SIFMA expressed concern about the scope of personally identifiable information ("PII") to be reported in the Customer and Account Information System ("CAIS") of the Consolidated Audit Trail ("CAT").
In a comment letter to the SEC, SIFMA stated that the CAT system will be an "extremely attractive target" to bad actors, highlighting the SolarWinds hack as one reason for its concern. Accordingly, SIFMA requested that the SEC immediately order a temporary pause to the finalization of the CAIS's technical specifications regarding customer and account reporting so that the SEC can assess whether the proposed PII data requirements are "necessary or appropriate to fulfill the purpose of the CAT."
Additionally, SIFMA asserted that certain proposed information to be collected in the CAIS fields, such as whether a customer is an accredited investor, goes "significantly beyond existing broker-dealer recordkeeping requirements." SIFMA argued that this would be "directly contrary" to the SEC's stated view that the CAT be bound by existing broker-dealer recordkeeping requirements.
Finally, SIFMA noted that the current January 29, 2021 deadline to finalize the CAIS technical specifications is too "compressed" and "aggressive."
Given the success that criminals and non-U.S. governments have had in penetrating the records of the U.S. government, it should be incumbent upon the SEC to explain either why (i) the CAT information cannot be hacked or (ii) the hack of the CAT information would not be significant to the U.S. government, broker-dealers, and investors. If such an explanation is not possible at the current time, it would seem prudent to put the system on hold.
- SIFMA Press Release: SIFMA Asks SEC to Pause Activity in the CAT to Assess Need to Collect Investors' Personally Identifiable information
- SIFMA Comment Letter: Request for a Temporary Pause Related to Further Development and Implementation of the Final Full Customer & Account Information System Specification for the Consolidated Audit Trail
- Reuters Press Release: SolarWinds hackers accessed Microsoft source code, the company says