Republican lawmakers have reintroduced a bill in the House and Senate to prohibit the Securities and Exchange Commission from requiring personally identifiable information be collected under the reporting requirements for its consolidated audit trail.
The bill, Protecting Investors' Personally Identifiable Information Act, introduced July 11 by Sen. John Kennedy, R-La., Rep. Barry Loudermilk, R-Ga., and various co-sponsors, would allow the SEC to obtain personally identifiable information, or PII, related to investors only by requesting it on a case-by-case basis, according to a news release from Mr. Kennedy. Companies and investors trading on the U.S. stock exchanges would need to fulfill the SEC's request for the information within 24 hours, though smaller brokers may request additional time.
The bill, which the lawmakers first introduced in 2021 during the previous congressional session, would also require the SEC to delete personally identifiable information once the agency resolves the investigation or issue that required that information.
"My bill would make sure that the SEC only houses information it needs, and only while it needs it," Mr. Kennedy said in the news release. "As long as hackers and foreign enemies keep targeting Americans, the government shouldn't endanger their personal information by creating one great, big, centralized target for bad actors."
When fully implemented in 2024 or 2025, the consolidated audit trail will be a single database for all equity and options trades on U.S. exchanges.
Industry groups have raised concern over CAT security for years.
American Securities Association President and CEO Chris Iacovella in a statement welcomed the bill's reintroduction. "The collection of investors' personal and financial information by a government database is unprecedented and poses a dangerous threat to the privacy rights of millions of Americans," he said.
In March 2020, the SEC exempted the self-regulatory organizations made up of exchanges and securities associations from having to collect or retain certain retail customer data, including individual Social Security numbers or individual taxpayer identification numbers, dates of birth and account numbers. Instead, broker-dealers are required to report an account holder's name, address and birth year.
