Consolidated Audit Trail Concept Release Elicits Strong Industry Support

SIFMA and the ASA are among the organizations urging Congress and the SEC to protect investors’ personally identifiable information.



Investment and trading industry groups in recent weeks have supported the Security and Exchange Commission’s proposed overhaul of the Consolidated Audit Trail, the database the SEC uses to track all trading activity in U.S. markets for listed equities and options.

Since the SEC’s April 16  concept release  soliciting public comment on its proposal, organizations such as the Securities Industry and Financial Markets Association and the American Securities Association have expressed support for the proposed restructuring of the current CAT funding model and operation, protections against the CAT’s collection of personally identifiable information, and destruction of the information the CAT has already collected.

The SEC’s concept release sought input on topics including the “cybersecurity and data privacy” of the CAT and related data sources, as well as “the appropriate balance between privacy and confidentiality considerations, civil liberties protections and regulatory need,” according to a statement from the SEC. The comment period closed on June 22, according to the Federal Register, and yielded 243 comments, including submissions from additional industry groups and stakeholders such as the Security Traders Association, the Health Markets Association, FINRA, Nasdaq and Cboe.

The SEC may now review the feedback and choose whether to advance with the overhaul through formal rulemaking.

SIFMA Urges Direct Control of the CAT

SIFMA’s letter to the SEC, written by SIFMA President and CEO Keith Bentsen, recommended the SEC eliminate the current CAT funding model, which relies on contributions from industry members and investors, and assume sole responsibility for CAT costs. Bentsen suggested the SEC include the amount necessary to fully fund the CAT in its annual budget request to Congress.

Never miss a story — sign up for CIO newsletters to stay up-to-date on the latest institutional investment industry news.

Once it controls CAT funding, the “SEC should eliminate the CAT [National Market System] Plan,” the letter stated. The NMS Plan, created by Rule 613 of the Securities Exchange Act of 1934, is the requirement that self-regulatory organizations submit to the SEC a plan to create, implement and maintain the CAT in a way that allows regulators to more efficiently and accurately track all activity in U.S. equity and options markets. Under Rule 613, national securities exchanges and national securities associations are required to adopt rules requiring their members to comply with Rule 613 and the CAT NMS Plan, and to agree to enforce compliance by their members, according to FINRA.

The NMS plan currently “excludes industry members from any direct role in CAT operations even though they pay 80% or more of the costs—and directly operate the CAT,” SIFMA’s letter stated.

The letter also called for the SEC to eliminate electronic blue sheets—data files that contain both trading activity and account-holder information—for equities and listed options. Instead, the SEC should implement a “secure, centralized request-response system” that would enable regulators to identify accounts associated with trading activity that is flagged for additional review in the CAT.

Bentsen also urged the SEC to revisit its 2020 CAT security data proposal and implement several of the data security best practices it included. The letter suggested this would ensure that regulators using the CAT transactional database do so in a way consistent with the “highest and most current data security standards.”

ASA Backs Legislative Push to Protect PII

In a letter to House Committee on Financial Services leadership, American Securities Association President and CEO Christopher Iacovella expressed the ASA’s support for a pending bill that would prohibit the SEC from requiring that personally identifiable information be collected under CAT reporting requirements.

The Protecting Investors’ Personally Identifiable Information Act was introduced in February 2025 by Representative Barry Loudermilk, R-Georgia, and co-sponsored by Troy Downing, R-Montana; Bill Huizenga, R-Michigan; Daniel Meuser, R-Pennsylvania; Zachary Nunn, R-Iowa; and Ann Wagner, R-Missouri. The legislation advanced from the Financial Services Committee on June 30 and may now receive consideration from the full House of Representatives.

“The CAT’s collection of Americans’ personal and financial information has enabled the largest surveillance scheme ever assembled by the federal government—one that poses unconscionable risks to the privacy, security and finances of millions of investors,” the ASA’s letter stated. “Tracking Americans through the stock market without any evidence of wrongdoing violates the 4th Amendment and exposes them to cybersecurity risks that far outweigh any regulatory benefit.”

The letter later referred to the CAT as an “Orwellian registry” that “betrays” the SEC’s mission to protect American investors.

ASA Asks SEC to Destroy Personal Data

Iacovella, again on behalf of the ASA, on June 22 filed comments directly with the SEC in response to the regulator’s concept release. Those comments urged the SEC to permanently eliminate the collection of “Customer and Account Information Data,” abandon the “Customer and Account Identifier” and destroy all personal data already collected.

The CAT’s stated objectives of improved market surveillance, event reconstruction and market analysis do not require CCID or CAIS, the ASA’s letter stated. Rather, Iacovella suggested, the goals of the CAT can be achieved using order-level data tied to firm-side account identifiers, without collecting any investor’s name, address, date of birth, Social Security number of other personally identifiable information. The letter also noted that broker/dealers already maintain account-level records and can quickly respond to targeted regulatory inquiries, making a government-generated tracking identifier unnecessary for any regulatory purpose.

The ASA’s letter also raised several legal concerns, including that the CAT’s data collection and CCID violate the 4th Amendment’s protection against unreasonable searches, exceed the SEC’s statutory authority and raise nondelegation concerns.

The letter also highlighted an increasing cybersecurity threat posed by the CAT, pointing to known breaches in 2024 of the Department of Treasury and major U.S. communication companies by Chinese state-sponsored hackers. The ASA warned that the CAT represents the single most valuable target for foreign adversaries seeking to compromise American investors’ financial data.

The letter concluded by calling on the SEC to assess the CAT’s legality, perform a full financial audit of its costs, and move the system onto the SEC’s own budget from the budget of the self-regulatory organizations before approving any new funding model.

The concept release referenced the SEC’s 2026 Funding Model Order for the CAT, which includes a sunset provision for the current CAT fee collection process, stating “it would be premature to adopt a permanent funding model while engaged in a comprehensive review.”

The ASA stated that “the concept release … the [SEC’s] best opportunity in years to correct the CAT’s fundamental design flaws, and ASA urges the Commission to seize it. ASA has warned of these dangers for years, and every warning has only grown more urgent.”

Tags: , , , , , , ,

«