SEC, CFTC program delays seen as likely due to EDGAR breach
The potential delay in launching the SEC's consolidated audit trail on equity and options trades because of cybersecurity concerns could stall another regulatory data collection initiative — the CFTC's registry of algorithmic trading codes, sources said.
The CAT delay, in particular, is tied to concerns about the 2016 attack on the Securities and Exchange Commission's EDGAR corporate filing system.
SEC Chairman Jay Clayton said in testimony before the House Committee on Financial Services Oct. 4 that so far the Nov. 15 start date for CAT, which will track the lifecycle of all equity and options trades and identify all trade participants, has not changed. But he also doesn't want to collect too much information.
"The questions I've been asking are: 'What information are we taking in, do we need it, and can we protect it?' I don't want information unless we need it," Mr. Clayton said.
Mr. Clayton said the SEC "won't take" CAT live until those questions are answered. Rep. Jeb Hensarling, R-Texas, the House committee chairman, said he supported a delay.
"I understand what (Mr.) Clayton is doing and probably would do the same thing," said David Weisberger, head of equities at ViableMkts, a trading technology and market structure advisory firm in New York. "The cybersecurity issue is real, since the CAT data is important and could be market moving." Mr. Weisberger said with the SEC, the Financial Industry Regulatory Authority and other self-regulatory organizations such as exchanges having access to the data, "the risk of a hack grows dramatically."
A similar delay could affect Regulation Automated Trading at the Commodity Futures Trading Commission, which is slated to begin later this year but already has an opponent in newly confirmed Commissioner Brian Quintenz, who said in a prepared statement at an Oct. 4 conference that "the prior administration's massively overreaching and highly concerning 'source code repository' proposal is D-E-A-D."
"Certainly the CFTC has expressed concern about the issue of cybersecurity," said Willa Cohen Bruckner, partner, financial services, at the law firm of Alston & Bird LLP, New York. "Some of these issues, like exchanges and the cybersecurity of data, they care about. Postponement (of Reg AT) is certainly a possibility. Can we tell if the delay is because of cybersecurity concerns? Who knows where Reg AT is?"
Ms. Bruckner said if the SEC decides to hold off on implementing the CAT, it could force the CFTC's hand even further. "If the SEC says it will rethink implementing CAT because of cybersecurity concerns, if the CFTC has similar concerns but doesn't say anything, people will wonder why they didn't," Ms. Bruckner said. "Cybersecurity should be on all their minds."
Mr. Weisberger said there are parallels between CAT and Reg AT. "Because of CAT's granular data, it's similar to the issue with the CFTC's original proposal to require source code," Mr. Weisberger said. "While the source code is more direct, the CAT data makes it possible to reverse engineer the code, which is critically important to the firms that create it."
One issue with Reg AT beyond cybersecurity, Mr. Weisberger said, is whether anyone at the CFTC will understand how the codes work. "With Reg AT, the only people qualified to look at code are employed by the firms who make this code, meaning that it has no value to the regulators except when they already suspect a particular behavior," he said.
Rather than going fully ahead with CAT, Mr. Weisberger thinks consideration should be given to enhancing the current FINRA Order Audit Trail System by adding proprietary trading strategies and order routing for options to its current capability to view a trade's lifecycle. That way, the order audit system will perform the same function as CAT with less risk, he said.
"OATS doesn't require information about the end customer directly," Mr. Weisberger said. "With CAT, you'll know the actual customer and, if it was compromised, hackers could learn about strategic investments or when high-profile investors acquire or sell positions in real time. It's extremely sensitive market information and there are clearly risks, however well the system is built, since the users of the system could provide access unwittingly. There is an argument that a breach of the CAT could be used to discover non-public information that's market-moving and information that could be used to manipulate the market."
'Other side of the argument'
Not all are calling for either agency to delay implementation of the two data registries. "It's the other side of the argument," said Joseph Saluzzi, partner, co-founder and co-head of equity trading at brokerage Themis Trading LLC, Chatham Township, N.J. "Why is everyone afraid of regulation? Critics are hiding behind the fact they are worried about getting their code stolen, but they change their algorithmic code every few weeks. That's a ... story. (Mr.) Quintenz fell for it."
Mr. Saluzzi said the concerns over the data collection are easy to mollify. "This is what the opponents of Reg AT, CAT do," Mr. Saluzzi said. "When it comes to the CAT, the worry about the use of Social Security numbers, that could be solved fairly easily" through the use of participant identifiers as opposed to more common personal identification.
The Sept. 8 announcement that millions of consumers' personal information could have been compromised through a cyberattack on credit reporting agency Equifax Inc. — an attack cited by Mr. Hensarling in his concern over proceeding with the CAT — "was a gift" to those opposed to CAT and Reg AT.
"I don't buy the argument that they're afraid of losing data," Mr. Saluzzi said. "They're more afraid of someone finding out they're doing something wrong. There are simple solutions they can do. But you have to give regulators the tools to manage market structure. This all came about through the fragmentation of Regulation (National Market System). NMS shattered the glass; now they have to regulate each piece of glass."
The idea for a consolidated audit trail came about seven years ago, Mr. Saluzzi said, and for those who want Mr. Clayton to hold off on instating it because of cybersecurity concerns, "only now do they figure out this would be a problem? I blame the SEC for this. They need to know who's trading. The whole point of the consolidated audit trail is so that, when something goes wrong with trades, regulators can find out what's wrong and solve it."