SEC Grants Further Relief From Including Personally Identifiable Information in CAT Reporting

On February 10, the Securities and Exchange Commission (SEC) granted relief exempting industry members from reporting a natural person’s name, address, and year of birth to the Consolidated Audit Trail (CAT). Industry members must still report transformed social security numbers (SSNs) or individual taxpayer identification numbers (ITINs) for natural persons and, to the extent applicable, Larger Trader IDs (LTIDs) and Legal Entity Identifiers (LEIs). This exemptive relief builds on the SEC’s 2020 relief that exempted industry members from reporting actual SSNs/ITINs and full birth dates to CAT (but then requiring year-of-birth reporting) and developed the system for transforming SSNs/ITINs, which are then used to generate CAT Customer-ID (CCIDs).

The SEC’s relief acknowledges the ongoing concerns of industry members and trade associations that the wholesale collection of customer information created cybersecurity risks, as such sensitive customer information was vulnerable to hacking by cybercriminals. Particularly when such customer information could be paired with the full inventory of historical securities transactions effected by that customer maintained in the CAT transaction database, cybercriminals could further use compromised information to impersonate customers or regulators, take over or otherwise compromise customer accounts, or otherwise engage in fraud or other bad acts affecting customers or the markets. The SEC’s action largely tracks a recommendation from FINRA President and CEO Robert Cook last month (https://www.finra.org/media-center/blog/cat-should-be-modified-to-cease-collecting-personal-information-on-retail-investors), perhaps anticipating inevitable CAT reform by a Republican-led Commission.   

Regulators will still be able to obtain customer-specific information regarding individual transactions, but they will have to do so by requesting do so by requesting such information from broker-dealers through Bluesheet and other regulatory requests. Both the SEC’s exemptive order and FINRA’s proposal highlighted reverting to such a “request-response” system. 

The SEC’s exemptive order is available at https://www.sec.gov/files/rules/sro/nms/2025/34-102386.pdf.