Eliminating All PII from CAT
Abstract Technology Image

By Robert Cook, President and CEO, FINRA1 

Last month, the SEC issued an exemptive order providing significant relief from the personally identifiable information (PII) reporting requirements of CAT (the Exemptive Order).2 This was an important step towards reducing unnecessary PII risk associated with CAT, and was directionally consistent with a blog I previously wrote calling for CAT to stop collecting and storing investors’ PII. As discussed below, however, the Exemptive Order did not eliminate all PII from CAT. 

CAT LLC has now filed with the SEC a proposal to formally amend CAT in a manner that would build on the objectives underlying the SEC’s Exemptive Order.3 Among other things, this proposal would stop the reporting of all PII to CAT and delete any PII previously reported to CAT. FINRA supports prompt approval of CAT LLC’s proposed amendment.4   

The SEC Exemptive Order

The SEC noted in its Exemptive Order that the evolving data security landscape must be considered when weighing the benefits and risks associated with collecting investors’ PII in CAT. Indeed, in 2020 the SEC responded to this evolving landscape by reducing the scope of investor PII collected by CAT.5 At that time, however, the Commission deemed it appropriate to continue requiring the collection of investors’ names, addresses, and years of birth.

In last month’s Exemptive Order, the SEC revisited the trade-off between regulatory efficiency and data privacy, stating that it “now weighs the benefits of maintaining some of that information in the CAT differently in light of both the heightened security risks posed by the increased sophistication of bad actors and the prospect of relatively efficient indirect access [by regulators] to customer information.”6 The latter point refers to the ability of regulators to utilize existing mechanisms, or to work with the industry to establish new mechanisms, to efficiently obtain information regarding the identity of market participants on an as-needed basis, without collecting and storing in CAT the PII of all investors.7

Based on these considerations, the SEC Exemptive Order permitted market participants to not report to CAT the names, addresses, and years of birth for investors who are U.S. natural persons.

CAT LLC’s Proposal—Finishing the Job on PII

FINRA appreciates the SEC’s willingness to review and update the requirements for CAT. The Exemptive Order will substantially reduce the future PII footprint of CAT.

CAT LLC’s recent proposal would build on the Exemptive Order in a number of important respects:

  • Stop Reporting All Customer-Identifying Information. The Exemptive Order did not address the reporting of a subset of sensitive information regarding certain types of customers—e.g., certain foreign natural persons and legal entities (such as a trust). As with the PII covered by the Exemptive Order, this other information also presents security risks and can be obtained by regulators through alternative means. 

    CAT LLC’s proposal would cover the reporting of all customer-identifying information to CAT. 

  • Make It Mandatory, Not Permissive. The Exemptive Order appears to be permissive, not mandatory, meaning that industry members may choose whether to continue reporting the relevant PII to CAT, and as a result CAT must continue to be prepared to accept that information.

    CAT LLC’s proposal would stop the reporting of PII to CAT by all market participants.

  • Delete Previously Collected PII. The Exemptive Order addresses the reporting of certain PII to CAT on a going-forward basis. It does not address the existing footprint of PII reported to and stored by CAT since 2022. Due to regulatory record-keeping requirements, CAT currently must maintain this information. But the rationale for stopping the future reporting of PII applies equally to previously collected PII.

    CAT LLC’s proposal would delete previously reported PII from CAT.

  • Reduce Costs. Because the Exemptive Order (1) did not cover all customer-identifying information, and (2) appears to be permissive (requiring CAT to maintain the capability to accept customer-identifying information), it will not by itself result in cost savings for CAT. 

    CAT LLC’s proposal would provide significant cost savings—estimated by CAT LLC to be up to $12 million per year. Viewed from a cost-benefit perspective, these cost savings further support approval of CAT LLC’s proposal.

CAT LLC’s proposal builds on the SEC’s Exemptive Order and further reduces the risks and costs associated with CAT. At the same time, the proposed modifications would preserve the core regulatory objectives of CAT, including providing regulators with the data they need to conduct ongoing and robust oversight of the markets and ensure they operate with integrity.8

FINRA supports approval of CAT LLC’s proposal and is committed to continuing to work with the SEC, the SROs and member firms to identify further opportunities to improve CAT.

1 FINRA is a private not-for-profit membership organization dedicated to investor protection and market integrity. It is registered with the SEC as a national securities association, and as such is responsible for monitoring the securities trading activities of its member broker-dealers, regardless of where that trading occurs. FINRA does not operate an exchange or other platform for executing securities trades.

The Consolidated Audit Trail, or CAT, is an SEC-mandated reporting system that collects data regarding trading in the U.S. equities and options markets. FINRA does not speak on behalf of the SEC, any of the securities exchanges, or the Consolidated Audit Trail, LLC (CAT LLC), which operates CAT in accordance with SEC rules. Pursuant to a contract with CAT LLC, FINRA’s subsidiary (FINRA CAT, LLC) built and operates CAT. CAT LLC is jointly owned and governed by the 25 securities exchanges and FINRA (each a self-regulatory organization, or SRO). FINRA has 1/26 of the voting interest in CAT LLC.

2 See SEC Release No. 34-102386 (Feb. 10, 2025). 

3 See SEC Release No. 34-102665 (Mar. 13, 2025). 

4 As noted in my January blog, FINRA also supports a more comprehensive review of CAT that takes into consideration the lessons learned since the system was first mandated by the SEC.

5 In 2020, the SEC allowed the SROs to exclude from the CAT customer database specified sensitive information that was originally required to be reported, such as each individual account holder’s Social Security number, account number, and date of birth. See SEC Release No. 34-88393 (Mar. 17, 2020).

6 See page 8 of the Exemptive Order.

7 Examples of these mechanisms for identifying parties responsible for problematic trading activity, including request-response systems, are discussed in my January blog and in the SEC’s Exemptive Order.

8 As discussed in my earlier blog, CAT consists of a transaction database and a customer database. The transaction database serves important market oversight objectives and does not include any PII. The SEC Exemptive Order and CAT LLC’s proposal would not impact the transaction database and would preserve the ability of regulators to determine whether trading spread across multiple accounts and broker-dealers is being conducted by the same party (although CAT data would not identify that party).