Data management units at US broker-dealers and the Financial Industry Regulatory Authority (FINRA) will be creating bogus codes for sending trade execution reports required by the Consolidated Audit Trail (CAT) to conceal the identities of investors and mitigate potential damage from cybersecurity breaches.
The US Securities and Exchange Commission’s long-awaited decision earlier this month to protect investor data calls for replacing social security numbers with the CAT customer IDs (CCIDs) generated by FINRA. Brokers, in turn, will create dummy customer account ID numbers, known as FDIDs. The full dates of birth have been replaced with strictly the years of birth. The names and addresses of investors will remain, representing what the SEC considers to be information in the public domain.
The CAT, a single mega database storing all information on executed equities and options transactions on US exchanges, is intended to help regulators detect illegal or manipulative trades far more quickly in the wake of the May 2010 flash crash whose cause took months to unravel. Although the SEC agreed to the creation of CAT back in 2012, its launch was marred by multiple delays with FINRA finally replacing Thesys Technologies as the CAT processor in February 2019. The processor is responsible for developing and operating CAT.
The FDIDs, or new 40-character text ID numbers broker-dealers can use to identify customer accounts, won’t be that hard to create, according to data management experts. “FDID work has been part of firms’ CAT development for some time and for most firms is being integrated with their centralized account management and reference data systems,” says Peter Gargone, chief executive of n-Tier, a New York-based software firm focused on data management for regulatory reporting. The FDID is one of the required data elements of a new order and allocation event that must make its way onto the CAT report.
The bigger challenge appears to be storing the FDIDs in other systems and protecting any other critical data. Several data management directors at East Coast-based broker-dealers tell FinOps Report they had been anticipating the change in data requirements and were already starting to do the work. “It’s really a no-brainer for most firms,” says one data management director. “The additional code will just need to be added as a line item to customer account databases.”
A separate two-step transformation process developed between FINRA and broker-dealers for the plan processor (aka FINRA) to generate the CCIDs will ensure that broker-dealers do not receive the CCIDs and that no one either receives or retains social security numbers or other individual taxpayer identification numbers. The CAT database will link the CCIDs to the FDIDs.
While praising the SEC’s decision to mitigate the potential for misuse of customer data by hackers, cybersecurity compliance consultants caution it should not be construed as the end game for broker-dealers. “Creating fake ID codes requires a broker-dealer to develop a table that maps out the fake IDs,” explains Joanna Fields, managing principal of Aplomb Strategies, a New York-based regulatory compliance consultancy focused on cybersecurity. “If the data and table are stored in a cloud hosted by a third-party provider, the broker-dealer needs to understand its own responsibilities for securing certain aspects of the data based on its service-level agreements.” Her concern: not every broker is equipped to take on the job.
Although the SEC and industry players insist the agency’s decision to allow the use of “masked information” is unrelated to the coronavirus pandemic, the timing is eerily coincidental. Cybersecurity experts have recently warned that COVID-19 has given cybercriminals a greater opportunity for breaking into networks now that more employees are working remotely.
The Security Traders Association (STA), Financial Information Forum (FIF) and other industry groups such as the Securities Industry and Financial Markets Association advocated for the deletion of sensitive customer information even before the pandemic broke out. So did the CAT NMS Plan Operating Committee created by the exchanges to implement CAT back in October 2019. However, it wasn’t until March 17 that the SEC’s Chairman Jay Clayton publicly announced the changes to CAT’s customer data requirements.
“The cybersecurity concerns have been an ongoing issue and broker-dealers needed to have some relief from the possibility that cybersecurity breaches could expose sensitive customer information,” says Jim Toes, president of the STA, the New York-based trade group representing trading desks at broker-dealers and asset management shops. As part of addressing cybersecurity concerns, the SEC’s Clayton says the agency will also be looking into how access to customer and account information can be restricted and whether there are additional security measures that would enhance the security of the CAT data both inside and outside of the CAT system.
The SEC’s announcement of the change in customer information requirements on March 17 was overshadowed by its release of a no-action letter the previous day saying it would temporarily postpone any enforcement action against CAT’s plan participants for failing to ensure broker-dealers meet the CAT milestone dates. The exchanges and FINRA, in turn, provided broker-dealers with assurances that they would not seek enforcement action against them for any reporting delays which can be far longer for equities than options. Transactions in equities can now be reported on May 20 instead of April 20. The timetable for reporting transactions in options has also been switched to May 20. That’s two days after the original May 18 deadline. Data on underlying customers won’t be due until next year.
“The SEC recognized that market volatility combined with setting up remote workplaces would be challenging for broker-dealers,” says Christopher Bok, director of FIF, a New York trade group focused on regulatory compliance and market data management. “Delaying the first phase of CAT allows broker-dealers to also focus on other pressing issues.” Yet another benefit of the delay, says Gargone: “Broker-dealers can use the time to reduce the potential for errors which, in turn, will reduce the potential for fines from FINRA.” Broker-dealer IT and compliance managers are naturally hoping that the SEC will also postpone enforcing the subsequent phases of CAT’s roll-out.
While most of the attention about the SEC’s recent actions has focused on the delay in CAT reporting, IT managers sound just as relieved that the risk of theft of customer data has been somewhat mitigated. “At this point we don’t care about why the SEC finally decided to address the problem,” quips one IT manager at an East Coast brokerage. “We are happy the SEC finally listened.”