thefederalregister.org Federal Register Research Archive

Document

Order Granting Exemptive Relief, Pursuant to Section 36(a)(1) and Rule 608(e) of the Securities Exchange Act of 1934, From Certain Provisions of Section 6.4(d)(ii)(C) and Appendix D, Sections 9.1, 9.2 and 9.4 of the National Market System Plan Governing the Consolidated Audit Trail

Securities and Exchange Commission [Release No. 34-102386; File No. 4-698] February 10, 2025. I. Introduction On July 18, 2012, the Securities and Exchange Commission (the "Comm...

PDF versionSource Record
Securities and Exchange Commission
  1. [Release No. 34-102386; File No. 4-698]
February 10, 2025.

I. Introduction

On July 18, 2012, the Securities and Exchange Commission (the “Commission” or the “SEC”) adopted Rule 613 of Regulation NMS, which required national securities exchanges and national securities associations (the “Participants”) [1] to jointly develop and submit to the Commission a national market system plan to create, implement, and maintain a consolidated audit trail (the “CAT”).[2] The goal of Rule 613 was to create a modernized audit trail system that would provide regulators with timely access to a comprehensive set of trading data, thus enabling regulators to more efficiently and effectively analyze and reconstruct market events, monitor market behavior, conduct market analysis to support regulatory decisions, and perform surveillance, investigation, and enforcement activities. On November 15, 2016, the Commission approved the national market system plan required by Rule 613 (the “CAT NMS Plan”).[3]

On March 20, 2020, the Commission granted exemptive relief from the requirement to report certain customer identifying information (individual tax payer identification numbers (“ITINs”)/social security numbers (“SSNs”), dates of birth, and account numbers) conditioned on the implementation of an alternative method of generating unique customer identifiers through transformed SSNs.[4] The creation of ( printed page 9643) CCIDs [5] using the transformed SSNs/ITINs has since proven to be an effective means of uniquely and consistently identifying customers. And balancing the various considerations, the benefits of continuing to collect the names, addresses, and years of birth of natural persons with SSNs/ITINs no longer justify the associated risks. Accordingly, the Commission grants exemptive relief from certain sections of the CAT NMS Plan relating to the reporting of names, addresses, and years of birth of natural persons reported with transformed SSNs or ITINs. Consistent with the PII Exemption Order, the Participants must continue to require Industry Members, through their CAT Compliance Rules,[6] to report to the Central Repository other required information, including a transformed value for the SSN/ITIN and the Firm Designated ID (“FDID”) for accounts for such natural persons.

II. Background

A. Customer Information Approach

The CAT NMS Plan originally adopted the “Customer Information Approach.” [7] The Customer Information Approach requires each Industry Member to assign a unique FDID to each customer account.[8] Under the CAT NMS Plan, a FDID is a unique and persistent identifier for each trading account designated by Industry Members for purposes of providing data to the Central Repository.[9] According to the CAT NMS Plan, Industry Members must submit an initial set of Customer [10] information to the Central Repository, including, as applicable, the FDID, the Customer's name, address, date of birth, ITIN/SSN, individual's role in the account ( e.g., primary holder, joint holder, guardian, trustee, person with power of attorney) and Legal Entity Identifier (“LEI”), and/or Large Trader ID (“LTID”), if applicable, which would be updated as set forth in the CAT NMS Plan.[11]

Under the CAT NMS Plan, for each new order submitted to the CAT Central Repository, broker-dealers are required to report the FDID for such new order, and the Plan Processor [12] must associate specific Customers and their Customer-IDs with individual order events based on the reported FDIDs.[13] Within the Central Repository, each Customer would be uniquely identified by identifiers or a combination of identifiers such as an ITIN/SSN, date of birth, and, as applicable, LEI and LTID.[14] The Plan Processor is required to use these unique identifiers to map orders to specific Customers across all broker-dealers.[15]

Appendix C provides additional requirements that the Plan Processor must meet under the Customer Information Approach.[16] Among other things, the Plan Processor must maintain information of sufficient detail to uniquely and consistently identify each Customer across all CAT Reporters, and associated accounts from each CAT Reporter, and must document and publish, with the approval of the Operating Committee, the minimum list of attributes to be captured to maintain this association.[17] In addition, the Plan Processor must maintain valid Customer and Customer Account Information [18] for each trading day and provide a method for Participants and the Commission to easily obtain historical changes to that information ( e.g., name changes, address changes).[19]

B. PII Exemption Order

In light of the concerns raised by market participants, industry representatives and the Participants [20] about the importance of only requiring the necessary Customer Identifying Information [21] and Customer Account Information sufficient to achieve regulatory objectives, the Commission granted exemptive relief [22] to, among other things, permit the Participants to no longer mandate Industry Members to report SSN(s)/ITIN(s), dates of birth and account numbers for natural person Customers, provided that Industry Members report the year of birth for natural person Customers to the CAT.[23]

The PII Exemption Order also permitted the Participants to implement the CCID Alternative.[24] Under the CCID Alternative, the Plan Processor generates a unique CCID using a two-phase transformation process that avoids having SSNs/ITINs reported to or stored in the CAT.[25] In the first transformation phase, a CAT Reporter  [26] ( printed page 9644) transforms the SSN/ITIN into an interim transformed value.[27] This transformed value, and not the SSN/ITIN, is submitted to a separate system within the CAT (“CCID Subsystem”).[28] The transformed value is sent to the CAT “separate and apart from the other customer and account information.” [29] The CCID Subsystem then performs a second transformation to create the globally unique CCID for each Customer that is unknown to, and not shared with, the original CAT Reporter.[30] The CCID is then sent to the customer and account information system (“CAIS”) of the CAT, where it is linked with the other customer and account information.[31] The CCID may then be used by the Participants' regulatory staff and the SEC in queries and analysis of CAT Data.[32]

III. Discussion and Exemptive Relief

Under the PII Exemption Order, the Commission issued relief that exempts the Participants from collecting or retaining an individual's SSN or ITIN—“the most sensitive piece of PII” [33] —as well as date of birth and account numbers. When granting the relief, the Commission stated that it believed that limiting the amount of personally identifiable information (“PII”) to the type of information that could be found in a phone-book would still allow regulators to efficiently identify those who are using trading accounts to perform illegal activity. Since the issuance of the PII Exemption Order, market participants, industry representatives and members of Congress have continued to express concerns about the PII collected by the CAT.[34] Given the increasing sophistication of bad actors, including the risk that a “cybercriminal with knowledge of a person's name, address, and recent trades could impersonate a customer or broker-dealer and gain access to a customer's account,” [35] the Commission is committed to ensuring that it continues to strike an appropriate balance between the ability of regulators to efficiently identify market participants engaged in illegal trading activity and mitigating the risk of breaches to individual investors' PII in the CAT.

The Commission recognized the risks associated with a security breach when it acknowledged, in the CAT NMS Plan Approval Order, that “because some of the CAT Data stored in the Central Repository will contain PII such as names, [and] addresses . . . a security breach could raise the possibility of identity theft. . .” [36] When the Commission approved the CAT NMS Plan, the Commission stated that it believed “certain provisions of Rule 613 and the CAT NMS Plan appear reasonably designed to mitigate these risks.” [37] The provisions designed to mitigate the risks of a security breach of PII data included the governance provisions of the CAT NMS Plan,[38] specific provisions designed to ensure the security and encryption of data being transmitted to and extracted from the CAT,[39] provisions requiring that “the Participants establish, maintain, and enforce written policies and procedures reasonably designed to (1) ensure the confidentiality of the CAT Data obtained from the Central Repository; and (2) limit the use of the CAT Data obtained from the Central Repository solely for surveillance and regulatory purposes,” [40] and provisions requiring regulators to mask PII data to all except authorized users who must obtain permission and complete additional authentications to view the data.[41] Further, the Commission required that PII data be stored separately from transaction data.[42] The Commission recognizes that “the most secure approach to addressing any piece of sensitive retail [data] would be to eliminate its collection altogether.” [43] These concerns should be balanced against the regulatory benefits of having customer information readily available in order to allow regulators to promptly and efficiently investigate potential misconduct.[44]

As the Commission has recognized, customer name, address, and birth year are important CAT data points for regulators.[45] But the Commission now weighs the benefits of maintaining some of that information in the CAT differently in light of both the heightened security risks posed by the increased sophistication of bad actors and the prospect of relatively efficient indirect access to customer information. The Commission recognizes the risks identified by market participants, industry representatives and members of Congress as described above.[46] Indeed, when the Commission adopted amendments to Regulation S-P, the Commission acknowledged the increased sophistication of cybercriminals and bad actors.[47]

In light of these risks and the increasing sophistication of cybercriminals and bad actors, it is appropriate to grant this exemption so that the CAT no longer would be required to collect names, addresses and years of birth for natural persons with transformed SSNs or ITINs. The Commission's decision to grant this exemption takes into account the trade-off between the protection of individual investors' PII and regulatory efficiency, achieved by exempting additional PII from the CAT. Specifically, the regulatory benefit of collecting the ( printed page 9645) names, addresses and years of birth for natural persons reported with transformed SSNs no longer justifies the associated risks. Even if the CAT no longer collects the names, addresses and years of birth for these individuals, broker-dealers would still be required to transform SSNs into interim values and report those transformed values to the CCID Subsystem for each order, such that the system of generating reliable CCIDs will not be impacted.[48] If a regulator needs to determine the identity of the individual behind a particular CCID, the regulator would be able to use one or more of the FDIDs associated with the CCID and contact the broker-dealer(s) who reported the FDID(s) and request the name, address and/or year of birth for the individual Customer.[49] Given the increased technological advancements over the past few years, the Commission believes that it is reasonable to expect that the process for requesting names, and/or years of birth from broker-dealers will be more efficient than it would have been a few years ago.

The Commission acknowledges that this Order will negatively impact regulatory efficiency. Specifically, because broker-dealers are currently required to report the names, addresses and years of birth of natural persons, regulators are able to identify the individuals responsible for orders or trades by querying a CCID in the CAT. In contrast, a request-response system [50] would require regulators to contact broker-dealers to determine the names, addresses and years of birth for natural persons, which would take additional time and require manual intervention, thereby decreasing the efficiency of the CAT for regulators.[51] A request-response system could also decrease the efficiency of the CAT for broker-dealers, who would have to respond to regulator requests for the names, addresses and years of birth for natural persons. The Participants and the Commission will, however, continue to have indirect access to such information. Broker-dealers are already required to collect, among other things, the name, address, full date of birth of their customer account owners under existing books and records requirements,[52] as well as collect and periodically update the account's investment objectives. The broker-dealers must verify this information with their customers at least every 36 months and must provide books and records information to the Commission upon request. And regulators and broker-dealers should be able to develop processes or mechanisms that will minimize the impact of a request-response system, if such a system is created.[53] For example, technological advances such as more efficient computing and networking, could result in the development of an automated or partially automated system for requesting information from broker-dealers and for responding to regulator requests for information held by broker-dealers.

Section 36(a)(1) of the Exchange Act grants the Commission the authority, with certain limitations, to “conditionally or unconditionally exempt any person, security, or transaction . . . from any provision or provisions of [the Exchange Act] or of any rule or regulation thereunder, to the extent that such exemption is necessary or appropriate in the public interest, and is consistent with the protection of investors.” [54] Rule 608(e) of Regulation NMS similarly grants the Commission the authority to “exempt from [Rule 608], either unconditionally or on specified terms and conditions, any self-regulatory organization, member thereof, or specified security, if the Commission determines that such exemption is consistent with the public interest, the protection of investors, the maintenance of fair and orderly markets and the removal of impediments to, and perfection of the mechanisms of, a national market system.” [55]

The Commission grants exemptive relief from the following sections of the CAT NMS Plan as set forth below:

  • Section 6.4(d)(ii)(C) of the CAT NMS Plan to the extent it requires Industry Members, through the Participant CAT Compliance Rules, to report to the Central Repository for the original receipt or origination of an order, the names, addresses and years of birth of natural persons reported with transformed SSNs or ITINs. Consistent with the PII Exemption Order, the Participants must continue to require Industry Members, through their CAT Compliance Rules, to report all other required information to the Central Repository, including a transformed value for the SSN/ITIN and the FDID for accounts for such natural persons.
  • Section 9.1 of Appendix D to the extent it requires the CAT to capture the Customer Account Information attributes of current name, current address, previous name, previous address and year of birth of natural persons reported with transformed SSNs or ITINs. Section 9.1 of Appendix D also requires the Plan Processor to maintain valid Customer and Customer Account Information for each trading day. Consistent with the PII Exemption Order, the Participants must continue to require the Industry Members to report all other required information to the Central Repository, including a transformed value for the SSN/ITIN and the FDID for accounts of natural persons.
  • Section 9.4 of Appendix D to the extent the error resolution requirements apply to names, addresses and years of ( printed page 9646) birth of natural persons reported with transformed SSNs or ITINs.[56]

The exemptive relief pursuant to Section 36(a)(1) of the Exchange Act as set forth in this Order is appropriate and in the public interest, the protection of investors, and additionally that, pursuant to Rule 608(e), such relief is consistent with the public interest, the protection of investors, the maintenance of fair and orderly markets and the removal of impediments to, and perfection of the mechanisms of, a national market system. The exemption permitting the elimination of the requirement to report names, addresses and years of birth of natural persons reported with transformed SSNs or ITINs to the CAT minimizes the risk that bad actors will be able to associate individuals with their order and trade information. If there is a regulatory need to ascertain the names, addresses and years of birth of such individuals behind particular orders or trades, regulators will be able to request such information from Industry Members who have long been required to collect such information under Section 17 of the Exchange Act.[57] This exemptive relief supplements the existing relief relating to SSNs, dates (but not year) of birth, and account numbers for individuals provided under the PII Exemptive Order.

Accordingly, it is hereby ordered, pursuant to Section 36(a)(1) of the Exchange Act and Rule 608(e) of the Exchange Act,[58] that the Commission grants the exemptive relief, as set forth in this Order, from Section 6.4(d)(ii)(C) and Appendix D, Sections 9.1, 9.2 and 9.4 of the CAT NMS Plan.

By the Commission.

Sherry R. Haywood,

Assistant Secretary.

Footnotes

1.  The Participants include BOX Exchange LLC, Cboe BYX Exchange, Inc., Cboe BZX Exchange, Inc., Cboe C2 Exchange, Inc., Cboe EDGA Exchange, Inc., Cboe EDGX Exchange, Inc., Cboe Exchange, Inc., Financial Industry Regulatory Authority, Inc., Investors' Exchange LLC, Long-Term Stock Exchange, Inc., MEMX LLC, Miami International Securities Exchange LLC, MIAX Emerald, LLC, MIAX PEARL, LLC, MIAX Sapphire, LLC, Nasdaq BX, Inc., Nasdaq GEMX, LLC, Nasdaq ISE, LLC, Nasdaq MRX, LLC, Nasdaq PHLX LLC, The Nasdaq Stock Market LLC, New York Stock Exchange LLC, NYSE American LLC, NYSE Arca, Inc., NYSE Chicago, Inc., and NYSE National, Inc.

Back to Citation

2.   See Securities Exchange Act Release No. 67457 (July 18, 2012), 77 FR 45722 (Aug. 1, 2012) (“Rule 613 Adopting Release”); 17 CFR 242.613.

Back to Citation

3.  The CAT NMS Plan is a national market system plan approved by the Commission pursuant to Section 11A of the Securities Exchange Act of 1934 (“Exchange Act”) and the rules and regulations thereunder. See Securities Exchange Act Release No. 79318 (Nov. 15, 2016), 81 FR 84696 (Nov. 23, 2016) (“CAT NMS Plan Approval Order”). The CAT NMS Plan is Exhibit A to the CAT NMS Plan Approval Order. See CAT NMS Plan Approval Order, 81 FR at 84943-85034. The CAT NMS Plan functions as the limited liability company agreement of the jointly owned limited liability company formed under Delaware state law through which the Participants conduct the activities of the CAT (“Company”). Each Participant is a member of the Company and jointly owns the Company on an equal basis. The Participants submitted to the Commission a proposed amendment to the CAT NMS Plan on August 29, 2019, which they designated as effective on filing. On August 29, 2019, the Participants replaced the CAT NMS Plan in its entirety with the limited liability company agreement of a new limited liability company, CAT LLC, which became the Company. See Securities Exchange Act Release No. 87149 (Sept. 27, 2019), 84 FR 52905 (Oct. 3, 2019). The latest version of the CAT NMS Plan is available at https://catnmsplan.com/​about-cat/​cat-nms-plan. Unless otherwise defined herein, capitalized terms used herein are defined as set forth in the CAT NMS Plan.

Back to Citation

4.   See Securities Exchange Act Release No. 88393 (March 17, 2020), 85 FR 16152 (March 20, 2020) (the “PII Exemption Order”).

Back to Citation

5.  The term “CCID” has been used interchangeably with “CAT Customer-ID.” See PII Exemption Order, supra note 4 at 16152. The term “CCID” and “CAT Customer-ID” means the “Customer-ID” under the CAT NMS Plan. The “Customer-ID” means “with respect to a customer, a code that uniquely and consistently identifies such customer for purposes of providing data to the central repository.” See CAT NMS Plan, supra note 3 at Article I, Section 1.1, referring to Rule 613(j)(5). 17 CFR 242.613(j)(5).

Back to Citation

6.  See CAT NMS Plan, supra note 3 at Section 1.1. “Compliance Rule” means, with respect to a Participant, the rule(s) promulgated by such Participant as contemplated by Section 3.11 of the CAT NMS Plan.

Back to Citation

7.   See CAT NMS Plan, supra note 3.

Back to Citation

8.   See id. at Appendix C, Section A.1(a)(iii).

Back to Citation

9.   See id. at Section 1.1. The FDID may not be the account number for a trading account if the trading account is not a proprietary account.

Back to Citation

10.  A “Customer” means “the account holder(s) of the account at a registered broker-dealer originating the order; and any person from whom the broker-dealer is authorized to accept trading instructions for such account, if different from the account holder(s). See id.

Back to Citation

11.   Id. at Appendix C, Section A.1(a)(iii). To ensure information identifying a Customer is updated, broker-dealers are required to submit to the Central Repository daily updates for reactivated accounts, newly established or revised FDIDs, or associated reportable Customer information. The Plan Processor also must design and implement a robust data validation process for submitted FDIDs, Customer Account Information and Customer Identifying Information, and be able to link accounts that move from one CAT Reporter to another due to mergers and acquisitions, divestitures, and other events. Broker-dealers must initially submit full account lists for all active accounts to the Plan Processor and subsequently submit updates and changes on a daily basis. Finally, the Plan Processor must have a process to periodically receive full account lists to ensure the completeness and accuracy of the account database. CAT NMS Plan, supra note 3, at Appendix C, Section A.1(a)(iii) n.33.

Back to Citation

12.  “Plan Processor” means “the Initial Plan Processor or any other Person selected by the Operating Committee pursuant to SEC Rule 613 and Sections 4.3(b)(i) and 6.1, and with regard to the Initial Plan Processor, the Selection Plan, to perform the CAT processing functions required by SEC Rule 613 and set forth in this Agreement.” CAT NMS Plan, supra note 3, at Article I, Section 1.1.

Back to Citation

13.  CAT NMS Plan, supra note 3, at Appendix C, Section A.1(a)(iii). The CAT NMS Plan also requires Industry Members to report “Customer Account Information” upon the original receipt of origination of an order. Id. at Sections 1.1, 6.4(d)(ii)(C).

Back to Citation

14.   Id. at Appendix C, Section A.1(a)(iii).

Back to Citation

15.   Id.

Back to Citation

16.  CAT NMS Plan, supra note 3 at Appendix C, Section A.1(a)(iii).

Back to Citation

17.   Id. at Section 9.1 of Appendix D, which also addresses, among other things, the minimum attributes that CAT must capture for Customers and the validation process for such attributes.

Back to Citation

18.   Id. at Appendix D, Section 9.1. In relevant part, “Customer Account Information” is defined in the Plan to include, but not be limited to, account number, account type, customer type, date account opened, and large trader identifier (if applicable). Id. at Section 1.1.

Back to Citation

19.   Id. at Appendix C, Section A.1(a)(iii).

Back to Citation

20.   See letter from the Participants, dated January 29, 2020 available athttps://www.catnmsplan.com/​sites/​default/​files/​2020-02/​Amended-Exemptive-Request-CCID-and-Modified-PII-Approaches%28Final%29.pdf, requesting exemptive relief from certain PII reporting requirements and suggesting the modified PII approach.

Back to Citation

21.  “Customer Identifying Information” means information of sufficient detail to identify a Customer, including, but not limited to, (a) with respect to individuals: name, address, date of birth, ITIN/SSN, individual's role in the account ( e.g., primary holder, joint holder, guardian, trustee, person with the power of attorney); and (b) with respect to legal entities: name, address, EIN/LEI or other comparable common entity identifier, if applicable; provided, however, that an Industry Member that has an LEI for a Customer must submit the Customer's LEI in addition to other information of sufficient detail to identify a Customer. See CAT NMS Plan supra note 3, at Section 1.1.

Back to Citation

22.   See PII Exemption Order, supra note 4.

Back to Citation

23.   Id. at 16154.

Back to Citation

24.   Id. at 16152.

Back to Citation

25.   Id.

Back to Citation

26.  “CAT Reporter” means “each national securities exchange, national securities association and Industry Member that is required to record and report information to the Central Repository pursuant to SEC Rule 613(c).” See CAT NMS Plan, Article I, Section 1.1. Only Industry Members would be reporting an interim value.

Back to Citation

27.  PII Exemption Order, supra note 4 at 16152.

Back to Citation

28.   Id. at 16153.

Back to Citation

29.   Id.

Back to Citation

30.   Id.

Back to Citation

31.  PII Exemption Order, supra note 4 at 16153.

Back to Citation

32.   Id.

Back to Citation

33.   Id. at 16156.

Back to Citation

34.   See, e.g., Letter from Christopher A. Iacovella, Chief Executive Officer, American Securities Association, dated November 30, 2020 (the “ASA Letter”), at 2, available athttps://www.sec.gov/​comments/​s7-10-20/​s71020-8065865-225955.pdf; Letter from Senator John Kennedy, Senator Cindy Hyde-Smith, Senator Jerry Moran, and Senator John Boozman, dated June 16, 2022, available athttps://www.sec.gov/​comments/​s7-10-20/​s71020-20138074-308285.pdf.

Back to Citation

35.   See ASA Letter at 10.

Back to Citation

36.   See CAT NMS Plan Approval Order at 84874.

Back to Citation

37.   Id. at 84875.

Back to Citation

38.   Id.

Back to Citation

39.   Id.

Back to Citation

40.   Id.

Back to Citation

41.   Id.

Back to Citation

42.   Id. at 84908.

Back to Citation

43.   See PII Exemption Order, supra note 4 at 16156.

Back to Citation

44.   See id.

Back to Citation

45.   See PII Exemption Order, supra note 4 (explaining CAT regulatory uses for customer name, address, and birth year).

Back to Citation

46.   See text accompanying notes 34-35.

Back to Citation

47.   See Securities Exchange Act Release No. 100155 (May 16, 2024), 89 FR 47688 (June 3, 2024) (citing, Federal Bureau of Investigation, 2022 internet Crime Report (Mar. 27, 2023), at 7-8, available at: https://www.ic3.gov/​Media/​PDF/​AnnualReport/​2022_​IC3Report.pdf (stating that the FBI's internet Crime Complaint Center received 800,944 complaints in 2022 (an increase from 351,937 complaints in 2018). The complaints included 58,859 related to personal data breaches (an increase from 50,642 breaches in 2018)); the Financial Industry Regulatory Authority (“FINRA”), 2022 Report on FINRA's Examination and Risk Monitoring Program: Cybersecurity and Technology Governance (Feb. 2022), available at: https://www.finra.org/​rules-guidance/​guidance/​reports/​2022-finras-examination-and-risk-monitoringprogram (noting increased number and sophistication of cybersecurity attacks and reminding firms of their obligations to oversee, monitor, and supervise cybersecurity programs and controls of third-party vendors); Office of Compliance Inspections and Examinations (now the Division of Examinations) (“EXAMS”), Risk Alert, Cybersecurity: Safeguarding Client Accounts against Credential Compromise (Sept. 15, 2020), available at https://www.sec.gov/​files/​Risk%20Alert%20)-%20Credential%20Compromise.pdf (describing increasingly sophisticated methods used by attackers to gain access to customer accounts and firm systems)). This Risk Alert, and any other Commission staff statements represent the views of the staff. They are not a rule, regulation, or statement of the Commission. Furthermore, the Commission has neither approved nor disapproved their content. These staff statements, like all staff statements, have no legal force or effect. They do not alter or amend applicable law; and they create no new or additional obligations for any person.

Back to Citation

48.  The Commission stated, in approving the CAT NMS Plan, the importance of the Customer-ID approach, as it “constitutes a significant improvement relative to the Baseline because it would consistently identify the Customer responsible for market activity, obviating the need for regulators to collect and reconcile Customer Identifying Information from multiple broker-dealers.” See CAT NMS Plan Approval Order at 84827.This Order preserves this benefit of the CCID, thereby preserving one of the critical innovations of the CAT, the ability to track one Customer's market activity across multiple exchanges.

Back to Citation

49.   See 15 U.S.C. 78q(a), requiring registered broker-dealers to “furnish” records as the SEC prescribes by rule. See also17 CFR 240.17a-25(a), requiring broker-dealers to electronically submit securities information (including customer identifying information) to the SEC “upon request.” If multiple FDIDs are associated with a single CCID, regulators would only need to contact one broker-dealer to request the name and/or address of the individual. Contacting other broker-dealers should result in the same name and/or address.

Back to Citation

50.  The Securities Industry and Financial Markets Association (“SIFMA”) previously suggested a request-response system in which regulators would have the ability to request from broker-dealers the identity of investors engaged in potentially problematic trading activity on an as-needed request-only basis, rather than maintaining such data in the CAT. See letter from SIFMA, dated January 28, 2021 at 9, available athttps://www.sifma.org/​wp-content/​uploads/​2021/​01/​Pause-on-Implementation-Related-to-CAT-CAIS-Final-1-28-2021-1.pdf. SIFMA's proposed alternative to the CAT collecting PII would involve a workflow in which a regulatory user that wanted to know the identity of a customer to a trade would submit an FDID and trade dates request through the Plan Processor into a secure file transfer protocol (“FTP”). That FTP would in turn direct the PII request to an Industry Member acting as a CAT Reporter. The Industry Member would then direct the encrypted data through the FTP back into the CAT control environment for the requesting regulatory user to analyze and use the data.

Back to Citation

51.  Similarly, without names of natural persons in the CAT, a regulator investigating allegations relating to a specific person's trading activity may need to contact all broker-dealers to determine where a specific person's accounts are held.

Back to Citation

53.  The Commission recognizes that efficient electronic means of requesting and receiving from industry members targeted subsets of customer identifying information could better enable the Participants and Commission staff to detect and investigate market fraud and abuse. In connection with the relief provided by this Order, the Commission urges the Participants to work with industry members to establish these means by taking advantage of the systems industry members have already established to format and submit customer information consistent with CAT specifications.

Back to Citation

56.  Section 9.4 of Appendix D which requires the Plan Processor to design and implement procedures and mechanisms to handle both “minor and material inconsistencies in Customer information.” For example, “[m]aterial inconsistencies such as two different people with the same SSN must be communicated to the submitting CAT Reporters and resolved within the established error correction timeframe as detailed in Section 8.” Section 9.4 of Appendix D also states that the Central Repository must have an audit trail showing the resolution of all errors. The required audit trail must, at a minimum, include a variety of items including “duplicate SSN, significantly different Name” and “duplicate SSN, different DOB.”

Back to Citation

57.   See 17 CFR 240.17a-3, requiring certain exchange members, brokers and dealers to make and keep current books and records. See also17 CFR 240.17a-25(a), requiring broker-dealers to electronically submit securities information (including customer identifying information) to the SEC “upon request.”

Back to Citation

[FR Doc. 2025-02620 Filed 2-13-25; 8:45 am]

BILLING CODE 8011-01-P

Legal Citation

Federal Register Citation

Use this for formal legal and research references to the published document.

90 FR 9642

Web Citation

Suggested Web Citation

Use this when citing the archival web version of the document.

“Order Granting Exemptive Relief, Pursuant to Section 36(a)(1) and Rule 608(e) of the Securities Exchange Act of 1934, From Certain Provisions of Section 6.4(d)(ii)(C) and Appendix D, Sections 9.1, 9.2 and 9.4 of the National Market System Plan Governing the Consolidated Audit Trail,” thefederalregister.org (February 14, 2025), https://thefederalregister.org/documents/2025-02620/order-granting-exemptive-relief-pursuant-to-section-36-a-1-and-rule-608-e-of-the-securities-exchange-act-of-1934-from-ce.