The SEC Is Starting a Massive Database of Every Stock Trade
Brokers will have to report every trade and the trader’s personal information.
What little financial privacy you have when trading stocks is about to get even smaller next month. When you make a stock trade, your broker already is required by the Bank Secrecy Act to maintain records of it, monitor your trading activity, and report any suspicion of illegal activity to the federal government. But, starting in March, your broker will be required to directly report all of your trades, including your personal information, to a massive government database. If the Bank Secrecy Act concerns you—and even if it doesn't—just wait until you hear about the Consolidated Audit Trail (CAT).
The Consolidated Audit Trail is intended to collect and accurately identify every order, cancellation, modification, and trade execution for all exchange-listed equities and options across all U.S. markets, allowing the Securities and Exchange Commission (SEC) to track orders and identify who made them.
The SEC ordered the CAT to be created in 2012 after regulators had difficulty identifying the causes of the 2010 "flash crash." At the time, then-SEC Chair Mary Schapiro described the CAT as providing regulators with the "data and means to exponentially enhance [their] abilities to oversee a highly complex market structure." And in years since, the CAT has been championed as necessary for the SEC's enforcement efforts.
The CAT began collecting trading data in 2020, after years of development replete with challenges and controversies. It is scheduled to begin collecting customer information on March 17, 2023. Although the SEC has limited the scope of customer information to be collected—initial plans called for Social Security numbers, dates of birth, and account numbers—brokers must still provide customer names, addresses, and birth years which allows for easy identification of individual investors.
This massive surveillance database is a financial privacy nightmare.
Most of the criticism leveled at the CAT has focused on data security. The CAT will absorb information about tens of billions of trades daily, making it quite possibly the largest database in the world. Its sheer size will be an invitation for criminals, who then-SEC Chair Jay Clayton recognized in 2017 "could potentially obtain, expose and profit from the trading activity and personally identifiable information of investors."
The government is hardly immune from hacking; indeed, the SEC itself was hacked in 2016. Thousands of users (not just at the SEC) will have access to the CAT, with vague standards guiding their use of the data accessed, creating even more security gaps. And while the SEC proposed a rule to address some data security concerns in 2020, the agency has taken no action to finalize that rule or anything similar (despite a flurry of other rule making).
But these criticisms seem to assume that if the government had good enough data security, this type of intrusion into Americans' financial privacy would be acceptable. That's simply not the case. Personal and financial privacy are key components of life in free societies, where individuals enjoy a private sphere free of government involvement, surveillance, and control. As SEC Commissioner Hester Peirce recognized:
Our purchases and sales of securities, particularly when aggregated together as the CAT would do, are a rich form of value expression. They might express a view of how markets work, a determination on the efficiency of markets, expectations about the future, or even a moral philosophy.
Trading is thus an expressive activity, and the CAT raises the same types of civil liberties concerns as any other mass surveillance program. It doesn't matter if the SEC has good intentions, seeking only to use the CAT to understand our markets better and to enforce existing laws. Financial privacy is vital because it can be the difference between survival and oppression for those who hold disfavored views.
In this way, the CAT burdens not only Americans' First Amendment rights of speech and expression but also their rights under the Fourth Amendment to be free from unreasonable government searches and seizures. Although a 1976 Supreme Court case about the Bank Secrecy Act found that information shared with a third party—there, the bank—is not protected by the Fourth Amendment, that doctrine is ripe for revisiting given the ubiquitous role of intermediaries in modern life. But even if the CAT's surveillance isn't constitutionally deficient, its data collection is troubling and should be treated no differently than other areas of American life where people reject broad-based surveillance of their activity.
This is especially true where the benefit of surveillance seems marginal. The SEC isn't without the ability to analyze trading information absent the CAT, although it's understandably tempting for the agency to want to see every trade in close to real time. Some have suggested alternatives to prohibit personal information from the database, leaving the SEC to make case-by-case requests of brokers when warranted. This is the minimum the agency could do to protect customer privacy (especially where the SEC is touting enforcement cases brought with CAT data prior to including personal information). But such solutions leave the surveillance machinery in place; Commissioner Peirce's suggestions of a more limited database focused on institutional investor trading or improvements to already existing systems are better choices to protect the privacy of individual investors.
The CAT threatens American investors' privacy. Knowing that the SEC is watching your every trade is too great a cost for easier SEC enforcement. Despite the years of planning and expenses already incurred, the SEC should put the CAT back in the bag—or let it out only when declawed—to protect the liberties of American investors.
