exchange, which changed its name in 1931 when it moved into a new building in lower Manhattan and became the American Stock Exchange.

SEC National Market System

In 1934, when the Securities Exchange Act of 1934 became law, securities exchanges existed around the country from Boston to Honolulu. Twenty-four of them registered with the SEC and another 19 received temporary exemptions from registration. One of the more interesting of these regional exchanges was the Cincinnati Stock Exchange, which first moved to Chicago and changed its name to the National Stock Exchange; and then, in 2011, it moved to Jersey City, where it was familiarly known as the “Black Box Exchange” for its all-electronic trading system. It has since been acquired by the Chicago Board Options Exchange (“Cboe”). In 1975, Congress passed the Securities Act Amendments, which, among other things, allowed the securities of companies not traded on an exchange (such as those traded “over-the-counter” in the “pink sheets”) to be treated essentially the same as exchange-listed securities. This eventually led the National Association of Securities Dealers (“NASD”), which supervised the “pink sheets,” to develop an electronic trading facility that became the NASD Automated Quotation System – or as we know it today, NASDAQ. The 1975 Amendments also authorized the SEC to “facilitate” a national market system. It took the Commission 30 years to accomplish that goal.

Under the National Market System, all trading is essentially shared on a real-time basis so that pricing anomalies among exchanges are close to eliminated. Unfortunately, on May 6, 2010, this national market system was subject to an unexpected and totally undesired collapse of securities prices known as the “Flash Crash,” when the Dow Jones Industrial Average fell over 900 points in the space of some 16 minutes. That collapse was not only unexpected, it was also almost devilishly difficult to analyze post hoc because the orders and the sales came in from all, or at least most, of the participating exchanges and there was little ability to trace backorders and sales. In the aftermath, Congress mandated that the SEC establish a system to gather that kind of information to empower the regulator to respond to market disruptions in the future. In 2015 the SEC requested that the Self Regulatory Organizations (“SRO”s) that own/operate the several exchanges propose a plan to allow a backward-looking audit of sales and buys across all exchanges. In that connection, the SEC in the words of its Chair Jay Clayton noted that the equity and option markets “…operate through multiple exchanges and other venues and the Consolidated Audit Trail (“CAT”) will facilitate cross-market oversight and analysis, thereby improving investor protection and market integrity.” Although something of a “footnote” to the development of CAT, subsequently, in 2020 an aggressive London “day trader,” Navinder Singh Sarao, was tried and convicted for having been one of the principle causes of the 2010 “Flash Crash” using an automated platform.

In November 2016, the SEC approved the CAT NMS Master Plan, as submitted by the exchanges and their respective participating members. That Master Plan looked to FINRA (the Financial Regulatory Authority, a split-off from NASDAQ focused on Market discipline and investor protection). The Plan called for Broker/Dealers (“B/D’s”) and, to some extent, Registered Investment Advisors (“RIA’s”) which engage in securities transactions, to report all transactions by November 2018. The participating market persons were both for CAT and against it –  due to the technical complexity (including the time required and cost of design and implementation), concerns about the privacy of customer data (especially concerning data on natural persons), AND fear that the CAT data could be accessed not only by competitors, but also by both private criminals and governmental players (think Russia, Iran, China, and North Korea). The SEC, having faced the continuing resistance of participants has multiple times (in 2018, 2019, and again now) sought to enhance the protection of information about the trading of stocks that were once only some $50 – $100/share, and now some $250 to $1000/share. The enduring question: Is the exchange where a transaction takes place accurately reporting the fair market price of the stock – RIGHT NOW? The CAT actually is a force to compel more thoughtful and inclusive data reporting, something of particular value in times of market volatility such as the gyrations that have occurred since the COVID-related shut down of the economy in March 2020.

Consolidated Audit Trail Amendments

The Commission, in its August 20, 2020, Release (Release 2020-189) has proposed amendments to the CAT NMS Plan that are intended to limit the scope of sensitive information required to be collected by CAT NMS and to increase the protections afforded by CAT NMS. Those amendments will do a number of things:

  1. Require the establishment of a permanent security working group composed of the CAT’s Chief Information Security Officer (“CISP”) and the chief information security officer or deputy of each participating SRO
  2. Define a Secured Analytical Workspace (“SAW”) for the CAT trading information, with the CISP in charge of designing and overseeing data access and downloading policies
  3. Each participating SRO must use only its SAW to analyze any customer and account data and be limited to minimal data needed for any particular surveillance or regulatory purpose
  4. Limits would apply to the number of records that can be downloaded by regulators (the SEC, FINRA, the participating SRO’s, federal law enforcement authorities, and, theoretically, state securities regulators) using an online targeted query tool
  5. Any extraction of CAT data must be logged in
  6. The amount of customer data required is reduced to eliminate the need to include social security numbers, taxpayer ID numbers, or account numbers for natural person customers, and to limit the data required to the year of a natural person customer’s birth as opposed to the birthdate
  7. All manual access to customer information must comply with “role-based access control” and be on a “need to know” demonstrable after the regulator has identified a customer for inquiry based on the regulator’s own efforts (i.e., something like a “reasonable basis” standard for regulatory scrutiny, so no random or continuing general surveillance)
  8. Any programmatic access to customer data requires specific SEC authorization obtained in advance of access
  9. All participating SRO’s must have  a standard written data confidentiality policy, identical for each SRO and approved by SEC, which policy would be published on the SRO’s website
  10. “Regulatory Staff” for each participating SRO is defined and only Regulatory Staff and certain IT staff can access CAT data, UNLESS that SRO’s Chief Regulatory Officer gives prior written approval for broader access for a particular identified purpose
  11. Access to CAT data for anything other than surveillance or regulatory purpose (i.e., for commercial purposes such as economic or market structure analyses) is forbidden
  12. Access to CAT data is permitted only in countries where CAT reporting or regulatory use is BOTH necessary AND expected
  13. All data centers housing CAT data MUST be physically located in the U.S.
  14. Any breach of the access restriction or otherwise involving CAT data security must be immediately reported to the CAT system operator, including corrective action, both to be taken and accomplished
  15. All data submissions including customer and account information must be accompanied by the Firm Designated ID assigned to the firm involved

Interested parties will have a period to comment on these proposed amendments after they are published both on and in the Federal Register – the SEC press release says 60 days following posting on the SEC website; the accompanying Fact Sheet says that the comment period will be 45 days after publication in the Federal Register. It is clear from the foregoing that the Commission has made a major effort to address security concerns related to CAT NMS. It is also clear that the SEC’s timelines for full implementation and effectiveness of CAT have been pushed out into the future. The target date of December 31, 2021, for full equity and option reporting by both large and small B/D’s and affected RIA’s will probably be delayed, and so too will the target date of July 11, 2022, for full customer and account reporting. Thus, there is NOT YET the ability to review fully the millions of transactions on the National Market System promptly in the case of manipulative or fraudulent activities, let alone to deal with the causes of disruptions like the “Flash Crash.” And this remains the case even in the face of ever-growing NMS activity and the continuing overhang of the COVID-19 pandemic.

If you have any questions about this or any other legal matter, please email me at For more topics related to COVID-19, visit our Coronavirus Thought Leadership Connection.

The information contained in this post may not reflect the most current developments, as the subject matter is extremely fluid and constantly changing. Please continue to monitor this site for ongoing developments. Readers are also cautioned against taking any action based on information contained herein without first seeking advice from professional legal counsel.