Last week, several securities industry groups filed critical responses to the SEC’s plan for an audit trail. While most groups that commented on the SEC’s proposed regulation supported implementing the proposal, several had concerns regarding the cost for investors and firms, and the protection of private data.
The SEC audit trail, approved for public comment on April 27, 2016, is a proposed national market system plan to create a single, comprehensive database that would enable regulators to efficiently track all trading activity in the United States equity and options market. When the plan was announced, SEC Chair Mary Jo White commented that the plan “will enable regulators to harness today’s technology to enhance the regulation and oversight of  trading markets” and “will significantly increase the ability of regulators to conduct research, reconstruct market events, monitor market behavior, and identify and investigate misconduct.” The SEC’s proposed audit trail details the methods by which self-regulatory organizations and broker-dealers would record and report information, including the identity of the customer, that would provide a complete lifecycle of all orders and transactions in the U.S. equity and options markets.
Three primary securities industry groups commented last week on this audit trail. The Securities Industry and Financial Markets Association (“SIFMA”) submitted its letter to the SEC on July 18 and was critical of the plan. In particular, SIFMA questioned whether: sufficient justification exists to require broker-dealers to bear any of the financial burden of funding a system that exists to receive and process information that broker-dealers are required to report under SEC regulations; the security and confidentiality of information transmitted to and stored by the system would be adequate; the implementation timeline was appropriate; and, whether the plan could be overseen in a transparent matter. Similarly, the Financial Services Institute critiqued the plan as a potential target for hackers, and requested that the plan be revised to include data breach protocols and a determination on how liability will be determined if a data breach occurs. Lastly, the Financial Services Roundtable also questioned the cybersecurity of the data, and expressed concern over the plan’s cost.
Will the SEC revise its audit trail plan? The SEC has 120 days from July 18 to approve the plan, but it appears that further revisions might be necessary before approval is granted. With several recent cybersecurity threats and hacks, it will be vital that the repository for the audit trail has the highly advanced security measures to protect the markets’ information. It will also be important for the plan to detail who will bear the burden of the costs. The SEC and other regulators should bear some of that burden since it will be a useful tool for them, but the plan fails to delineate such as currently constructed.