Federal & State Lawfederalstatelaw.com
Home/Federal/Federal Register/2025-02620
Notice2025-02620

Order Granting Exemptive Relief, Pursuant to Section 36(a)(1) and Rule 608(e) of the Securities Exchange Act of 1934, From Certain Provisions of Section 6.4(d)(ii)(C) and Appendix D, Sections 9.1, 9.2 and 9.4 of the National Market System Plan Governing the Consolidated Audit Trail

Primary source

Metadata and text below are from the Federal Register, a public-domain U.S. government work. Always verify the official published version before relying on it for any legal matter.

Published
February 14, 2025

Issuing agencies

Securities and Exchange Commission

Full Text

<html>
<head>
<title>Federal Register, Volume 90 Issue 30 (Friday, February 14, 2025)</title>
</head>
<body><pre>
[Federal Register Volume 90, Number 30 (Friday, February 14, 2025)]
[Notices]
[Pages 9642-9646]
From the Federal Register Online via the Government Publishing Office [<a href="http://www.gpo.gov">www.gpo.gov</a>]
[FR Doc No: 2025-02620]


=======================================================================
-----------------------------------------------------------------------

SECURITIES AND EXCHANGE COMMISSION

[Release No. 34-102386; File No. 4-698]


Order Granting Exemptive Relief, Pursuant to Section 36(a)(1) and 
Rule 608(e) of the Securities Exchange Act of 1934, From Certain 
Provisions of Section 6.4(d)(ii)(C) and Appendix D, Sections 9.1, 9.2 
and 9.4 of the National Market System Plan Governing the Consolidated 
Audit Trail

February 10, 2025.

I. Introduction

    On July 18, 2012, the Securities and Exchange Commission (the 
``Commission'' or the ``SEC'') adopted Rule 613 of Regulation NMS, 
which required national securities exchanges and national securities 
associations (the ``Participants'') \1\ to jointly develop and submit 
to the Commission a national market system plan to create, implement, 
and maintain a consolidated audit trail (the ``CAT'').\2\ The goal of 
Rule 613 was to create a modernized audit trail system that would 
provide regulators with timely access to a comprehensive set of trading 
data, thus enabling regulators to more efficiently and effectively 
analyze and reconstruct market events, monitor market behavior, conduct 
market analysis to support regulatory decisions, and perform 
surveillance, investigation, and enforcement activities. On November 
15, 2016, the Commission approved the national market system plan 
required by Rule 613 (the ``CAT NMS Plan'').\3\
---------------------------------------------------------------------------

    \1\ The Participants include BOX Exchange LLC, Cboe BYX 
Exchange, Inc., Cboe BZX Exchange, Inc., Cboe C2 Exchange, Inc., 
Cboe EDGA Exchange, Inc., Cboe EDGX Exchange, Inc., Cboe Exchange, 
Inc., Financial Industry Regulatory Authority, Inc., Investors' 
Exchange LLC, Long-Term Stock Exchange, Inc., MEMX LLC, Miami 
International Securities Exchange LLC, MIAX Emerald, LLC, MIAX 
PEARL, LLC, MIAX Sapphire, LLC, Nasdaq BX, Inc., Nasdaq GEMX, LLC, 
Nasdaq ISE, LLC, Nasdaq MRX, LLC, Nasdaq PHLX LLC, The Nasdaq Stock 
Market LLC, New York Stock Exchange LLC, NYSE American LLC, NYSE 
Arca, Inc., NYSE Chicago, Inc., and NYSE National, Inc.
    \2\ See Securities Exchange Act Release No. 67457 (July 18, 
2012), 77 FR 45722 (Aug. 1, 2012) (``Rule 613 Adopting Release''); 
17 CFR 242.613.
    \3\ The CAT NMS Plan is a national market system plan approved 
by the Commission pursuant to Section 11A of the Securities Exchange 
Act of 1934 (``Exchange Act'') and the rules and regulations 
thereunder. See Securities Exchange Act Release No. 79318 (Nov. 15, 
2016), 81 FR 84696 (Nov. 23, 2016) (``CAT NMS Plan Approval 
Order''). The CAT NMS Plan is Exhibit A to the CAT NMS Plan Approval 
Order. See CAT NMS Plan Approval Order, 81 FR at 84943-85034. The 
CAT NMS Plan functions as the limited liability company agreement of 
the jointly owned limited liability company formed under Delaware 
state law through which the Participants conduct the activities of 
the CAT (``Company''). Each Participant is a member of the Company 
and jointly owns the Company on an equal basis. The Participants 
submitted to the Commission a proposed amendment to the CAT NMS Plan 
on August 29, 2019, which they designated as effective on filing. On 
August 29, 2019, the Participants replaced the CAT NMS Plan in its 
entirety with the limited liability company agreement of a new 
limited liability company, CAT LLC, which became the Company. See 
Securities Exchange Act Release No. 87149 (Sept. 27, 2019), 84 FR 
52905 (Oct. 3, 2019). The latest version of the CAT NMS Plan is 
available at <a href="https://catnmsplan.com/about-cat/cat-nms-plan">https://catnmsplan.com/about-cat/cat-nms-plan</a>. Unless 
otherwise defined herein, capitalized terms used herein are defined 
as set forth in the CAT NMS Plan.
---------------------------------------------------------------------------

    On March 20, 2020, the Commission granted exemptive relief from the 
requirement to report certain customer identifying information 
(individual tax payer identification numbers (``ITINs'')/social 
security numbers (``SSNs''), dates of birth, and account numbers) 
conditioned on the implementation of an alternative method of 
generating unique customer identifiers through transformed SSNs.\4\ The 
creation of

[[Page 9643]]

CCIDs \5\ using the transformed SSNs/ITINs has since proven to be an 
effective means of uniquely and consistently identifying customers. And 
balancing the various considerations, the benefits of continuing to 
collect the names, addresses, and years of birth of natural persons 
with SSNs/ITINs no longer justify the associated risks. Accordingly, 
the Commission grants exemptive relief from certain sections of the CAT 
NMS Plan relating to the reporting of names, addresses, and years of 
birth of natural persons reported with transformed SSNs or ITINs. 
Consistent with the PII Exemption Order, the Participants must continue 
to require Industry Members, through their CAT Compliance Rules,\6\ to 
report to the Central Repository other required information, including 
a transformed value for the SSN/ITIN and the Firm Designated ID 
(``FDID'') for accounts for such natural persons.
---------------------------------------------------------------------------

    \4\ See Securities Exchange Act Release No. 88393 (March 17, 
2020), 85 FR 16152 (March 20, 2020) (the ``PII Exemption Order'').
    \5\ The term ``CCID'' has been used interchangeably with ``CAT 
Customer-ID.'' See PII Exemption Order, supra note 4 at 16152. The 
term ``CCID'' and ``CAT Customer-ID'' means the ``Customer-ID'' 
under the CAT NMS Plan. The ``Customer-ID'' means ``with respect to 
a customer, a code that uniquely and consistently identifies such 
customer for purposes of providing data to the central repository.'' 
See CAT NMS Plan, supra note 3 at Article I, Section 1.1, referring 
to Rule 613(j)(5). 17 CFR 242.613(j)(5).
    \6\ See CAT NMS Plan, supra note 3 at Section 1.1. ``Compliance 
Rule'' means, with respect to a Participant, the rule(s) promulgated 
by such Participant as contemplated by Section 3.11 of the CAT NMS 
Plan.
---------------------------------------------------------------------------

II. Background

A. Customer Information Approach

    The CAT NMS Plan originally adopted the ``Customer Information 
Approach.'' \7\ The Customer Information Approach requires each 
Industry Member to assign a unique FDID to each customer account.\8\ 
Under the CAT NMS Plan, a FDID is a unique and persistent identifier 
for each trading account designated by Industry Members for purposes of 
providing data to the Central Repository.\9\ According to the CAT NMS 
Plan, Industry Members must submit an initial set of Customer \10\ 
information to the Central Repository, including, as applicable, the 
FDID, the Customer's name, address, date of birth, ITIN/SSN, 
individual's role in the account (e.g., primary holder, joint holder, 
guardian, trustee, person with power of attorney) and Legal Entity 
Identifier (``LEI''), and/or Large Trader ID (``LTID''), if applicable, 
which would be updated as set forth in the CAT NMS Plan.\11\
---------------------------------------------------------------------------

    \7\ See CAT NMS Plan, supra note 3.
    \8\ See id. at Appendix C, Section A.1(a)(iii).
    \9\ See id. at Section 1.1. The FDID may not be the account 
number for a trading account if the trading account is not a 
proprietary account.
    \10\ A ``Customer'' means ``the account holder(s) of the account 
at a registered broker-dealer originating the order; and any person 
from whom the broker-dealer is authorized to accept trading 
instructions for such account, if different from the account 
holder(s). See id.
    \11\ Id. at Appendix C, Section A.1(a)(iii). To ensure 
information identifying a Customer is updated, broker-dealers are 
required to submit to the Central Repository daily updates for 
reactivated accounts, newly established or revised FDIDs, or 
associated reportable Customer information. The Plan Processor also 
must design and implement a robust data validation process for 
submitted FDIDs, Customer Account Information and Customer 
Identifying Information, and be able to link accounts that move from 
one CAT Reporter to another due to mergers and acquisitions, 
divestitures, and other events. Broker-dealers must initially submit 
full account lists for all active accounts to the Plan Processor and 
subsequently submit updates and changes on a daily basis. Finally, 
the Plan Processor must have a process to periodically receive full 
account lists to ensure the completeness and accuracy of the account 
database. CAT NMS Plan, supra note 3, at Appendix C, Section 
A.1(a)(iii) n.33.
---------------------------------------------------------------------------

    Under the CAT NMS Plan, for each new order submitted to the CAT 
Central Repository, broker-dealers are required to report the FDID for 
such new order, and the Plan Processor \12\ must associate specific 
Customers and their Customer-IDs with individual order events based on 
the reported FDIDs.\13\ Within the Central Repository, each Customer 
would be uniquely identified by identifiers or a combination of 
identifiers such as an ITIN/SSN, date of birth, and, as applicable, LEI 
and LTID.\14\ The Plan Processor is required to use these unique 
identifiers to map orders to specific Customers across all broker-
dealers.\15\
---------------------------------------------------------------------------

    \12\ ``Plan Processor'' means ``the Initial Plan Processor or 
any other Person selected by the Operating Committee pursuant to SEC 
Rule 613 and Sections 4.3(b)(i) and 6.1, and with regard to the 
Initial Plan Processor, the Selection Plan, to perform the CAT 
processing functions required by SEC Rule 613 and set forth in this 
Agreement.'' CAT NMS Plan, supra note 3, at Article I, Section 1.1.
    \13\ CAT NMS Plan, supra note 3, at Appendix C, Section 
A.1(a)(iii). The CAT NMS Plan also requires Industry Members to 
report ``Customer Account Information'' upon the original receipt of 
origination of an order. Id. at Sections 1.1, 6.4(d)(ii)(C).
    \14\ Id. at Appendix C, Section A.1(a)(iii).
    \15\ Id.
---------------------------------------------------------------------------

    Appendix C provides additional requirements that the Plan Processor 
must meet under the Customer Information Approach.\16\ Among other 
things, the Plan Processor must maintain information of sufficient 
detail to uniquely and consistently identify each Customer across all 
CAT Reporters, and associated accounts from each CAT Reporter, and must 
document and publish, with the approval of the Operating Committee, the 
minimum list of attributes to be captured to maintain this 
association.\17\ In addition, the Plan Processor must maintain valid 
Customer and Customer Account Information \18\ for each trading day and 
provide a method for Participants and the Commission to easily obtain 
historical changes to that information (e.g., name changes, address 
changes).\19\
---------------------------------------------------------------------------

    \16\ CAT NMS Plan, supra note 3 at Appendix C, Section 
A.1(a)(iii).
    \17\ Id. at Section 9.1 of Appendix D, which also addresses, 
among other things, the minimum attributes that CAT must capture for 
Customers and the validation process for such attributes.
    \18\ Id. at Appendix D, Section 9.1. In relevant part, 
``Customer Account Information'' is defined in the Plan to include, 
but not be limited to, account number, account type, customer type, 
date account opened, and large trader identifier (if applicable). 
Id. at Section 1.1.
    \19\ Id. at Appendix C, Section A.1(a)(iii).
---------------------------------------------------------------------------

B. PII Exemption Order

    In light of the concerns raised by market participants, industry 
representatives and the Participants \20\ about the importance of only 
requiring the necessary Customer Identifying Information \21\ and 
Customer Account Information sufficient to achieve regulatory 
objectives, the Commission granted exemptive relief \22\ to, among 
other things, permit the Participants to no longer mandate Industry 
Members to report SSN(s)/ITIN(s), dates of birth and account numbers 
for natural person Customers, provided that Industry Members report the 
year of birth for natural person Customers to the CAT.\23\
---------------------------------------------------------------------------

    \20\ See letter from the Participants, dated January 29, 2020 
available at <a href="https://www.catnmsplan.com/sites/default/files/2020-02/Amended-Exemptive-Request-CCID-and-Modified-PII-Approaches%28Final%29.pdf">https://www.catnmsplan.com/sites/default/files/2020-02/Amended-Exemptive-Request-CCID-and-Modified-PII-Approaches%28Final%29.pdf</a>, requesting exemptive relief from certain 
PII reporting requirements and suggesting the modified PII approach.
    \21\ ``Customer Identifying Information'' means information of 
sufficient detail to identify a Customer, including, but not limited 
to, (a) with respect to individuals: name, address, date of birth, 
ITIN/SSN, individual's role in the account (e.g., primary holder, 
joint holder, guardian, trustee, person with the power of attorney); 
and (b) with respect to legal entities: name, address, EIN/LEI or 
other comparable common entity identifier, if applicable; provided, 
however, that an Industry Member that has an LEI for a Customer must 
submit the Customer's LEI in addition to other information of 
sufficient detail to identify a Customer. See CAT NMS Plan supra 
note 3, at Section 1.1.
    \22\ See PII Exemption Order, supra note 4.
    \23\ Id. at 16154.
---------------------------------------------------------------------------

    The PII Exemption Order also permitted the Participants to 
implement the CCID Alternative.\24\ Under the CCID Alternative, the 
Plan Processor generates a unique CCID using a two-phase transformation 
process that avoids having SSNs/ITINs reported to or stored in the 
CAT.\25\ In the first transformation phase, a CAT Reporter \26\

[[Page 9644]]

transforms the SSN/ITIN into an interim transformed value.\27\ This 
transformed value, and not the SSN/ITIN, is submitted to a separate 
system within the CAT (``CCID Subsystem'').\28\ The transformed value 
is sent to the CAT ``separate and apart from the other customer and 
account information.'' \29\ The CCID Subsystem then performs a second 
transformation to create the globally unique CCID for each Customer 
that is unknown to, and not shared with, the original CAT Reporter.\30\ 
The CCID is then sent to the customer and account information system 
(``CAIS'') of the CAT, where it is linked with the other customer and 
account information.\31\ The CCID may then be used by the Participants' 
regulatory staff and the SEC in queries and analysis of CAT Data.\32\
---------------------------------------------------------------------------

    \24\ Id. at 16152.
    \25\ Id.
    \26\ ``CAT Reporter'' means ``each national securities exchange, 
national securities association and Industry Member that is required 
to record and report information to the Central Repository pursuant 
to SEC Rule 613(c).'' See CAT NMS Plan, Article I, Section 1.1. Only 
Industry Members would be reporting an interim value.
    \27\ PII Exemption Order, supra note 4 at 16152.
    \28\ Id. at 16153.
    \29\ Id.
    \30\ Id.
    \31\ PII Exemption Order, supra note 4 at 16153.
    \32\ Id.
---------------------------------------------------------------------------

III. Discussion and Exemptive Relief

    Under the PII Exemption Order, the Commission issued relief that 
exempts the Participants from collecting or retaining an individual's 
SSN or ITIN--``the most sensitive piece of PII'' \33\--as well as date 
of birth and account numbers. When granting the relief, the Commission 
stated that it believed that limiting the amount of personally 
identifiable information (``PII'') to the type of information that 
could be found in a phone-book would still allow regulators to 
efficiently identify those who are using trading accounts to perform 
illegal activity. Since the issuance of the PII Exemption Order, market 
participants, industry representatives and members of Congress have 
continued to express concerns about the PII collected by the CAT.\34\ 
Given the increasing sophistication of bad actors, including the risk 
that a ``cybercriminal with knowledge of a person's name, address, and 
recent trades could impersonate a customer or broker-dealer and gain 
access to a customer's account,'' \35\ the Commission is committed to 
ensuring that it continues to strike an appropriate balance between the 
ability of regulators to efficiently identify market participants 
engaged in illegal trading activity and mitigating the risk of breaches 
to individual investors' PII in the CAT.
---------------------------------------------------------------------------

    \33\ Id. at 16156.
    \34\ See, e.g., Letter from Christopher A. Iacovella, Chief 
Executive Officer, American Securities Association, dated November 
30, 2020 (the ``ASA Letter''), at 2, available at <a href="https://www.sec.gov/comments/s7-10-20/s71020-8065865-225955.pdf">https://www.sec.gov/comments/s7-10-20/s71020-8065865-225955.pdf</a>; Letter from 
Senator John Kennedy, Senator Cindy Hyde-Smith, Senator Jerry Moran, 
and Senator John Boozman, dated June 16, 2022, available at <a href="https://www.sec.gov/comments/s7-10-20/s71020-20138074-308285.pdf">https://www.sec.gov/comments/s7-10-20/s71020-20138074-308285.pdf</a>.
    \35\ See ASA Letter at 10.
---------------------------------------------------------------------------

    The Commission recognized the risks associated with a security 
breach when it acknowledged, in the CAT NMS Plan Approval Order, that 
``because some of the CAT Data stored in the Central Repository will 
contain PII such as names, [and] addresses . . . a security breach 
could raise the possibility of identity theft. . .'' \36\ When the 
Commission approved the CAT NMS Plan, the Commission stated that it 
believed ``certain provisions of Rule 613 and the CAT NMS Plan appear 
reasonably designed to mitigate these risks.'' \37\ The provisions 
designed to mitigate the risks of a security breach of PII data 
included the governance provisions of the CAT NMS Plan,\38\ specific 
provisions designed to ensure the security and encryption of data being 
transmitted to and extracted from the CAT,\39\ provisions requiring 
that ``the Participants establish, maintain, and enforce written 
policies and procedures reasonably designed to (1) ensure the 
confidentiality of the CAT Data obtained from the Central Repository; 
and (2) limit the use of the CAT Data obtained from the Central 
Repository solely for surveillance and regulatory purposes,'' \40\ and 
provisions requiring regulators to mask PII data to all except 
authorized users who must obtain permission and complete additional 
authentications to view the data.\41\ Further, the Commission required 
that PII data be stored separately from transaction data.\42\ The 
Commission recognizes that ``the most secure approach to addressing any 
piece of sensitive retail [data] would be to eliminate its collection 
altogether.'' \43\ These concerns should be balanced against the 
regulatory benefits of having customer information readily available in 
order to allow regulators to promptly and efficiently investigate 
potential misconduct.\44\
---------------------------------------------------------------------------

    \36\ See CAT NMS Plan Approval Order at 84874.
    \37\ Id. at 84875.
    \38\ Id.
    \39\ Id.
    \40\ Id.
    \41\ Id.
    \42\ Id. at 84908.
    \43\ See PII Exemption Order, supra note 4 at 16156.
    \44\ See id.
---------------------------------------------------------------------------

    As the Commission has recognized, customer name, address, and birth 
year are important CAT data points for regulators.\45\ But the 
Commission now weighs the benefits of maintaining some of that 
information in the CAT differently in light of both the heightened 
security risks posed by the increased sophistication of bad actors and 
the prospect of relatively efficient indirect access to customer 
information. The Commission recognizes the risks identified by market 
participants, industry representatives and members of Congress as 
described above.\46\ Indeed, when the Commission adopted amendments to 
Regulation S-P, the Commission acknowledged the increased 
sophistication of cybercriminals and bad actors.\47\
---------------------------------------------------------------------------

    \45\ See PII Exemption Order, supra note 4 (explaining CAT 
regulatory uses for customer name, address, and birth year).
    \46\ See text accompanying notes 34-35.
    \47\ See Securities Exchange Act Release No. 100155 (May 16, 
2024), 89 FR 47688 (June 3, 2024) (citing, Federal Bureau of 
Investigation, 2022 internet Crime Report (Mar. 27, 2023), at 7-8, 
available at: <a href="https://www.ic3.gov/Media/PDF/AnnualReport/2022_IC3Report.pdf">https://www.ic3.gov/Media/PDF/AnnualReport/2022_IC3Report.pdf</a> (stating that the FBI's internet Crime Complaint 
Center received 800,944 complaints in 2022 (an increase from 351,937 
complaints in 2018). The complaints included 58,859 related to 
personal data breaches (an increase from 50,642 breaches in 2018)); 
the Financial Industry Regulatory Authority (``FINRA''), 2022 Report 
on FINRA's Examination and Risk Monitoring Program: Cybersecurity 
and Technology Governance (Feb. 2022), available at: <a href="https://www.finra.org/rules-guidance/guidance/reports/2022-finras-examination-and-risk-monitoringprogram">https://www.finra.org/rules-guidance/guidance/reports/2022-finras-examination-and-risk-monitoringprogram</a> (noting increased number and 
sophistication of cybersecurity attacks and reminding firms of their 
obligations to oversee, monitor, and supervise cybersecurity 
programs and controls of third-party vendors); Office of Compliance 
Inspections and Examinations (now the Division of Examinations) 
(``EXAMS''), Risk Alert, Cybersecurity: Safeguarding Client Accounts 
against Credential Compromise (Sept. 15, 2020), available at <a href="https://www.sec.gov/files/Risk%20Alert%20">https://www.sec.gov/files/Risk%20Alert%20</a>)-%20Credential%20Compromise.pdf 
(describing increasingly sophisticated methods used by attackers to 
gain access to customer accounts and firm systems)). This Risk 
Alert, and any other Commission staff statements represent the views 
of the staff. They are not a rule, regulation, or statement of the 
Commission. Furthermore, the Commission has neither approved nor 
disapproved their content. These staff statements, like all staff 
statements, have no legal force or effect. They do not alter or 
amend applicable law; and they create no new or additional 
obligations for any person.
---------------------------------------------------------------------------

    In light of these risks and the increasing sophistication of 
cybercriminals and bad actors, it is appropriate to grant this 
exemption so that the CAT no longer would be required to collect names, 
addresses and years of birth for natural persons with transformed SSNs 
or ITINs. The Commission's decision to grant this exemption takes into 
account the trade-off between the protection of individual investors' 
PII and regulatory efficiency, achieved by exempting additional PII 
from the CAT. Specifically, the regulatory benefit of collecting the

[[Page 9645]]

names, addresses and years of birth for natural persons reported with 
transformed SSNs no longer justifies the associated risks. Even if the 
CAT no longer collects the names, addresses and years of birth for 
these individuals, broker-dealers would still be required to transform 
SSNs into interim values and report those transformed values to the 
CCID Subsystem for each order, such that the system of generating 
reliable CCIDs will not be impacted.\48\ If a regulator needs to 
determine the identity of the individual behind a particular CCID, the 
regulator would be able to use one or more of the FDIDs associated with 
the CCID and contact the broker-dealer(s) who reported the FDID(s) and 
request the name, address and/or year of birth for the individual 
Customer.\49\ Given the increased technological advancements over the 
past few years, the Commission believes that it is reasonable to expect 
that the process for requesting names, and/or years of birth from 
broker-dealers will be more efficient than it would have been a few 
years ago.
---------------------------------------------------------------------------

    \48\ The Commission stated, in approving the CAT NMS Plan, the 
importance of the Customer-ID approach, as it ``constitutes a 
significant improvement relative to the Baseline because it would 
consistently identify the Customer responsible for market activity, 
obviating the need for regulators to collect and reconcile Customer 
Identifying Information from multiple broker-dealers.'' See CAT NMS 
Plan Approval Order at 84827.This Order preserves this benefit of 
the CCID, thereby preserving one of the critical innovations of the 
CAT, the ability to track one Customer's market activity across 
multiple exchanges.
    \49\ See 15 U.S.C. 78q(a), requiring registered broker-dealers 
to ``furnish'' records as the SEC prescribes by rule. See also 17 
CFR 240.17a-25(a), requiring broker-dealers to electronically submit 
securities information (including customer identifying information) 
to the SEC ``upon request.'' If multiple FDIDs are associated with a 
single CCID, regulators would only need to contact one broker-dealer 
to request the name and/or address of the individual. Contacting 
other broker-dealers should result in the same name and/or address.
---------------------------------------------------------------------------

    The Commission acknowledges that this Order will negatively impact 
regulatory efficiency. Specifically, because broker-dealers are 
currently required to report the names, addresses and years of birth of 
natural persons, regulators are able to identify the individuals 
responsible for orders or trades by querying a CCID in the CAT. In 
contrast, a request-response system \50\ would require regulators to 
contact broker-dealers to determine the names, addresses and years of 
birth for natural persons, which would take additional time and require 
manual intervention, thereby decreasing the efficiency of the CAT for 
regulators.\51\ A request-response system could also decrease the 
efficiency of the CAT for broker-dealers, who would have to respond to 
regulator requests for the names, addresses and years of birth for 
natural persons. The Participants and the Commission will, however, 
continue to have indirect access to such information. Broker-dealers 
are already required to collect, among other things, the name, address, 
full date of birth of their customer account owners under existing 
books and records requirements,\52\ as well as collect and periodically 
update the account's investment objectives. The broker-dealers must 
verify this information with their customers at least every 36 months 
and must provide books and records information to the Commission upon 
request. And regulators and broker-dealers should be able to develop 
processes or mechanisms that will minimize the impact of a request-
response system, if such a system is created.\53\ For example, 
technological advances such as more efficient computing and networking, 
could result in the development of an automated or partially automated 
system for requesting information from broker-dealers and for 
responding to regulator requests for information held by broker-
dealers.
---------------------------------------------------------------------------

    \50\ The Securities Industry and Financial Markets Association 
(``SIFMA'') previously suggested a request-response system in which 
regulators would have the ability to request from broker-dealers the 
identity of investors engaged in potentially problematic trading 
activity on an as-needed request-only basis, rather than maintaining 
such data in the CAT. See letter from SIFMA, dated January 28, 2021 
at 9, available at <a href="https://www.sifma.org/wp-content/uploads/2021/01/Pause-on-Implementation-Related-to-CAT-CAIS-Final-1-28-2021-1.pdf">https://www.sifma.org/wp-content/uploads/2021/01/Pause-on-Implementation-Related-to-CAT-CAIS-Final-1-28-2021-1.pdf</a>. 
SIFMA's proposed alternative to the CAT collecting PII would involve 
a workflow in which a regulatory user that wanted to know the 
identity of a customer to a trade would submit an FDID and trade 
dates request through the Plan Processor into a secure file transfer 
protocol (``FTP''). That FTP would in turn direct the PII request to 
an Industry Member acting as a CAT Reporter. The Industry Member 
would then direct the encrypted data through the FTP back into the 
CAT control environment for the requesting regulatory user to 
analyze and use the data.
    \51\ Similarly, without names of natural persons in the CAT, a 
regulator investigating allegations relating to a specific person's 
trading activity may need to contact all broker-dealers to determine 
where a specific person's accounts are held.
    \52\ See 17 CFR 240.17a-3(17).
    \53\ The Commission recognizes that efficient electronic means 
of requesting and receiving from industry members targeted subsets 
of customer identifying information could better enable the 
Participants and Commission staff to detect and investigate market 
fraud and abuse. In connection with the relief provided by this 
Order, the Commission urges the Participants to work with industry 
members to establish these means by taking advantage of the systems 
industry members have already established to format and submit 
customer information consistent with CAT specifications.
---------------------------------------------------------------------------

    Section 36(a)(1) of the Exchange Act grants the Commission the 
authority, with certain limitations, to ``conditionally or 
unconditionally exempt any person, security, or transaction . . . from 
any provision or provisions of [the Exchange Act] or of any rule or 
regulation thereunder, to the extent that such exemption is necessary 
or appropriate in the public interest, and is consistent with the 
protection of investors.'' \54\ Rule 608(e) of Regulation NMS similarly 
grants the Commission the authority to ``exempt from [Rule 608], either 
unconditionally or on specified terms and conditions, any self-
regulatory organization, member thereof, or specified security, if the 
Commission determines that such exemption is consistent with the public 
interest, the protection of investors, the maintenance of fair and 
orderly markets and the removal of impediments to, and perfection of 
the mechanisms of, a national market system.'' \55\
---------------------------------------------------------------------------

    \54\ 15 U.S.C. 78mm(a)(1).
    \55\ 17 CFR 242.608(e).
---------------------------------------------------------------------------

    The Commission grants exemptive relief from the following sections 
of the CAT NMS Plan as set forth below:
    <bullet> Section 6.4(d)(ii)(C) of the CAT NMS Plan to the extent it 
requires Industry Members, through the Participant CAT Compliance 
Rules, to report to the Central Repository for the original receipt or 
origination of an order, the names, addresses and years of birth of 
natural persons reported with transformed SSNs or ITINs. Consistent 
with the PII Exemption Order, the Participants must continue to require 
Industry Members, through their CAT Compliance Rules, to report all 
other required information to the Central Repository, including a 
transformed value for the SSN/ITIN and the FDID for accounts for such 
natural persons.
    <bullet> Section 9.1 of Appendix D to the extent it requires the 
CAT to capture the Customer Account Information attributes of current 
name, current address, previous name, previous address and year of 
birth of natural persons reported with transformed SSNs or ITINs. 
Section 9.1 of Appendix D also requires the Plan Processor to maintain 
valid Customer and Customer Account Information for each trading day. 
Consistent with the PII Exemption Order, the Participants must continue 
to require the Industry Members to report all other required 
information to the Central Repository, including a transformed value 
for the SSN/ITIN and the FDID for accounts of natural persons.
    <bullet> Section 9.4 of Appendix D to the extent the error 
resolution requirements apply to names, addresses and years of

[[Page 9646]]

birth of natural persons reported with transformed SSNs or ITINs.\56\
---------------------------------------------------------------------------

    \56\ Section 9.4 of Appendix D which requires the Plan Processor 
to design and implement procedures and mechanisms to handle both 
``minor and material inconsistencies in Customer information.'' For 
example, ``[m]aterial inconsistencies such as two different people 
with the same SSN must be communicated to the submitting CAT 
Reporters and resolved within the established error correction 
timeframe as detailed in Section 8.'' Section 9.4 of Appendix D also 
states that the Central Repository must have an audit trail showing 
the resolution of all errors. The required audit trail must, at a 
minimum, include a variety of items including ``duplicate SSN, 
significantly different Name'' and ``duplicate SSN, different DOB.''
---------------------------------------------------------------------------

    The exemptive relief pursuant to Section 36(a)(1) of the Exchange 
Act as set forth in this Order is appropriate and in the public 
interest, the protection of investors, and additionally that, pursuant 
to Rule 608(e), such relief is consistent with the public interest, the 
protection of investors, the maintenance of fair and orderly markets 
and the removal of impediments to, and perfection of the mechanisms of, 
a national market system. The exemption permitting the elimination of 
the requirement to report names, addresses and years of birth of 
natural persons reported with transformed SSNs or ITINs to the CAT 
minimizes the risk that bad actors will be able to associate 
individuals with their order and trade information. If there is a 
regulatory need to ascertain the names, addresses and years of birth of 
such individuals behind particular orders or trades, regulators will be 
able to request such information from Industry Members who have long 
been required to collect such information under Section 17 of the 
Exchange Act.\57\ This exemptive relief supplements the existing relief 
relating to SSNs, dates (but not year) of birth, and account numbers 
for individuals provided under the PII Exemptive Order.
---------------------------------------------------------------------------

    \57\ See 17 CFR 240.17a-3, requiring certain exchange members, 
brokers and dealers to make and keep current books and records. See 
also 17 CFR 240.17a-25(a), requiring broker-dealers to 
electronically submit securities information (including customer 
identifying information) to the SEC ``upon request.''
---------------------------------------------------------------------------

    Accordingly, it is hereby ordered, pursuant to Section 36(a)(1) of 
the Exchange Act and Rule 608(e) of the Exchange Act,\58\ that the 
Commission grants the exemptive relief, as set forth in this Order, 
from Section 6.4(d)(ii)(C) and Appendix D, Sections 9.1, 9.2 and 9.4 of 
the CAT NMS Plan.
---------------------------------------------------------------------------

    \58\ 17 CFR 242.608(e).

    By the Commission.
Sherry R. Haywood,
Assistant Secretary.
[FR Doc. 2025-02620 Filed 2-13-25; 8:45 am]
BILLING CODE 8011-01-P


</pre></body>
</html>
View on FederalRegister.gov →Plain-text source
Indexed from Federal Register on February 14, 2025.

This is legal information, not legal advice. Laws vary by jurisdiction and change frequently. Always verify current law with official sources and consult a licensed attorney in your jurisdiction for advice on your specific situation.