Order Granting Conditional Exemptive Relief, Pursuant to Section 36 and Rule 608(e) of the Securities Exchange Act of 1934, From Section 6.4(d)(ii)(C) and Appendix D Sections 4.1.6, 6.2, 8.1.1, 8.2, 9.1, 9.2, 9.4, 10.1, and 10.3 of the National Market System Plan Governing the Consolidated Audit Trail

Federal Register, Mar. 20, 2020
85 Fed. Reg. 16152 (Mar. 20, 2020)
March 17, 2020.

I. Introduction

By letter dated January 29, 2020, BOX Exchange LLC, Cboe BYX Exchange, Inc., Cboe BZX Exchange, Inc., Cboe EDGA Exchange, Inc., Cboe EDGX Exchange, Inc., Cboe C2 Exchange, Inc., Cboe Exchange, Inc., Financial Industry Regulatory Authority, Inc., Investors Exchange LLC, Long Term Stock Exchange, Inc., Miami International Securities Exchange LLC, MIAX Emerald, LLC, MIAX PEARL, LLC, NASDAQ BX, Inc., Nasdaq GEMX, LLC, Nasdaq ISE, LLC, Nasdaq MRX, LLC, NASDAQ PHLX LLC, The NASDAQ Stock Market LLC, New York Stock Exchange LLC, NYSE American LLC, NYSE Arca, Inc., NYSE Chicago, Inc., and NYSE National, Inc. (collectively, the “Participants”) to the National Market System Plan Governing the Consolidated Audit Trail (“CAT NMS Plan” or “Plan”), requested that the Securities and Exchange Commission (“Commission” or “SEC”) grant exemptive relief from certain requirements in the CAT NMS Plan pursuant to Section 36 of the Securities Exchange Act (“Exchange Act”) and Rule 608(e) of Regulation NMS. Specifically, the Participants seek exemptive relief from Section 6.4(d)(ii)(C) and Appendix D, Sections 4.1.6, 6.2, 8.1.1, 8.2, 9.1, 9.2, 9.4, 10.1, and 10.3 of the CAT NMS Plan (1) to allow for an alternative approach to generating a CAT Customer ID (“CCID”) without requiring Industry Members to report individual social security numbers or tax payer identification numbers (collectively, “SSNs”) to the consolidated audit trail (“CAT”) (the “CCID Alternative”); and (2) to allow for an alternative approach which would exempt the reporting of dates of birth and account numbers associated with natural person retail Customers to the CAT (“Modified PII Approach”), and instead would require Industry Members to report the year of birth associated with natural person retail Customers and the Firm Designated ID for each trading account associated with the Customers.

See letter from the Participants to Vanessa Countryman, Secretary, Commission, dated January 29, 2020 (the “January 29, 2020 Exemption Request”).

The CAT NMS Plan was approved by the Commission, as modified, on November 15, 2016. See Securities Exchange Act Release No. 79318 (November 15, 2016), 81 FR 84696 (November 23, 2016).

17 CFR 242.608(e).

The “Customer-ID” means “with respect to a customer, a code that uniquely and consistently identifies such customer for purposes of providing data to the central repository.” See CAT NMS Plan, Article I, Section 1.1, referring to Rule 613(j)(5). 17 CFR 242.613(j)(5). The Participants also use the term “CCID” to refer to “CAT Customer ID.” See January 29, 2020 Exemption Request at 4-5. For purposes of the January 29, 2020 Exemption Request, the term “CCID” and “CAT Customer-ID” means the “Customer-ID” under the CAT NMS Plan.

“Industry Member” means “a member of a national securities exchange or a member of a national securities association.” See CAT NMS Plan, Article I, Section 1.1.

A “Customer” means “the account holder(s) of the account at a registered broker-dealer originating the order; and any person from whom the broker-dealer is authorized to accept trading instructions for such account, if different from the account holder(s).” See CAT NMS Plan, Article I, Section 1.1.

“Firm Designated ID” means “a unique identifier for each trading account designated by Industry Members for purposes of providing data to the Central Repository, where each such identifier is unique among all identifiers from any given Industry Member for each business date.” See CAT NMS Plan, Article I, Section 1.1. Article VI, Section 6.4(d)(ii)(C) of the CAT NMS Plan requires CAT Reporters (as defined below) to report the Firm Designated ID to the Central Repository.

See January 29, 2020 Exemption Request. Unless otherwise noted, capitalized terms are used as defined in the CAT NMS Plan.

Section 36 of the Exchange Act grants the Commission the authority, with certain limitations, to “conditionally or unconditionally exempt any person, security, or transaction . . . from any provision or provisions of [the Exchange Act] or of any rule or regulation thereunder, to the extent that such exemption is necessary or appropriate in the public interest, and is consistent with the protection of investors.” Under Rule 608(e) of Regulation NMS, the Commission may “exempt from [Rule 608], either unconditionally or on specified terms and conditions, any self-regulatory organization, member thereof, or specified security, if the Commission determines that such exemption is consistent with the public interest, the protection of investors, the maintenance of fair and orderly markets and the removal of impediments to, and perfection of the mechanism of, a national market system.”

17 CFR 242.608(e).

For the reasons set forth below, this Order grants the Participants' request for exemptions from specified provisions of the CAT NMS Plan as set forth in January 29, 2020 Exemption Request, subject to certain conditions.

II. Description

As set forth in the January 29, 2020 Exemption Request regarding the CCID Alternative, the Participants state that “in light of security concerns raised with regard to the maintenance of Customer information in the CAT, the Participants request an exemption to eliminate one of the most sensitive CAT data elements—SSNs—from the CAT.” In lieu of retaining such sensitive information in the CAT, the Participants would use the CCID alternative, a strategy developed by the Chief Information Security Officer for the CAT and the Chief Information Security Officers from each of the Participants, in consultation with security experts from member firms of Securities Industry and Financial Markets Association. According to the Participants, the CCID Alternative allows the Plan Processor to generate a CCID without requiring the Plan Processor to receive SSNs or store SSNs within the CAT. Under the CCID Alternative, according to the Participants, the Plan Processor would generate a unique CCID using a two-phase transformation process that avoids having SSNs reported to or stored in the CAT. In the first transformation phase, a CAT Reporter would transform the SSN to an interim value. The Participants state that the Plan Processor would provide CAT Reporters the tools and/or technology to transform SSNs into interim values. This transformed value, and not the SSN, would be submitted to a separate system within the CAT (“CCID Subsystem”). The CCID Subsystem would then perform a second transformation to create the globally unique CCID for each Customer that is unknown to, and not shared with, the original CAT Reporter. According to the Participants, the CCID would then be sent to the customer and account information system of the CAT, where it would be linked with the other customer and account information. The transformed value would be sent to the CAT “separate and apart from the other customer and account information.” The Participants state that the CCID may then be used by the Participants' regulatory staff and the SEC in queries and analysis of CAT Data.
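The two-phase transformation described above, shown as an added illustration that is not part of the Participants' request, the Plan, or the Plan Processor's tooling. The use of HMAC-SHA256 for each phase, the two separately held keys (one shipped with the reporter-side tooling, one held only by the CCID Subsystem), the normalization of the SSN, the format of the interim value and of the CCID, and the sample SSNs and identifiers are all assumptions constructed for this example.

```python
import hashlib
import hmac
import re

# Constructed demonstration keys (an assumption of this example). The phase-1 key
# would travel with the transformation tooling the Plan Processor supplies to CAT
# Reporters; the phase-2 key would be held only inside the CCID Subsystem and never
# shared with a CAT Reporter, which is what keeps the final CCID unknown to the
# original reporter.
PHASE1_KEY = b"demo-phase1-key-shipped-with-reporter-tooling"
PHASE2_KEY = b"demo-phase2-key-held-only-by-ccid-subsystem"


def normalize_ssn(ssn):
    """Canonicalize formatting so '123-45-6789' and '123456789' transform identically."""
    digits = re.sub(r"\D", "", ssn)
    if len(digits) != 9:
        raise ValueError("SSN must contain exactly nine digits")
    return digits


def reporter_transform(ssn):
    """Phase 1, run at the CAT Reporter. Only this interim value leaves the firm."""
    return hmac.new(PHASE1_KEY, normalize_ssn(ssn).encode(), hashlib.sha256).hexdigest()


def ccid_subsystem_transform(interim_value):
    """Phase 2, run inside the CCID Subsystem; yields the globally unique CCID."""
    digest = hmac.new(PHASE2_KEY, bytes.fromhex(interim_value), hashlib.sha256).hexdigest()
    return "CCID-" + digest[:24]  # CCID format is an assumption of this example


def reporter_submission(reporter_id, firm_designated_id, ssn):
    """Record a CAT Reporter sends to the CCID Subsystem, separately from the other
    customer and account information. A Customer without an SSN yields no interim value."""
    return {
        "reporter": reporter_id,
        "firm_designated_id": firm_designated_id,
        "interim_value": reporter_transform(ssn) if ssn is not None else None,
    }


def assign_ccid(submission):
    """CCID Subsystem side: derive the CCID that is then linked to the customer record."""
    if submission["interim_value"] is None:
        return None
    return ccid_subsystem_transform(submission["interim_value"])


def regulator_ccid_from_ssn(ssn):
    """A regulator that already holds an SSN from outside the CAT applies both phases
    to obtain the CCID it can use in queries; the SSN itself is never stored in the CAT."""
    return ccid_subsystem_transform(reporter_transform(ssn))


if __name__ == "__main__":
    # Constructed sample: the same Customer holds accounts at two different firms.
    a = reporter_submission("BD-A", "FDID-A-0001", "123-45-6789")
    b = reporter_submission("BD-B", "FDID-B-9876", "123456789")
    print("same CCID across firms:", assign_ccid(a) == assign_ccid(b))
```

Two properties of the design are visible here: the same Customer reported by two different Industry Members resolves to one CCID, which is what lets regulators follow an order's lifecycle across brokerage accounts, and a reporter holding only the phase-1 tooling cannot compute or recognize the CCID, because the phase-2 key never leaves the CCID Subsystem.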

See January 29, 2020 Exemption Request at 4.

See January 29, 2020 Exemption Request at 4.

“Plan Processor” means “the Initial Plan Processor or any other Person selected by the Operating Committee pursuant to SEC Rule 613 and Sections 4.3(b)(i) and 6.1, and with regard to the Initial Plan Processor, the Selection Plan, to perform the CAT processing functions required by SEC Rule 613 and set forth in this Agreement.” See CAT NMS Plan, Article I, Section 1.1.

See January 29, 2020 Exemption Request at 4-5.

See January 29, 2020 Exemption Request at 5.

“CAT Reporter” means “each national securities exchange, national securities association and Industry Member that is required to record and report information to the Central Repository pursuant to SEC Rule 613(c).” See CAT NMS Plan, Article I, Section 1.1. Only Industry Members would be reporting an interim value.

See January 29, 2020 Exemption Request at 5.

See January 29, 2020 Exemption Request at 12.

In the event that a Customer does not have an SSN, the Participants represent that the CAT Reporter would not be required to submit the transformed value to the CCID Subsystem. See January 29, 2020 Exemption Request at 5.

See January 29, 2020 Exemption Request at 5.

See January 29, 2020 Exemption Request at 5. The CAT NMS Plan indicates that “customer and account information” is CAT Data that “includes PII.” See generally CAT NMS Plan, Appendix D, Section 6.2 at D-19. “PII” means “personally identifiable information, including a social security number or tax identifier number or similar information; Customer Identifying Information and Customer Account Information.” See CAT NMS Plan, Article I, Section 1.1. “Customer Identifying Information” in turn is defined to mean “information of sufficient detail to identify a Customer, including, but not limited to, (a) with respect to individuals: name, address, date of birth, individual tax payer identification number (“ITIN”)/social security number (“SSN”), individual's role in the account (e.g., primary holder, joint holder, guardian, trustee, person with the power of attorney); and (b) with respect to legal entities: Name, address, Employer Identification Number (“EIN”)/Legal Entity Identifier (“LEI”) or other comparable common entity identifier, if applicable; provided, however, that an Industry Member that has an LEI for a Customer must submit the Customer's LEI in addition to other information of sufficient detail to identify a Customer.” Id. “Customer Account Information” is generally defined to “include, but not be limited to, account number, account type, customer type, date account opened, and large trader identifier (if applicable). . . .” For purposes of the January 29, 2020 Exemption Request, the “customer and account information system of the CAT” refers to the database that contains PII, as defined in the Plan.

See January 29, 2020 Exemption Request at 6.

See January 29, 2020 Exemption Request at 5.

The Participants state that there would be no cost imposed by the Plan Processor or CATLLC on an Industry Member if it uses the CAT Reporter Portal to transform an SSN prior to submission. For Industry Members that perform the CCID transformation and submit it via a machine-to-machine interface, the Participants state that there would be ordinary costs associated with installing the transformation logic, but that neither the Plan Processor nor CATLLC would impose any costs on Industry Members. The Participants state that actual costs would depend on the specific Industry Member's technology architecture, but would not be anticipated to be significant.

“CATLLC” refers to the limited liability company, set forth in the Limited Liability Company Agreement of Consolidated Audit Trail, LLC, formed by the Participants to conduct the activities related to CAT. See Securities Exchange Act Release No. 87149 (September 27, 2019); 84 FR 52905 (October 3, 2019).

See January 29, 2020 Exemption Request at 5. The “CAT Reporter Portal” is the “Industry Member CAT Reporter Portal” which is a web-based tool provided by the Plan Processor to CAT Reporters that allows CAT Reporters to monitor and manage data submissions to CAT. See “Industry Member CAT Reporter Portal User Guide” dated November 4, 2019, v. 1.0. https://catnmsplan.com/sites/default/files/2020-02/IM-Reporter-Portal-User-Guide_11042019.pdf. According to the Participants, Industry Members who use this CAT Reporter Portal to transform an SSN into the interim value will incur no cost to perform the transformation.

See January 29, 2020 Exemption Request at 5.

See January 29, 2020 Exemption Request at 5.

The Participants note that Industry Members would continue to store individual customer SSNs outside the CAT, as they do currently, and that if a Participant's regulatory staff or the SEC needs to obtain a Customer's SSN during an investigation, such regulator would need to request that information from the CAT Reporter (e.g., via a FINRA Rule 8210 request or the Electronic Blue Sheets). However, if a Participant's regulatory staff or the SEC already has an SSN via means other than the CAT, the Participants state that the regulator will have the ability to use that SSN to query the CAT. The Participants further state that similar to the process described above, the SSN would be transformed into the CCID, which, in turn, may be used by the Participant's regulatory staff and the SEC in queries and analysis of CAT Data.

See January 29, 2020 Exemption Request at 5. Both “customer” and “Customer” are used by the Participants in the January 29, 2020 Exemption Request. The Commission assumes, for purposes of this Order, that the Participants intended the term “Customer” as defined in the CAT NMS Plan; however, in Section II of this Order, the Commission reflects the terms used in the January 29, 2020 Exemption Request.

Pursuant to the CCID Alternative, because SSNs would no longer be reported to or collected by the CAT, regulatory staff would only be able to obtain an individual's SSN associated with a CCID by submitting a request for such SSN to the CAT Reporter that retains the SSN. Data provided via Electronic Blue Sheets, or EBS data, is provided pursuant to Rule 17a-25 under the Act, and includes certain detailed execution information, including the SSN of a Customer. See 17 CFR 240.17a-25.

See January 29, 2020 Exemption Request at 5.

See January 29, 2020 Exemption Request at 5.

The Participants state that the proposed CCID Alternative is necessary and appropriate in the public interest, and is consistent with the public interest, the protection of investors, the maintenance of fair and orderly markets and the removal of impediments to, and perfection of the mechanisms of, a national market system. The Participants believe that, subject to accurate implementation by CAT Reporters, the CCID Alternative will have the capability to create a reliable and accurate CCID that is unique for each Customer, and that regulators will be able to use a unique CCID to track orders from any Customer throughout the order's lifecycle, regardless of what brokerage account was used to enter the order. The Participants state that the use of CCIDs would thus enhance the security of the Central Repository while preserving regulatory benefits of the CAT. The Participants state that because only CCIDs would be stored in the Central Repository, rather than SSNs, the proposed relief would eliminate the risk of having a comprehensive aggregated source for all individual Customer SSNs (i.e., the potential use of illegally obtained SSNs to facilitate identity theft or other fraud). The Participants state that no SSNs would be collected or stored in the CAT, and that instead, only Industry Members would continue to collect individual Customer SSNs, as they do currently. The Participants state that the process to create CCIDs using, in part, SSNs would be secure. The Participants also state that the significant reduction in the risk that information in the CAT could be used to facilitate identity theft, achieved by the use of CCIDs, does not compromise the regulatory benefits of the CAT. The Participants state that the CCID Subsystem is subject to the security provisions of the CAT NMS Plan.

See January 29, 2020 Exemption Request at 5.

See January 29, 2020 Exemption Request at 5-6. The Participants state that if the Commission grants this request for exemptive relief, each Participant will propose to amend its Compliance Rules consistent with the exemptive relief. See January 29, 2020 Exemption Request at 6, n.17. Each Participant is obligated to enforce compliance by its members with such Compliance Rules, including rules related to implementation of the CCID Alternative. Id. “Compliance Rule” means “with respect to a Participant, the rule(s) promulgated by such Participant as contemplated by Section 3.11.” See CAT NMS Plan, Article I, Section 1.1. Section 3.11 of the Plan states that “[e]ach Participant shall comply with and enforce compliance, as required by SEC Rule 608(c), by its Industry Members with the provisions of SEC Rule 613 and of this Agreement, as applicable, to the Participant and its Industry Members. The Participants shall endeavor to promulgate consistent rules (after taking into account circumstances and considerations that may impact Participants differently) requiring compliance by their respective Industry Members with the provisions of SEC Rule 613 and this Agreement.” Id. at Article III, Section 3.11.

See January 29, 2020 Exemption Request at 6.

See January 29, 2020 Exemption Request at 6.

See January 29, 2020 Exemption Request at 6.

See January 29, 2020 Exemption Request at 6.

See January 29, 2020 Exemption Request at 6.

See January 29, 2020 Exemption Request at 12.

The Participants believe that eliminating the retention of SSNs in the CAT would not have an adverse impact on the effective operation of the CAT. The Participants recognize, however, that the elimination of the collection of SSNs would cause CAT Reporters to assume a critical role in the accurate generation of CCIDs. The Participants state that to mitigate the potential risk to the integrity of the CCID values ultimately assigned to Customer records in the CAT, the Participants, working with the Plan Processor, will consider methods for detecting errors in the transformed values submitted by CAT Reporters, such as through validation processes and/or testing of accounts, as well as methods that may be identified by functionality supporting the Error Resolution for the Customer Data requirement in Section 9.4 of Appendix D of the CAT NMS Plan. The Participants represent that the Plan Processor is currently exploring potential validation checks that could be performed upon submission by an Industry Member of an initial CCID, such as ensuring the value submitted is within an expected range of values. The Participants state that such a validation check would help identify transformation errors (e.g., transformation resulted in an invalid or malformed SSN), but it would not ensure that the correct SSN for a specific customer was used for the transformation. The Participants state that, in consultation with the working group of industry members that developed the CCID Alternative, they believe that the value of eliminating the need for CAT Reporters to transmit SSNs to the CAT exceeds the potential increased risk to the integrity of CCID assignments.

See January 29, 2020 Exemption Request at 6.

See January 29, 2020 Exemption Request at 6.

See January 29, 2020 Exemption Request at 6. The Plan does not define “Customer Data”; however, Appendix D, Section 9.4 references various data elements related to the PII reported and collected by the CAT. The Commission assumes for purposes of the January 29, 2020 Exemption Request that “Customer Data” refers to such PII.

See January 29, 2020 Exemption Request at 6.

See January 29, 2020 Exemption Request at 6.

See January 29, 2020 Exemption Request at 6.

As set forth in the January 29, 2020 Exemption Request, the Participants also state that, in light of security concerns raised with regard to the maintenance of Customer information in the CAT, they propose to eliminate dates of birth and account numbers for individuals from the CAT. Under this proposal, or the Modified PII Approach, dates of birth and account numbers for natural persons would not be reported to the CAT and therefore would not be stored in the CAT. The Participants state that, similar to SSNs, this information is particularly sensitive from a security perspective and should not be included in the CAT (i.e., the Participants believe that such information, if illegally obtained, could be used to facilitate identity theft or other fraud). The Participants represent that the Modified PII Approach has been discussed with the Advisory Committee.

See January 29, 2020 Exemption Request at 7.

See January 29, 2020 Exemption Request at 7.

See January 29, 2020 Exemption Request at 7. According to the CAT NMS Plan, the Advisory Committee “shall advise the Participants on the implementation, operation, and administration of the Central Repository, including possible expansion of the Central Repository to other securities and other types of transactions.” See CAT NMS Plan, Article IV, Section 4.13(d).

The Participants believe that the Modified PII Approach is necessary and appropriate in the public interest, and is consistent with the public interest, the protection of investors, the maintenance of fair and orderly markets and the removal of impediments to, and perfection of the mechanisms of, a national market system. The Participants believe that by eliminating dates of birth and account numbers from the CAT, the proposed relief would significantly reduce the risk profile of data collected and stored in the CAT by eliminating the PII data elements that would support attempted identity theft. In addition, the Participants state that the elimination of dates of birth and account numbers for individuals would not compromise the regulatory benefits of the CAT, including the ability of regulators to identify Customers and their related trading activity. The Participants state that instead of reporting dates of birth and account numbers for individuals, CAT Reporters would report to the CAT year of birth and Firm Designated IDs for accounts for individuals.

See January 29, 2020 Exemption Request at 7.

See January 29, 2020 Exemption Request at 7.

See January 29, 2020 Exemption Request at 7.

See January 29, 2020 Exemption Request at 7. The Commission assumes for purposes of this Order that the January 29, 2020 Exemption Request seeks relief from the requirement to report all account numbers, not limited to account numbers for individuals.

The Participants state that the Participants, Industry Members, and others have raised concerns regarding the security risk of having personally identifying Customer information in the CAT for individual Customers of every securities brokerage account involving Eligible Securities in the U.S. securities markets. The Participants noted the statements made by Chairman Clayton, members of Congress and the broker-dealer community regarding the importance of evaluating the collection of information into the CAT. The Participants state that the Operating Committee of the CAT shares these security concerns and noted that they formed a PII Working Group to research and recommend potential alternatives regarding the handling of PII, including SSNs. After considering various alternatives, the PII Working Group ultimately recommended the CCID Alternative to the Operating Committee of the CAT.

“Eligible Securities” means “(a) all NMS Securities and (b) all OTC Equity Securities.” See CAT NMS Plan, Article I, Section 1.1. “NMS Securities” is defined as “any security or class of securities for which transaction reports are collected, processed, and made available pursuant to an effective transaction reporting plan, or an effective national market system plan for reporting transactions in Listed Options.” Id. “OTC Equity Securities” is defined as “any equity security, other than an NMS Security, subject to prompt last sale reporting rules of a registered national securities association and reported to one of such association's equity trade reporting facilities.” Id.

See January 29, 2020 Exemption Request at 3.

See January 29, 2020 Exemption Request at 3 and 4.

The Participants formed the PII Working Group to analyze whether it might be possible to meet the goals of the CAT while capturing less PII than Rule 613 currently requires. The PII Working Group was composed of representatives from the Participants and the Advisory Committee.

See January 29, 2020 Exemption Request at 4.

See January 29, 2020 Exemption Request at 4.

III. Request for Relief

In order to implement the CCID Alternative and Modified PII Approach, the Participants request that the Commission grant exemptive relief from the following sections of the CAT NMS Plan as set forth below:

  • Section 6.4(d)(ii)(C) of the CAT NMS Plan which requires Industry Members, through the SRO CAT compliance rules, to record and report to the Central Repository for the original receipt of an order, SSNs, dates of birth, and account numbers for individuals. The Participants request relief from the requirement in Section 6.4(d)(ii)(C) that Industry Members, through their Compliance Rules, record and report to the Central Repository for the original receipt of an order, SSNs, dates of birth, and account numbers for individuals. In place of reporting SSNs, dates of birth, and account numbers, the Participants will require Industry Members, through their Compliance Rules, to report to the Central Repository a transformed value for the SSN, year of birth, and the Firm Designated ID for accounts for individuals.
  • Section 9.1 of Appendix D which requires the CAT to capture and store Customer and Customer Account Information in a secure database physically separated from the transactional database and that requires the following attributes, at a minimum, to be captured: SSN or ITIN and date of birth. Section 9.1 of Appendix D also requires the Plan Processor to maintain valid Customer and Customer Account Information for each trading day. The Participants request relief from these requirements in Section 9.1 of Appendix D that the CAT capture and store SSNs, dates of birth, and account numbers in the CAT. In place of SSNs, dates of birth and account numbers, Industry Members will report to the Central Repository a transformed value for the SSN, year of birth and the Firm Designated ID for accounts of individuals.
  • Section 9.1 of Appendix D which requires the Plan Processor “provide a method for Participants' regulatory staff and the SEC to easily obtain historical changes to [Customer and Customer Account] information.” If the Commission grants the requested exemptions, SSNs, dates of birth, and account numbers for individuals would not be stored within the CAT and, thus, Participants' regulatory staff and the Commission staff would not be able to obtain historical changes to SSNs, dates of birth and account numbers for individuals. The Participants request exemptive relief from the requirement in Section 9.1 of Appendix D that the Plan Processor provide a method for Participants' regulatory staff and Commission staff to obtain historical changes to SSNs, dates of birth and account numbers. Instead, the Participants state that the Plan Processor will manage changes to CCIDs, years of birth and Firm Designated IDs to provide a history of such data over time.
  • Section 9.1 of Appendix D which states that the Plan Processor “will design and implement a robust data validation process for submitted Firm Designated ID, Customer Account Information and Customer Identifying Information, and must continue to process orders while investigating Customer information mismatches,” and that “[v]alidations should: . . .Confirm the number of digits on a SSN, Confirm [sic] dates of birth, and Accommodate [sic] the situation where a single SSN is used by more than one individual.” If the Commission grants the requested exemption from the requirement that SSNs, dates of birth, and account numbers for individuals be submitted to the CAT, no validation process would be necessary for these elements. The Participants request exemptive relief from the requirement in Section 9.1 of Appendix D for the Plan Processor to design and implement a robust data validation process with regard to SSNs, dates of birth, and account numbers. In place of validation of SSNs and dates of birth, the Participants state that the Plan Processor will implement a validation process for transformed values submitted by CAT Reporters to the Plan Processor. The Participants state that both the Plan Processor and the Participants believe the validations in the CAT NMS Plan that require the identification and handling of inconsistencies in Customer information can still be performed as envisioned using a CCID rather than an SSN. This would include things such as validating that there are not duplicate CCIDs and significantly different names, and duplicate CCIDs and different year of births.
  • Section 9.2 of Appendix D which requires the Central Repository to accept “[a]t a minimum, the following Customer information data attributes. . . . : Account Tax Identifier (SSN, TIN, ITIN).” If the Commission grants the requested exemptions, SSNs would not be submitted to the CAT. The Participants request exemptive relief from the requirement in Section 9.1 of Appendix D for the Central Repository to accept SSNs. Instead, the Central Repository will accept a transformed value for SSNs.
  • Section 9.4 of Appendix D which requires the Plan Processor to design and implement procedures and mechanisms to handle both “minor and material inconsistencies in Customer information.” For example, “[m]aterial inconsistencies such as two different people with the same SSN must be communicated to the submitting CAT Reporters and resolved within the established error correction timeframe as detailed in Section 8.” Section 9.4 of Appendix D also states that the Central Repository must have an audit trail showing the resolution of all errors. The required audit trail must, at a minimum, include a variety of items including “duplicate SSN, significantly different Name” and “duplicate SSN, different DOB.” The Participants request exemptive relief from these error resolution requirements with regard to SSNs, dates of birth and account numbers of individuals. Instead, the Plan Processor will be required to design and implement an error resolution process for CCIDs and years of birth.
  • Section 4.1.6 of Appendix D requires that PII data not be included in the result set(s) from online or direct query tools, reports or bulk data extraction, and further requires that “[i]nstead, results will display existing non-PII unique identifiers (e.g., Customer-ID or Firm Designated ID).” In addition, Sections 4.1.6, 8.1.1 and 8.2 of Appendix D further state that the “PII corresponding to these identifiers can be gathered using the PII workflow described in Appendix D, Data Security, PII Data Requirements.” The PII corresponding to the identifiers referenced in this requirement includes SSNs, dates of birth, and account numbers for individuals. The Participants request exemptive relief from the requirements in Section 4.1.6, 8.1.1 and 8.2 to provide regulators with the ability to gather SSNs, dates of birth, and account numbers that correspond with CCIDs and Firm Designated IDs. The Participants state that regulators will have the ability to gather years of birth that correspond with CCIDs.
  • Section 6.2 of Appendix D which requires that “Customer information that includes PII data be available to regulators immediately upon receipt of initial data and corrected data, pursuant to security policies for retrieving PII.” PII under the Plan includes SSNs, dates of birth, and account numbers as defined in Section 1.1 of the CAT NMS Plan. The Participants request exemptive relief from the requirement in Section 6.2 of Appendix D to provide regulators with SSNs, dates of birth and account numbers. In place of SSNs, dates of birth and account numbers the Participants state that years of birth will be available to regulators immediately upon receipt of initial data and corrected data, pursuant to security policies.
  • Section 10.1 of Appendix D which requires the “Plan Processor to provide technical, operational, and business support to CAT Reporters for all aspects of reporting. Such support will include, at a minimum: . . . [Managing] Customer and Customer Account Information.” The Participants request exemptive relief from Section 10.1 of Appendix D, which requires the Plan Processor to provide technical, operational and business support to CAT Reporters with regard to SSNs, dates of birth and account numbers of individuals. In place of such support requirements with regard to SSNs, dates of birth and account numbers of individuals, the Participants state that the Plan Processor will provide technical specifications and help desk support to CAT Reporters with respect to the implementation of the CCID Alternative and the reporting of years of birth.
  • Section 10.3 of Appendix D which requires that “CAT Help Desk support functions must include: . . . . Supporting CAT Reporters with data submissions and data corrections, including submission of Customer and Customer Account Information.” The Participants request exemptive relief from the requirements of Section 10.3 of Appendix D regarding CAT Help Desk support function requirements with regard to SSNs, dates of birth, and account numbers of individuals. In place of such CAT Help Desk support functions, the Participants state that the CAT Help Desk will provide support to CAT Reporters with respect to the implementation of the CCID Alternative and the reporting of years of birth.

IV. Discussion

The Commission shares the concerns raised by market participants, industry representatives and the Participants about the importance of only requiring the necessary Customer and Customer account information sufficient to achieve regulatory objectives. Since the inception of the CAT, the Commission has been focused on the security and treatment of PII, which is defined in the CAT NMS Plan. Additionally, the Plan itself focuses on the security and confidentiality of PII. For example, the Plan requires that PII be stored separately from transaction CAT Data, and contains restrictions for accessing PII such that regulators entitled to query transaction CAT Data are not automatically authorized for PII access under the Plan. The Plan explicitly requires that the process by which a person becomes entitled for PII access, and how they then go about accessing PII data, must be documented by the Plan Processor. According to the Plan, access to PII is based on a Role Based Access Control model, follows the “least privileged” practice of limiting access as much as possible, and limits access to PII to a “need-to-know” basis. In addition, the Plan requires that all PII data, as with transaction CAT Data, must be encrypted both at rest and in flight, including archival data storage methods such as tape backup, and prohibits the storage of unencrypted PII data. The Plan Processor also must describe how PII encryption is performed and the key management strategy (e.g., AES-256, 3DES). While all of these safeguards in the CAT NMS Plan combine to create robust security protections around PII that is reported to and retained by the CAT, the most secure approach to addressing any piece of sensitive retail Customer PII would be to eliminate its collection altogether.

For example, Rule 613(e)(4)(i)(A) requires policies and procedures to ensure the security and confidentiality of all information reported to the central repository by requiring that the Participants and their employees agree to use appropriate safeguards to ensure the confidentiality of such data and agree not to use such data for any purpose other than surveillance and regulatory purposes. Rule 613(e)(4)(i)(B) requires that the Participants adopt and enforce rules that require information barriers between regulatory staff and non-regulatory staff with regard to access and use of data in the central repository and permit only persons designated by plan sponsors to have access to the data in the central repository. Rule 613(e)(4)(i)(C) also requires that the Plan Processor develop and maintain a comprehensive information security program for the central repository, with dedicated staff, that is subject to regular reviews by the Chief Compliance Officer; have a mechanism to confirm the identity of all persons permitted to access the data; and maintain a record of all instances where such persons access the data.

See CAT NMS Plan at Appendix D, Section 4.1.6.

See CAT NMS Plan at Appendix D, Section 4.1.6.

See CAT NMS Plan at Appendix D, Section 4.1.6; see also CAT NMS Plan at Appendix C, C-35.

See CAT NMS Plan, Appendix D, Section 4.1.2.

See CAT NMS Plan, Appendix D, Section 4.1.2.

The Commission believes that exemptive relief pursuant to Section 36 to allow for the CCID Alternative and the Modified PII Approach is appropriate in the public interest and is consistent with the protection of investors, and additionally that, pursuant to Rule 608(e), such relief is consistent with the public interest, the protection of investors, the maintenance of fair and orderly markets and the removal of impediments to, and perfection of the mechanisms of, a national market system. The CCID Alternative minimizes the risk of theft of SSNs—the most sensitive piece of PII—by allowing the elimination of SSNs from the CAT, while still facilitating the creation of a reliable and accurate Customer-ID. Thus, the CCID Alternative preserves the regulatory benefit of being able to track a specific order of a Customer through its entire lifecycle, as originally contemplated by the Plan, without requiring the reporting of SSNs by Industry Members and the retention of SSNs by the Plan Processor. SSNs are considered among the most sensitive PII that can be exposed in a data breach. Thus, the elimination of SSNs from the CAT may reduce both the risk of attracting bad actors and the impact on retail investors in the event of an incident.

The ability to efficiently and accurately identify individual Customers will allow regulators to establish those that might be responsible for illegal conduct, or to identify those that might be the victim of fraudulent activity. Indeed, one of the hallmarks of the CAT is the ability to provide customer attribution of order and trade activity even if such trading activity spans multiple broker-dealers. Pursuant to the Plan, the identification of Customers is achieved by the creation and use of the Customer-ID, a code that uniquely and consistently identifies every Customer. The Commission continues to believe, as it did when it approved the Plan, that the ability to link the full life cycle of every order as that order travels across broker-dealers and market centers to a specific Customer through the use of a Customer-ID will greatly facilitate the regulatory and surveillance efforts of regulators. For the Commission in particular, this ability to identify a Customer through the use of a CCID will also facilitate the Commission's efforts in the areas of market reconstruction, market analysis and rule-making support. Indeed, in the Commission's view, without the Customer-ID, the value and usefulness of the CAT would be significantly diminished.

See Identity Theft Resource Center 2018 End of Year Breach Report, pg. 13, https://www.idtheftcenter.org/wp-content/uploads/2019/02/ITRC_2018-End-of-Year-Aftermath_FINAL_V2_combinedWEB.pdf.

The Modified PII Approach removes two additional pieces of sensitive PII—account numbers and dates of birth—both of which can also be used to perpetrate identity theft against retail investors. Reduction of these additional sensitive PII data elements in the CAT is expected to further reduce both the attractiveness of the database as a target for hackers and the impact on retail investors in the event of an incident of unauthorized access and use. However, certain limited retail customer information will remain in the CAT; specifically, name, address, and birth year. Having such customer information remain in the CAT will allow regulators to identify bad actors who are using retail trading accounts to perform illegal activity. Finally, requiring that the birth year of retail investors continue to be reported to the CAT will also permit regulators to use CAT data to protect senior investors and identify other types of fraudulent activity that may target certain age demographics.

Based on the foregoing, the Commission is granting conditional exemptive relief from Section 6.4(d)(ii)(C) and Appendix D, Sections 4.1.6, 6.2, 8.1.1, 8.2, 9.1, 9.2, 9.4, 10.1, and 10.3 of the CAT NMS Plan (1) related to SSNs to allow for the implementation of the CCID Alternative; and (2) related to dates of birth and account numbers to allow for the implementation of the Modified PII Approach.

This order granting Exemptive Relief is conditioned upon the implementation of the CCID Alternative and the Modified PII Approach in a manner consistent with the January 29, 2020 Exemption Request, including each of the representations made and conditions included in the January 29, 2020 Exemption Request with regard to the CCID Alternative and the Modified PII Approach.

This order granting Exemptive Relief also is conditioned upon the following:

(1) The Process described in the January 29, 2020 Exemption Request, Section D.9(5) will support the efficient and accurate conversion of multiple SSNs at the same time into their corresponding CCIDs. The Commission believes this condition is appropriate in order to promote efficiency when a regulator obtains multiple SSNs from other sources;

(2) The Participants shall ensure the timeliness, accuracy, completeness, and integrity of the interim value, and shall ensure the accuracy and overall performance of the CCID Alternative process and the CCID Subsystem to support the creation of a global Customer-ID that uniquely identifies each Customer; and

(3) The Participants must assess the overall performance and design of the CCID Alternative process and the CCID Subsystem as part of each annual Regular Written Assessment of the Plan Processor, as required by Article VI, Section 6.6(b)(i)(A).

Accordingly, it is hereby ordered, pursuant to Section 36 and Rule 608(e) of the Exchange Act, that the Commission grants the Participants' request for exemptive relief, as set forth in the January 29, 2020 Exemption Request, from Section 6.4(d)(ii)(C) and Appendix D, Sections 4.1.6, 6.2, 8.1.1, 8.2, 9.1, 9.2, 9.4, 10.1, and 10.3 of the CAT NMS Plan, subject to the conditions set forth above.

By the Commission.

J. Matthew DeLesDernier,

Assistant Secretary.

[FR Doc. 2020-05935 Filed 3-19-20; 8:45 am]

BILLING CODE 8011-01-P