Data Protection in CAT Explained

The framers of the Consolidated Audit Trail (CAT) explained how Personally Identifiable Information (PII) will be protected.

The Senate Committee on Banking, Housing, and Urban Affairs held a hearing entitled “Oversight of the Status of the Consolidated Audit Trail.”

CAT “will track orders throughout their life cycle and identify the broker-dealers handling them, thus allowing regulators to more efficiently track activity in Eligible Securities throughout the U.S. markets,” according to its description on the CAT Plan website.

One recurring theme was the protection of PII.

“FINRA CAT understands concerns that continue to be raised about the inherent risk of handling CAT data, particularly PII. Even with the enhanced architectural and program controls required by the plan for PII—such as containing PII in its own separate system with restricted access—there may be policy questions for the SEC and SRO consortium to discuss about the costs and benefits of collecting and storing sensitive personal data,” said Judy McDonald, in her written testimony.

McDonald is the Chair of the CAT NMS Advisory Committee and one of three witnesses in the hearing.

Mike Crapo is a Republican Senator from the State of Idaho and he chairs the committee.

During his five-minute question-and-answer period, some of the complexities of protecting PII, namely people’s social security numbers and other personal information, came into focus.

“Given that the PII information will be excluded from the data will be excluded from collection, can the data that is collected be reverse engineered?” Crapo asked.

Michael Simon, the CAT NMS Plan Operating Committee Chair, answered first.

He said the person making the trade will be identified by what is referred to as the CCID, the CAT Customer ID.

“It’s important to note that broker/dealers will not be sending social security numbers to the CAT; the CAT will never receive or store them. Rather, we have a multi-step system in place that FINRA CAT will be building so that the broker/dealers will be dealing some hashing.”

The CCID, not an individual’s social security number, will be attached to the trade, Simon explained.

But Crapo did not seem impressed. He followed up by saying, “That (CCID) seems like it just begs for reverse engineering.”

Shelly Bohlin is the President & Chief Operating Officer of FINRA CAT LLC and the third person who testified.

She explained further how the system would work.

“The objective is to be able to identify a single customer trading across all broker/dealers,” Bohlin said of the reason CCID was created.

She further explained why reverse engineering is difficult: “The CCID is only known by CAT; it is not returned to the broker/dealer, no one outside of CAT will ever have access or know the CCID,” she said. “The customer account data is segregated from the transaction data. The CCID - while it will have associated with it customer information in the customer and account database - it is not available to the transaction data. Only the actual CCID, not knowing who it is, whether it is an institution or a natural person.”

FINRA, the Financial Industry Regulatory Authority, and other self-regulatory organizations have taken the lead in building the CAT, work that is ongoing.

CAT was originally proposed by the SEC in the aftermath of the flash crash which occurred almost ten years ago.