Wall Street and its allies in the House are trying to kill the Consolidated Audit Trail. The CAT is a supercomputer and a massive database that will allow securities markets regulators to detect market abuses, punish wrongdoers, and better understand how markets work and why they sometimes crash.
Just such a crash happened on May 6, 2010. In a matter of minutes, among other inexplicable events, the stock prices of Accenture, CenterPoint Energy and Exelon dropped to a penny, while those of Apple, HP and Sotheby’s shot up to $100,000. Nearly a trillion dollars was temporarily wiped from investors’ portfolios. A confidence-shattering event that took about 18 minutes to unfold took months for regulators to reconstruct and understand. And there have been several other “flash crashes” since. On Oct. 15, 2014, we saw extreme volatility in Treasury markets, and on Aug. 24, 2014, another market boomerang caused the Dow to fall by more than 1,000 points and recover quickly.
After the 2010 “flash crash,” many in and out of Congress called on the Securities and Exchange Commission to get a better handle on such events and, more importantly, to fulfill its central mandates of protecting investors and maintaining the integrity of the markets. Hearings were held, blame was cast, reports were issued and promises were made. Ultimately, it took six years for the SEC to approve a final rule. The regulation was far from perfect, but it did set in motion the building of CAT.
In January 2017, Thesys Technologies LLC was hired to build and operate the CAT. Today, Thesys has nearly completed the initial build and according to an SEC-approved timeline, exchanges are set to begin reporting data into the CAT by this Nov. 15, and broker-dealers (those who handle investor orders or otherwise trade in stocks and options) will have to begin reporting in the next two years.
But now the industry is using the recent hack of the decades-old SEC computer system EDGAR as an excuse to kill the CAT. The CAT is built according to the highest security standards, and this mission-critical system and database would empower regulators to better protect investors and our markets against crashes and manipulations.
The industry and their lobbyists, who always grumbled about the CAT, are now openly and fiercely fighting against it. They are arguing that the SEC, which is statutorily charged to protect investors and make our securities markets fairer and less prone to manipulation, cannot be trusted with the vital data it needs to conduct audits or monitor the markets, and go after those who manipulate markets or defraud investors.
In meetings with policymakers, industry representatives say that unless and until the securities regulators build an unrealistically impregnable system to house personally identifiable information (PII) that is critical to the workings of the CAT, regulators should not have access to the CAT. In an even more disturbing move, the industry is pushing for legislation that will bar the operator of the CAT from collecting any market data until the SEC builds these hacker-proof systems. That would in effect spell the end of the CAT, since such a delay would render the system obsolete before it is ever turned on. It is worth noting that the industry is loath to impose similarly high IT security standards on itself before collecting PII from clients and investors.
While we too are concerned about the computer hacks and the theft of PII — whether it is stolen from regulators or, as is more often the case, from corporations — we think it is shortsighted and unwise to kill a potentially game-changing tool in the guise of “protecting PII.” If the industry and its allies truly are concerned about PII and market stability (and getting rid of bad actors), they should embrace and advocate for other solutions that give the CAT another life. In short, they should help improve the CAT, not petition Congress effectively to kill it.
One simple solution against PII exposure would be to allow the CAT operator to create a secure, firewalled space within the confines of the CAT system with access to its analytical capabilities and data. This would allow regulators to log into the CAT system, conduct their regulatory business without ever needing to export the data (PII or otherwise) to their in-house system. This way, the regulators won’t need to build an impossibly high wall around the PII data, alleviating the SEC of the need to protect what it doesn’t have in the first place.
Today, our cops on the Wall Street beat still lack the tools to understand market abnormalities and to quickly find and punish manipulators. It took more than five years for the government to find and bring a case against the perpetrator of the May 2010 “flash crash.” Such crashes are sure to happen again, and it should be in the interest of policymakers and enlightened industry members alike to arm regulators with effective tools against such events. Most practitioners in the industry are never going to love the CAT or want it to be effective. They will always think it costs too much and those practitioners who benefit from the opaqueness and the chaotic nature of the markets will always resist any attempts by policymakers to bring transparency and enforce the rule of law. Lawmakers should know better.